Framework for the free flow of non-personal data
Here is a brief summary from the Chair of our Legal Forum, Prof Conor Ward, of the matters dealt with at the Digital Single Market Cloud Stakeholders meeting last month at the European Commission in Brussels.
First, the Commission is keen to promote the portability of non-personal data between platforms to facilitate cloud services customers (CSCs) switching between providers. The Commission would "encourage and facilitate" the development of self-regulatory codes of conduct at an EU level. The purpose would be to ensure that CSCs would be provided with "detailed, clear and transparent" information before contract signing. The Commission has an aggressive timetable with (i) adoption by the Council and EP in June 2018; (ii) entry into force by the end of 2018; and (iii) codes of conduct in place by mid to late 2019.
There are clearly a number of issues that the Commission needs to think through. For example, the extent to which the CoC would apply to outsourcing generally or only to cloud services. If the latter, what is a cloud service? Will it apply when CSCs migrate to entirely different applications (e.g. Oracle to SAP) or only for IaaS or PaaS?
Cyber Security Act
As part of its review of ENISA, the Commission proposes legislating in the area of cyber security certification schemes. The proposal is that ENISA would define the framework for such schemes and, where schemes comply with the framework, they would be recognised across Europe. Use would be "voluntary", though Member States could not introduce new national schemes! There would be national bodies that would undertake the certification review. Representatives from Germany were very keen to ensure that any new Act would be consistent with the processes set up by BSI, the German Federal Office for Information Security, and its Cloud Computing Compliance Controls Catalogue. Again the Commission has set a very aggressive timetable: (i) adoption by the Council and Parliament by mid-2019; (ii) the scheme taking effect immediately.
Unfair Cloud Computing Contract Terms
The Commission has engaged E&Y to undertake a study on "the economic detriment to SMEs arising from unfair and unbalanced cloud computing contract terms". As you may know, the Commission has previously undertaken a number of projects re cloud computing contract terms, which CIF has responded to. I currently do not have a timeline for this study.
An obvious question relating to each of the matters above is to what extent, if at all, UK CCSPs should pay attention to initiatives that will come into effect after Brexit has occurred. This of course will depend on the terms of any transition arrangements negotiated by the UK Government's crack negotiating team led by David Davis. CCSPs who provide services into the EU post Brexit will need to be alert to any compliance issues affecting services in any event.
DCMS are consulting on the proposals re certification schemes – as set out below. Members wishing to provide feedback for CIF’s response can contact me on email@example.com by 9th Feb 2018.
About the Author: Conor is a consultant with the international law firm Hogan Lovells (a partner between 1998 and 2014), where he has practised exclusively in contentious and non-contentious aspects of computers and communications law.
His work has included advising in relation to numerous outsourcing transactions, Cloud Computing and SaaS projects, systems development and integration contracts, as well as acting for clients in various disputes involving failed projects. He also has extensive experience in advising clients in relation to cyber-security and dealing with the aftermath of security breaches, including acting in civil litigation and criminal prosecutions relating to computer hacking.
He is the chair of the Cloud Legal SIG and is also a Visiting Industry Senior Lecturer in the Centre for Commercial Law Studies, Queen Mary University of London. Conor is recognised in both Chambers and the Legal 500 legal directories as one of the leading IT lawyers in the UK.