Why should governments wait to follow the European Commission's lead before legislating for cloud computing services within their national boundaries? And what binding rules apply anyway?
It is a law among emerging technologies that is almost as immutable as Moore's Law itself: formal legislation around a technology will necessarily lag x years behind. For the period of x, the regulatory environment for the given technology will appear woefully inadequate to dispassionate observers. So it goes with the burgeoning cloud-computing services market.
But while that inevitable lag means there is little, if any, cloud-specific legislation currently in operation, there are clear rules around IT outsourcing and data protection that are equally applicable.
As it currently stands, European data-protection law is derived from the Data Protection Directive (DPD) 95/46/EC adopted by the European Commission (EC) in 1995, which was drafted without knowledge of the then-nascent Internet, or of the development of online or cloud-based services, and which therefore can seem arcane when now applied to ICT management issues and disputes.
"The problem with legislating for specific technology is that by the time you do it, it is already out of date," says Alexander Brown, ICT partner at legal firm Simmons & Simmons. "There is so much legislation coming out of the EU which adds another layer of time... It started reviewing the existing Data Protection Directive two years ago, and it is likely the [outcomes] will not come into force until 2014-15, so there is a five-year lead time on changing the law. And five years is a lifetime in [this area of] technology."
The aim of that original directive was to create harmonised data-protection laws across Europe; but, in practice, countries have all applied its terms in slightly different ways, leading to a patchwork of different legal obligations for businesses operating in countries across Europe. This is a key point, because these days most commercial entities operate internationally, owing to the Internet. Further data-protection regulations often apply to specific industries (financial data, for example, is regulated in the UK by the Financial Services Authority (FSA)), and cloud service providers and their customers need to take these into account when developing their strategies.
In January 2012 the EC proposed a comprehensive reform of the EU's 1995 data-protection rules, seeking to "strengthen online privacy rights and boost Europe's digital economy". "A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3bn a year," claimed EU justice commissioner Viviane Reding. "The initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs, and innovation in Europe."
Despite the absence of specific regulation pertaining to cloud computing, and barring a few significant differences around data location, the migration of data, applications and services to a hosted cloud platform is simply another type of outsourcing – itself a business model which is already well-governed.
As is often stated, there is nothing particularly new about the cloud-computing proposition or operating model; so, in theory, existing laws and regulatory compliance requirements as they apply to the standard practice of enterprise computing should apply just as well to cloud. The extent to which terminology and jargon have a bearing on the legalities has yet to be fully tested.
"If you look at the 'cloud' as just another form of outsourcing, any regulation that applies to outsourcing equally applies to the cloud," says David Bradshaw, analyst at market research firm IDC. "It is not a brand-new type of service delivery, but a well-developed area. The complication with the cloud is that the data centre where a server is located could be in another country, another continent – the US, Ireland, Germany, or elsewhere."
Meanwhile, there are definitely clear rules around outsourcing, some specific to vertical markets like financial services, asserts Luke Scanlon, technology lawyer at legal firm Pinsent Mason, "but the key difference with the cloud is that we are talking about the virtualisation of assets and infrastructure and transfers to locations that a lot of the time are undisclosed and which could be stored in multiple areas of jurisdiction".
USA Patriot Act 'not unique'
There are two related but separate areas of legal jurisdiction which are directly applicable to the cloud services market, however, according to Scanlon. The first, most visible aspect is that of 'data sovereignty' – rules governing how and where certain data sets should be stored within national boundaries and outlining the rights of governments to access that data whenever they need to do so.
One item of legislation that has had a profound effect on the cloud data sovereignty debate is the USA Patriot (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act, which some lawyers consider one of the most misunderstood laws ever drafted. Enacted by the US Congress after the 11 September 2001 terrorist attacks, the Patriot Act, among its many provisions, allows the US government to demand access to personal data stored by US-registered cloud service providers in data centres outside the US.
It has been demonised in some quarters, with European cloud service providers using it as a stick to knock their US counterparts – claiming, for example, that customer data is safer with them beyond the reach of American authorities. In fact, says IDC's David Bradshaw, the Patriot Act is probably the best example of clear legislation pertaining to data protection in the cloud services market that has been enacted to date.
"The Patriot Act is a great piece of legislation with a very stupid name," says Bradshaw bluntly, "and actually the gold standard on how you control data privacy and the closest thing in the world to clear rules on government interference in the matter; most EU countries, and particularly the UK, have nothing like it."
Many IT strategists are deterred from keeping sensitive data in the cloud because of fear of government intervention and possible legal action, according to a February 2013 survey from Lieberman Software. It suggested that government and legal interference put off 48 per cent of respondents from entering the cloud environment. "IT managers do not want governments snooping around in their corporate data," says Lieberman Software president/CEO Philip Lieberman. "If a government or official body wanted to see what data a company was holding in the cloud, the cloud host involved would be legally obliged to provide them with access. This means there is very limited privacy in cloud environments. IT managers know it is much easier to hide data within their own private networks."
And, despite a few media scare stories and blatant marketing hogwash, European governments already have the right to access personal data stored in the cloud under various international crime and counter-terrorism rules. Simmons & Simmons recently undertook an analysis on behalf of a US cloud service provider which looked at government rights of access in five European countries, for example: it found that governments can invariably acquire rights of access to data stored in cloud services when they want to.
"Funnily enough, the rules are not dissimilar to the Patriot Act," says the firm's ICT partner Alexander Brown, "and because of rules with EU member states and mutual law enforcement arrangements, it is actually much easier for the German government to get hold of data residing in the UK than it is for the US government to get hold of data that is residing in Germany."
Pinsent Mason's Luke Scanlon adds: "Various governments do have legislation covering voluntary access – and sometimes involuntary access – to data that is stored in the cloud."
Compliance and the cloud
Separate from the issue of so-called data sovereignty is the verification of compliance requirements, which relate to data security and protection and to the rights of individuals to control data pertaining to them. The difficulty here is how to verify compliance, usually achieved by allowing regulators to conduct audits, a process often complicated because the information is stored on virtual resources spread across multiple legal jurisdictions.
"It is often not clear where the data is at any one time, and customers need to allow for that in the contracts they sign with cloud service providers," Scanlon says. "In the UK, the Information Commissioner's Office (ICO) takes the view that independent third-party certification could be used in lieu of exercising its own auditing rights, but the other side of that is specific rules on exporting data outside the European Union, and these need to be respected unless there is agreement beforehand."
As a heavy consumer of cloud services, the EC has proposed a strategy that includes a set of pan-European standards for the cloud service market as part of a wider move to encourage broader adoption of cloud services among European businesses and public-sector organisations.
The four key aims involve ensuring data portability – making it easier for customers to migrate workloads and data from one cloud service to another; an EU-wide certification of trustworthy cloud service providers; model contracts for cloud computing that make legal obligations clear; and a 'European Cloud Partnership' between the public sector and the cloud industry tasked with identifying the specific needs of government institutions and making sure European cloud service providers can meet them. The partnership is seen by some on the other side of the Atlantic as a form of protectionism against incursion by US competitors, but has been welcomed by technology vendors for (at least) providing a greater degree of clarity.
Precise details are yet to emerge, particularly around the legal obligations, but the proposal will rely heavily on the draft Data Protection Regulation formulated by the EU Article 29 Working Party. This calls for harmonisation of member states' disparate national laws concerning digital content and the location of data, and for fair standards of compensation in the event of downtime, ownership of data and dispute resolution.
"The EC legislation is welcome because it tightens up the rules on privacy, which is not so much an issue in the UK, but certainly is in Germany and other EU countries," explains David Bradshaw at IDC. "In terms of developing the cloud services market it is levelling up the treatment of data privacy, rather than down, and the EU is keen to promote adoption of cloud within member states, particularly smaller businesses."
It is impractical for national governments to press ahead with their own legislation around cloud-computing requirements until the EC has implemented its proposals, says Pinsent Mason's Scanlon; this is one reason why the public-sector initiatives that have emerged so far have focused on best-practice guidance and service provider certification efforts. The UK G-Cloud initiative, for example, deals only with how government departments procure cloud services, rather than mandating how they should be regulated.
"The difficulty there is that the law throughout Europe is subject to EU legislation and that is in a state of flux because of data-protection regulations," Scanlon continues, "so until those laws are finalised it would be unwise [to proceed] – any approach different from the EU approach would only be in place for a couple of years. National regulators need to ensure that they interpret those regulations so they are in compliance with those laws, and certainly the ICO is working with regulators from other nations along those lines."
One additional challenge is that most cloud services and providers are set up as international operations for redundancy and resiliency reasons, making it even more difficult for one European government to introduce practical legislation on a sovereign basis. The more connected the world becomes, the less joined-up are the rules governing that connectedness, it seems.
"National governments want to encourage the adoption of cloud computing with the public sector," (see 'Gathering clouds', E&T Vol 8 Issue 2) "but they could not dictate the relaxation of any regulation that might apply, because they would make themselves a hostage to fortune and set themselves up for something to go wrong and blame to be applied," says Alexander Brown at Simmons & Simmons. "Also, so much regulation comes from Europe, so it is not really for the UK government for example, which already has a more lax data protection regime than Spain, Germany or France, to change things."
The experts' view is that companies should worry less about the law and more about understanding the differences between the various elements of cloud services and how applicable they are to their own business needs.
"I am not that sure the situation is that unclear," says IDC's David Bradshaw. "Ultimately the CIO of any organisation is responsible for what happens, even when the processing is trusted to a third party, so it is up to them to ensure that the third party is capable and trustworthy, and that does not really change. Rather than get stuck on the legal issues, government departments need to make sure they comply with legal requirements but check that the service works as they need it to."
Simmons & Simmons regularly gives legal advice, primarily to corporate customers, on what data assets can and should be stored within cloud services, and what should remain within the control of their own IT systems in accordance with UK data protection rules. It also gives counsel on negotiating the individual terms of cloud services contracts and service level agreements.
"Clients have to understand what they are buying, whether it's SaaS (software-as-a-service), IaaS (infrastructure-as-a-service), or PaaS (platform-as-a-service), public or private cloud, and everything in between – and precisely what they are going to get out of the deal," declares Alexander Brown.