The $35 billion figure springs from a recent survey by the Cloud Security Alliance, which found that 56% of 500 respondents said the disclosures by the fugitive NSA systems administrator would cause them to lose non-U.S. business. Canada, plus Germany, France and other European countries, have rules that require companies to guarantee the privacy of data that originates within their borders. Most comply by keeping the data on storage inside its country of origin.
Daniel Castro, an analyst at the Information Technology and Innovation Institute, a technology think tank, used that figure to project that U.S. cloud service suppliers are likely to lose $22 billion to $35 billion in business to European rivals over the next three years. The rivalry is already well entrenched, with European governments investing in future competitors of U.S. companies.
Castro reported that Jean-Francois Audenard, the cloud security advisor to France Telecom, "said with no small amount of nationalistic hyperbole, 'It's extremely important to have the governments of Europe take care of this issue. ... If all the data of enterprises is going to be under the control of the U.S., it's not really good for the future of the European people.''' France recently invested 135 million Euros in a joint cloud venture with French business.
[ What can you learn from the NSA? See The NSA And Big Data: What IT Can Learn. ]
The losses by U.S. companies could be greater, concluded James Staten, lead cloud analyst at Forrester Research, after reviewing Castro's report. Castro's analysis looked only at the business that might be withdrawn from U.S. providers by foreign companies and concluded that 20% of that business was at risk of going away regardless of security questions. Staten said some cloud users in the U.S. will also have to bypass U.S. cloud providers and move part of their business overseas to satisfy their international units and customers. That would add $10 billion to Castro's total, he said.
"European Union rules require data about EU citizens be stored and retained in the EU ... so seeking an EU-based cloud provider or non-cloud IT provider would be a prudent tactic for a U.S. business," Staten noted in a lengthy blog post dated Aug. 14.
Staten wrote that Neelie Kroes, European Commissioner for Digital Affairs, summarized the problem: "If European cloud customers cannot trust the United States government, then maybe they won't trust U.S. cloud providers either. ... If I were an American cloud provider, I would be quite frustrated with my government right now." Between now and 2020, the consequences may be a shift in billions of dollars worth of business away from American suppliers to European suppliers, Kroes predicted.
The data privacy rules don't only apply in European countries. Canada has strict requirements on its citizen's medical records. Since the U.S. Patriot Act was passed, Canada has forbidden medical information on its citizens to be stored on U.S. servers. It's unlikely that concern would be eased by the Snowden revelations.
Pat O'Day, co-founder of the VMware-compatible cloud service, Bluelock, said there are many VMware customers in Canada that have an interest in a cloud supplier for backup and recovery purposes. Bluelock offers such a service, geared to work with the VMware product set. But he finds Toronto customers moving their data across the continent to suppliers in Vancouver "just to keep it on the north side of the border," rather than turn to a closer provider in Indianapolis.
"Both data and IP concerns were already driving decision-making behavior for our northern neighbors due to the Patriot Act. But the recent NSA situation is unfortunately underscoring and exacerbating the issue," O'Day said in an email.