Tangled Data Protection Laws Threaten Cloud, Critics Say - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cloud computing
09:06 AM
Connect Directly

Tangled Data Protection Laws Threaten Cloud, Critics Say

Technology group calls for "Geneva Convention" to address complex maze of data laws that affect growth of cloud computing and global trade.

As IT leaders get more comfortable moving their data operations into the cloud, concerns are growing about conflicting international laws that govern data generated in one country and stored in another.

Policymakers around the world are fueling those concerns. Anxious to protect data privacy and security, they are advocating requirements to store certain types of data domestically, says Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation.

Those policies, however, are not only creating headaches for technology managers moving data across the globe, they're also bumping up against delicate free trade agreements that involve senior government officials well beyond the reach of the typical CIO's office.

"We're finding that companies are being caught in the middle [between conflicting privacy and security laws]," said Castro in an interview with InformationWeek. The economic stakes have grown so significant that the ITIF recommended this week that the US and its trade partners develop a "Geneva Convention" to address the conflicts and what appears to be a growing wave of "data nationalism."

[US legal system isn't exactly at the vanguard in keeping up with technology. Read Electronic Privacy Laws Need An Overhaul .]

"The notion that data must be stored domestically to ensure that it remains secure and private is false," says Castro. But, he warned, "Misunderstandings about the security and privacy of data are resulting in policies that negatively affect innovation, productivity, trade, and consumer welfare."

In an effort to clarify the current state of international data laws and help avert a movement toward more protectionist policies, the ITIF released a position paper on Dec. 9 entitled "The False Promise of Data Nationalism." In it, Castro notes that exports of digitally enabled services from the US alone totaled $356 billion in 2011, a five-fold increase since 2007.

At the same time, Castro argues, economies of scale for storing and processing data in large cloud computing facilities make it increasingly impractical and more expensive to restrict data to smaller datacenters located in different countries.

However, over the past few months, Castro says he has observed leaders in variety of countries "talking about data from the perspective of where it's stored being integral to privacy and protection." Part of what's elevating policymakers' concerns, he says, are revelations about US government surveillance practices, following the leak of National Security Agency documents.

At the heart of the legal debate over data protection is how countries apply different security standards to data and what data owners must do when certain types of data -- typically involving personally identifiable information -- are disclosed either inadvertently, voluntarily, or by government mandate.

Determining which laws govern the disclosure of data can be complicated. As Castro notes in his report, "Multiple countries may assert jurisdiction over data due to the nationalities of the individuals or organizations that own the data, the service providers storing the data, the individuals or organizations accessing the data... or where the data is stored."

While the global data policy debate might appear to be of remote concern to federal agencies, whose data are routinely processed and stored in US-based facilities, it does affect the multi-national cloud service providers agencies rely upon, which bear the economic costs and legal uncertainties of international data laws.

Microsoft executive vice president and general counsel Brad Smith has been barnstorming the globe, calling on governments, particularly in Europe, to establish greater uniformity in how cloud computing companies are regulated. The lack of uniformity makes it difficult to establish and execute contract terms and conditions with international customers.

"Governments must take steps to ensure that existing regulatory frameworks are suited to the cloud," he said in one of his earliest blog posts on the subject, nearly three years ago. Smith insists that cloud computing's potential to spur economic growth depends on governments getting involved in developing "more balanced and predictable rules governing cloud vendors" and facilitating easier movement of data across borders while maintaining legal protection for consumers.

From the ITIF's view, the need to resolve data handling rules goes beyond cloud computing and to the larger issue of international trade, which increasingly depends on the free movement of data around the world.

"What people don't realize is this isn't something technology companies can address by themselves," Castro says. "There's a tremendous economic impact if governments don't get involved in dealing with data protection laws -- or worse, take an isolationist's approach to Internet governance and trade."

Wyatt Kash is editor of InformationWeek Government. He has been covering technology trends in government since 2004.

Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
12/18/2013 | 10:30:31 AM
Re: Who has access to what?
The complexities are immense, and getting more so.  Reminds me of what Amazon (the retailer vs the web services provider) faces in dealing with 50 state tax laws and the finer points of having a physical presence.  In this case, it would be like trying to decide whose laws apply depending on A) who bought the product + who made the product + who shipped the product + who invoiced the product + who carried the product + which distribution centers and trucks did the product sit in during transit + who received the product, etc.

The document from ITIF mentioned here helps frame this more clearly. Check it out at:  http://www2.itif.org/2013-false-promise-data-nationalism.pdf

User Rank: Author
12/13/2013 | 6:41:05 PM
Ulf Mattsson, thanks for sharing your observations about tokenization as an approach to data privacy, and referencing the report from the Aberdeen Group, that indicated "...Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". We'll have to explore that further.

User Rank: Author
12/13/2013 | 6:36:44 PM
Re: MS' stake?
Microsoft, as you know, has a huge stake in the future of cloud adoption, as one of the world's leading cloud computing service providers, both in terms of its global infrastructure as well as its SaaS and PaaS platforms that operate in -- and carry data across - the cloud, ie. Office 360 and Azure.  I can't speak for Smith. But I think his point would likely be, greater uniformity would help enterprises move to the cloud sooner. True, that lifts the tide for all boats, including Amazon and  Google.  But a boat the size of Microsoft is clearly going to benefit.

Lorna Garey
Lorna Garey,
User Rank: Author
12/13/2013 | 1:15:49 PM
MS' stake?
Wyatt, Why has Microsoft dispatched Smith on this barnstorming tour? What's its big stake in establishing greater uniformity in how cloud computing companies are regulated? Yes, it will help with international contracts, but it seems of equal or greater benefit to Amazon and Google.
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll