CHAPTER 14
MANAGING LEGAL COMPLIANCE RISK AND PERSONAL DATA PROTECTION
Together with the widespread use of technology and the ever more important role it plays in business, the adoption of cloud computing technology is growing at an unprecedented speed. According to Eurostat, in 2014, 24 percent of large enterprises made use of public cloud computing services (Eurostat 2014), and Gartner predicts the strongly marked public cloud growth to continue, with an expected 18 percent increase to "almost $250 billion by 2017, including cloud advertising" (Anderson et al. 2013).
The vast majority of big businesses have already moved into the cloud as a consequence of its high capacity to enhance productivity, streamline information processing, and possibly above all decrease costs and increase margins. The US Federal Government has also recognized the power of cloud computing, exemplified in the federal cloud computing strategy that was designed as an outline for the adoption of cloud services by the government itself (Kundra 2011, p. 2).
The Asia Cloud Computing Association, an industry association that represents cloud ecosystem stakeholders in Asia, recently released a report titled "Asia's Financial Services: Ready for the Cloud – A Report on FSI Regulations Impacting Cloud in Asia-Pacific Markets," which covers the regulatory landscape for the cloud in Asia-Pacific and identifies regulatory obstacles in the adoption of cloud services in the financial services industry.
Based on their findings, the authors suggest five main recommendations for lawmakers:
1. There should be no separate regulations for the use of cloud providers.
2. Regulations should set out a transparent process to be followed for the adoption of cloud solutions (as with any other form of outsourcing), and no prior approval should be required for the use of cloud services.
3. The transfer of data to other jurisdictions must be permitted, subject to proper safeguards (e.g., security, business continuity, access, and audit).
4. Regulations should only identify the critical issues that must be addressed in outsourcing contracts which include cloud solutions. They shouldn't be prescriptive about the terms of an outsourcing contract which provides cloud services.
5. The use of independent third-party audits should be an acceptable alternative to audits carried out by financial services institutions (FSIs) and the regulators (Asia Cloud Computing Association 2015).
While the benefits of cloud computing technologies undoubtedly outweigh the risks, it is of utmost importance that the legal and regulatory aspects are fully understood and analyzed. In 2012, the European Commission adopted its "Unleashing the Potential of Cloud Computing in Europe" cloud computing strategy (European Commission 2012), which was last updated on February 27, 2015. The strategy itself is the final product of policy, technology and regulatory landscape analysis, and stakeholder consultation. The strategy aims to improve European GDP by 1 percent by 2020 as well as to create 2.5 million jobs in the EU by way of cloud adoption across a wide range of sectors. The strategy focuses on three main actions, namely (i) cutting through the jungle of standards, (ii) safe and fair contract terms and conditions, and (iii) the establishment of a European Cloud Partnership to drive innovation and growth from the public sector (European Commission 2012). We will now take a glance at each of these three main actions. First of all, we should look at the so-called jungle of standards.
The maze of standards present in the regulatory sphere represents one of the most significant challenges to the development of the cloud (OECD 2014, p. 5). In fact, the plethora of standards we can observe generates uncertainty concerning adequate levels of personal data protection, interoperability, and portability, and for this reason the European Cloud Strategy aims to establish publicly available clouds that are both open and secure, in full compliance with European regulatory standards (European Commission 2012, pp. 5–6). In the digital world, issues are often intertwined. Take, for example, the Digital Agenda's e-commerce Directive, which demonstrates that a primary hindrance in the adoption of the cloud is "the lack of appropriate standards in some areas, the lack of widespread adoption of existing standards and the potential for vendor lock-in due to the use of non-interoperable solutions" (European Commission 2012, p. 7). Organization of the jungle of standards would allow for adequate interoperability, data portability, and reversibility, critical considerations in the adoption of cloud computing services (Digital Agenda for Europe 2015). This will be achieved through the European Data Protection Regulation, a framework law that will foster an environment allowing for the safe adoption of the standards and codes of conduct that users need in order to verify security standards and the security of data transfers (European Commission 2012, p. 8). Cutting through the jungle of rules would mean allowing cloud users to experience interoperability, data portability, and, importantly, reversibility (Digital Agenda for Europe 2015).
Trust plays an essential role in cloud adoption, and in fact, the digital single market approach itself stresses the importance of the identification "of a proper set of criteria that can be certified in order to allow public and private procurers to be confident that they have met their compliance duties" (European Commission 2012, p. 9). These standards and certifications, in turn, can be referenced in the terms and conditions supplied by cloud service providers to support contractual fairness and transparency. As the Commission has pointed out, nevertheless, in its "Unleashing the Potential of Cloud Computing in Europe" communication, there's a need for specific frameworks that deal with criteria and certifications as well as with contract stipulations.
According to the commission, the objective of this cloud computing strategy would be the development of model contracts which would regulate:
1. Data preservation following the conclusion of the contract
2. Data disclosure and integrity
3. Data location and transfer
4. Ownership of the information
5. Direct and indirect liability, change of service by cloud suppliers, and subcontracting
14.1 DIGITAL AGENDA FOR EUROPE 2015
The European Cloud Partnership was established under the European Cloud Strategy to act as a place where industry and the public sector "work on common procurement requirements for cloud computing in an open and fully transparent way" (Digital Agenda for Europe 2014). Its steering board provides advice to the commission to facilitate the positive effects of the cloud in the economy, stressing the importance of the public sector as a defining aspect of the cloud market (Digital Agenda for Europe 2014a).
Moreover, the OECD stresses in "Cloud Computing: The Concept, Impacts and the Role of Government Policy" that standard contracts are often offered on take-it-or-leave-it terms, thereby not allowing the cloud customer to adequately negotiate contract terms that the client may not fully understand, resulting in considerable uncertainty even for the providers. Service-level agreements (SLAs) need to better address aspects such as outages, which could be promoted in policy through the concretization of industry codes of conduct (OECD 2014, p. 5).
Regarding privacy, the OECD observes that a genuinely global interoperable approach on the part of governments is the key to maximizing the potential for cloud deployment, suggesting that policymakers define "whose laws apply to the data stored in the cloud, including who can access this data" (OECD 2014, p. 6). Bradshaw, Millard, and Walden (2010, p. 44) emphasize the importance of careful examination of cloud contract terms and conditions specified for disclosure, data storage location, which is not always considered in contracts outside of the EU, and the identity of underlying service providers.
The terms and conditions of many cloud computing contracts represent legal challenges for the adoption of cloud services. This is underlined by Bradshaw, Millard, and Walden, whose research on the terms and conditions offered by cloud computing providers demonstrates that standard cloud contracts, in fact, provide a shallow level of certainty in comparison to outsourcing contracts (2010, p. 3). This chapter is inspired by the author's participation in two projects, CloudWATCH D3.5 Legal Guide to the Cloud: How to Protect Personal Data in Cloud Service Contracts1 and Cloud Security Alliance's Privacy Level Agreement [V2] A Compliance Tool for Providing Cloud Services in the European Union,2 each of which explores fundamental aspects of cloud computing contracts relevant to the study undertaken herein. Drawing heavily on this experience, the author aims to further an understanding of the legal compliance risk in the cloud, how it can be managed, as well as to...