Experts disagree over data security in the cloud
Davide Perilli of the European Privacy Association believes that the European data protection system is incompatible with the prevailing model of data processing in the cloud. At a lobbying event held on Monday, Perilli reported that it is the opinion of EU data protection officials that cloud service providers are the actual data processors – with all the security obligations and liability that that implies. Providers such as Amazon, Google and Microsoft currently take the approach that the obligation to monitor information stored in their clouds is a shared obligation. During the initial phase, prior to actually processing data in the cloud, they consider the owner of the bits and bytes to be responsible for the security of their data. According to Perilli, providers believe that their responsibility starts only once data has been successfully transferred to their data centres. This, says Perilli, is not in the spirit of the EU's data protection directive.
Jörn Kruse, an economist at Helmut Schmidt University in Hamburg, believes it would be inadvisable to respond to such technicalities and legal loopholes with government regulation of cloud computing. According to Kruse, the market will solve any data protection problems: "Providers which fail to offer a secure service will be unable to attract customers." He thinks that having specific ISO certificates and quality marks would be a sensible means of providing users with enough information to select a provider. The delegate from the European Forum for Sustainable Development (EFNE) noted that whether cloud data centres are located in Europe, the US or Asia is not particularly important from an economic point of view. The key thing is "what it generates in added value". He believes that the many years of competition for the best location for chip development clearly demonstrate this; Silicon components have long been mass produced, and the economic effect of their production is barely noticeable.
Bernd Becker, Chairman of cloud industry association EuroCloud, disagreed. According to Becker, with the exception of SAP, there are no global players in the IT or cloud fields located in Europe. The big US providers have data centres "as big as 17 football fields", able to offer data processing in the cloud for next to nothing. As a result, Becker believes, European SMEs simply cannot compete on price. Anyone entrusting their data to a European provider does, however, enjoy legal safeguards. Becker believes that while European cloud providers may not be able to compete on size, they can score points in the areas of reliability and data protection.
A German customer in the market for external data processing services is, said Becker, is obliged to find a trustworthy service provider by the German Data Protection Act. Furthermore, the information held by the service provider must be stored within the EU. Microsoft, for example, operates a data centre in Dublin and a backup facility in Amsterdam. According to Becker, the company is, however, unable to guarantee that the US government will not use anti-terror legislation such as the Patriot Act to access European data. His association therefore always recommends at least one European alternative to the major US providers to customers. He also noted that the association already awards quality seals which compare service agreements with the national legislative framework in the customer's territory.
The EuroCloud representative described the trend for Amazon, Google and others to offer developers cheap or even free "developer clouds" as areas for experimentation as "precarious". When commercialised, applications developed in such environments would continue to be operated in these environments which were "not necessarily located in Europe". The result would be that the added value would drift away. German Christian Democrat MP Nadine Schön admitted that "the legal framework is not right", and that technology was once more a step ahead of politics. She believes that changes and any amendments to the law need to be considered first at the EU level, and thereafter globally.
(Stefan Krempl / ehe)