20 September 2010

Cloud Computing discovers the Internet Border

Cloud Computing continues to take centre stage in the Internet Borders discussion, as now we see the New York Times getting the story (mostly) right. The NYT article, titled "Cloud Computing Hits Snag in Europe" is available on big screen here; mobile device users should click here.

The main problem under discussion is Data Protection law. The author mentions that a number of companies are working on technology-based solutions to comply with a blizzard of different rules, but only touches briefly on the number one challenge to Cloud Computing as we know it today: the "internationality" of a given "cloud".

The author of the NYT article correctly points out that one way to enable the "export" of personal data from the EU is to sign up to a data export agreement between an EU customer/exporter and non-EU service provider/importer. (I've helped to structure these in my legal practice.) But one important point is missed: the EU customer must AGREE to such a plan.

If the EU customer does not agree to export personal data outside the EU, then the service provider/supplier is simply not allowed to do it. This type of restriction is on the increase as more and more customers realise that their least-cost compliance strategy may be to avoid export of personal data entirely. Such requirements have become incredibly commonplace, for example, in public sector data processing contracts. It's also becoming commonplace where contracts relate to processing "sensitive" personal data, such as health records. (Cautionary note to non-EU service providers: be careful when bidding for such processing work. Check to see whether or not you will be able to use a non-domestic "cloud". Otherwise your entire profit margin could be eaten when you have to build and operate a domestic data centre.)

Prediction: I continue to believe (as I mentioned here last week) that where consumer data is concerned, the end-game for everyone concerned will be to restrict the locality where processing activity takes place. 

Prediction translated into English: Service providers will (sooner or later) be forced into a business model where (much of) European consumer data does not move outside of (and is not accessible outside of) Europe.