There is little doubt today that the computing experience is undergoing a powerful transformation. Increasingly consumers and businesses alike are harnessing computer power in the cloud. Governments are developing their own cloud strategies. Cloud computing offers new benefits for almost every part of society – whether in healthcare, teaching, economic growth and job creation or the functioning of government – all centred on greater efficiency, cost savings and innovation gains.
To realise these benefits and to enable widespread cloud adoption, there are also challenges that must be addressed along the way. It is only if these challenges are addressed that users will have the confidence needed to embrace cloud computing. Some of the most significant challenges are squarely in the bailiwick of the legal community. The legal community – whether represented by those in private practice, in industry or within the public sector or working for regulators – has the opportunity to play a central role in how quickly we make progress in building confidence in the cloud.
We can debate the detail of what cloud providers should be doing to comply with the law like traditional providers of computing services. We can debate how far the concepts and definitions can be stretched and tinkered with around the edges to squeeze them in. But let’s cut to the chase: the fact is that UK legislation is simply inadequate in the face of the technological advances of cloud computing.
So, what to do about it? First we must recognise that legislation isn’t actually the only problem or answer; we need to think more broadly about information exchange and best practice. Therefore we mustn’t just rush into introducing swathes of new legislation in an attempt to address perceived problems and speculated future usage. We have been there before: we IT lawyers are already surrounded by the skeletons of electronic signature legislation, which was years in the making and hours in the penetrating and analysing – but barely a minute in effective deployment. Equally, we mustn’t just stand by and pontificate about the difficulties as legislation gets chipped away or morphs into an even more cumbersome shape.
In this article I draw out the key problem areas in our existing legislation and practice and offer up my suggestions for workable solutions, picking out some suitable candidates in existing review programmes as well as putting forward some alternative solutions. It is hoped that this will be just the start of an important dialogue generating further discussion and ideas.
The words expressed and proposals made in this article are mine alone and do not necessarily represent the views of Microsoft.
1. Procurement
The UK’s public procurement legislation, derived from EU law, sets out a framework which requires the open advertisement of public contract opportunities above a certain size followed by a prescribed process designed to ensure that only suitably qualified providers are asked to bid against a clear specification and method of contract award. Overall, it is not the regulatory framework which poses the greatest barrier to the uptake of cloud computing by the UK public sector but the lack of support for public sector purchasers in failing to give them the tools to understand the relevant market.
Key areas of concern relate to how a public purchaser: (i) defines its contract requirement; and (ii) frames its contract award criteria (ie the criteria which determine the ‘winning’ bid). My suggestions for change are as follows.
(i) Change the Standard Forms
One obvious course of action would be to address the rather binary and unsophisticated procurement standard forms (in particular the OJEU notice) which are used to articulate the contract requirement to the market.
(ii) Promote Pre-procurement
The other, more practical, solution is to promote pre-procurement contact with industry as standard practice and for government to provide increased training and education amongst public purchasers, such as engagement in market testing exercises so that they appreciate the breadth of the market’s offering.
This is particularly important in the IT world to ensure that public purchasers are aware of, and comfortable with, the increasingly broad and innovative ways in which software can be delivered to public sector users. All too often, the way in which a contract requirement (which includes the technical specification) is defined unnecessarily limits: (i) what the public sector can discuss with bidders during the procurement process; and (ii) the content of the final contract.
We can improve things by making requirements output-based – so, focusing on the quality of the ‘product’ delivered, its flexibility, scalability, reliability, security etc. Otherwise, there is a danger that public buyers fall into the safer, box-ticking habits which the nature of the regulated procurement process can encourage.
From the outset purchasers must complete a standard form advert which is published in the Official Journal of the EU. This form asks for a purchase to be labelled as a ‘supply’ or a ‘service’ and for the contract to be described using the CPV codes (an EU nomenclature). These regulatory requirements can encourage the purchaser to settle on a standard line of contract description which may not attract the widest bidding pool, promote innovation or, ultimately, offer best value for money. In the case of software, traditionally, purchasers would tick the ‘supplies’ classification. This is precisely the sort of current thinking which makes it likely that there will be discrete UK public procurements for cloud computing contracts as they will be something different, which needs to be set apart, so that the appropriate box (most probably ‘services’) can be ticked and a distinct sector of the IT marketplace engaged with.
It may be that the desired output – software on public users’ screens – could be delivered via packaged goods and/or delivered online. Thus, a well-informed, confident public purchaser might decide to tick the box for, say, services but make it clear at the end of the OJEU notice (in the ‘Additional Information’ section) that it is also willing to consider and compare more standard methods of software delivery.
An output approach would demonstrate a possible, practical work-around to the limitations of the procurement rules (and standard forms) which the public sector could use in order to run the optimal procurement.
The other key element of the procurement process is the contract award methodology which is supposed to ensure that ‘good’ performance from bids is appropriately rewarded. Of course, this envisages that the public sector has an ‘ideal provision’ with ideal characteristics in mind. Again, unless a public purchaser is confident in relation to the likely offering from the marketplace, it may often revert to the standard award criteria of (say) price, delivery date, reliability of product and so on without considering whether these criteria reflect the current marketplace and deal appropriately with the current innovative offerings in terms of their advantages and risks.
2. Civil Actions
Strong deterrence through civil enforcement of the data protection laws will be critical to the protection of data belonging to users of cloud services. Under English law, users whose personal data are processed by unauthorised persons, or accidentally lost, destroyed or damaged, could potentially make a claim for damages for breach of a statutory duty.
Assuming that a user can establish a cause of action for breach of statutory duty, a fundamental issue remains to be addressed, however: customers, unlike cloud providers, are unlikely to have the means to bring actions for damages. Online security would, therefore, be significantly improved if the law allowed providers to bring representative civil actions for breach of statutory duty on behalf of their customers.
New legislation allowing cloud providers to bring representative actions for breach of statutory duty on behalf of users whose data has been violated would be one option. Breach of statutory duty, however, is a common-law principle and is not defined in statute. An alternative approach might be to seek to persuade courts to include the cloud provider within the class of persons able to seek a statutory remedy, and to allow the cloud provider to take over the cause of action from a customer or group of customers.
An initial survey of other legislation relevant to e-commerce indicates that in most cases they either do not create a civil cause of action (ie they specifically create criminal offences) or if they do create such a cause of action it is described as being for an individual, rather than a person (including a corporate person). As such it may well be that such causes of action are not yet available. One possible remedy would therefore be to seek amendment of such legislation to (a) give a corporate person a right of action, and (b) establish that a cloud provider would fall into such a class of persons.
The EU Commission has announced plans to widen the power to sue under the Data Protection Directive to include ‘data protection authorities and … civil society associations, as well as … other associations representing data subjects’ interests’ (Commission’s Outline Proposals on Data Protection reform, para 2.1.7). At present Article 22 of the Data Protection Directive provides rights to a ‘person’ to bring action in respect of breach of his or her rights; this is thus clearly limited to an individual natural person, and the transposition into English law via the Data Protection Act 1998 reflects this (s 13 refers to ‘individuals’). An important way forward may therefore be to revise the definition of the class to which the Data Protection Directive grants a remedy so that it includes the hosts of data subjects’ data where they are not themselves responsible for the loss.
3. Data Protection
There are several problems with existing data protection legislation. The key ones are explored below.
3.1 Transparency
The EU Data Protection Directive 95/46/EC requires that data controllers provide data subjects with a minimum amount of information. These provisions were drafted long before the development of technologies such as cloud computing which require data subjects to transfer vast amounts of personal data to data controllers and which facilitate the constant transfer of that data across national borders. In order to inspire sufficient confidence among users that the data they place in the cloud will be safe, providers must be required to disclose a far greater degree of information to their customers than the Data Protection Directive currently provides for. In particular, providers should disclose details of any breaches which they commit of the data protection laws in relation to their customers’ data. They must also make clear to their customers what measures they have in place to prevent such breaches in the first place.
To me, there seem to be two obvious solutions and one ‘nice to have if it were possible’ solution. They are:
(i) Regulatory Solution
Legislative change on breach notification is already in play and there is clearly an appetite for further reform. The EU telecoms regulatory package reforms, announced in November 2009, include a requirement to notify data security breaches which will be implemented via an amendment to the 2002 Directive on Privacy and Electronic Data Communications (the PEC Directive).
It is not clear whether cloud providers would be covered by this but, fortunately, on 4 November the Commission announced that it is to examine whether a more general obligation to notify personal data breaches (to individuals and authorities) should be introduced (in its Communication ‘A comprehensive strategy on data protection in the European Union’). If further legislation is to be adopted, there is no reason why it should be an exact replica of the provisions inserted into the PEC Directive. A number of different approaches and permutations for a breach notification obligation should be explored.
(ii) Self-Regulatory Solution
However there are, I believe, real advantages in adopting a scheme of self-regulation as opposed to or alongside a regulatory solution and it is disappointing that we have not heard any proposals of such a nature.
What kind of trade association could do this? A good example is the UK’s Advertising Standards Body. This body acts, to a large extent, to sanction those in the advertising market who abuse its rules. If this body did not exist then it is very likely that Government would have established a regulatory body to do the same task. Another example is the Internet Watch Foundation, founded many years ago to allow ISPs in the UK to have a jointly funded regulatory body to deal with child abuse photos on the Internet. This Foundation continues to work well and has removed the need for unwieldy legislation in the area whilst, studies suggest, continuing to help protect children from online threats.
A trade body could therefore be set up: (i) to develop a common standard on transparency with which all members would be obliged to comply; or (ii) to produce a model contract clause to be included in all cloud service contracts. The common standard or contractual clause would provide that any cloud provider which failed to meet its transparency obligations would have to disclose such breach to customers and publicise the breach on its web site. Failure to do so could result in a fine by the trade association. The advantage of a contractual clause over a simple standard is that, in addition to the fine, it would give customers a right to bring a contractual damages claim in the event that a provider failed to meet its obligations.
(iii) RAPEX-Type Solution
A more ambitious solution would be to replicate something along the lines of the EU RAPEX system for the recall of dangerous consumer products. There is a similarity between the situation in which a manufacturer is required to disclose a fault in one of its products which could cause harm to purchasers and that in which a data controller allows its users’ data to be accessed by unauthorised persons, which also creates risks for users. RAPEX facilitates the rapid exchange of information between Member States and the Commission on measures taken to prevent or restrict the marketing or use of products posing a serious risk to the health and safety of consumers. Both measures ordered by national authorities and measures taken voluntarily by producers and distributors are reported by RAPEX. The EU has also entered into an agreement with China to achieve exchange of information between the EU and China on product safety, which suggests that this model could be extended to improve transparency even beyond the EU’s borders.
The potential advantage I see in this sort of EU-driven approach to transparency is that it could lead to disclosure of data protection breaches across the EU (and possibly beyond) in a very short time.
3.2 Data Transfer and Data Security
It is widely acknowledged that, given the vast quantities of complex data that are being transferred by users to providers of cloud services, more explicit rules than those currently contained in Principle 7 of the Data Protection Act need to be developed in order to reassure customers that their data will be adequately protected. In short, it must be made clear precisely what such ‘appropriate measures’ providers must put in place, instead of leaving it to the providers to decide what is ‘appropriate’.
The eighth data protection principle, on data transfers, is rendered equally inadequate by cloud technology as it simply does not take account of the way in which cloud computing works. Each data centre owned by a given provider anywhere in the world may hold a full copy of the data held at that provider’s other data centres. As different jurisdictions currently afford different levels of data protection, centres governed by different national laws will only be able to provide partial copies of their data to other data centres in different jurisdictions.
So, how might we go about changing this?
The Data Protection Directive is already under review by the European Commission and the RAND Review’s findings make clear the shortcomings of the rules on data export and transfer to external third countries (which correspond to Principle 8). However, reform of the Data Protection Directive is not likely to be the most effective means of adapting data protection rules for cloud services for two reasons. First, cloud services will require constant transfer of data both within and outside the EU. It therefore makes little sense to direct all our efforts into improving harmonisation within the EU only. Second, it is doubtful that the Directive can be sufficiently adapted to the needs of this new and rapidly growing technology.
In my view, the only viable solution would be a globally harmonised data protection standard so that all cloud providers across the world would be required to guarantee the same levels of protection. Such a standard would address the problems identified in relation to both Principles 7 and 8. It would, firstly, provide detailed guidance on the measures that providers are required to take in order to prevent unauthorised processing of personal data and against accidental loss or destruction. Secondly, it would remove the need for an assessment of the ‘adequacy’ of other jurisdictions’ data protection regimes because providers who had signed up to the standard would all be committed to achieving the same standards, irrespective of the place in which they were established or in which they hold users’ data.
The Commission and Member States should support this approach, given that Article 27 of the Data Protection Directive expressly encourages ‘codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the various sectors.’
Given the number of standards and guidelines that already exist on data protection, it may well be preferable to use an existing standard as a starting point as opposed to drafting from scratch. A good candidate is the Joint Proposal on International Standards for the Protection of Privacy, which was approved by the data protection authorities of 50 countries within the framework of the 31st International Conference of Data Protection and Privacy in November 2009 (the Madrid Resolution).
This proposed standard, which it is hoped will form the basis for the agreement of a universally binding standard in future, has clearly been drafted with newer technologies (including cloud computing) in mind. This then would appear a sensible place for the development of a bespoke standard for data protection in cloud services and a self-regulatory body (along the lines discussed) could play a significant role in forming and enforcing this.
4. Data Retention
At present, the EU’s Data Retention Directive 2006/24/EC (implemented in the UK by the Data Retention (EC Directive) Regulations 2009) states that, irrespective of the country of origin of data, providers of public communications services and networks are subject to the rules on data retention in the jurisdiction in which the data are generated or processed.
Definition debates aside, let’s assume for the moment that cloud providers are subject to the Data Retention Directive.
Article 6 of the Directive states that Member States shall ensure that data is retained for periods of between six and 24 months. This wide differential has been picked up by Member States in their implementing legislation. The problem this poses can be made clear with a simple example: if 100% of the data held at a provider’s data centre in Member State X belonged to a company which operated only in Member State Y, the provider’s obligations in relation to the retention of that data would be governed, according to EU law, by the rules applicable in X. If, however, the provider has copies of the same data in both countries and X’s data protection law requires it to destroy the data after six months while Y’s law requires the provider to retain the data for a minimum period of 12 months, it will breach Y’s law by complying with that of X, and vice versa.
Given the quantity of data which will be transferred, and the frequency with which it will be transferred across borders within the EU, this will be a very real problem for providers and a ludicrous outcome.
Sadly, setting a new uniform retention period appears a vain hope for the simple reason that Member States are likely to find it difficult to agree on what that period should be. Were this not the case, the current Directive would probably have included a fixed period.
A better idea, I believe, would be for the UK to approach the European Commission with regard to introducing a ‘passporting’ regime, similar to that which has been adopted in the financial services sector. Put very briefly, providers (or any other company) would choose a ‘home state’ within the EU, whose data retention laws they would commit to comply with. By virtue of doing so, they would be permitted to offer services across the EU with the certainty that, irrespective of where they are operating, they will not breach the laws implementing the Data Retention Directive and Data Protection Directive if they continue to respect the laws of their home state. This approach has worked well under the E-money regime.
This solution does not, however, address the issue of conflicts between the data retention laws of EU and non-EU states. The most comprehensive solution to this problem would be to seek a multilateral agreement with other nations so that providers never find themselves in a position in which, by virtue of conflicting public international laws, they must breach one country’s law in order to comply with another. The World Trade Organisation may be the appropriate forum in which to pursue such an agreement.
In the interim, the EU could enter into bilateral agreements with as many foreign jurisdictions as possible. These agreements would state that no cloud provider could be required to breach the data laws of one country in order to comply with those of another. In the example above, therefore, the provider would not be required to destroy the data it holds in Territory X until a period of 12 months had passed because to do so would cause it to breach the laws of Territory Y. Effectively, providers would always be required to comply with the most cautious of the conflicting laws concerned (that which required them to retain the data in question for the longer period). This is a solution already used for double taxation so it should be familiar to the Commission.
Overall, cloud users must not be compelled to make a trade-off between all of the benefits of the cloud on the one hand and privacy, security and a coherent legal and regulatory framework on the other. Law and regulation have an important part to play in building confidence in the cloud. The era of cloud technologies is very exciting but, in order for cloud technology to flourish, these and other issues need to be debated and addressed.
Dervish Tayyip is Head of UK Legal at Microsoft Limited.