Cloud Governance European Commission

28 September 2011 - A Workshop on Security in Nairobi, Kenya


Cloud computing has emerged as a key trend in the Internet world. The ability to provide virtualised infrastructures, processing functions and/or applications "on the fly", to scale them according to the need and to allow organisations to outsource IT functions to a third party can greatly enhance efficiency, effectiveness and economy of their operations.
On the other hand, the concentration of data – often of a very sensitive nature – and processing functions to third parties, often clustered in specific countries, raises a number of concerns which need to be duly addressed to develop the necessary trust in this technology. In the absence of clear "rules of the road", cloud computing will hardly deliver the benefits it promises.
Such concerns are different in their nature and in the specific stakeholders they tend to impact. Businesses can fear that outsourcing key operational IT functions to third parties could pose a significant risk and could therefore want appropriate guarantees, either in the form of Service Level Agreements, insurance contracts or others, before "going in the cloud"; citizens would want to ensure that their personal data correctly handled; consumers would want to make sure that their rights are recognised and enforced no matter where a particular transaction "in the cloud" takes place.
Most of these issues have a very relevant public policy dimension, for example understanding what is the "correct" juridisction and legal system that should apply; how to ensure cross-border enforcement of judicial decisions; how to guarantee a level-playing field for industries that either use or produce cloud-based services in different parts of the world.
Purely private- or public-led approaches would be neither appropriate nor effective. It is necessary to facilitate multi-stakeholder and inclusive discussions and "out of the box" approaches towards a governance structure that would best tackle these challenges. For example, self- or co-regulatory solutions, partially based on "ethical standards" agreed via public-private dialogue, could contribute in this direction.
This workshop would be an occasion to compare different "visions" of what should be the ideal governance structure for cloud computing services; whether it would in any particular way differ from the general approach to Internet governance; and try to identify common grounds on which a globally coordinated approach could be pursued.


A brief substantive summary and the main events that were raised:

• Katarzyna Szymielewicz (Foundation "Panoptykon") said that cloud computing should be considered as a great phenomenon. However, it creates new risks, in particular in the area of privacy. Governments may gain more opportunities to access data. Also, private companies may be willing to use data for different purposes, for instance creating digital profiles to improve advertisement targeting. Users are not aware of those practices and the nonnegotiable terms of services place consumer in weaker position. Finally, other issues concerning cloud computing should be addressed, including data portability, data ownership, data security and cross boarder issues.

• Megan Richards (European Commission) said that use of cloud services should provide opportunities to develop new services and lead to greater economic growth. However, "cloud" is varied and complex and poses certain risks that are inherent in a digital environment – some with potential global implications. In order to ensure that benefits of cloud use can be developed in full knowledge of all issues, the Commission has launched public consultations on cloud computing with all stakeholders.

• Pilar del Castillo (Member of the European Parliament) emphasised the need to create a competitive cloud market where the freedom of choice of service provider is ensured. To this end, data portability in the cloud must be ensured.

• Andrea Renda (Centre for European Policy Studies) said that cloud requires addressing different topics, for instance increased need for the stability of data. Also, net neutrality should be addressed in comprehensive way. What is needed is a more intensive discussion on technological issues. Therefore, a debate on different issues is needed in the spirit of multistakeholder approach.

• Jeremy Malcolm (Consumers International) emphasised the need to create soft law norms, in particular at international level. He gave an example of United Nations guidelines on consumer protection and of different other principles developed in this area.

• Nasser Kettani (Microsoft) said that consumers should be able to balance different values. Therefore, should consumers be willing to be provided services for free, providers in exchange may have access to personal data. A flexible legal framework is needed to reflect different trade-offs.

• Patrick Ryan (Google) explained that users are actually aware of privacy problems. Also, further education may be promoted to raise the general awareness. The most important issue in the area of cloud computing consist of ensuring data portability.


The following points were raised in the discussion by the participants to the workshop:

- There is a need to ensure the high degree of competition on the cloud computing market

- A discussion on the role of standardisation in the area of cloud computing is necessary

- Data portability should be ensured

- Consumers using cloud computing services should be adequately protected

- Developments in cloud computing should be monitored by public authorities, as well as by civil society

- Moreover, different business models should be considered (for instance users may prefer to pay in exchange for having increased level of security and privacy)