Security: Prepared for the EU's New Data Protection Regulation?

21.05.2012

One of the new provisions most likely to affect non-European businesses attempting to do business in the E.U., or European businesses seeking to use non-European cloud service providers, revolves around data transfer to non-E.U. countries. The existing data protection laws already prohibit transfers of personal data to countries outside the E.U. that lack data protection laws of the same strength as the E.U.'s (the U.S., for instance) unless specific compliance steps have been taken.

"Prospective E.U. customers of SaaS services face significant legal hurdles if they wish to make use of third-party vendor software that runs through a Web browser and involves the hosting of the customer's data (including personal data) outside Europe," Graham Hann and Sally Annereau of Taylor Wessing wrote in a white paper commissioned by VMware and Ospero. They noted that the hurdles include security rules for diligence and oversight of outsourced processing, rules restricting exports of personal data outside of the E.U., and threats from overseas regulators' "long arm" requests for personal data.

"Concerns about the difficulty in overcoming these hurdles, worries about compliance risks leading to regulator enforcement, litigation and damage to reputation, coupled with uncertainty about the future shape of proposed E.U. law protecting personal data, have made E.U. business wary of switching to cloud-based SaaS solutions hosted outside of Europe," they say.

The proposed legislation would give organizations more options for dealing with this prohibition, specifically with regard to binding corporate rules (BCR), the internal codes a multinational business adopts to legitimize transfers of personal data between its own group companies.