In September 2011, Dutch Security and Justice Minister Ivo Opstelten told the parliament that U.S. companies would be excluded from bidding for IT services contracts because of fears that the U.S. Patriot Act may allow data to be compromised. Royal Dutch Shell Plc, Europe’s largest oil company and one of Microsoft’s biggest clients in the region, last year decided to store its data in Germany with T-Systems, while leaving Microsoft to run software applications. And German authorities are considering rules to prevent U.S.-based firms from bidding for cloud solutions in Europe. These examples demonstrate that protectionism is now treading on unconventional turf and impacting the cloud computing industry.
The issues around localization are not new, but the nature of cloud computing certainly amplifies them. One key looming question is whether the jurisdiction of the data's source still applies when the processed data is stored in the cloud in another jurisdiction.
Ideally, the laws governing the data at its source should travel with the data anywhere and supersede all other local laws. In fact, the U.S. government, under the Obama administration, proposed cyber security legislation with the explicit objective of barring local jurisdictions from requiring location of data processing facilities in their local area. The administration’s proposal stated:
“The Federal Government has embraced cloud computing, where computer services and applications are run remotely over the Internet. Cloud computing can reduce costs, increase security, and help the government take advantage of the latest private-sector innovations. This new industry should not be crippled by protectionist measures, so the proposal prevents states from requiring companies to build their data centers in that state, except where expressly authorized by federal law.”
And the US-EU Safe Harbor – a streamlined process for U.S. companies to comply with the EU Directive 95/46/EC on the protection of personal data – is a step in the right direction to establish guidelines around localization rules.
The Safe Harbor Privacy Principles – to which U.S. companies registering their certification must adhere – are:
- Notice – Individuals must be informed that their data is being collected and about how it will be used.
- Choice – Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
- Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
In theory, companies that are certified under the Safe Harbor should be able to seamlessly provide cloud services in Europe and the United States.
However, I do not believe these measures go far enough, as there will still be many groups that leverage protectionism to stifle growth using data protection concerns as a basis. But these data security issues can be mitigated by contracts between vendors and buyers where the laws governing the data should travel with the data and by creation of an open standards-based cloud infrastructure that can be embraced by regulators in the United States and European countries.
Localization rules should not be the justification to create barriers to cloud adoption or squelch healthy competition. Further, this type of turf war has implications beyond cloud adoption; it could also set a bad precedent that could easily seep into other areas, such as networking hardware or storage sales, where it can also encourage protectionist sentiments.