European cloud laws are a mess, says Dominic Pollard. Let’s update them!
Legal, regulatory and compliance issues are often cited as the biggest barriers to the adoption of cloud computing services. And, after a rummage through the books looking for cloud laws, this is no surprise.
Cloud computing will inevitably open up this proverbial can of worms; as soon as an organisation outsources its data storage to a third party, in this case a cloud provider, there are serious considerations to be made. A lot of personal data has restrictions over exactly where it can be stored. Some must be kept within the country, some within the European Union. Furthermore, financial data must be stored for at least seven years while European data-sovereignty laws also require organisations to keep all of their customer data in the customer’s own country. This can become very difficult for international companies.
Patrick Van Eecke, a partner at global law firm DLA Piper’s Brussels branch, states that the emergence of cloud computing “exposed the age, formality, and complex application of the current laws”. Indeed, it is only when a disruptive influence enters the fray that people blow the dust off the gargantuan collection of law books and uncover exactly what oddities lurk inside. Did you know, for example, that in York it is perfectly legal to shoot a Scotsman with a crossbow upon seeing one, except for on a Sunday? This is an illustration, albeit an extreme one, of how legislation can often fail to keep pace with developments in the world around them.
EU says lock up your data
Current EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection.
Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein but makes transferring data outside of this area difficult.
While businesses and governments wax lyrical about the benefits of cloud computing, EU regulators have been more wary; further take-up of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside national borders or even on other continents. With many cloud providers hosting data in servers around the world, getting guarantees that satisfy the legislation of national and international governing bodies proves a difficult task.
Since the 1995 Data Directive many EU member nations have implemented their own policies with this legislation integrated into it. This has led to a set of rules which govern Europe being superseded by each country’s own legislation which has been built on top of it. This creates a confusing mesh of differing law books.
The point is made all the more poignant when brought into comparison with the cloud laws in the US which are comparatively far more relaxed.
Contributing to the trouble of ensuring everything remains above board is the lack of clear of uniform legislation around data ownership and data location, namely the fact that there is a distinct lack of new laws – either within the UK or the EU – to have been implemented since the advent of cloud computing. Here in the UK we have the Data Protection Act of 1998 which brought English legislation more in line with the European Directive of 1995. Both, while creating laws around how data can be used, how long it can be kept and where it can be stored, fail to account for the complexities of multinational cloud vendors.
Mark Webber, partner at law firm Osborne Clark and regular speaker at The Cloud Circle’s events, has stressed on many occasions that much of the legislation around the ownership, location and protection of data actually pre-dates the creation of the Internet itself.
In essence, the laws by which cloud users and suppliers are held accountable in the UK and Europe are outdated and ineffective, in turn this is stunting the growth of the market across Europe. Webber says: “As of today there is no specific ‘cloud law’. There is law that may be applicable to a cloud solution but as every cloud solution is slightly different you need to look under the hood and make an assessment as to what may be applicable.
“In fact, none of the current laws even contemplated cloud computing when they were drafted. Therefore, given some of the potential complexities of cloud solutions, the existing laws can present hurdles when implementing a cloud solution.”
If a company within the UK processes data locally which is then stored in a data centre in the Netherlands but is also sent and backed up in a server in Ireland, it is unclear which of the three nations’ laws would apply to the data. The absence of overarching EU legislation to help clarify laws surrounding the storage and transfer of data has created confusion around which law book reigns supreme. Moreover, there is the further problem of actually being able to decipher where your cloud provider is storing data as many fail to state exactly which data centre your files will end up in. The laws restricting personal data to within the EEA makes matters even more difficult too.
Breaking the shackles
One of the cloud’s greatest strengths is how it helps organisations break free of the shackles of on-premise IT infrastructures and think on a global scale. Furthermore, the reliability benefits of cloud are chiefly that data is backed up in multiple data centres. The cost savings it can deliver come about because the data centres are often located off the beaten track.
The time has surely come for the EU to implement fresh legislation for data hosted in the cloud which all member states can then adhere to. Rather than having outdated or conflicting pieces of legislation which create too many cracks through which either users or suppliers can slip, a complete updating of the 1995 European Data Protection Directive is now needed, with a far greater focus on cloud computing and the storage of data hosted and transferred in the cloud.
Andrew Stokes, chief scientist at Deutsche Bank Global Technology, demonstrated the need to address the problem when he said in his keynote presentation at the IT World conference a couple of months ago: “Each geography has its own unique sector and laws. We’re in 75 countries; we need a superset of these regulations that make sense and that we can comply with.”
Webber says: “Cloud legislation can be very complex and very difficult to fully comply with. At times, if strictly adhered to it may severely restrict the solution or available options. There are undoubtedly some who either elect to or simply negligently end up with an element of legal risk taking.”
The lack of clear legislation relating directly to data hosted in the cloud has resulted in a great deal of emphasis being placed on standards and accreditation from sources outside of the EU or national governments. The Cloud Security Alliance and the Jericho Forum, to name but two, are examples of organisations which have proposed guidelines and best practice tips for those storing data in the cloud. These involve ensuring you know where your supplier will be storing your data and taking due diligence to ensure that personal data does not end up anywhere it shouldn’t while remaining aware of the legal restrictions placed upon your data depending where the data centre it sits in resides.
The existence of such organisations underlines the lack of cloud-specific legislation, resulting in users and suppliers having to write many governance and compliance issues into Service Level Agreements (SLAs) themselves.
Increasing the law?
At least it is on the EU’s radar. A statement read: “Cloud computing will play a major role in tomorrow’s economy, creating new jobs and growth. It has to be ensured that there will be sufficient supply of cloud computing facilities and services so that European companies of all sizes, government institutions and citizens can use these to develop innovative services. To this end cloud supply must be compatible with European legislation (e.g. in the area of data protection) and technically secure. It should also make extensive use of standards and other means to ensure interoperability so that all potential users can take full advantage of cloud computing.”
The European Commission (the executive body of the EU responsible for proposing legislation) has signalled its intent to address this issue, creating a specialist party to create recommendations for new legislation for cloud computing across the continent. Indeed the Article 29 Working Party met last month to examine laws regarding the transfer of data from one service provider to another, but these are simply recommendations as the EU looks to revise its existing data laws, no new legislation has been made of yet.
Megan Richards, Deputy Director General of Information Society and Media for the European Commission, said that new data protection legislation is currently passing through the European Parliament, and the proposals will be finalised within the next year come into effect within the next two and a half years.
However, Webber’s concerns remain. He comments: “It’s clear we have a new Data Privacy Regulation coming to replace the EU’s Data Privacy Directive. However, although it may introduce some new tools to move data internationally, if anything, it is tightening the EU’s data regime and introducing new rules and penalties for non-compliance.”
Nevertheless, organisations will certainly be hoping that these changes are implemented sooner rather than later to ease the headache caused by the existing legislature or lack thereof. With the EU failing to keep pace with technology, member nations have found themselves shackled within the EEA, making cross-Atlantic or Asiatic data sharing far more complicated.
With enterprises having offices around the world and the cloud underpinning their entire IT infrastructure, new laws need to support and not inhibit the globalisation that cloud computing has enabled. Placing restrictions on data purely by location and not by a standardisation of the facility where it is stored will only serve to shackle the growth of cloud and the chance of it realising its true potential in the UK, EU and beyond.
Dominic Pollard is editor at The Cloud Circle.