For the European Union, data is a core priority for economic growth, whether to facilitate personalized medicine or autonomous vehicles.  Between 2018 and 2025, the value of the data economy in Europe is projected to nearly triple, from €301 billion to €829 billion, and the number of data professionals is expected to nearly double. Given that the size of data is forecasted to grow fivefold during this time period, cloud services are central to extracting economic value from data by storing and sharing it. If data is the new oil, cloud services are the wells, rigs, and pipelines fueling the digital economy.

To maximize opportunity from this wider digital transformation, the Commission adopted last year a strategy for data (see our previous post), including cloud services.  Below, we list several cloud initiatives planned for 2021 and 2022, as the EU is expected to rebound from the Covid-19 pandemic at nearly 4% GDP growth per year (approximately twice its historical average). As some European officials have noted, the full value of data is still an open and evolving concept and can fluctuate even more than oil prices. Likewise, the rules and standards that should apply to cloud services are an open policy field, where the European Commission and EU Member States have not made ultimate decisions and require complex analysis and input from the industry and other stakeholders.

The privacy and public policy team at Covington will keep monitoring any further initiatives in this space and identify engagement opportunities to help shape the emerging policies.

  • EU Cloud Federation

In the first quarter of 2021, the European Commission, together with Member States, will create a European Alliance on Industrial Data and Cloud.  The purpose of this alliance is to develop an EU Cloud Rulebook that will include self-regulatory norms and standards regarding security, energy-efficiency, data protection, interoperability and fair competition.  The Alliance will be composed of representatives from Member States, cloud computing providers and industrial cloud users and should mobilize up to €10 billion for the creation of a European Federated Cloud.

In October 2020, the EU Member States signed a declaration to build the next generation cloud for businesses and the public sector in the EU, a so-called EU Cloud Federation.  The European Federated Cloud is meant to be a set of joint technical solutions and policy norms in order to foster EU cloud services that are interoperable across Europe.  These technical solutions and policy norms should offer a high standard in terms of data protection, cybersecurity, data portability/reversibility, interoperability, transparency, openness, energy efficiency, performance and reliability.

  • Cloud Certification Scheme

In December 2020, ENISA launched a public consultation on a new draft candidate cybersecurity certification scheme (“EUCS”) in a move to enhance trust in cloud services across Europe.  The consultation was open until February 7, 2021. The draft EUCS is a voluntary program that will offer certificates valid across the EU for 3 years (with the possibility of renewal).  It is applicable for all kinds of cloud services and covers three assurance levels: “Basic,” “Substantial,” and “High.”

  • Data Space Initiatives

In the next five years, the European Commission intends to fund the establishment of EU-wide common, interoperable data spaces in strategic sectors, which will operate on cloud services. In November 2020, the European Commission proposed a Regulation on European Data Governance (see our prior blog post), which aims to facilitate data sharing across the EU and between sectors.  The draft regulation will now be debated and negotiated by the European Parliament and the Council of Ministers. The Commission also noted that more specific proposals on European data spaces are expected in 2021, and will be complemented by a Data Act to foster business-to-business and business-to-government data sharing.

In parallel, the European Commission published in December 2020 its inception impact assessment of policy options to establish a European Health Data Space (“EHDS”).  The EHDS will provide a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data) throughout the EU (see our prior blog post).  In addition to the consultation on the inception impact assessment, the Commission proposes to organize several targeted consultation activities and events with stakeholders regarding the EHDS in 2021.

  • EU Data Protection Code of Conduct for Cloud Service Providers

Within the next couple of years, the Cloud Select Industry Group hopes to receive the European Data Protection Board’s approval of the EU Cloud Code of Conduct.  The code aims to set requirements and recommends procedures to raise the level of data protection in cloud services. In September 2020, the EU Cloud Code of Conduct General Assembly announced that they would add to the code a module on data transfers.  The Assembly hopes that the code can be used as an approved transfer mechanism and as an alternative to other transfer mechanisms such as standard contractual clauses.

  • Codes of Conduct on data portability and cloud switching

Before November 2022, the European Commission will evaluate the two codes of conduct on data portability in the cloud prepared by the working group on switching cloud providers and data porting (“SWIPO”): one for “infrastructure-as-a-service” and another for “software-as-a-service.”  The objective of the SWIPO Codes of Conduct is to reduce the risk of vendor lock-in by cloud service providers and allow end-users to easily switch cloud services.

  • European Open Science Cloud

In 2021, the Commission aims to establish a common framework for managing user identity and access and will put together standards, tools and services allowing researchers to find, access and reuse results stored in the European Open Science Cloud (“EOSC”). The EOSC is an environment for hosting and processing research data to support EU science.  It aims to develop a trusted, virtual, federated environment that cuts across borders and scientific disciplines to store, share, process and re-use research digital objects (such as publications, data and software) following FAIR principles.

  • Gaia X

In the first semester of 2021, Gaia-X aims to release the first European cloud products and solutions based on its framework.  Gaia-X is a project that aims to develop common framework for a European data infrastructure and create a consortium between public and private companies.  It counts with more than 300 members, amongst them many European and multinational companies.  GAIA-X aims to identify the minimum technical requirements and services necessary to operate the federated GAIA-X Ecosystem that respects the principles of Security by Design and Privacy by Design.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.