It wasn’t long ago that a European politician described cloud computing as outsourcing computer storage to the United States. In the early years of the cloud that was possibly fair, but things have changed dramatically recently, as our latest European Cloud Adoption and Risk Report shows.
The report, available here, shows that cloud usage is continuing to increase in Europe, with the average company now using 1,038 different services, an increase of 33% over the same quarter last year.
The report also includes data on the security controls, authentication and logging capabilities available from cloud services – showing that it is possible, if a customer chooses wisely, to deploy cloud services offering enterprise-style security capabilities.
The greatest change seen since the last report six months ago is the number of cloud services offering to store data in Europe or in other countries that the European Union (EU) considers to have “adequate” data protection laws. Previously, only 14% of services offered that option; that has now expanded to 27% of services.
This massive change can be explained as a response to three drivers: 1) the increase in demand from European customers, 2) the performance improvements delivered by locating the data close to the users, and 3) the strong data protection demands in European countries and the customer’s preference for data to be kept in the EU.
The EU countries have strict data protection laws around the collection, use, and storage of personal data, and these are to be strengthened further when the EU GDPR (General Data Protection Regulation) comes into force in 2018. In addition, the ruling from the EU Department of Justice in October 2015 that invalidated the US Safe Harbor agreement means that anyone holding data on EU individuals (the data controller) needs to be careful about transferring that data outside the EU, as they can be subject to court cases from individuals and to investigation (and fines) by the country’s data regulator.
The laws do not say that data cannot be transferred outside the EU; however, they do impose regulations that need to be followed, so it is very useful for IT, legal, and compliance departments to know where cloud providers store data on EU residents.
The EU currently has three categories of countries that it considers to have appropriate data protection laws: the 28 countries of the EU itself, the three countries inside the European Economic Area that are not in the EU (Norway, Liechtenstein, and Iceland), and eleven countries considered by the EU to have “adequate” data protection laws (Switzerland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay).
It is clear that cloud providers have realized the difficulty these rules place on their customers, and many providers who used to offer data storage only outside the EU have introduced options in recent months to store that data inside the EU (if requested). In Skyhigh’s previous Cloud Adoption & Risk in Europe Report, only 14.3% of services stored data inside the EU; this has now increased to 27% of services.
Again, it is worth stating that there’s no law forbidding data being transferred to other countries; legally, however, in those cases there needs to be a commitment in place from the data processor (the cloud provider) to the data controller, using mechanisms such as EU Model Clauses or Binding Corporate Rules. It is the responsibility of the data controller to ensure that these are in place, and that users do not transfer data to cloud services outside these countries without the appropriate legal basis.