Guest blog post by Alban Schmutz, SVP Public Affairs at OVHcloud & Chairman of CISPE.
Take aim at the terrorists — not the infrastructure, nor private commercial data.
It is vitally important that Europe is able to address the terrorist threats we face. It’s equally important to ensure we do so in the most effective, targeted and proportionate ways.
Cloud infrastructure providers are extremely concerned about the implications of the Commission’s proposed Regulation involving online terrorist content. For one thing, it’s technically impossible for a cloud infrastructure provider to carry out the tasks described in the legislation. So we’ve been engaging in dialogue with policymakers, legislators and security specialists, particularly around the proactive measures included in the legislation that will require commercial organisations like us to – on behalf of the state – proactively monitor and filter all customer data and to block or disable content.
It goes without saying that we have unwavering support for the EU’s ambitions to crack down on terrorist and other illegal content. Our industry will continue to work diligently to remove any website for which we receive a judicial removal order, and to support sanctions for any cloud infrastructure providers that fail to do so. With this legislation, however, the EU is simply targeting the wrong players and is asking infrastructure providers to do the impossible.
At an even more fundamental level, the Regulation poses a security threat to the core data assets and services of many European industries, services and governments, potentially slowing down their digital transformation while immediately ending some of the protections brought in by the General Data Protection Regulation (GDPR) only six months ago.
So, what is the case for cloud infrastructure providers being excluded from the proposed Regulation, at the very least from provisions relating to proactive automated monitoring and filtering?
First, the Regulation is actually scoped for online content sharing services like social media and video sharing (you know who I mean) and not infrastructure. We provide the underlying IT infrastructure: a little like the power cables or water pipes in the ground that provide essential but also rather boring utility services for a city and, far more importantly, for its many thousands of buildings, businesses, public services and citizens (even if they’re not aware they’re using them 99% of the time). In short, cloud infrastructure providers provide the building blocks for businesses and governments to manage their data and build their own systems and services: we’re the enablers, not the controllers.
This means we can’t even distinguish between what is “a piece of content” and what is not “a piece of content” – so how could we possibly access, monitor and take down that content? Social media, video and online content sharing services do have that control, right down to the most granular piece of content made available by users on their platform, so they can delete an individual comment and image, or target individuals. We cannot. Indeed, to block or remove a specific comment or photo, the infrastructure provider may need to take down an entire website or service, closing down access for other related services and impacting a large number of other users, perhaps even closing down services altogether. It’s like asking the power company to turn off a single light bulb in a single apartment without shutting down power to the entire apartment block or city.
The wider ramifications are even more worrying. It really is unthinkable for the law to allow for the automated monitoring of the data held by cloud infrastructure users, such as public institutions (national governments, hospitals, law enforcement, EU Commission and Parliament, etc.) and companies and business professionals (lawyers, doctors, banks, insurers, utilities etc.) – none of whom typically make their content publicly available. For many industrial customers – building trains, designing aircraft and managing power plants – this could undermine the security of their operations and erode trust in the service.
Of course, we understand the tremendous pressure to deliver an agreement on this Regulation proposal, adopted by the Commission in mid-September, ahead of the forthcoming elections. But this does mean the Regulation is being rushed through EU legislative procedures, with numerous attempts to plug legal loopholes resulting in ambiguous language being added. Over the last weeks our member companies have heard from some parts of the Commission (not all) and some Member States that cloud infrastructure providers should be excluded. However, this is not written in the proposed Regulation.
Cloud infrastructure providers need clarity, not contradictory opinions or good intentions: legal clarity in the form of binding provisions, rather than ambiguous language and non-binding recitals, that excludes infrastructure providers from the scope of the Regulation. At the very least, such providers need to be excluded from Articles 6 and 9 – specifically the “automated monitoring measures” that will result in technology mandates forcing companies to snoop on all the data that public institutions and corporate bodies entrust to our services and do not make publicly available.