The cloud and data jurisdictions

It has become commonplace to think about financial spaces where offshore logics apply – for example transactions conducted in a different currency within the City of London.

We know that offshore spaces raise complex questions of sovereignty and jurisdiction. But, to what extent is data within the cloud similarly offshore?

Volha attended the 5th Annual Cloud World Forum in London.

cloud

One of the prominent speakers was Mr Francisco García Morán, Chief IT Advisor of the European Commission, who presented a comprehensive update on the recent Commission’s efforts aimed at promoting and regulating cloud services within the EU as an important element of its Digital Agenda for Europe (http://ec.europa.eu/digital-agenda/en). (In 2012, the Commission issued an influential and widely-cited Expert Group Report on the subject of cloud computing ‘Advances in Clouds: Research in Future Cloud Computing’ (http://ec.europa.eu/digital-agenda/en/news/final-expert-group-report-advances-clouds-2012)).

A number of presentations provided competing definitions of cloud computing, one of the most comprehensive being that of the National Institute of Standards and Technology (NIST) of the US Department of Commerce: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST, 2011:2; Special Publication 800-145). Absence of a common definition notwithstanding, it is widely acknowledged that ‘not all clouds are created equal’; indeed, there are different service and deployment models, with the former ranging from Software as a Service (SaaS) to Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), and the latter including private, public and hybrid clouds.

Emphasising the significance of the rise of cloud computing, many speakers referred to the so called ‘nexus of forces’, which “describes the convergence and mutual reinforcement of four interdependent trends: social interaction, mobility, cloud, and information” (http://www.gartner.com/technology/research/nexus-of-forces/). Despite the potential of cloud computing, uptake of cloud services is rather cautious, with the biggest challenges being concerns around data security and regulatory and compliance issues (Ovum, 2012, cited by OneStopClick Research in their ‘Survivors’ Guide to the Cloud’, 2013:6).

While the above ‘Survivors’ Guide’ dismisses “[f]ears about where data is held, how resources may be shared with other companies, and how to maintain performance levels outside the organisation” as irrational, emotional and unjustified (6), many speakers suggested that security and compliance considerations were becoming increasingly important, as was data sovereignty. This position was also echoed in a number of questions raised by the audience, for example, ‘what happens if national legislation applicable to the cloud service provider compels him/her to supply information to the third parties irrespectively of where data is located?’; ‘how can one verify where the data is actually held?’, etc.

Such questions, and discussions that followed, also highlighted an increased awareness of the privacy and data protection issues informed in no small part by the recent revelations about PRISM and other similar security programmes.

Oracle