When organisations move their applications to the cloud, the number one priority is proving to customers that their data will be safe and protected.

Until recently this has been quite difficult, as most clouds tend to be operated by large American cloud providers such as Amazon and Microsoft. This makes it hard for European organisations that use cloud services to ensure compliance with EU data privacy regulations.

The "Safe Harbor" framework was therefore developed to allow American companies to work with EU data, and enable customers to demonstrate that they are meeting their obligations under the law.

Last month, privacy authorities from all 27 European Union member states adopted a long-awaited opinion from the Article 29 Working Party, clarifying what companies must do to safeguard the private information of Europe’s citizens when these companies use cloud services.

The opinion emphasises that the cloud customer “must accept responsibility for abiding by data protection legislation” and “is responsible and subject to all the legal obligations mentioned” in the EU Data Protection Directive.

It goes on to say that cloud customers “should select a cloud provider that guarantees compliance with EU data protection legislation” and that commitments should be clearly set out in the contract between the customer and its cloud service provider.

Model Clauses

According to Stephen McGibbon, chief technology officer (CTO) for Microsoft in EMEA, this is the strongest endorsement to date for the European Model Clauses – a set of contractual safeguards that cloud service providers can use to demonstrate their commitment to the world’s most stringent data protection requirements.

McGibbon explains that these Model Clauses provide a set of formal commitments around how and where data can be accessed and who can access that data. Organisations can then use these Model Clauses in their contracts to demonstrate to regulators that they are meeting their obligations under data protection legislation.

“Obviously the cloud is different from traditional outsourcing, it's a very different model, so a lot of the thinking that had gone into the earlier work on data protection had been focused on outsourcing models,” says McGibbon.

“What's interesting is that this new Article 29 Working Group document is the first to come out and address the applicability of these regulations to cloud. We were delighted with some of the things that were in there because it endorses much of the approach that we've taken around Model Clauses as being a good thing to have.”

Microsoft claims that it is the only cloud operator to offer Model Clauses for key commercial services such as Office 365, Dynamics CRM Online and Windows Azure to its customers at present. Google has also announced plans to offer Model Clauses to its customers, but the timing for this has not yet been outlined.

McGibbon says that Model Clauses have a massive benefit for small and medium enterprises, because it gives them some level of certainty up-front.

“Cloud being all about scale, you don't want to do something for one company and something different for another company. So the way Microsoft approached this was, we engineered the process and the way that the product worked so that we could offer these clauses in our contracts, and having done that we offer those to everybody now,” he says.

“So it doesn't actually make any difference whether you elect to have the clauses in the contract or not. All customers of Office 365 get the benefits of that same level of protection.

“I would venture to say that SMEs have a far better assurance around compliance with this legislation now using Office 365 than they probably ever would have using other services, and probably even services that they've built themselves.”

McGibbon says that it is important for the economy that SMEs are able to take advantage of the cloud, because it allows budding entrepreneurs to have access to world-class IT from day one. It also gives them an international reach that they would not otherwise have.

He gave the example of a company based in the Netherlands that runs a distribution network for video games. The company was offered a contract in Brazil, and was competing with a company in Sweden that had also won a contract based in Brazil.

“Because they used the cloud, they were able to deliver content in Brazil as if they were a Brazilian company,” he says. “Their competitor in Sweden wasn’t using the cloud, so it was taking two to three days to do what the first company could do in half an hour.”

McGibbon says that Microsoft isn't just offering Model Clauses to European customers, but also to customers worldwide.

“The model clauses are good because they bring clarity, but Microsoft's commitment is to making it easier for customers to be able to demonstrate that they are meeting the responsibilities and legal obligations when Microsoft is their cloud provider,” he adds.

Data sovereignty

While the importance of data sovereignty has long been recognised, the cloud is throwing the issue into sharper focus. However, McGibbon says that the danger for suppliers is to dismiss the reasons behind this legislation and assume that the cloud has superseded it.

“This legislation exists for a very good reason, and I think cloud providers like Microsoft need to ask how we can provide these protections in a cloud environment, rather than say the cloud changes everything, just deal with it,” he says.

He believes it is important to clarify that data is not just whizzing around in the cloud without anybody knowing where it is.

“The data is actually inside a fairly large and very static concrete data centre backed up into another one. However, if somebody from the US accesses a server with data on it, then that's regarded as an export,” he says.

“So it's actually much more the case that we're talking about administrative access and normal operations, and good prudent controls around that.”

McGibbon says that small companies tend to be quicker to adopt cloud, because they have less of a hinterland, whereas larger companies need to plan what to do with their existing infrastructure. He says that each company needs to decide for itself what risks it is willing to take with its data.

While some organisations take the view that it is too risky to put sensitive data in the cloud, others argue that it is risky to not put data in the cloud, from a disaster recovery perspective.

“Companies are understanding where the cloud fits in their architecture and they're building a new generation of applications that are cloud-savvy, and that manage the risks that they identify in ways that they are satisfied with.”

He says that, generally speaking, organisations are very quick to understand the benefits of cloud from a data integrity point of view. Most cloud data centres are extremely resilient, have automated failover and offer increased availability. CIOs are therefore coming to the conclusion that cloud gives them choices that are beneficial in managing their risk profile.

“It's interesting that the EU has come up with some quite sensible policies regarding their cloud strategy. They seem to be recognising that the EU wants to be part of the cloud conversation and aren't just trying to develop a separate European cloud,” he concludes.