The necessity of legally compliant data management in European cloud architectures
Introduction
Cloud Computing offers on-demand access to computational, infrastructure and data resources operated from a remote source. Recently, this form of service provision has become hugely popular, with many businesses migrating their IT applications and data to the Cloud to take advantage of the flexible resource provision that can bring benefits to businesses which need to be agile and respond quickly to new demands and requests from customers. As new products and technologies are offered in the near future, Gartner estimates that in the period 2010–2015, $112 billion will be spent by businesses and individuals on Cloud Computing offerings from vendors such as Amazon, IBM, Microsoft and many others (Pring et al., 2010).
The technical motivation for Cloud Computing is introduced in Buyya et al. (2009) and Vaquero et al. (2008), but at a working level Cloud solutions give a business the option to outsource the operation and management of IT infrastructure and services, allowing the business and its employees to concentrate on their core competencies. This, together with pay-as-you-go billing that reduces the need for up-front capital expenditure, means that Cloud Computing solutions allow services to be designed and tailored to the individual requirements of a business. However, Cloud Computing also moves functions and responsibilities away from local ownership and management to a service provided by a third party, and brings with it a set of associated legal issues, such as data protection, licensing, intellectual property rights and the need to comply with the applicable regulation. As more and more businesses become global in their outlook, concerns also remain over the privacy of widely distributed data and its processing. Regulations that depend on geographical location may be a large obstacle to the widespread adoption of Cloud Computing solutions by companies (Svantesson and Clarke, 2010).
Given the pace of technical and economic progress in this field, it is important to determine whether commonly observed Cloud Computing patterns of use comply with legal constraints and requirements. In this paper we provide a method for, and the results of, an evaluation of commonly observed Cloud use cases against the law applying to Cloud Computing. To do this we derive a general architecture for Clouds and use it to illustrate common Cloud Computing usage patterns. To point out where problems may arise, the use cases are assessed against evaluation criteria derived from the relevant Cloud Computing law for the processing of end-user details and materials, including the roles and responsibilities necessary for legal compliance.
To clarify legal compliance in the identified usage patterns, we consider the Data Protection Directive (Directive 95/46/EC, 1995) of the European Union, a commonly accepted and influential directive in the field of data processing legislation. This is not the first research carried out in this field: for example, Bygrave (2000) investigates the possible impact of the directive on the activities of E-commerce operators, and later a deliverable of the OPTIMIS project (OPTIMIS, 2010) (which we refer to again in Section 2) studies in detail the applicability of this directive to their own Cloud deployment models. In this paper we take a step forward and examine use cases identified in a generalized architecture compiled from reports of international expert groups and research projects.
The remainder of this paper is organized as follows: Section 2 presents European law applying to Cloud Computing, concentrating on data processing legislation, and introduces the relevant roles and the evaluation criteria derived from that legislation for common Cloud Computing use cases; Section 3 describes and analyzes several Cloud architectures and derives a general Cloud architecture that encompasses their features; Section 4 uses specific use cases of the general Cloud architecture to show where legal questions may arise; and Section 5 discusses the recent European reform and future developments in this area. Finally, the findings are summarized in Section 6.
Section snippets
Legislation applying to the Cloud
As described in the introduction, Cloud Computing allows the outsourcing of computational power, data storage and other capabilities to a remote third party. In the supply of any goods and services, the law gives certain rights that protect the consumer and the provider, and this also applies to Cloud Computing: it is subject to legal requirements and constraints to ensure that Cloud services are accurately described and provided to customers with guarantees on quality and fitness for purpose. As Section
View of the European Commission
An expert group associated with the European Commission published their view on Cloud Computing in Jeffery and Neidecker-Lutz (2010). The report categorizes Cloud architectures into five groups, as shown in Fig. 1. Private Clouds (i) consist of resources managed by an infrastructure provider (IP) that are typically owned or leased by an enterprise from a service provider (SP). Usually, services with “Cloud-enhanced” features are offered, therefore this group includes SaaS (Software as a
General usage scenarios
The federated Cloud architecture described in Section 3.6 is now explored through a series of use cases to demonstrate where legal issues can arise in this general organizational structure. In these use cases the relevant actors and their roles (summarized in Section 2.2) are identified, and the actions necessary to prevent violations of the directive are defined. As we will show, there are complications when personal data is transferred to multiple jurisdictions.
The most
Recent developments and future steps in European legislation
As we have seen in the previous section, new developments in the legislation applying to Cloud Computing are still needed. This situation is identified by Wong (2011), who gathered the related steps taken by the Art. 29 Working Party to revise the directive; the European Commission has also initiated a public consultation,
Conclusion
Many businesses are considering migrating their IT applications and data to Clouds to take advantage of the flexible resource provision such systems enable. However, remote resource provision brings with it new legal issues, such as data protection, licensing and intellectual property rights. In this paper we have gathered the corresponding responsibilities necessary for legal compliance from the Data Protection Directive of the European Union, and mapped the roles it describes to
Acknowledgments
The research leading to these results has received funding from the European Community's Seventh Framework Programme FP7/2007-2013 under grant agreement 215483 (S-Cube).
References (27)
- Buyya et al. (June 2009). Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems.
- Bygrave (2000). European data protection, determining applicable law pursuant to European data protection legislation. Computer Law & Security Report.
- et al. (2012). OPTIMIS: a holistic approach to cloud service provisioning. Future Generation Computer Systems.
- Svantesson and Clarke (2010). Privacy and consumer risks in cloud computing. Computer Law & Security Review.
- Wong (February 2011). Data protection: the future of privacy. Computer Law & Security Review.
- (2008). The EU data protection directive: an engine of a global regime.
- et al. (2009). Cloud computing risk assessment: benefits, risks and recommendations for information security.
- et al. (2009). An SME perspective on cloud computing. Cloud computing – SME survey.
- (2012) 11 final. Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation).
- Commission Decision no. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce. Official Journal.
- Opinion 1/2010 on the concepts of “controller” and “processor”.
- Opinion 8/2010 on applicable law.
Cited by (8)
- Cloud computing research: A review of research themes, frameworks, methods and future research directions (2018, International Journal of Information Management). Citation excerpt: “As such, calls have been made for more transparency in the billing of cloud services (Yeo, Venugopal, Chu, & Buyya, 2010). Studies on legislation seek to provide ways by which cloud computing can be supported with the right laws (Varadi et al., 2012) in order to increase confidence of adopters. Some studies (e.g., Gray, 2013; Joint and Baker, 2011) allude to the non-existence of universal laws as one challenge facing cloud computing as it defies geographical boundaries.”
- Where do countries stand in cloud computing readiness? A country-level analysis of capacity and potential (2023, Journal of Information Technology and Politics).
- Competing Jurisdictions: Data Privacy Across the Borders (2021, Palgrave Studies in Digital Business and Enabling Technologies).
- Macro factors affecting cloud computing readiness: A cross-country analysis (2020, Lecture Notes in Electrical Engineering).
- Investigation of cloud computing systems in terms of Turkey and international legislation (2018, 26th IEEE Signal Processing and Communications Applications Conference, SIU 2018).
Szilvia Varadi ([email protected]) University of Szeged, Department of International and European Law, Szeged, Hungary.
Attila Kertesz ([email protected]) MTA SZTAKI Computer and Automation Research Institute, Budapest, Hungary.
Michael Parkin ([email protected]) European Research Institute in Service Science, Tilburg University, The Netherlands.