IT law and cloud computing specialists Charles Park and Christopher Mann of Pinsent Masons said that EU financial services rules also present a sizeable regulatory barrier to businesses in that sector that are looking to utilise the cloud.
A survey by Redwood Software, of 100 UK and 200 US senior IT decision makers at a range of companies with more than 1,000 employees, has revealed that 58% of US businesses use cloud computing for "private data storage" purposes compared to just 35% of UK firms.
The survey also showed that whilst 47% of US companies use cloud facilities for "capacity management", just 24% of UK firms do likewise. Fewer than half of UK companies have considered using the cloud to deliver a "more integrated supply chain", compared with 81% of US businesses, according to Redwood Software.
The software provider also said that its survey had recorded more positive attitudes towards cloud computing from US companies than from their counterparts in the UK.
Charles Park said that UK businesses may have an unduly negative attitude to the security associated with outsourcing.
"I think there is a more conservative approach towards, for instance, security risk," Park said. "The UK attitude is 'it is inherently less safe with a third party' whereas there is a strong argument the reverse is true, if you opt for a reputable supplier with industry-accredited security levels. The industry has generated a lot of hype, so caution, if not scepticism, is understandable."
Park added that the greater prevalence of start-up firms in the US is likely to be another factor, as the pay-to-use model suits their cash flow requirements. Christopher Mann said that cloud providers may have engaged in more "lobbying" for business and on regulatory issues in the US because of the complex nature of operating in the EU market. However, he said there had been signs that this trend was changing.
"The approach to regulation in the EU is pretty fragmented – in spite of intentions to the contrary," Mann said. "This is particularly so in the cloud space given that relevant rules, even if they are somewhat harmonised, can be approached and interpreted differently. I expect this compounds the tendency for providers to see the US as a bigger market and so prioritise any necessary lobbying there. However, we have seen cloud providers lobbying in the EU of late – part of this may be the natural progression as the US market becomes more saturated."
Last year the European Commission outlined plans to create new model contract terms that businesses could use in forming contracts and service level agreements with cloud computing providers in a bid to improve businesses' trust in using cloud technology. The European Telecommunications Standards Institute (ETSI) has also been asked to help set out what new standards are required for the way that cloud services work. Those standards could relate to data security, interoperability and data portability, the Commission said.
Shortly after the Commission had issued its 'communication', titled 'Unleashing the Potential of Cloud Computing in Europe', financial services expert John Salmon of Pinsent Masons warned that the document contained insufficient detail to guide firms in the sector in their efforts to comply with EU auditing requirements.
"No mention is made of what an organisation should do when faced with conflicting demands from EU and foreign regulators in respect of the same data," Salmon said in his blog at the time. "It seems that the consensus among financial regulators across Europe is that the Markets in Financial Instruments Directive (as amended) (MiFID) ties their hands in respect of cloud auditing requirements, at least for organisations bound by its requirements. As a consequence, the FSA in its interpretation of the Senior Management, Systems and Controls sourcebook must follow suit."
MiFID states that investment firms must in respect of the outsourcing "of critical or important operational functions or of any investment services or activities ... take the necessary steps to ensure that ... the investment firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access."
Salmon had said that the Commission had missed an opportunity to provide practical guidance on how financial services firms could comply with the MiFID rules in the context of cloud computing.
"The EU's strategy could have stated that 'effective access to data' may not in all circumstances be taken to mean that a customer must be able to detail the exact location of data at all times," he said. "It also could have questioned whether 'effective access to business premises' requires physical inspection. Had the Commission taken this approach, it could have gone a long way to achieving its stated purpose of moving European markets, especially financial ones, toward becoming 'cloud-active' as the communication put it."
The Information Commissioner's Office (ICO) has previously outlined its conditional support for businesses using independent auditors of cloud providers' data and security practices when evaluating whether cloud providers meet the standards required by the EU's stringent data protection rules for the processing of personal data.