Since I wrote on the convergence of cloud computing in Europe for The Privacy Advisor in April 2014, there have been several regional and international initiatives that further set the stage for increased cloud proliferation in the EU region in 2015. These initiatives come in addition to other data protection activities in the region, including the implementation of the new General Data Protection Regulation, the opinions and statements issued by the Article 29 Working Party (such as the risk-based approach to data protection legal frameworks) and issues raised by Court of Justice of the EU decisions, such as the right to be forgotten through exclusion from search-engine results.
The first set of initiatives arose from the European Commission's (EC’s) strategy for "Unleashing the potential of cloud computing in Europe," announced in 2012 and described in my cloud book, Cloud Computing for Lawyers and Executives – A Global Approach, Second Edition. This strategy has three main components: using standards and certification schemes to ensure cloud interoperability and portability; providing cloud contract terms and conditions and SLAs that are safe and fair; and implementing common procurement requirements for cloud services in Europe.
In February 2014, under the first component, ENISA published the Cloud Certification Schemes List for cloud service providers (discussed in my previous article). In November 2014, ENISA, in coordination with the EC’s Cloud Select Industry Group (CSIG), published the Cloud Certification Schemes MetaFramework. The initial version of this document maps 27 public-sector procurement network and information-security objectives to the ISO 27001 information security certification scheme (and the controls in ISO 27002) and to the cloud computing privacy controls detailed in ISO 27018 (discussed below). The first 22 objectives map in essentially the same way to both standards. Of the final five security objectives, two, cloud data security and cloud interface security, map only to ISO 27018 (not to ISO 27001/2); the cloud software security objective maps to both standards; the interoperability and portability objective maps to neither standard; and the monitoring and log access objective maps only to ISO 27001/2. This metaframework will be integrated with the CSIG’s cloud provider code of conduct when that is promulgated.
In June 2014, under the second component, CSIG published the Cloud Service Level Agreement Standardisation Guidelines. This document, intended for use by cloud consumers when negotiating with cloud service providers, categorizes service level objectives (SLOs) into four categories: performance, security, data management and personal data protection. Important SLOs for cloud security and privacy include cryptographic brute-force resistance; cryptographic key access control; the percentage of vulnerabilities corrected in a timely manner; the categorization of data as client, provider or derived data; the classification of data by its intended uses; data deletion types; cloud provider data protection codes of conduct, standards and certifications; the geographic location of customer data; and the ability of customers to intervene to exercise their rights of access, rectification, erasure, blocking and objection. The intention is for this document to feed into the ISO/IEC 19086 cloud SLA framework and technology project.
In December 2014, under the third component, the European Cloud Partnership’s Cloud for Europe project published a tender for the joint pre-commercial procurement (Joint PCP) of research and development on cloud computing services for public administrations. To help facilitate cloud adoption by the public sector across Europe, the project is intended to identify appropriate solutions for three types of cloud services: federated certified service brokerage, secure legislation-aware storage and legislation execution. Selected industry firms are required to design, prototype and then develop appropriate products or services for these three types of cloud services.
In September 2014, DG Connect, the EC’s directorate general for communications networks, content and technology, issued a public consultation on future priorities for research in both cloud computing and software. More than 60 submissions were received on cloud computing; these were followed by a workshop in November and a final document in December. The final document listed a number of key areas requiring cloud research priority, including interoperability, portability, federation, automated security and privacy enforcement, data traceability, personal identity, cloud brokers, verifiable chains of trust, end-to-end encryption, decentralization of the cloud infrastructure to the edge of the network to further enable fog computing, integration with the Internet of Things, experimental cloud platforms and cloud simulation capabilities. In addition, more focus was requested on cloud standards, business models, regulation and European clouds.
In July 2014, ISO/IEC 27018, a code of practice for protecting personally identifiable information (PII) in the public cloud, was published. Much as ISO/IEC 27002 sets out a code of practice for information security, this new standard suggests security controls, control objectives and guidelines that may apply to the use of third-party providers processing PII in the cloud. It works in conjunction with ISO/IEC 29100, which addresses privacy safeguards, roles and principles when dealing with PII. ISO 27018’s objectives include giving cloud consumers better information with which to select, contract with and audit cloud service providers (CSPs), and enabling CSPs to demonstrate compliance with applicable laws and regulations.
Among the many controls suggested for CSPs, which act as data processors under European law, are secure data destruction procedures for customer and temporary data; the use of measures such as encryption for PII sent over the public Internet; disclosure of the subcontractors used and of customer data locations; data breach notice; restrictions on portable media and hard copies containing PII; limiting PII processing to the customer's specifications; CSP assistance with customer data access requests; and CSP notification to customers of law enforcement requests for PII (unless prohibited by law). For future planning, ISO/IEC DIS 27017, which is intended as a true code of practice for information security controls for cloud services, is targeted for release in the fourth quarter of 2015.
In September 2014, the governments of Germany and the UK published additional guidance on cloud computing for cloud consumers. The Bundesamt für Sicherheit in der Informationstechnik (BSI), the IT security office of the German federal government, published Sichere Nutzung von Cloud-Diensten (Safe Usage of Cloud Services). This step-by-step document starts with the cloud consumer’s cloud strategy, then covers cloud service definitions, planning for migration and usage, security measures, selection of the CSP, the cloud services contract, migration to the cloud, operations, and completion of the contract and of cloud usage. It also discusses privacy and compliance. The UK Information Commissioner’s Office provided online guidance to consumers on keeping their data in the cloud secure, including the use of privacy settings, appropriate passwords and encryption.