European Open Science Cloud: opportunities & risks European Open Science Cloud: opportunities & risks

The EU’s European Open Science Cloud goes live this year — offering secure and seamless access to a vast store of European scientific research data. Initially open to research and educational institutions, access will broaden to public and commercial sectors. Is your organization ready to use it?

The EU’s multi-billion euro project to create a cloud-based platform to share research data across the European scientific community is due to go live later this year. Initially launched in 2016 as part of the European Cloud Initiative, the European Open Science Cloud (EOSC) aims to use the vast stores of unused data as a resource for innovation.

The EOSC offers high-performance computers to store, process and manage data as well as high-speed connectivity to securely share it. By offering access to a wealth of scientific data across disciplines, the cloud platform will help bring new solutions to market and ensure EU-science continues to play a leading global role.

The EU Commission President Ursula von der Leyen, speaking at the World Economic Forum in Davos in January 2020, explained that EOSC will add new value to vast stores of unused data. She emphasized that "data is a renewable resource as much as sun and wind" and that "every 18 months we double the amount of data we produce, 85 percent of which is never used".

Aligned with the EU’s Digital Single Market strategy, the EOSC will initially offer European educational and research institutions the possibility to access and reuse the publicly funded research data. Broader public and commercial access is to follow.

It’s not yet clear what usage restrictions and embargoes may be applied, but as soon as the governance and usage framework are finalized, access will open up to the broader public sector, commercial enterprises and international players. Although it’s meant to be free for scientists and educational institutions — commercial players could be required to pay for access.

As the "protection of a person’s digital dignity" is the "overriding principle" behind the EOSC’s handling of data, von der Leyen also announced, that the EU Commission will introduce new privacy rules for artificial intelligence, separate from the EU’s General Data Protection Regulation (GDPR).

Until these new rules are complete, the GDPR’s provisions as well as the exceptions set out in the laws of the member states will be applied. These regulations strike a balance between the principles of freedom of academic scientific research and education and the right of informational self-determination.

It’s important to emphasize the GDPR contains various requirements which also apply to research and education. These requirements apply to Swiss organizations where:

• processing activities relate to the offering of goods or services to data subjects in the EU,
• monitoring of data subjects' behavior is made, as far as their behavior takes place within the EU, 
• organizations contractually agree on the application of the GDPR.

The new requirements under the GDPR for research and educational institutions focus, in particular, on transparency and documentation requirements, such as the conditions for consent (Art. 7), the establishment of records of processing activities (Art. 30), data protection impact assessments (Art. 35) and complying with the rights of data subject (Art. 12-22).

At the same time, the GDPR provides a series of derogations for the processing of personal data for scientific or historical research purposes or for statistical purposes, such as for the:

• general purpose limitation (Art. 5 (1) b)
• storage limitation (Art. 5 (1) e)
• general prohibition of the processing of special categories of personal data (Art. 9 (2) j)
• information to be provided to data subjects (Art. 14 (5) b)
• right to be forgotten (Art. 17 (3) d)
• right to object (Art. 21 (6)).

Additionally, member state law may also provide further derogations for the processing of personal data for scientific or historical research purposes or statistical purposes (Art. 89 (2)).

Cloud solutions may offer a significant added value with regards to the flexibility and scalability of services, the availability of data, the increased security for processing, costs and required resources.

However, you must consider the typical requirements and pitfalls associated with using cloud solutions. This will continue to affect also those areas which are out of the focus of the EOSC, such as an organization’s HR data management, accounting and procurement.

A major obstacle to using cloud services is the lack of knowledge about the details of the various cloud services (e.g. IaaS, PaaS, SaaS) and cloud platforms (e.g. Public, Private or Hybrid clouds) and the legal and regulatory obligations and restrictions (e.g. data protection law and special confidentiality obligations).

There’s also often a poor understanding of the coherent risks (e.g. loss of control over data, misuse of data, access by foreign authorities) and risk-mitigating measures (e.g. encryption technologies, such as encryption in transit and at rest; keep control over encryption key management) and financial aspects.

As long as an organization has no transparency about these aspects, it does not have an adequate basis for a decision making to using or not to using cloud solutions.

It is therefore advisable for an organization to address the requirements of cloud solutions and the cloud-specific challenges at an early stage.