In short, yes, regulation can be a friend to business adoption of cloud computing, when done thoughtfully and not used as a pretext for pursuing political or competitive goals. Given the abuses seen recently, particularly in consumer-facing cloud computing, it is clear that regulation is needed to maintain consumer and business trust in cloud. And the industry is coming around to this, as some large cloud companies, such as Facebook and Salesforce, are now calling for greater regulation.
There seem to be two growing approaches to this issue:
- Laws governing data localisation.
- Laws regulating how data is used and shared.
Data localisation is the act of storing data on any device that is physically present within the specific country where the data was generated. A number of countries have recently introduced data localisation laws, most notably Russia and China, whose laws are noted for containing broad restrictions on data transfers. Most countries, though, have some limited data localisation laws, especially where national security is concerned, but other countries have gone beyond that.
Data localisation seems a somewhat blunt tool, not as thoughtful as other methods of regulating data protection, and arguably there to serve the interests of government and local business more than individual users. It also creates misperceptions that can lead companies not to pursue the best and safest available technology. And from a compliance and governance perspective, it adds complexity and cost for business, stifling the ability of business to gain the full benefits of cloud computing.
Regulation of Data
The GDPR, though, which focuses on data subject rights and the regulation of how data is used, shared and protected by business, was more thoughtful and, as a result, has spurred positive change. Prior to the introduction of the GDPR in May 2018, many wrongly stated that the GDPR required data to be kept in the EU (akin to data localisation laws). In fact, though, the GDPR was introduced as one of the pillars to support the EU’s Digital Single Market Strategy, the aim of which is to create the right environment for citizens and businesses to benefit from the “free movement of persons, services and capital ... under conditions of fair competition, and a high level of consumer and personal data protection”1. So, data localisation within the EU would arguably go against those aims, which ultimately require the free flow of data.
The GDPR does require personal data to be protected when transferred outside of the EU, and a framework has been built to ensure that data is only transferred to countries or businesses where such data can be protected, either by way of an adequacy finding or through other mechanisms, such as Standard Contractual Clauses. Consequently, many cloud computing businesses now use the GDPR as the benchmark by which they operate.
The GDPR has also influenced and perhaps even inspired wider change. We see this not only in Europe, but also in countries like India and Brazil, where laws have changed to strengthen privacy protections. Our attitudes to and expectations of privacy are changing, and laws around the world are having to catch up, but that has to be done thoughtfully. Whilst there have been many critics of the GDPR, and it certainly has its flaws in this digital age, there is a lot to celebrate, and it has certainly sparked a shift in lawmaking.
One recent and notable change is coming in the state of California, under the California Consumer Privacy Act (CCPA for short), due to take effect at the beginning of 2020, which is strikingly similar to the GDPR in certain areas. Importantly, though, it is different to the GDPR: for example, it focuses almost solely on protection of an individual’s rights (‘data subject’ rights under the GDPR). Whilst the CCPA is certainly not perfect and needs clarification and refinement, it is an important shift, especially given its location in California, the world’s fifth largest economy and the home of Silicon Valley and many of the world’s cloud computing companies. Added to this, the debate about a US federal law is accelerating, and, if done well, it will be a game changer globally.
To conclude, the most successful cloud companies are those that have made trust a priority from the beginning. Regulation is necessary and is good for business, to reinforce and maintain that trust, but only if done thoughtfully and for the right reasons.