As IT leaders get more comfortable moving their data operations into the cloud, concerns are growing about conflicting international laws that govern data generated in one country and stored in another.
Policymakers around the world are fueling those concerns. Anxious to protect data privacy and security, they are advocating requirements to store certain types of data domestically, says Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation.
Those policies, however, are not only creating headaches for technology managers moving data across the globe, they're also bumping up against delicate free trade agreements that involve senior government officials well beyond the reach of the typical CIO's office.
"We're finding that companies are being caught in the middle [between conflicting privacy and security laws]," said Castro in an interview with InformationWeek. The economic stakes have grown so significant that the ITIF recommended this week that the US and its trade partners develop a "Geneva Convention" to address the conflicts and what appears to be a growing wave of "data nationalism."
"The notion that data must be stored domestically to ensure that it remains secure and private is false," says Castro. But, he warned, "Misunderstandings about the security and privacy of data are resulting in policies that negatively affect innovation, productivity, trade, and consumer welfare."
In an effort to clarify the current state of international data laws and help avert a movement toward more protectionist policies, the ITIF released a position paper on Dec. 9 entitled "The False Promise of Data Nationalism." In it, Castro notes that exports of digitally enabled services from the US alone totaled $356 billion in 2011, a five-fold increase since 2007.
At the same time, Castro argues, economies of scale for storing and processing data in large cloud computing facilities make it increasingly impractical and more expensive to restrict data to smaller datacenters located in different countries.
However, over the past few months, Castro says he has observed leaders in a variety of countries "talking about data from the perspective of where it's stored being integral to privacy and protection." Part of what's elevating policymakers' concerns, he says, are revelations about US government surveillance practices, following the leak of National Security Agency documents.
At the heart of the legal debate over data protection is how countries apply different security standards to data and what data owners must do when certain types of data -- typically involving personally identifiable information -- are disclosed either inadvertently, voluntarily, or by government mandate.
Determining which laws govern the disclosure of data can be complicated. As Castro notes in his report, "Multiple countries may assert jurisdiction over data due to the nationalities of the individuals or organizations that own the data, the service providers storing the data, the individuals or organizations accessing the data... or where the data is stored."
While the global data policy debate might appear to be of remote concern to federal agencies, whose data are routinely processed and stored in US-based facilities, it does affect the multi-national cloud service providers agencies rely upon, which bear the economic costs and legal uncertainties of international data laws.
Microsoft executive vice president and general counsel Brad Smith has been barnstorming the globe, calling on governments, particularly in Europe, to establish greater uniformity in how cloud computing companies are regulated. The lack of uniformity makes it difficult to establish and execute contract terms and conditions with international customers.
"Governments must take steps to ensure that existing regulatory frameworks are suited to the cloud," he said in one of his earliest blog posts on the subject, nearly three years ago. Smith insists that cloud computing's potential to spur economic growth depends on governments getting involved in developing "more balanced and predictable rules governing cloud vendors" and facilitating easier movement of data across borders while maintaining legal protection for consumers.
From the ITIF's view, the need to resolve data handling rules goes beyond cloud computing and to the larger issue of international trade, which increasingly depends on the free movement of data around the world.
"What people don't realize is this isn't something technology companies can address by themselves," Castro says. "There's a tremendous economic impact if governments don't get involved in dealing with data protection laws -- or worse, take an isolationist's approach to Internet governance and trade."
Wyatt Kash is editor of InformationWeek Government. He has been covering technology trends in government since 2004.