Cloud computing hits snag in Europe

By bundling the processing power of thousands of computer servers, a company, for example, could allow two employees from different countries who speak different languages to communicate directly by phone, using voice recognition software to process what is being said and translation programs to interpret it into another language.

The result, ideally, would be a seamless conversation, without struggle and without the limitations of speaking a foreign language.

“We’re not quite there yet, but it’s coming,” Eric E. Schmidt, the chief executive of Google, a promoter of the technology, said at a gathering of cellphone industry executives after evoking the image at a convention in Barcelona in February.

Such cloud-based breakthroughs face a formidable obstacle in Europe, however: strict privacy laws that place rigid limits on the movement of information beyond the borders of the 27-country EU.

European governments fear that personal information could fall prey to aggressive marketers and cybercriminals once it leaves the jurisdictions of individual members, a concern that may protect consumers but one that hinders the free flow of data essential to cloud computing

“There are restrictions on cloud computing in Europe,” said Bob Lindsay, privacy director in Europe for HP, which makes servers and other equipment for cloud data centres. “This isn’t killing the business, but it is slowing its evolution, compared with what is taking place in the US.”

Cloud computing, which allows companies to tap enormous computing power via the Internet without having to invest in the infrastructure themselves, has grown rapidly in the United States under a legal system that permits the sale and transfer of many forms of private data.

For its clients, the lure of cloud computing is the savings made possible by cutting in-house corporate information technology departments and hardware and software purchases.

According to the research firm Gartner, global sales of cloud services will rise 17 percent this year, to $68.3 billion from $58.6 billion in 2009.

About half of what Gartner defines to be cloud services are, in fact, the computing power involved in the display and tracking of Internet ads. The rest is sales of computing services, mostly to large businesses.

Global sales of cloud services are poised nearly to double by 2012, to $102.1 billion, Gartner estimates. But Europe is expected to remain a relatively modest user of cloud services, accounting for only $18 billion this year, or about 26 percent of the global total. By 2012, Gartner estimates, Europe’s proportion of global cloud sales will rise to 29 percent, even though the bloc’s economy is larger than that of the United States.

Facing legal obstacles in Europe, the U.S. businesses with the greatest stake in cloud computing — primarily Microsoft, Google, HP and Oracle — are lobbying lawmakers to loosen restrictions on cross-border data transfers. Alternatively, some are developing new methods to make cloud computing work within Europe’s complicated legal landscape. At the HP Labs in Bristol, England, researchers are devising ways to encrypt data before it is sent into a cloud computing centre and then decrypt it after it leaves the cloud, thus addressing the privacy concerns of many European governments.

Privacy control personalised

Another solution being studied is to give individuals the ability in advance to set the degree of privacy control on each part of their personal information in the cloud by digitally tagging bits of the data. Under this model, a person could make an e-mail address available to marketers, while shielding a phone number and street address from unwanted solicitations.

In that aim, HP plans to begin testing new software that complies with European privacy laws this year. Called HP Privacy Advisor, the software will handle the transfer of data between HP offices within Europe as well as to those outside of the Union.

“The benefits and impact of the cloud are so great, and the legislative and technical issues are what they are at the moment,” said Siani Pearson, one of HP’s lead researchers on cloud computing technologies at its laboratory in Bristol. “But we can make sure that the benefits of the cloud come even within the existing framework.”
In Europe, the legal definition of what constitutes personal data is much broader than it is in the United States, extending to information like names, addresses and phone numbers in phone books.

Another obstacle is the European Data Privacy Directive, the main body of European law governing international data transfers, which generally prohibits the movement of EU data outside the external borders of the European Union.

The European Commission has approved only a handful of other countries to provide cloud computing services — the United States, Argentina and Canada. Israel and Andorra have applied for approval to be designated as computing centres.

Companies that want to process EU data in countries that have not been approved— India and Malaysia are growing hubs for cloud computing data centres — must negotiate and enter into binding legal agreements with data processors called service level agreements, which ensure that the personal information of EU citizens will be handled in accordance with EU regulations.

But such agreements, while increasingly common, are costly, time-consuming to prepare and difficult to enforce, said Lindsay, HP’s privacy director, who is based in Milton Keynes, England. Backers of cloud computing technology are hoping the European Commission will loosen the rules applying to international data transfers during the review of its data protection directive, which was drafted in 1995, in the early days of the Internet.

During the review, which began last year and is not expected to be completed before mid-2011, companies like Microsoft have urged the commission to streamline existing laws on international data transfers.

The laws require companies to get the approval of several national data protection regulators for a single data transfer flowing through their jurisdictions.

Under this framework, a Microsoft affiliate in Bulgaria, for example, seeking to send Bulgarian consumer data to a cloud centre in the United States, might have to apply for and receive approval from regulators in a series of countries along the transmission route, which in this case could include Romania, Hungary, Austria, Germany and the Netherlands.

In a letter sent in December 2009, John Vassallo, Microsoft’s associate general counsel in Brussels, asked the commission to change the EU’s data protection directive to assign varying levels of privacy restrictions to different kinds of data, which could ease the transfer of some personal information, like names and addresses, for commercial marketing purposes if consumers gave their consent.

“As the patchwork of worldwide data protection laws has become increasingly difficult to navigate,” Vassallo wrote to the commissioners, “Microsoft has repeatedly called for a comprehensive, workable global privacy framework that is consistent, flexible, transparent and principles-based.”