Europe opens up to the cloud — by adding more red tape

If last weekend’s Amazon (s AMZN) outage taught us anything, it’s that the cloud is a complex thing. But it’s particularly convoluted in Europe, where the desire by companies to rely on Internet-based services is at odds with the European Union’s relatively tough data protection laws.
Trying to reconcile what businesses want with the heavy responsibilities for protecting information is one of the biggest obstacles to cloud adoption, according to some senior figures. After all, it’s one thing for lawmakers to tell organizations to be careful with such data — but how are they supposed to be able to check what their providers and those providers’ providers are actually doing with it?
That’s why European privacy watchdogs are recommending that a new auditing system should be brought in to vet cloud providers in the U.S. and elsewhere.
The Article 29 Working Party (WP29), a group representing the various EU member states’ various data protection bodies, is saying the best way to be sure that everyone is compliant is to go and check. And that would be a pretty serious new development.

Old rules, new rules

As things stand, no EU company or organization is allowed to send their users’ personal data overseas unless that country has data protection laws that match European standards. The U.S. is not one of those countries – however, it is where many of the best-known cloud providers are based.
In order to get around this awkward situation we have something called Safe Harbor: that means providers can basically certify themselves as being up to the EU’s data protection standards. Here’s Google’s self-certification, by way of example – and there are hundreds more like it. But WP29 isn’t comfortable with this way of doing things, because it says that EU organizations that really want to comply with the continent’s laws can’t be 100 percent sure they’re actually doing so.
And so the group wants tougher, external inspections.
“Such certification would, as a minimum, indicate that data protection controls have been subject to audit or review against a recognised standard meeting the requirements set out in this Opinion by a reputable third party organisation,” one of the more readable parts of the recommendations states. “In the context of cloud computing, potential customers should look to see whether cloud services providers can provide a copy of this third party audit certificate or indeed a copy of the audit report verifying the certification including with respect to the requirements set out in this Opinion.”
The full opinion is worth reading, if you have the stomach for it.
There are other interesting recommendations, too. For one, WP29 says the EU’s new upcoming data protection laws should ban organizations in the EU from passing on people’s personal data to third countries just because those countries’ courts or governments demand it, “unless this is expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”
But for cloud-based companies, the auditing recommendation is the big one.
How seriously should it be taken? Well, WP29’s recommendations aren’t binding, but the group exists to give advice to the European Commission – which is currently revising the continent’s privacy laws. Its pronouncements give a pretty good indication of the way the wind is going to blow.
If the recommendations do become reality, it will probably be good news for EU businesses, simply because the current situation is a joke: everyone breaks data protection rules because the shift to the cloud, with its labyrinthine network of unsure responsibilities, makes compliance almost impossible. Legal certainty and transparency are what the regulators are after.
But for those cloud providers in the U.S. and elsewhere who want to sell their services in the EU? Just saying you’re good enough may no longer be good enough. Expect a whole new world of pain.