Main content

Don't undermine Europe's cloud SLA work with US-targeted data protection paranoia

Stuart Lauchlan Profile picture for user slauchlan June 29, 2014
Europe's work on cast-iron cloud SLAs for buyers has produced some promising guidelines, but linking them to data protection demands might undo a lot of good work globally.

Late last week another step was taken down the road of the European Union's cloud computing strategy with the release of guidelines, a first step towards standardised building blocks for Service Level Agreements (SLAs) terminology and metrics.

The European Commission adopted its Strategy in relation to cloud computing  back in 2012. That strategy called for model terms for cloud computing service level agreements for contracts between cloud providers and professional cloud users.

With that in mind, in February 2013 the Cloud Select Industry Group – Subgroup on Service Level Agreement (C-SIG-SLA) was set up to work towards the development of standardization guidelines for cloud computing service level agreements between cloud providers and cloud service customers.

The C-SIG delivered its work late last week when European Commission Vice-President Neelie Kroes said:

This is the first time cloud suppliers have agreed on common guidelines for service level agreements. I think small businesses in particular will benefit from having these guidelines at hand when searching for cloud services.

The guidelines are intended to help the buy side user ensure essential elements are included in plain language in contracts they make with cloud providers.

You can read the whole set of guidelines here, but some relevant items include:

  • The availability and reliability of the cloud service.
  • The quality of support services they will receive from their cloud provider.
  • Security levels.
  • How to better manage the data they keep in the cloud.

Patrick Van Eecke

Contributors to the guidelines include Arthur's Legal, ATOS, Cloud Security Alliance, ENISA, IBM, Microsoft and SAP, Telecom Italia, and law firm DLA Piper.

Patrick van Eecke of DLA Piper commented:

The lack of a common contracting template has been a real stumbling block to the roll-out of cloud computing in Europe. For this reason, guidance on developing a standardized Service Level Agreement that can be adopted by both providers and users is hugely welcome.

International buy-in

Of course, for this to really matter, it’s going to need international buy-in, particularly from the US-dominated cloud services market. Given the global nature of the cloud, cloud contracts often span different jurisdictions, with varying applicable legal requirements, in particular with respect to the protection of personal data hosted in the cloud.

To that end, the engagement of the likes of Oracle and Microsoft in the C-SIG is helpful. The group is working with the International Standards Organization (ISO) Cloud Computing Working Group, to present a European position on SLA Standardisation.

But this is about having input into the ISO work, not a guarantee that the European definitions will be accepted, either in part or in their entirety.

With that in mind, it’s to be hoped that the C-SIG can be left to its own devices without ‘helpful’ commentary from on high.

Viviane Reding

For example, Vice-President Viviane Reding last week proclaimed:

Today's new guidelines will help generate trust in innovative computing solutions and help EU citizens save money. More trust means more revenue for companies in Europe's digital single market.

So far, so good. But then she couldn’t resist getting on her personal hobby horse of enforcing more draconian European data protection rules when she added:

This is the same spirit as the EU data protection reform which aims at boosting trust. A competitive digital single market needs high standards of data protection. EU consumers and small firms want safe and fair contract terms. Today's new guidelines are a step in the right direction.

So the SLAs to protect cloud buyers - a good thing - are directly linked to increasingly shrill demands of the US that it toes the line with the European Commission’s post-PRISM paranoia vision for data protection - not a good thing.

That association alone might well make a few US cloud services providers pause for thought as Reding’s vision for data protection is largely seen in some quarters as nakedly protectionist and anti-US.

If that’s the case then the ambition to get the European SLAs incorporated into international standards may be undermined.


A grey colored placeholder image