Julian Box, CEO and Founder of Calligo
It’s widely understood that a core pillar of cloud computing is the storage of data throughout various geographical locations. Storing data globally improves resilience, access and performance.
But with the recent introduction of various international, national and industry-specific privacy regulations that require data to be kept within prescribed borders, this nonchalant global approach to data storage is at odds with data residency requirements.
It also creates problems when data that is potentially relevant to a certain jurisdiction is stored beyond its borders and its legislative powers. The best-known example is the US government's struggle to access data it deems relevant to national security when that data is stored abroad and subject to local data laws, which often make it illegal for the cloud service provider (CSP) to disclose it. This is exactly the situation highlighted in the US government's recent case against Microsoft, in which it attempted to access US-relevant data held by Microsoft in Ireland.
The US government’s national security concerns therefore directly conflicted with the main principles of cloud computing. Clearly, this was untenable.
What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act, or more simply the CLOUD Act, was signed into US law in March this year in order to resolve this conflict. It has shaken up the industry, provoking a range of opinions from the cloud, privacy and security communities alike. The Act itself makes it easier for the US government to access information it believes to be of national security interest when that information is held by US-headquartered CSPs in countries other than the US, without infringing the privacy rights of the individual.
Of course, the CLOUD Act also provides mechanisms for Microsoft et al. to quash warrants where disclosure would be contrary to local laws. That is the likely outcome of any use of the CLOUD Act, in which case the US government's main recourse would be to pursue the diplomatic route of either a local warrant or a Mutual Legal Assistance Treaty (MLAT) with the country in question. These are currently slow and typically politically sensitive processes, which is why neither was relied upon in the Microsoft Ireland case.
But the recognised effect of the CLOUD Act is that it will encourage the US to simplify the processes around its international diplomatic agreements with other countries – the MLATs – in order to make accessing data abroad easier.
So, in total, the CLOUD Act is the trigger for the US Government to accelerate the simplification of access to any data it deems pertinent to its investigations, wherever in the world that data is held by a US-headquartered cloud provider.
What is the practical impact on the CSP industry?
This question is best answered by looking at the CLOUD Act alongside other privacy regulations, not just in isolation.
Privacy has become such a vital issue that many nations, governments and industry sectors are now devising their own rules and legislation. For example, India has just presented its first data privacy bill, following in the footsteps of the GDPR itself, and more nations are anticipated to follow later in the year. However, this will inevitably create an enormous variety of legislative frameworks for businesses and cloud providers to conform to – regardless of how they may conflict with each other.
As an example, a global health insurer needs to be simultaneously aware of the CLOUD Act, Canada’s PIPEDA, Japan’s APPI, HIPAA, the GDPR and the data privacy requirements of any number of financial services regulators. And this is before more nations such as India pass new legislation, or the EU’s ePrivacy Regulation finally comes into force.
And it doesn’t stop there. As we rely more on technology in society, even more legislation will come into play. We have already seen this through the introduction of GDPR, a response to the inadequacy of previous privacy regulations in this increasingly digital age. The use of IoT and smart cities will undoubtedly trigger questions, concerns and more legislation.
So, to return to the question, what does this mean for CSPs?
We've seen that businesses are becoming increasingly conscious of, and concerned with, where and how their data is stored, as well as the legislative obligations and ramifications of using cloud services. As such, they will inevitably seek advice directly from cloud suppliers on how best to store data to ensure both privacy and practicality.
But few CSPs are able to provide this advice. Few are sufficiently informed to offer guidance on how best to address national and industry-specific laws and regulations. Their teams remain focused solely on the technical aspects of performance and resilience, seeing privacy legislation as a problem rather than as an opportunity to offer added value through impartial, authoritative and accurate advice.
The reality is that a modern business requires a whole new type of CSP – one that has its finger on the pulse of an intricate industry that is constantly changing. Privacy is too explosive an issue not to address properly. As the business world continues to transform, therefore, and the cloud industry along with it, the CSPs that can adapt to offer guidance on the genuinely most privacy-appropriate cloud service will be the ones that shape the industry's future.