When organisations move their applications to the cloud, the number one priority is proving to customers that their data will be safe and protected.
Until recently this has been quite difficult, as most clouds tend to be operated by large American cloud providers such as Amazon and Microsoft. This makes it hard for European organisations that use cloud services to ensure compliance with EU data privacy regulations.
The "Safe Harbor" framework was therefore developed to allow American companies to work with EU data, and enable customers to demonstrate that they are meeting their obligations under the law.
Last month, privacy authorities from all 27 European Union member states adopted a long-awaited opinion from the Article 29 Working Party, clarifying what companies must do to safeguard the private information of Europe’s citizens when these companies use cloud services.
The opinion emphasises that the cloud customer “must accept responsibility for abiding by data protection legislation” and “is responsible and subject to all the legal obligations mentioned” in the EU Data Protection Directive.
It goes on to say that cloud customers “should select a cloud provider that guarantees compliance with EU data protection legislation” and that commitments should be clearly set out in the contract between the customer and its cloud service provider.
According to Stephen McGibbon, chief technology officer (CTO) for Microsoft in EMEA, this is the strongest endorsement to date for the European Model Clauses – a set of contractual safeguards that cloud service providers can use to demonstrate their commitment to the world’s most stringent data protection requirements.
McGibbon explains that these Model Clauses provide a set of formal commitments around how and where data can be accessed and who can access that data. Organisations can then use these Model Clauses in their contracts to demonstrate to regulators that they are meeting their obligations under data protection legislation.
“Obviously the cloud is different from traditional outsourcing, it's a very different model, so a lot of the thinking that had gone into the earlier work on data protection had been focused on outsourcing models,” says McGibbon.
“What's interesting is that this new Article 29 Working Group document is the first to come out and address the applicability of these regulations to cloud. We were delighted with some of the things that were in there because it endorses much of the approach that we've taken around Model Clauses as being a good thing to have.”
Microsoft claims that it is the only cloud operator to offer Model Clauses for key commercial services such as Office 365, Dynamics CRM Online and Windows Azure to its customers at present. Google has also announced plans to offer Model Clauses to its customers, but the timing for this has not yet been outlined.
McGibbon says that Model Clauses have a massive benefit for small and medium enterprises, because they give them some level of certainty up-front.
“Cloud being all about scale, you don't want to do something for one company and something different for another company. So the way Microsoft approached this was, we engineered the process and the way that the product worked so that we could offer these clauses in our contracts, and having done that we offer those to everybody now,” he says.
“So it doesn't actually make any difference whether you elect to have the clauses in the contract or not. All customers of Office 365 get the benefits of that same level of protection.
“I would venture to say that SMEs have a far better assurance around compliance with this legislation now using Office 365 than they probably ever would have using other services, and probably even services that they've built themselves.”
McGibbon says that it is important for the economy that SMEs are able to take advantage of the cloud, because it allows budding entrepreneurs to have access to world-class IT from day one. It also gives them an international reach that they would not otherwise have.
He gave the example of a company based in the Netherlands that runs a distribution network for video games. The company was offered a contract in Brazil, and was competing with a company in Sweden that had also won a contract based in Brazil.
“Because they used the cloud, they were able to deliver content in Brazil as if they were a Brazilian company,” he says. “Their competitor in Sweden wasn’t using the cloud, so it was taking two to three days to do what the first company could do in half an hour.”
McGibbon says that Microsoft isn't just offering Model Clauses to European customers, but also to customers worldwide.
“The model clauses are good because they bring clarity, but Microsoft's commitment is to making it easier for customers to be able to demonstrate that they are meeting the responsibilities and legal obligations when Microsoft is their cloud provider,” he adds.