Source: European Parliament
The Commission aims to support an enhanced availability and uptake of European cloud solutions across the EU through the upcoming Cloud and Artificial intelligence Development Act[1].
The main objective is to at least triple the EU’s overall data centre capacity within the next five to seven years[2] and ensure that highly critical use cases in the EU are served by highly secure EU-based cloud capacity[3].
The Act will be complemented by a single EU-wide cloud policy for public administrations and public procurement[4].
Moreover, the Commission has approved the ongoing implementation of the Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services[5].
Also, through the co-financing under the Digital Europe Programme, the Commission also supports the deployment of an EU marketplace for federated cloud services[6] to facilitate the provision and the procurement of cloud services across the EU by EU cloud service providers[7].
The Commission’s adequacy decision on the EU-US Data Privacy Framework[8] is based on the key safeguards included in Executive Order 14086 (EO 14086) adopted by the President of the United States[9].
In particular, EO 14086 introduced safeguards to ensure that the collection and use of personal data of Europeans by United States intelligence agencies is limited to what is necessary and proportionate in pursuit of defined national security objectives.
Moreover, EO 14086 established the Data Protection Review Court, providing EU citizens with a redress mechanism with binding investigatory and remedial powers.
EO 14086 continues to be in place, providing key safeguards to data transferred from the EU[10], and addressing all the points raised by the Court of Justice in its Schrems II judgment[11].
- [1] Mission letter from the President of the European Commission to the Executive Vice-President-designate for Tech Sovereignty, Security and Democracy: https://commission.europa.eu/document/download/3b537594-9264-4249-a912-5b102b7b49a3_en?filename=Mission%20letter%20-%20VIRKKUNEN.pdf.
- [2] This will be achieved by streamlining the permitting procedures and improving access to suitable sites, energy and funding for data centres that meet ambitious resource efficiency requirements. This is an important opportunity for European data centre operators and cloud service providers will have an important role to play in meeting this objective.
- [3] Such highly critical uses cares in the EU are characterised by high sovereignty and operational autonomy requirements.
- [4] The aim will be to assist the Act’s implementation in the public sector, guide public authorities in their cloud procurement decisions and empower them to leverage their purchasing power more strategically.
- [5] IPCEI CIS/8ra Europe’s Next Generation Cloud Infrastructure and Services — 8ra: https://www.8ra.com/ Seven Member States will provide up to EUR 1.2 billion in public funding, expected to unlock an additional EUR 1.4 billion.
- [6] Project DOME DOME Mark etplace: https://dome-marketplace.eu/dashboard.
- [7] Such providers offer highly trustworthy, curated cloud services that serve the interests of crucial sectors dealing with sensitive data, such as the public sector.
- [8] Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (notified under document C(2023)4745) (Text with EEA relevance) C/2023/4745 OJ L 231, 20.9.2023, p. 118-229 https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
- [9] Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’.
- [10] Its requirements and safeguards have also been recently assessed in the Commission’s report of 9 October 2024 to the European Parliament and the Council on the first periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework COM(2024) 451 final: https://commission.europa.eu/document/25695177-8073-4ce3-bf81-eb816dc6b468_en.
- [11] C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), 16 July 2020, ECLI:EU:C:2020:559.