Us lawyers involved in ICT and disputes, it is very common to talk about data protection and privacy, but in reality cloud computing is much more complex phenomenon. As an example if we look at the issue from business perspective, we can see enormous potential for cost savings. As an example according to data available from the Commission, cloud computing "....allows individuals, businesses and the public sector to store their data and carry out data processing in remote data centres, saving on average 10-20%".
The cloud computing guidelines have been developed by a Cloud Select Industry Group which is part of the Commission’s European Cloud Strategy. One interesting part relates, perhaps for someone surprisingly, not to the privacy, but SLA terminology and metric. For those interested in SLA or not familiar with the term, please look from here. The key elements include:
The availability and reliability of the cloud service,
The quality of support services they will receive from their cloud provider
How to better manage the data they keep in the cloud.
I have personally disagreed with European Commission Vice-President @NeelieKroesEU several times in the past in particular in connection with the pharmaceutical sector-inquiry and software patents, but from customers point of view this statement is most likely welcome: "This is the first time cloud suppliers have agreed on common guidelines for service level agreements. I think small businesses in particular will benefit from having these guidelines at hand when searching for cloud services". From suppliers' point of view there are of course challenges if the existing operating models are harmonized to meet requirements of this proposed model so the question remains whether these costs are taken into account while calculating the above cost savings figure? I would assume no.
As a next step there is a privacy aspect involved as the European Commission will test these guidelines with SMEs and these will be presented to the Article 29 Data Protection Working Party (European Data Protection Authorities) as well, but this is not the whole story. According to the Commission, the next step is to find out fair terms on which the firms could deal with each other and this work has been started already by the Expert Group on Cloud Computing Contracts and this is fascinating. We also have some national initiatives in Finland pending as an update is planned to IT2010, and it remains to be seen whether there is a need to update these IT2010 Agreement on service delivered via data networks. Personally I think the most needed changes concern these terms and then I would draft specific terms for agile projects. Clearly we can see that there are some similar clauses and considerations in these contract types, but of course differences as well. Personally I would concentrate IT2010 update efforts to agile and wait for European-wide harmonization to influence on these cloud terms before implementing another set of terms for domestic terms and conditions for services delivered via data networks. Now I have to advertise that we already have these "Specific Terms for Agile Projects" done and ready in our models at TRUST as we needed to draft those for one specific project to be used with IT2010 - got you interested? Please send an e-mail and we are pleased to share these.
In conclusion, there is one final issue that should be noted, in many case if one is talking about cloud for SMEs or consumer clouds there is one point above all that cannot be solved by "fair contract terms" and that is the dichotomy between harmonization (means less revenues for suppliers) and business risks and damages in worst possible case scenarios (means bigger risks for customers). This emphasizes the importance of collaboration between legal, technical and business units and also lawyers' understanding of the technical solutions available.