Data Security in Cloud Computing, Volume II
eBook - ePub

  1. 132 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

This book covers not only information protection in cloud computing, architecture and fundamentals, but also the plan design and in-depth implementation details needed to migrate existing applications to the cloud.

Cloud computing has already been adopted by many organizations and people because of its advantages of economy, reliability, scalability and guaranteed quality of service amongst others. Readers will learn specifics about software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), server and desktop virtualization, and much more.

Readers will have a greater comprehension of cloud engineering and the actions required to rapidly reap its benefits while at the same time lowering IT implementation risk. The book's content is ideal for users wanting to migrate to the cloud, IT professionals seeking an overview on cloud fundamentals, and computer science students who will build cloud solutions for testing purposes.

Frequently asked questions

Yes, you can access Data Security in Cloud Computing, Volume II by Giulio D'Agostino in PDF and/or ePUB format, as well as other popular books in Computer Science & Cryptography. We have over one million books available in our catalogue for you to explore.

Information

Year
2019
ISBN
9781949449242

CHAPTER 14

MANAGING LEGAL COMPLIANCE RISK AND PERSONAL DATA PROTECTION

Together with the widespread use of technologies and the ever more important role they play in business, the adoption of cloud computing technology is growing at an unprecedented speed. According to Eurostat, in 2014, 24 percent of large enterprises made use of public cloud computing services (Eurostat 2014), and Gartner predicts the strongly marked public cloud growth to continue, with an expected 18 percent increase to “almost $250 billion by 2017, including cloud advertising” (Anderson et al. 2013).
The vast majority of big businesses have already moved into the cloud as a consequence of its high capacity to enhance productivity, streamline information processing, and possibly above all decrease costs and increase margins. The US Federal Government has also recognized the power of cloud computing, exemplified in the federal cloud computing strategy that was designed as an outline for the adoption of cloud services by the government itself (Kundra 2011, p. 2).
The Asia Cloud Computing Association, an industry association that represents cloud ecosystem stakeholders in Asia, recently released a report titled “Asia’s financial services. Ready for the Cloud—A Report on FSI Regulations Impacting Cloud in Asia-Pacific Markets,” which covers the regulatory landscape for the cloud in Asia-Pacific and identifies regulatory obstacles in the adoption of cloud services in the financial services industry.
Based on their findings, the authors suggest five main recommendations for lawmakers:
1. There should be no separate regulations for the use of cloud providers.
2. Regulations should set a transparent process which needs to be followed for the adoption of cloud solutions (as if it were some other form of outsourcing) and no endorsement should be required for the utilization of cloud services.
3. The transfer of data into other authorities must be permitted, subject to proper safeguards (e.g., safety, business continuity, access, and audit).
4. Regulations should only identify the critical issues that should be addressed in outsourcing contracts which include cloud solutions. They shouldn’t be prescriptive of the terms of an outsourcing contract which provides cloud services.
5. The use of independent third-party audits should be an acceptable alternative to audits carried out by financial services institutions (FSIs) and the regulators (Asia Cloud Computing Association 2015).
While the benefits of cloud computing technologies undoubtedly outweigh the risks, it is of utmost importance that the legal and regulatory aspects are fully understood and analyzed. In 2012, the European Commission adopted its “Unleashing the Potential of Cloud Computing in Europe” cloud computing strategy (European Commission 2012), which was last updated on February 27, 2015. The strategy itself is the final product of policy, technology and regulatory landscape analysis, and stakeholder consultation. The strategy aims to improve European GDP by 1 percent by 2020 as well as to create 2.5 million jobs in the EU by way of cloud adoption across a wide range of sectors. The strategy focuses on three main actions, namely (i) cutting through the jungle of standards, (ii) safe and fair contract terms and conditions, and (iii) the establishment of a European Cloud Partnership to drive innovation and growth from the public sector (European Commission 2012). We will now take a glance at each of these three main actions. First of all, we should look at the so-called jungle of standards.
The maze of standards present in the regulatory sphere represents one of the most significant challenges to the development of the cloud (OECD 2014, p. 5). In fact, the plethora of standards we can observe generate uncertainty concerning adequate levels of personal data protection, interoperability, and portability, and for this reason the European Cloud Strategy aims to establish publicly available clouds that are both open and secure in full compliance with European regulatory standards (European Commission 2012, pp. 5–6). In the digital world, issues are often intertwined. Take, for example, the Digital Agenda’s e-commerce Directive, which demonstrates that a primary hindrance in the adoption of the cloud is “the lack of appropriate standards in some areas, the lack of widespread adoption of existing standards and the potential for vendor lock-in due to the use of non-interoperable solutions” (European Commission 2012, p. 7). Organization of the jungle of standards would allow for adequate interoperability, data portability, and reversibility, critical considerations in the adoption of cloud computing services (Digital Agenda for Europe 2015). This will be achieved through the European Data Protection Regulation, a framework law that will foster an environment that allows for the safe adoption of standards and codes of conduct that users need to successfully verify security standards and the security of data transfers (European Commission 2012, p. 8). Cutting through the jungle of rules would mean allowing cloud users to experience interoperability, data portability, and, importantly, reversibility (Digital Agenda for Europe 2015).
Trust plays an essential role in cloud adoption, and in fact, the digital single market approach itself highlights the importance of the identification “of a proper set of criteria that can be certified in order to allow public and private procurers to be confident that they have met their compliance duties” (European Commission 2012, p. 9). These standards and certifications, in turn, can be referenced in the terms and conditions supplied by cloud service providers for contractual fairness and transparency. As the Commission has pointed out in its “Unleashing the Potential of Cloud Computing in Europe” communication, however, there is a need for specific frameworks that deal with both criteria and certifications as well as contract stipulations.
According to the commission, the objective of this cloud computing strategy would be the development of model contracts which would regulate:
1. Data preservation following the conclusion of the contract
2. Data disclosure and integrity
3. Data location and transfer
4. Ownership of the information
5. Direct and indirect liability, change of service by cloud suppliers, and subcontracting

14.1 DIGITAL AGENDA FOR EUROPE 2015

The European Cloud Partnership was established under the European Cloud Strategy to act as a place where industry and the public sector “work on common procurement requirements for cloud computing in an open and fully transparent way” (Digital Agenda for Europe 2014). Its steering board provides advice to the commission to facilitate the positive effects of the cloud in the economy, stressing the importance of the public sector as a defining aspect of the cloud market (Digital Agenda for Europe 2014a).
Moreover, the OECD stresses in “Cloud Computing: The Concept, Impacts and the Role of Government Policy” that standard contracts are often on take-it-or-leave-it terms, thereby not allowing the cloud customer to adequately negotiate the contract terms that the client may not fully understand, resulting in considerable uncertainty even for the providers. Service-level agreements (SLAs) need to better address aspects such as outages, which could be promoted in policy through the concretization of industry codes of conduct (OECD 2014, p. 5).
Regarding privacy, the OECD observes that a genuinely global interoperable approach on the part of governments is the key to maximizing the potential for cloud deployment, suggesting that policymakers define “whose laws apply to the data stored in the cloud, including who can access this data” (OECD 2014, p. 6). Bradshaw, Millard, and Walden (2010, p. 44) emphasize the importance of careful examination of cloud contract terms and conditions specified for disclosure, data storage location, which is not always considered in contracts outside of the EU, and the identity of underlying service providers.
The terms and conditions of many cloud computing contracts represent legal challenges for the adoption of cloud services. This is underlined by Bradshaw, Millard, and Walden whose research on the terms and conditions offered by cloud computing providers demonstrates that standard cloud contracts, in fact, provide a shallow level of certainty in comparison to outsourcing contracts (2010, p. 3). This chapter is inspired by the author’s participation in two projects, CloudWATCH D3.5 Legal Guide to the Cloud: How to Protect Personal Data in Cloud Service Contracts and Cloud Security Alliance’s Privacy Level Agreement [V2] A Compliance Tool for Providing Cloud Services in the European Union, each of which explores fundamental aspects of cloud computing contracts relevant to the study undertaken herein. Drawing heavily on this experience, the author aims to further an understanding of the legal compliance risk in the cloud, how it can be managed, as well as to...

Table of contents

  1. Cover
  2. Halftitle Page
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Abstract
  7. Contents
  8. List of Figures
  9. List of Tables
  10. List of Abbreviations
  11. Acknowledgments
  12. Introduction
  13. Chapter 7 Secure Cloud Architecture
  14. Chapter 8 Risk and Trust Assessment
  15. Chapter 9 Managing Risk in the Cloud
  16. Chapter 10 Cloud Security Access Control
  17. Chapter 11 Cloud Security Risk Management
  18. Chapter 12 Infrastructure-as-a-Service (IaaS)
  19. Chapter 13 Cryptographic Key Management for Data Protection
  20. Chapter 14 Managing Legal Compliance Risk and Personal Data Protection
  21. Chapter 15 Future Directions in Cloud Computing Security
  22. About the Author
  23. Index