Cloud Computing, Standards, and the Law

This chapter focuses on EU initiatives on cloud standards, particularly the work of the European Telecommunications Standards Institute (ETSI), the European Union Agency for Network and Information Security (ENISA), and the working groups set up by the European Commission; while acknowledging that cloud standardisation is obviously also a global issue. It addresses three questions. First, it considers why standards play a role in cloud computing and examines the standards most cited as important for cloud computing: data protection, data security, interoperability, data portability, reversibility, and Service Level Agreements (SLAs). Second, it assesses whether there is a problem with cloud standards and, in particular, the debate around the proliferation of cloud computing standards. Finally, the chapter studies how the adoption of cloud standards can be granted, or acquire, legal and regulatory effects under both public and private law regimes, which impact on both providers and users of cloud services. While technical standards for cloud appear to be developing as expected, informational and evaluative standards will inevitably take longer to emerge and may require greater stability within the legal frameworks in which they are intended to operate.

Information Ownership in the Cloud

This chapter discusses information ownership in the cloud. The law has struggled with ownership of digital information precisely because it is no longer recorded in permanent form on a physical object which can be owned. The law attempts to solve this problem by creating legal rights in some types of information, in the form of intellectual property rights. However, intellectual property rights are highly limited in scope in order to prevent the monopolisation of information. Thus, disputes over information ownership, and negotiations involving transfer of digital information, can be surprisingly difficult to resolve. The chapter then looks at copyright, database right, and the protection of confidential information. It shows that owning property rights in information, most likely copyright and database right, has little importance in terms of the cloud relationship. Cloud computing does, however, create some risks to confidential information because each player in the cloud is handing over some element of control to other players.

Placing the State in the Cloud

This chapter highlights issues of data governance and public procurement. It first examines some of the unique data governance considerations applicable to public sector decisions about cloud adoption; while acknowledging that data governance is only one element in a decision to move to cloud. The chapter then identifies potential obstacles in the EU procurement framework that is not adapted to, or creates de facto barriers to, public sector cloud adoption and considers how these barriers could be addressed. The first potential legal barrier to public sector take-up of cloud concerns public sector data governance and the legal requirements concerning the security of, and access to, public sector data. The second potential legal barrier concerns EU public procurement legislation and the extent to which it is not adapted to the cloud environment.

Regulation of International Data Transfers in Clouds

This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.

Negotiated Contracts for Cloud Services

This chapter examines negotiated contracts for cloud services. Given that the use of cloud services has now become widely accepted and in light of the fact that providers' standard contract terms have evolved if not improved, do customers still deem it necessary to seek to negotiate contracts and if so, which issues are typically focused on? Are providers willing to negotiate or have they hardened their attitudes to negotiation? The chapter outlines providers' perspectives on cloud contract terms and customers' perspectives on cloud contracts including the role of integrators. It looks at the factors that customers take into account when considering specific terms, including whether or not to negotiate the terms in question or look at other methods of risk mitigation. The fact that data breach response and liability for data breaches tops the list of most-negotiated terms suggests that cloud providers and customers are still grappling with the General Data Protection Regulation's (GDPR) requirements and trying to come up with terms that will satisfy both customers' and providers' needs.

Control, Security, and Risk in the Cloud

This chapter discusses the risks in cloud computing. Concerns are often raised about decreased customer control and increased provider control of data in clouds, particularly regarding data security (confidentiality, integrity, and availability), fuelled perhaps by the relative lack of information available to customers regarding details of providers' components, suppliers, and mechanics. Colocation risks may also exist. One concern is the leakage of data to others sharing the infrastructure. Another consideration is that if hardware thought to contain a third party's target data is seized by authorities, data of other tenants sharing that hardware may be exposed also. Ultimately, cloud services differ in the degree of control and flexibility afforded to customers (and accordingly in their responsibility for security), and the extent to which providers or sub-providers can access user data. Much depends on a service's type and design. Prospective cloud users may manage their cloud risks not just through technological or contractual means, but also through insurance.

Consumer Protection in the Cloud

This chapter assesses consumer protection in the cloud. The majority of businesses seem to have recognised the EU consumer rights regime as setting out the standards of good business best practice which a good business should achieve, and so reflect that regime in their terms and conditions. But a minority of online sellers and suppliers do not, and because the likelihood of consumers going to court to enforce their individual rights is so low, this minority group is unlikely to mend their ways. This has led to an increased focus on using public law rather than private law to enforce compliance with EU consumer rights. The EU Unfair Commercial Practices Directive (UCPD) forbids misleading practices by businesses, and online businesses whose terms or practices deny the individual rights granted by law to consumers are increasingly facing enforcement action. The current focus is on well-known social media and sharing economy services, because success here sends a strong message to other, less visible, service suppliers. Cloud services are at present low on the list, partly because many consumer-facing cloud service providers are already largely compliant. The consumer service providers who are most at risk are those who are struggling to transition from a 'free' business model to a paid one.

Cloud Technologies and Services

This chapter defines what cloud computing is. The National Institute of Standards and Technology (NIST) has set out a commonly used definition of cloud computing. Under this definition, a 'computing capacity' will qualify as a 'cloud service' if it has the following five characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service. In terms of business models, cloud computing resources are typically offered 'as a Service'. Traditionally, cloud computing services were typically described as falling into one or more of the following three service categories or models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The chapter then looks at the key concepts of the cloud supply chain.

Cybersecurity, Cloud, and Critical Infrastructure

This chapter addresses the emerging regulatory framework for cybersecurity and considers its implications for the provision and use of cloud services. It focuses on cybersecurity measures that target service providers on whom large numbers of consumers and businesses depend, rather than measures triggered by the nature of the data being processed. The chapter first reviews the main elements of the Network and Information Systems (NIS) Directive, one of the principal cybersecurity instruments in the EU. It then examines how cloud providers are regulated as Digital Service Providers (DSPs) under the NIS Directive. Cloud providers are also indirectly regulated by the NIS Directive, when they form part of the supply chain of a regulated operator of essential services (OES), the primary target of the measure. The chapter also looks at other EU legal instruments that impose cybersecurity requirements in relation to specific sectors and activities. Finally, it considers concerns that this new regulatory framework may lead to only incremental improvements in the cybersecurity of Europe's critical infrastructure and digital services, while generating substantial compliance activity, aimed at placating regulators and reassuring the general public.

Facilitating Competition in the Cloud

This chapter studies the application of competition law to the provision of cloud computing services. Competition law is understood as a set of rules enforced by competition authorities that are intended to protect the process of competition and enhance consumer welfare. These rules may allow intervention in the market when competition is distorted, but also have a primary precautionary purpose which intends to prevent the act or conduct of undertakings from resulting in competition being distorted and ensure healthy competition in the market. Although cloud computing is global, the chapter focuses mainly on developments within the EU, but where relevant, refers to academic commentary relevant to cloud from a US antitrust law perspective. The application of traditional competition law to the provision of cloud computing services has been slow. Competition in markets has often also been facilitated by alternative 'regulatory' mechanisms, some of which may help ensure competition in the provision of cloud computing services. The chapter examines two such mechanisms: public procurement rules and data portability requirements.