For the European Union, data is a core priority for economic growth, whether to facilitate personalized medicine or autonomous vehicles.  Between 2018 and 2025, the value of the data economy in Europe is projected to nearly triple, from €301 billion to €829 billion, and the number of data professionals is expected to nearly double. Given that the size of data is forecasted to grow fivefold during this time period, cloud services are central to extracting economic value from data by storing and sharing it. If data is the new oil, cloud services are the wells, rigs, and pipelines fueling the digital economy.

To maximize opportunity from this wider digital transformation, the Commission adopted last year a strategy for data (see our previous post), including cloud services.  Below, we list several cloud initiatives planned for 2021 and 2022, as the EU is expected to rebound from the Covid-19 pandemic at nearly 4% GDP growth per year (approximately twice its historical average). As some European officials have noted, the full value of data is still an open and evolving concept and can fluctuate even more than oil prices. Likewise, the rules and standards that should apply to cloud services are an open policy field, where the European Commission and EU Member States have not made ultimate decisions and require complex analysis and input from the industry and other stakeholders.

The privacy and public policy team at Covington will keep monitoring any further initiatives in this space and identify engagement opportunities to help shape the emerging policies.

  • EU Cloud Federation

In the first quarter of 2021, the European Commission, together with Member States, will create a European Alliance on Industrial Data and Cloud.  The purpose of this alliance is to develop an EU Cloud Rulebook that will include self-regulatory norms and standards regarding security, energy-efficiency, data protection, interoperability and fair competition.  The Alliance will be composed of representatives from Member States, cloud computing providers and industrial cloud users and should mobilize up to €10 billion for the creation of a European Federated Cloud.

In October 2020, the EU Member States signed a declaration to build the next generation cloud for businesses and the public sector in the EU, a so-called EU Cloud Federation.  The European Federated Cloud is meant to be a set of joint technical solutions and policy norms in order to foster EU cloud services that are interoperable across Europe.  These technical solutions and policy norms should offer a high standard in terms of data protection, cybersecurity, data portability/reversibility, interoperability, transparency, openness, energy efficiency, performance and reliability.

  • Cloud Certification Scheme

In December 2020, ENISA launched a public consultation on a new draft candidate cybersecurity certification scheme (“EUCS”) in a move to enhance trust in cloud services across Europe.  The consultation was open until February 7, 2021. The draft EUCS is a voluntary program that will offer certificates valid across the EU for 3 years (with the possibility of renewal).  It is applicable for all kinds of cloud services and covers three assurance levels: “Basic,” “Substantial,” and “High.”

  • Data Space Initiatives

In the next five years, the European Commission intends to fund the establishment of EU-wide common, interoperable data spaces in strategic sectors, which will operate on cloud services. In November 2020, the European Commission proposed a Regulation on European Data Governance (see our prior blog post), which aims to facilitate data sharing across the EU and between sectors.  The draft regulation will now be debated and negotiated by the European Parliament and the Council of Ministers. The Commission also noted that more specific proposals on European data spaces are expected in 2021, and will be complemented by a Data Act to foster business-to-business and business-to-government data sharing.

In parallel, the European Commission published in December 2020 its inception impact assessment of policy options to establish a European Health Data Space (“EHDS”).  The EHDS will provide a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data) throughout the EU (see our prior blog post).  In addition to the consultation on the inception impact assessment, the Commission proposes to organize several targeted consultation activities and events with stakeholders regarding the EHDS in 2021.

  • EU Data Protection Code of Conduct for Cloud Service Providers

Within the next couple of years, the Cloud Select Industry Group hopes to receive the European Data Protection Board’s approval of the EU Cloud Code of Conduct.  The code aims to set requirements and recommends procedures to raise the level of data protection in cloud services. In September 2020, the EU Cloud Code of Conduct General Assembly announced that they would add to the code a module on data transfers.  The Assembly hopes that the code can be used as an approved transfer mechanism and as an alternative to other transfer mechanisms such as standard contractual clauses.

  • Codes of Conduct on data portability and cloud switching

Before November 2022, the European Commission will evaluate the two codes of conduct on data portability in the cloud prepared by the working group on switching cloud providers and data porting (“SWIPO”): one for “infrastructure-as-a-service” and another for “software-as-a-service.”  The objective of the SWIPO Codes of Conduct is to reduce the risk of vendor lock-in by cloud service providers and allow end-users to easily switch cloud services.

  • European Open Science Cloud

In 2021, the Commission aims to establish a common framework for managing user identity and access and will put together standards, tools and services allowing researchers to find, access and reuse results stored in the European Open Science Cloud (“EOSC”). The EOSC is an environment for hosting and processing research data to support EU science.  It aims to develop a trusted, virtual, federated environment that cuts across borders and scientific disciplines to store, share, process and re-use research digital objects (such as publications, data and software) following FAIR principles.

  • Gaia X

In the first semester of 2021, Gaia-X aims to release the first European cloud products and solutions based on its framework.  Gaia-X is a project that aims to develop common framework for a European data infrastructure and create a consortium between public and private companies.  It counts with more than 300 members, amongst them many European and multinational companies.  GAIA-X aims to identify the minimum technical requirements and services necessary to operate the federated GAIA-X Ecosystem that respects the principles of Security by Design and Privacy by Design.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Bart Szewczyk Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He…

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth..

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign AffairsForeign PolicyHarvard International Law JournalColumbia Journal of European LawAmerican Journal of International LawGeorge Washington Law ReviewSurvival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.