The European Union's General Data Protection Regulation (GDPR) will impose rules and costs on cloud computing companies so onerous that it could help big players - such as Amazon, Google and Microsoft - to dominate Europe's cloud computing market.
That is the warning of data protection expert Kuan Hon, consultant lawyer at law firm Pinsent Masons, speaking at the recent Cloud and Infrastructure Summit 2016.
The GDPR, she says, blurs the distinction between data controllers and data processors, with responsibility flowing down the digital supply chain and adding an administrative burden on both the companies commissioning services and the services companies themselves.
Between now and 25 May 2018, companies with cloud contracts will need to make sure that those contracts are updated to take account of the introduction of GDPR - there will be no transitional arrangement whereby old contracts are allowed to expire before they are changed.
"[It will be a] big change for sub-processors," said Hon. "Prior consent will be needed and notification of changes, as well as what they call a 'terms flowdown'. So, for example, you could have a contract with a software-as-a-service (SaaS) provider, which has to have certain minimum terms under GDPR.
"However, the SaaS providers' contract with their own infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) provider also needs to have pretty much the same terms because that's a requirement of GDPR. It's really hard to know how far down the chain this has to go," said Hon.
"This is not just cloud computing, this is all supply chains," she added.
But for UK and European companies in cloud computing, enforcing the required terms and conditions on their suppliers might not be possible - unless they are as large and as powerful as Microsoft, Google and Amazon.
Hon believes that this could be an unintended consequence of the new laws.
The EU, on the one hand, wants to encourage small and medium-sized enterprises (SMEs) in cloud computing and technology with initiatives such as the Digital Single Market. But, on the other hand, laws like the GDPR set a high bureaucratic barrier that start-ups and SMEs may struggle to overcome.
"Because of the 'flow down' requirements it may be impossible for a cloud provider to actually comply with all of these requirements, unless they are one of the giants; one of the Amazons, Googles or Microsofts, because they control the supply chain and they can force these flowdown provisions.
"[But] if you're a small SaaS provider, and you are trying to negotiate with Amazon, Google or Microsoft, it's going to be hard to get them to accept these extra obligations. Some of them might, but it's going to be difficult. So, really, I believe this is going to drive business towards the cloud giants who control their supply chain," warned Hon.
Last week, it was suggested that if organisations in the UK had been subjected in recent years to the same data protection regime as the GDPR will introduce, they could have been hit by fines totalling £122bn.