Wednesday, 2 November 2011

Cloud computing – do the data protection jurisdiction problems really matter?

Dr Julia Hornle and Kuan Hon are not very confident that all the legal problems surrounding cloud computing will be resolved in the foreseeable future. They were speaking last night at the Institute of Advanced Legal Studies at the University of London. They ought to know – as they are both academics at the Centre for Commercial Law Studies at Queen Mary, University of London, and have helped write a series of papers on the underlying issues. Whether enough people in the European Commission have the time and energy to adequately address the main legal issues is far from clear.

Their presentation focused on a problem familiar to anyone who invents a new concept (in this case, cloud computing) and then tries to apply it to laws whose drafters had no idea they would ever be expected to cover such a thing. So what we are left with are teams of awfully clever lawyers explaining why, in certain circumstances, current laws don’t quite work (or don’t work at all). Does this really matter? Not if you’re an anarchist. But it would be helpful if decent folk could agree on a few basic ground rules, so that no-one gets hurt.

What are we talking about? In a nutshell, it’s mostly to do with what rules should apply when the different building blocks of scalable IT resources are provided from inside and outside the EEA to people inside and outside the EEA. I hope I’m not boring you yet.

If you really want to get bored, you can immerse yourself in the details of the issue, which means getting familiar with who holds the user’s data and where. To add to the complexity, you can throw in multiple providers; data being replicated and deleted across different data centres; data being sharded, chunked or fragmented; the set of locations in which the data is held changing constantly; and our old favourites, encryption and the use of, or dependence on, shared resources.

Still with it?

Julia and Kuan pointed to examples where EC data protection law applied differently to different providers in different jurisdictions, as Member States occasionally interpret the terms “establishment”, “context”, “use of equipment” and “transit” in different ways, depending on whether they want to attract cloud providers (which is what the French appear to want to do) or deter them (which is what at least one German Land appears to want to do).

I won’t get any more technical – I promise.

But is there a relatively sensible way to unravel the complexity or fill in the gaps in the legislative drafting?

Julia and Kuan think there is, and suggested that some of the Article 29 Working Party’s ideas might work. These ideas follow the principles the Commission has developed when regulating consumer contracts (ie when a consumer buys a product or service in one Member State for consumption in another Member State) or, say, in trademark infringement actions.

On the other hand, a growing number of commentators think that the location of the data is not the key issue. After all, even if everything is agreed in a contract with a cloud provider, how many people in their right minds will ever read that contract, or know whether all the parties are actually adhering to it? There is more to life than contracts.

No, the real answer probably lies in encryption. What really matters is who can access the data in an intelligible form. If the encryption is strong enough, and the keys stay with the customer rather than with the provider, the data could be stored safely anywhere. What we really need to concentrate on is understanding whether the cloud provider can get at the data, and who can force the cloud provider to get at it.
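To make the “who can get at the data” question concrete, here is an added example, written for this page and not code from the speakers or the post: a customer encrypts each object with AES-256-GCM before upload, and a toy provider either holds only ciphertext (customer-held key) or also runs the key management (provider-managed key). The scheme, the `Provider` model, the object names and the sample record are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the provider holds for one object when the customer
// encrypts before upload: nonce and AES-GCM ciphertext (tag included), no key.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh 256-bit AES key. In the customer-held-key model
// it is generated and kept on the customer's side and never uploaded.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The object name is bound as
// associated data, so a ciphertext moved to another name will not open.
func Seal(key []byte, objectID string, plaintext []byte) (StoredObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectID))
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext. It fails unless the caller has the key and the
// stored bytes are exactly what was sealed under that object name.
func Open(key []byte, objectID string, obj StoredObject) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

// Provider models a storage provider (hypothetical). ManagedKey is nil when the
// customer keeps the key; it is set when the provider runs key management too,
// which is the arrangement a disclosure order served on the provider can reach.
type Provider struct {
	store      map[string]StoredObject
	ManagedKey []byte
}

func NewProvider(managedKey []byte) *Provider {
	return &Provider{store: map[string]StoredObject{}, ManagedKey: managedKey}
}

func (p *Provider) Put(objectID string, obj StoredObject) { p.store[objectID] = obj }

// CanRead reports whether the provider, using only what it holds, can turn the
// stored object back into intelligible data, regardless of where the bytes sit.
func (p *Provider) CanRead(objectID string) bool {
	obj, ok := p.store[objectID]
	if !ok || p.ManagedKey == nil {
		return false
	}
	_, err := Open(p.ManagedKey, objectID, obj)
	return err == nil
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample record; not real data.
	obj, _ := Seal(key, "records/4711", []byte("patient 4711: diagnosis pending"))
	blind, managed := NewProvider(nil), NewProvider(key)
	blind.Put("records/4711", obj)
	managed.Put("records/4711", obj)
	fmt.Println("provider without key can read:", blind.CanRead("records/4711"))
	fmt.Println("provider holding key can read:", managed.CanRead("records/4711"))
}
```

The point of the two providers is that they hold byte-for-byte identical objects; the only thing that changes whether a disclosure order against the provider yields intelligible data is who holds the key. Binding the object name as associated data also means a provider cannot quietly present one customer’s ciphertext under another name, and any alteration of the stored bytes is detected rather than decrypted to garbage.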

So, the lawyers will continue to comment on the limitations and adequacy of the current legal regimes for so long as clients have money to offer them.

And EEA Member States will continue their shrill campaign against (basically) American cloud providers, whose Patriot Act obligations occasionally cause people to wince. Does the location of the data really matter anymore? Not really. Let’s encourage the European Commission to focus on issues of security, accountability and transparency instead.

Finally, Julia and Kuan urged European lawmakers to adopt a thoroughly European negotiating line in this “phony war” against non-EEA based cloud providers: the Commission should take a broader view, and cave in quietly, while protesting loudly, on these really tricky location/transborder data flow issues.