Cloud computing is rapidly becoming a buzzphrase in IT-reliant businesses. Its proponents include some of the largest technology companies in the world. But while enterprises may be able to save money by moving into the cloud, it is difficult to see how they can do so with their customers’ personal information without breaching EU data protection law.
Household names like Google, Amazon and Microsoft are racing each other to create rival global platforms for the storage and manipulation of data. They have sent their marketers out amongst us to proclaim the Good News: cloud computing will reduce costs and improve service when compared to the traditional self-built and self-run server rooms most significant organisations are used to.
McKinsey Consulting helpfully offered a definition of Cloud Computing in a recent report on the topic: “Clouds are hardware based services offering compute, network and storage capacity where; hardware management is highly abstracted from the buyer, buyers incur infrastructure costs as variable OPEX, and infrastructure capacity is highly elastic”.
Or, as the rest of us might understand it: you sub-contract out part, some or most of your storage and information processing requirements to an already vastly tooled-up company, and you access it as you need it across the internet.
Clouds, being amorphous, fuzzy and everywhere, were chosen as the perfect metaphor for this kind of service. But a metaphor can obscure the reality of what’s being offered: sending data out to external companies and storing it in their datacentres across the world, without any transparency as to which jurisdictions the data now resides in.
Ireland has a particular interest in the development of cloud computing. Google, Microsoft and Amazon have all located major data centres around Dublin. It has been mooted that having these services available will enable Ireland’s entrepreneurs to launch global web-based businesses without having to make enormous capital investment.
The difficulty arises when we apply the cloud computing model, developed in the US, to data relating to people in the EU. There is a gap in privacy standards between the two jurisdictions, with the EU protecting its citizens’ personal data in legislation.
Personal Data is defined by Directive 95/46 as “any information relating to an identified or identifiable natural person” and processing same as “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.
Ireland’s Data Protection Acts implement this European law in local legislation. The Irish Data Protection Commissioner helpfully defines a Data Controller so that you might more readily recognise if you are one: “A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information.” So, the controllers are the people who have the responsibility for the data as it is being processed, no matter where or by whom. The entities they pass the data on to, to be dealt with in a specific way, are defined as data processors. Cloud computing providers would fall into this class.
But though Irish enterprises work under these European-wide legislative protections of our personal data, the cloud computing model is less sympathetic to our data controllers’ responsibilities.
The FAQ for Amazon’s Cloud offering, called S3, baldly announces that “Amazon S3 allows customers of Amazon S3 to store their data in the EU; however, it is up to the customers of Amazon S3 to ensure that they comply with EU privacy laws.” Furthermore, their Terms of Service states, in all caps for emphasis, that they do not warrant “THAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED.”
This ‘as-is’ approach clashes fundamentally with the responsibility of a Data Controller to ensure the security of the data they pass on to a data processor. There is the additional complication that, unlike Amazon, not all cloud computing service providers will promise to keep data uploaded from the EU within the EU. The result is the possibility of breaching the laws which prevent EU citizens’ personal data being exported to jurisdictions with less stringent protections.
The Irish Data Protection Commissioner’s office is under-resourced, having only a handful of investigations officers for the entire country. It is hardly likely that he will prioritise clamping down on cloud computing providers who are creating high-value employment in Ireland. Nonetheless, for Irish entrepreneurs and IT professionals who are considering taking the cloud computing route, it is important that they do so with an awareness of the difficulties it could throw up later in a due diligence situation.
Buying or selling a company is like a house purchase. Before the buyer closes the deal, they’re going to want to be reassured that the last owner didn’t do anything that might see them inheriting a legal headache. It may only be when the first wave of early-adopter companies start to be acquired that we will get a clear picture of the full cost of moving to cloud computing.
Some of us geeks are aware of this, and have been watching the developments for a while. See here, for example, for some of my thoughts about EU privacy laws vs. Google: http://www.jroller.com/MasterMark/entry/google_teh_evil_cloud_economics
I happen to think that legal, regulatory and other compliance issues are THE issue with regard to “cloud computing”, far more so than, say, the much more frequently cited bugbear of “security”.
An interesting postscript to this post turned up today, when Google admitted that, along with Microsoft and Amazon and all other US-incorporated companies, it was required under the Patriot Act to hand over any information requested of it by US intelligence agencies, even when that data was administered by its foreign subsidiaries operating in jurisdictions such as the EU where that practice would be illegal; and that it would not be permitted to disclose that this had taken place.