The European Cloud Initiative
The EU Commission recently announced a major new project to improve access to big data and cloud computing in Europe. Beginning with the European Open Science Cloud to support European researchers and their global scientific collaborators, the EU plans to roll out further ambitious cloud facilities including making available the vast quantities of data produced under grant-funded Horizon 2020 projects, quantum computing and in 2020 a large scale European high performance computing, data storage and network infrastructure.
The Commission envisages committing €2 billion to the project, and attracting a further €4.6 billion of public and private funds. It anticipates a major benefit to industry and particularly SMEs, who will enjoy cost-effective and easy access to top level data and computing infrastructure, as well as a wealth of scientific data enabling data-driven innovation.
Concerns about US courts granting access to data held in Europe, and a possible answer
Meanwhile colleagues from our French affiliate, FIDAL, are involved in their own cloud initiative in response to concerns about the security of personal data. Isabelle Gavanon, FIDAL partner and specialist in IT issues reports:
“The protection of personal data in the United States is not considered equivalent to European standards, due to the lack of specific legislation and differences between American and European concepts of privacy.
In a ground-breaking decision on 25 April 2014, a US judge became the first to issue a warrant on data from a non-US source, under the US Stored Communications Act of 1986. The warrant concerned customer emails that were stored in an Irish datacentre belonging to a Microsoft subsidiary. Data storage location is irrelevant, the judge concluded. Only “possession, custody or control” of an US corporation or a corporation with “continuous and systematic contacts” with the US is relevant. So a US court has a right to access, export and record personal data of a European citizen as evidence in a criminal case. The controversial decision was confirmed on appeal.
This interpretation of the Stored Communications Act even restrains the application of the law of the country where the data is located, including its rules protecting its citizens against seizures by authorities. Cooperation with the local authorities (an Irish judge in this case) could be protective of individual liberties of citizens of the data location country. The judge could decide between the protection of these liberties and the protection of public order.
The Microsoft case demonstrates that personal data are at high risk of seizure when they are stored on European-based servers belonging to a US company. This extensive application of US law, together with Federal agency intrusion, are considered, in France, as a risk to the security of personal data that is processed by non-European corporations. But it offers an opportunity for cloud providers based in the EU, as they will not be affected by US offshore data seizure rules.
Creation of a confidence environment
Cloud Confidence offers an alternative to meet the needs of European companies for a greater degree of security of data stored in the cloud.
This French association offers a certification for cloud providers, based on two essential prerequisites:
- a high level of personal data security equivalent to or greater than that required in current European laws on personal data protection,
- a commitment not to be subject to the criminal or surveillance legislation of a non-EU member country, such as the US Stored Communications Act or Patriot Act, so preventing direct access to data by a proceeding of a non-EU member state.
Compliance with these requirements are checked by annual audit.
The purpose of Cloud Confidence is to establish a normative security framework that offers an alternative solution to US cloud providers.”