The necessity of legally compliant data management in European cloud architectures

https://doi.org/10.1016/j.clsr.2012.05.006Get rights and content

Abstract

Taking advantage of flexible resource provisions enabled by Cloud Computing, many businesses have recently migrated their IT applications and data to the Cloud, allowing them to respond to new demands and requests from customers. However, Cloud Computing also moves functions and responsibilities away from local ownership and management to a third-party provided service, and brings with it a set of associated legal issues, such as data protection, licensing, intellectual property rights and the need to comply to necessary regulation. In this paper we evaluate commonly-observed Cloud Computing use cases against the law applying to Cloud Computing to find where legal problems may arise. We derive a general architecture for Clouds and use it to illustrate common Cloud Computing usage patterns. The use cases are assessed against evaluation criteria derived from the relevant Cloud Computing law for the data processing of end-user details and materials, including roles and responsibilities necessary for legal compliance. The Data Protection Directive of the European Union has been used in this evaluation, as it is a commonly accepted and influential directive in the field of data processing legislation.

Introduction

Cloud Computing offers on-demand access to computational, infrastructure and data resources operated from a remote source. Recently, this form of service provision has become hugely popular, with many businesses migrating their IT applications and data to the Cloud to take advantage of the flexible resource provision that can bring benefits to businesses which need to be agile and respond quickly to new demands and requests from customers. As new products and technologies are offered in the near future, Gartner estimates that in the period 2010–2015, $112 billion will be spent by businesses and individuals on Cloud Computing offerings from vendors such as Amazon, IBM, Microsoft and many others (Pring et al., 2010).

The technical motivation for Cloud Computing is introduced in Buyya et al. (2009), Vaquero et al. (2008), but at a working level Cloud solutions provide a business with the option to outsource the operation and management of IT infrastructure and services, allowing the business and its employees to concentrate on their core competencies. This, together with pay as-you-go billing that reduces the need for up-front capital expenditure, means using Cloud Computing solutions allows services to be designed and tailored to the individual requirements of a business. However, Cloud Computing also moves functions and responsibilities away from local ownership and management to a third-party provided service, and brings with it a set of associated legal issues, such as data protection, licensing, intellectual property rights and the need to comply with necessary regulation. As more and more businesses become global in their outlook, concerns also remain over privacy of widely-distributed data and its processing. Regulations focusing on geographical locations may be a large obstacle to a widespread adoption of Cloud Computing solutions by companies (Svantesson and Clarke, 2010).

As a result of the pace of technical and economic progress in this field it is therefore important to determine the compliance of commonly-observed Cloud Computing patterns-of-use to legal constraints and requirements. In this paper we provide a method for and the results of an evaluation of commonly-observed Cloud use cases against the law applying to Cloud Computing. To do this we derive a general architecture for Clouds and use it to illustrate common Cloud Computing usage patterns. To point out where problems may arise, the use cases are assessed against evaluation criteria derived from the relevant Cloud Computing law for the data processing of end-user details and materials, including the roles and responsibilities necessary for legal compliance.

To clarify legal compliance in the identified usage patterns, we consider the Data Protection Directive (Directive 95/46/EC, 1995) of the European Union – a commonly accepted and influential directive in the field of data processing legislation. This is not the first research carried out in this field, e.g., a paper by Bygrave (Bygrave, 2000) investigates the possible impact of the directive on the activities of E-commerce operators, and later a deliverable of the OPTIMIS project (OPTIMIS, 2010) (which we refer to again in Section 2) studies in detail the applicability of this directive for their own Cloud deployment models. In this paper we take a step forward and examine use cases identified in a generalized architecture compiled from reports of international expert groups and research projects.

The remainder of this paper is as follows: Section 2 presents European law applying to Cloud Computing concentrating on data processing legislation, and introduces the relevant roles and the evaluation criteria derived from the data processing legislation for common Cloud Computing use cases; Section 3 describes and analyzes several Cloud architectures and derive a general Cloud architecture that encompasses their features. Section 4 uses specific use cases of the general Cloud architecture to show where legal questions may arise, and Section 5 discusses the recent European reform and future developments in this area. Finally, the findings are summarized in Section 6.

Section snippets

Legislation applying to the Cloud

As described in the introduction, Cloud Computing allows the outsourcing of computational power, data storage and other capabilities to a remote third-party. In the supply of any goods and services, the law gives certain rights that protect the consumer and provider, which also applies for Cloud Computing: it is subject to legal requirements and constraints to ensure Cloud services are accurately described and provided to customers with guarantees on quality and fitness-for-purpose. As Section

View of the European Commission

An expert group associated with the European Commission published their view on Cloud Computing in Jeffery and Neidecker-Lutz (2010). The report categorizes Cloud architectures into five groups, as shown in Fig. 1. Private Clouds (i) consist of resources managed by an infrastructure provider (IP) that are typically owned or leased by an enterprise from a service provider (SP). Usually, services with “Cloud-enhanced” features are offered, therefore this group includes SaaS (Software as a

General usage scenarios

The federated Cloud architecture described in Section 3.6 is now explored through a series of use cases to demonstrate where legal issues can arise in this general organizational structure. In these use cases the relevant actors and their roles (summarized in Section 2.2) will be identified and the necessary actions should be defined in order to prevent violations of the directive. As we will show, there are complications when personal data is transferred to multiple jurisdictions.

The most

Recent developments and future steps in European legislation

As we have seen in the previous section, new developments in legislation regulation applying to Cloud Computing are still needed. This situation is identified by Wong in Wong (2011), who gathered related steps of the Art. 29 Working Party to revise the directive and the European Commission has also initiated a public consultation8,

Conclusion

Many businesses are considering migrating their IT applications and data to Clouds to take advantage of the flexible resource provision such systems enable. However, remote resource provision brings with it new legal issues, such as data protection, licensing and intellectual property rights. In this paper we have gathered the corresponding responsibilities necessary for legal compliance from the Data Protection Directive of the European Union, and mapped the roles it describes to

Acknowledgments

The research leading to these results has received funding from the European Community's Seventh Framework Programme FP7/2007-2013 under grant agreement 215483 (S-Cube).

Szilvia Varadi ([email protected]) University of Szeged, Department of International and European Law, Szeged, Hungary.

References (27)

  • Commission Decision no. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce

    Official Journal

    (August 2000)
  • Data Protection Working Party

    Opinion 1/2010 on the concepts of “controller” and “processor”

    (2010)
  • Data Protection Working Party

    Opinion 8/2010 on applicable law

    (2010)
  • Cited by (8)

    View all citing articles on Scopus

    Szilvia Varadi ([email protected]) University of Szeged, Department of International and European Law, Szeged, Hungary.

    Attila Kertesz ([email protected]) MTA SZTAKI Computer and Automation Research Institute, Budapest, Hungary.

    Michael Parkin ([email protected]) European Research Institute in Service Science, Tilburg University, The Netherlands.

    View full text