
Cloud Computing - More Regulation, Better Regulation?


Dr W Kuan Hon, Director, Privacy, Security & Information Law, Fieldfisher
Cloud computing is now largely mainstream, its adoption accelerated by the Covid-19 pandemic. Although not mentioned in the EU's recently-proposed AI Regulation, cloud is increasingly used for, indeed indispensable to, many AI applications: the Regulation's impact assessment cites cloud alongside AI in relation to boosting innovation, and the Annexes to the European Commission's accompanying Communication emphasise the importance of next-generation cloud and a European cloud federation.
I started researching cloud law over a decade ago. Laws have always affected cloud use indirectly, but increasingly they target cloud directly. If more regulation is necessary for important policy objectives like improving security, that's understandable. But cloud regulation must take account of cloud's nature, particularly how cloud differs from classic outsourcing/sourcing: it is quick to access, cost-effective, flexible and scalable because it's multi-tenant, standardised, commoditised, self-service and pre-built (subcontractors are engaged in the reverse direction from traditional outsourcing, since a provider's subprocessors are already in place before any customer signs up), and it is often multi-layered (SaaS built on IaaS/PaaS). It must also take account of the differences between IaaS/PaaS and SaaS: the former involves use of technology infrastructure/equipment, the latter the online use of software applications, which can vary hugely in their purposes and functions.
Take data protection (disregarding for now the political football of data location vs. intelligible access). IaaS/PaaS, and many SaaS, services are purpose-neutral: customers decide what data to upload, so providers don't necessarily know whether that includes personal data. Despite initial concerns, cloud providers squeezed their square-peg standard terms to match, albeit ill-fittingly, the GDPR's round-hole requirements on contract terms between controller/processor-customers and processor/subprocessor-providers, on the assumption that personal data would be hosted. However, inadequate awareness of, and allowance for, cloud's characteristics still persists.
For instance, the UK G-Cloud framework (currently G12), intended to facilitate and encourage public sector cloud uptake, requires buyers' prior consent to subprocessors, even though in pre-built services they're already in place. Also, buyers can dictate individualised security requirements, although cloud security is standardised. Indeed, cloud providers' security expertise and measures often exceed customers': it's well known that most cloud breaches to date, ignoring outages, have been down to customers' misconfiguration rather than providers' security failings.
Or, consider the EU NIS Directive, which directly regulates cloud services alongside online marketplaces and search engines as "digital services" (it also regulates "essential services", basically critical infrastructure such as transport, utilities and healthcare). "Digital services" are subject to security and incident reporting obligations, focusing mainly on service availability and business continuity for customers. IaaS and PaaS are in scope. However, it's unclear whether SaaS qualifies as a "cloud computing service" under NIS, so different SaaS providers take different approaches in practice. The UK NIS regulator for digital services, the Information Commissioner, simply says SaaS services are in scope to the extent they're "scalable" and "elastic". This seems somewhat circular, as by definition all cloud services are scalable and elastic, although none are infinitely so. Yet fines of up to £17m are possible in the UK for "digital service" security failures that significantly impact service provision.
Legal certainty is critical: how can you comply with laws if it's unclear what they require of you? Apart from the NIS SaaS uncertainty, there's the EU P2B Regulation. IaaS/PaaS services hosting e-commerce websites selling to EU consumers could be "online intermediation services" under P2B, which requires changes to standard terms as well as to policies/processes. It seems lawmakers didn't intend cloud to be in scope, but they didn't explicitly exclude it, resulting in uncertainty (in practice, cloud providers generally assume it doesn't apply).
As well as taking due account of cloud's nature, regulation should be appropriate, proportionate and clear. Under the proposed NIS 2 Directive, cloud services will become "essential", subject to tougher requirements than at present. For legal certainty and consistency, let's hope lawmakers will consider specifically whether different types of cloud services should be regulated differently, and make any differences clear, before they finalise this and other future laws.
