A balanced approach to the cloud
This article was first published in Data Protection Law & Policy in July 2012.
Cloud computing is not a fashion or a swanky new name given to technology outsourcing. Cloud computing is not a marketing plot to sell more Internet connections and fibre optics. Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets. Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place. However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.
The development of cloud computing is commonly associated with the evolution of the Internet giants. It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud. The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy. This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.
Rightly or wrongly, the cloud providers' stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear. So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed 'wish list' of how to overcome them. However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today's standards. The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.
The EU data protection regulators should certainly be praised for being brave in setting their expectations. But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world. Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider. So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.
The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen. We cannot afford that to be the case when so much of the world's information is already residing in the cloud. Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.
Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously. Aiming for a realistic level of compliance does not mean letting cloud providers off the hook. The regulators' frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration. Data protection is not an unachievable aim but an essential ingredient of cloud computing. Like in all immature markets, it is still too early to distinguish fully between the good and the bad players but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.