Cloud providers warn against EU 'over-regulation'
11.10.11 @ 18:11
The EU should not attempt to "over-regulate" the constantly changing market of "cloud computing" - a buzz-word applied to a growing industry of outsourced data-storage centres and computing facilities that can cut costs for businesses and government bodies - a representative of the US telecommunication company AT&T told this website.
Be it governments or small start-ups keeping records online, school kids uploading homework to 'Google Docs' or gadget fans 'synchronising' smartphones with home computers - virtually every internet user can become a 'cloud' user without even knowing it.
"The reality of cloud is that it has been there for a while, it's just the name that's new," said Karim Lesina, executive director at AT&T Europe.
A booming market expected to surpass €175 billion by 2020 compared to €29 billion last year, cloud computing is now on offer by a wide range of companies, including telecommunications providers such as AT&T, internet giants such as Amazon and Google or computer-maker Apple. But with this myriad of cloud providers come the problems of no longer having complete control over one's data and of new forms of exposure to data theft.
"People tend to look at cloud as a single one, but there are a lot of clouds, different levels of what the consumer can access, with enhanced security, depending on what each person desires," Lesina explained.
"The level of security is higher compared to what the average user is doing at home," he added, citing bad habits such as not keeping any back-up copies, ignoring anti-virus updates or keeping passwords in an unsecured document.
"The real fear everybody has in the sector is creating barriers in the development of the new systems. It's important not to over-legislate in a sector that is still developing. The European Commission has a tough role to find a compromise between ensuring a good level of privacy for the citizens and also promoting the development of cloud, which would increase competitiveness of European companies and reduce costs."
Lesina also warned against the temptation to introduce 'territorial' criteria in the draft law, obliging cloud providers to store data in a certain country. "That would be in our opinion one of the biggest potential problems," he said, noting that cloud computing is all about border-less services.
Data location is intrinsically linked to the issue of jurisdiction - a major headache for EU legislators and companies alike.
Since data can be split and stored in multiple locations within and outside the EU, it would be unclear how inconsistencies among those jurisdictions would be resolved in case of abuse or a data breach, a recent report by the World Economic Forum says.
Government access to data stored in the cloud is also an issue, according to the Switzerland-based group.
"Governments worry about losing the legal ability to 'oversee' data in the cloud and apply their laws to the cloud. These concerns can result in data location constraints being imposed – for example, requiring cloud providers to locate data within national borders, or subjecting transfers of data outside a given jurisdiction to additional legal hurdles and authorizations," the forum adds in its paper.
It recommends that cloud providers keep their services as transparent as possible: "Providers of cloud services should make available to customers information about how their services are provided and how they perform. This includes letting customers know how data is secured, where data is stored and/or what jurisdictional provisions apply, how and by whom it can be accessed, and how it can be deleted."
According to a hacker who showed one German hosting provider, Hetzner, how vulnerable its password security was, there is "no 100 percent guarantee against attacks."
Empty bank accounts no surprise
In an interview with Netzwelt, a German online magazine, Tobias Huch said that the best way to protect oneself is to have different passwords for email accounts and online banking services: "In most cases people have just one password, and even that one is not too secure. In that case one cannot wonder too much when one's account becomes empty one day."
According to European Commission spokesman Matthew Newman, cloud providers would, even today, fall under the legal obligation to protect personal data.
"European data protection legislation already obliges those businesses that process personal data to make sure that they have appropriate technical and organisational security measures in place, and makes them liable for any damage to individuals caused by not observing their obligations," he told this website.
An obligation to notify customers of data breaches will be put into law next year, he added.
"Frequent incidents of data security breaches risk undermining consumers' trust in the online economy. Companies should beef up their precautions against identity theft and better protect consumers' personal data. They should immediately notify breaches of data security and confidentiality," he said.