The migration of computing into a cloud of massive data centres spread all over the world is giving regulators a headache as they find themselves on the back foot of an industry-driven trend.
Policy Summary
The term ‘cloud computing’ describes a whole range of infrastructure, software, data or applications residing in the ‘cloud’ – that is to say, off your own premises and accessed via the Internet.
A study carried out by the University of Milan, published in late 2010, estimated that cloud computing has the potential to create 1.5 million new jobs in Europe over the next five years.
The greatest commercial benefit of the cloud is that the services that use it can hone economies of scale by cutting out hardware costs and reducing their costs per unit as demand increases.
For customers, it makes tons of information potentially accessible from any device that is connected to the Internet.
While businesses and governments wax lyrical about the benefits of cloud computing, EU regulators have been more wary, as further take-up of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside national borders or even on other continents.
Despite the EU’s best efforts, laws to protect and store data are outdated and cannot cope with the legal problems presented by cloud computing, such as determining who owns data which is no longer handled in situ.
When a company processes data in the UK, stores it on a server in Ireland but sends it via France – as it may have a subsidiary there – it is not yet clear which country’s law would prevail in a legal dispute.
Regulators who have recognised this maze of unanswered questions are busy consulting industry and data protection authorities, while industry is busy trying to make its mark on an as yet unformed legal framework.
In November 2010, EU Digital Agenda Commissioner Neelie Kroes called for cloud-computing providers to build data security into their services and products. And at the 2011 World Economic Forum in Davos, she said the EU was working post-haste to update its data protection rules.
The Commission will consult with industry and data protection authorities this year before releasing its cloud computing strategy in 2012.
Issues
Who is accountable?
Cloud computing comes mainly in three guises:
* Infrastructure (data centres);
* Online platforms (operating systems); and
* Applications (web-based email, online office applications, file-sharing).
The industry-led trend is being touted as a utility of the future, like gas or electricity. Some applications, such as online office documents developed by Google, even threaten to derail industry giants such as Microsoft’s Office.
But it is a utility that relies and will continue to rely on data stored across borders, forcing businesses and regulators to demand the same laws on data and privacy pretty much everywhere.
Aside from uncertainty over which countries’ laws are applied, the Queen Mary Research Centre in London has identified two other key legal concerns that are making businesses and governments think twice:
* Some cloud providers keep the location of the data secret, putting users off; and
* Users may not have a direct relationship with the provider, who may outsource to one or more other storage or processing providers. This blurs the line between data controller and data handler, raising the question: who owns the data?
In a recent speech, EU Digital Agenda Commissioner Neelie Kroes explained that every European citizen or company should know two things: that their cloud supplier protects their personal data in line with EU rules and that the governments of all countries hosting servers have adequate data protection and privacy rules.
The Article 29 Working Party, a group of experts from national data protection agencies, argues that the European Union should apply the law of the country in which the service originates, i.e. the data centre’s location.
The cloud provider industry, including the likes of Microsoft, Amazon and SAP, to name a few firms, would like an international agreement either under trade rules or in international fora to harmonise the legal regimes relating to data.
Where to put my data?
Some data protection authorities would prefer to have servers with EU data inside the bloc to make life easier for regulators and lawyers alike.
Within the US government, data that is classified as low risk can move to an offshore centre, while medium and high-risk data stays on American shores.
However, for commercial data that seems an unrealistic ask, as everyone knows that call centres, which process data on servers in India, for example, can’t all migrate to the EU.
In the EU, this will be a decision left to member states. In Germany, for example, local authorities are asked to store data within the country’s borders. These guidelines do not of course affect commercial data.
Rewriting data protection rules
The European Commission admits that its Data Protection Directive is outdated and is currently reading industry responses to a consultation before reviewing the law.
The current directive sets out guidelines for data controllers who process and handle the data. But the EU will need to tweak these definitions, as cloud computing allows the processing and handling of data to be carried out at a far-flung data centre if businesses so wish.
The current Data Protection Directive requires data to either be stored in the European Economic Area (EEA) or in a territory that has equivalent legal privacy laws.
As of September 2009, the Commission decided that Argentina, Australia, Canada, Switzerland, the Faroe Islands, Guernsey, the Isle of Man, Jersey and the United States had adequate protection for privacy.
Money talks
The enthusiasm for cloud computing stems mainly from the huge cost-savings businesses and governments are promised by moving their IT systems to the cloud.
The global cloud computing market is estimated to be worth €40 billion by 2014.
Ireland’s tech-driven economy was told by Microsoft it should rebrand itself as a cloud computing hub to gain 20,000 jobs. Annually, that could bring €9.5 billion in sales by 2014, and provide 8,600 jobs, according to a recent study by the Goodbody consultancy.
One of the key economic drivers for the current level of interest in cloud computing is the fact that businesses can scale down their costs as the cloud allows them to “pay as you go”.
Pay per use, in tech terms, means smaller firms can concentrate on paying their operational IT costs alone and get on with getting their services to market. Add to that faster acquisition of the tools needed to get a business going, earlier market entry, higher returns on investment and a carbon-clear conscience, and it all sounds too good to be true.
The estimated cost savings are not lost on governments either, but the public sector is unsurprisingly more wary of moving its data to the cloud because of its sensitivity. Some countries, like Germany, even have rules against outsourcing public data.
The UK is busy building its G-Cloud, an onshore government-owned cloud infrastructure for public authorities, which is expected to bring about £3.2 billion (€3.76 billion) in savings per year.
As promising as the cloud sounds, the technology is still in an experimental phase, and in the EU, with a lack of regulation and different rules for different countries, take-up is not what it could be.
Security and data privacy
Cloud computing has been described as putting all of your eggs in one basket. But if that basket gets hit, is everything lost? What if everyone’s personal data, bank account details, credit history, criminal records and tax payments moved to the cloud and got lost?
Regulators will need to act quickly as new research shows that cloud providers are not being upfront about the services they provide.
A study by the Queen Mary experts in London concludes that cloud business contracts sometimes waive responsibility for data storage or delete data if it is not used for a while. Such contracts are usually difficult to understand as they sometimes amount to 60-page documents written in dense legalese. Many users, however, want the cloud precisely because they need to store data they no longer use but may well need in the future.
While essential security aspects are addressed by most tools, the cloud is potentially geographically vast and may need more prescriptive rules on data replication and distribution.
Customers are also concerned that they will no longer “own” their data, as they are not the de facto data handler if it is hovering in a cloud somewhere. This could also create difficulties in accessing data or in moving to another supplier.
In a recent survey, customers’ top concern was the security of their data in the cloud, followed by performance, privacy and cost.
The EU’s ePrivacy Directive, which was updated in 2009, created data breach notifications whereby any communications provider or Internet service provider (ISP) must inform individuals about data breaches of their personal information.
Germany, which in recent years has seen a dramatic increase in data breaches, revised its data protection rules to go beyond the EU regulation.
To try and smooth over legal discrepancies, the industry suggests that a worldwide agreement could be found under World Trade Organisation (WTO) rules for online services and software.
Positions
Viviane Reding, who was responsible for the ‘Information Society’ portfolio in the last European Commission, described cloud computing as an important tool for SMEs to generate business: “If SMEs could access computing power over the Web, they would no longer need to buy and maintain technologies or IT applications and services. Such Web-based services are the medicine needed for our credit-squeezed economy.”
EU Digital Agenda Commissioner Neelie Kroes said: “If we want our digital markets to grow, users need to feel comfortable spending online. If companies are to take advantage of all the potential benefits of ‘cloud computing’, they need to know their business secrets will not be intercepted.”
DigitalEurope, a trade association representing the European information and communications technology industry, said: “The rules governing international transfers of personal data outside Europe are outdated and bureaucratic. They are unfit in the era of cloud computing. They make it complex and burdensome for companies to comply with applicable rules, they are inconsistent with the goal of a Digital Single Market, and they do not lead to a better end result.”
“The law needs to catch up,” said Brad Smith, general counsel at Microsoft. “Cloud computing is a critical part of the future and quite central to all that we’re doing.”
EuroCloud, the pan-European cloud computing business network, said: “Customers are sending us a signal, ‘please make technology as easy as possible’ – rethink the IT model in offering immediate availability, anywhere, anytime, and at a predictable cost. That’s what the cloud represents […] The opportunity is incredibly huge: to imagine, create and build a new worldwide industry.”
Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), believes cloud computing is an attractive solution for governments seeking to save money on IT systems. “Since we are in a time of belt-tightening, this new economic model for computing has found fertile ground and is seeing massive global investment.”
“With the development of cloud computing solutions, EU-US collaboration on cross-border data transfer is also essential,” said Luigi Gambardella, executive board chairman at ETNO (European Telecommunications Network Operators Association).
“The evolution in technology represented by cloud computing presents European businesses, governments and individuals with tremendous potential for efficiency gains and cost savings,” said Francisco Mingorance, senior director of government affairs for BSA (Business Software Alliance).
“It is time to step back and view the many ostensibly unrelated dossiers currently on the European agenda through the lens of cloud computing, in order to ensure the right policy environment is put in place to deliver on the promise of the cloud in Europe,” Mingorance continued.
“Given the fluidity of relationships in the supply chain of cloud computing services, it should be clear which data controller can be held accountable by data subjects and which DPA,” read a statement from the European Digital Rights Initiative, an NGO.
“There exists an urgent need to clarify existing data protection concepts and definitions such as ‘personal data’, ‘data controller’, ‘data processor’ and ‘consent’, particularly in light of technological developments, such as cloud computing, which do not fit clearly into one definition or another,” said Martin Whitehead, director of GSMA Europe, which represents the European mobile phone industry.
“Gaining and maintaining the trust and confidence of individuals that their information is protected and secured (and assured that it is being used appropriately for the reasons for which it was collected) will be a challenge that must be faced and addressed not only by organisations but also the current legal and regulatory framework,” read a statement from IT security firm Symantec.