Cloud computing as the new standard in online data management: how the shift in data handling technologies for the web has also altered the focus in regulatory principles under EU and US law.

Xenofon KONTARGYRIS PhD Candidate in Cloud Computing Regulation / Research Associate, Jean Monnet Chair for European Constitutional Law and Culture, School of Law, Aristotle University of Thessaloniki, Greece [email protected]

Lina PAPADOPOULOU Ass. Professor, Jean Monnet Chair for European Constitutional Law and Culture, School of Law, Aristotle University of Thessaloniki, Greece [email protected]

Abstract

The paper aims to provide an illustrative overview of the current perceptions in European Union and US law on how to effectively transition from the legal framework governing online data management before the introduction of cloud computing technologies to the new environment being shaped today with the rapid expansion of cloud computing. Starting with a technical overview of the various forms of cloud applications, the paper then concentrates on the most pressing concerns the new technology poses for regulators and discusses the main approaches to settling these matters among EU and US legislators. In particular, the most fervent issues relating to data privacy, fair competition and contract law in the cloud services market are presented along with an assessment of the maturity of the regulatory settlements proposed so far.

Keywords: cloud computing, privacy, security, competition, law

I. Technical overview

It is often argued that technology advances much faster than life or people’s knowledge about it. An immediate result of this is the fallacious use of the term ‘cloud computing’ as a generic phrase by which all uses/applications of cloud technologies are described. This is not exactly correct. Therefore, before proceeding with the analysis of the legal challenges cloud technologies pose, a clarification of the broad picture regarding cloud applications is essential.

a. Defining ‘cloud computing’

Cloud computing has wrongfully been established in daily jargon as the term encompassing the whole spectrum of cloud technologies and the applications/uses of them.


EUTIC 2013

However, if we tried to give a comprehensive definition of cloud computing (standing for cloud technologies), we could say that cloud computing is “a colloquial expression that refers to a variety of different types of computing processes that involve a large number of computers connected through a real-time communication network (typically the Internet)” [1]. In other words, cloud computing is a jargon term without a commonly accepted, unambiguous scientific or technical definition. The popularity of the term is mainly due to its use in marketing campaigns for hosted services in the sense of provision of application services that run client server software on a remote location. When used in a strictly scientific context, cloud computing describes distributed computing over a network and stands for the ability to simultaneously run a program on several computers connected to each other.

a. What cloud technologies are really about

Cloud technology applications are basically divided into two major groups, depending on the kind of processes (i.e. the tasks) performed ‘away’ from the end user’s device, that is, on the distant server where the service used each time is hosted [2]. These groupings are cloud storage services and cloud computing services.

‘Cloud storage services’ refers to saving data to an off-site storage system maintained by a third party. Instead of the users storing information on their computer's hard drive or other local storage device, they save it to a remote database. The Internet provides the connection between the end users’ computers and the database [3]. A simplified depiction of a cloud storage arrangement is as follows:

[Figure: simplified depiction of a cloud storage arrangement] [4]

[1] Carroll M., Kotzé P., Merwe van der A., 2012, “Securing Virtual and Cloud Environments”; In: Cloud Computing and Services Science, Service Science: Research and Innovations in the Service Economy, edited by I. Ivanov et al., Springer Science+Business Media, LLC
[2] Hickins M., "Cloud Computing Gets Down to Earth." eWeek, January 21, 2008. p. 14
[3] O’Brien J. A., Marakas G. M., Computer Software. Management Information Systems 10th ed., 2011, p. 145, McGraw-Hill/Irwin
[4] Strickland J., How cloud storage works?, 2008 [Accessed on-line on site: http://computer.howstuffworks.com/cloud-computing/cloud-storage.htm, date accessed 21/09/2013]


‘Cloud computing services’ refers to the practice of using a network of remote servers to store, manage, and process data, rather than a local server or a personal computer. Cloud computing relies on sharing resources to achieve coherence and economies of scale similar to a utility (like, for instance, the electricity grid) over a network. At the foundation of cloud computing is the broader concept of converged infrastructure and shared services [5]. The cloud also focuses on maximizing the effectiveness of the shared resources [6]. Cloud resources are, as a rule, not only shared by multiple users but they are also dynamically re-allocated as per demand; thus a cloud server can shift resources to different tasks, types of processes, even time zones in order to achieve an optimal allocation of processing means as well as energy [7, 8]. A simplified depiction of a cloud computing arrangement is as follows:

[Figure: simplified depiction of a cloud computing arrangement] [9]

[5] Mell P., Grance T., "The NIST Definition of Cloud Computing; Recommendations of the National Institute of Standards and Technology", National Institute of Standards and Technology [Accessed on-line on site: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf date accessed 21/09/2013]
[6] Naone E., "Computer in the Cloud." Technology Review, Sept. 18, 2007 [Accessed on-line on site: http://www.technologyreview.com/Infotech/19397/?a=f date accessed 21/09/2013]
[7] Carr N., "'World Wide Computer' is on horizon." USA Today. February 25, 2008
[8] McAllister N., "Server virtualization." InfoWorld. Feb. 12, 2007 [Accessed on-line on site: http://www.infoworld.com/article/07/02/12/07FEvirtualserv_1.html date accessed 21/09/2013]
[9] Strickland J., How cloud storage works?, 2008 [Accessed on-line on site: http://www.howstuffworks.com/cloud-computing/cloud-computing.htm, date accessed 21/09/2013]

II. Benefits and drawbacks of cloud technologies

a. Gains from the introduction of cloud applications

As with all technological breakthroughs, cloud technologies come with both advantages and concerns. In particular, cloud storage has brought with it numerous advances over traditional data storage. For starters, if you store your data on a cloud storage system, you can access that data from anywhere as long as you have Internet access. In fact, with the right storage system, you could even allow other people to access the data, turning a personal database into a collaborative project [10].

Similarly, cloud computing applications also come with undoubted advantages for end users. Most importantly, clients are able to access their applications and data processed through them from anywhere at any time. They can have immediate access to the cloud computing system via any computer connected to the Internet. Cloud computing is bound to bring down hardware costs or the need for advanced hardware on the client side [11].

From a corporate point of view, companies that rely on computers will not have to buy a set of software or software licenses for every employee anymore once they switch to cloud applications. Instead, the company only pays a metered or flat rate fee to a cloud computing provider. Companies with massive storage needs currently even rent physical space to store servers and databases because they don't have it available on site. Cloud computing offers these businesses the option of storing data on someone else's hardware, removing the need for vast physical space on the front end. Corporate cloud computing users might even save money on IT support given that streamlined hardware, at least in theory, has fewer problems than a network of heterogeneous machines and operating systems.

Provided that the cloud computing system's back end is a grid computing system, then the client could take advantage of the entire network's processing power. It is not uncommon for scientists and researchers to work with calculations so complex that it would take years for individual computers to complete them.
On a grid computing system, the client could send the calculation to the cloud for processing through the processing power of all available computers on the back end, significantly lowering the calculation time [12].

b. The concerns raised from cloud computing applications [13]

The two primary concerns about cloud storage are reliability and security. To secure data, most systems use a combination of techniques, which, however, apart from ensuring high levels of security for the data they store for their clients, also become the root of a series of legal concerns. The most important tools to ensure security for cloud services include:

• Encryption, i.e. the use of a complex algorithm to encode information stored on the service's data hubs [14].
• Authentication processes, i.e. requiring front end users to create a user name and password in order to gain access to the application's management interface and modify their data/profile etc. [15].
• Authorization practices, which usually consist of the client listing the people who are authorized to access information stored on the cloud system. Big scale corporate users have multiple levels of authorization allowing for different extent of access to data stored on a cloud system for each one of their users/employees depending on their hierarchical status, the tasks they are supposed to perform etc. [16].

[10] Markoff J., "Software via the Internet: Microsoft in 'Cloud' Computing." New York Times. Sep. 3, 2007, p. C1
[11] "Report sees big shift in IT delivery." IT Week. London. Nov. 5, 2007
[12] Swanson B., Gilder G., "Unleashing the 'Exaflood.'" Wall Street Journal. Feb. 22, 2008, p. A15
[13] Millard C., 2011, “Cloud computing: identifying and managing legal risks”, Google/Oxford Internet Institute [Accessed on-line on site: http://www.slideshare.net/CloudLegal/millard-cloudcomputingkey-legal-and-regulatory-challenges-oiigoogle-lecture-brussels-feb-2011 date accessed 21/09/2013]
[14] Brodkin J., “Gartner: Seven cloud-computing security risks”, Network World [Accessed on-line on site: http://www.idi.ntnu.no/emner/tdt60/papers/Cloud_Computing_Security_Risk.pdf date accessed 21/09/2013]
[15] Id. 13

Even with these protective measures in place, many worry that data saved on a remote storage system is vulnerable. Trying to fight off this quite credible belief, cloud storage companies invest a lot of money in security measures in order to limit the possibility of data theft or destruction. Reliability is just as important as security, as an unstable cloud storage system is a liability. While most cloud storage systems try to address this concern through redundancy techniques, there is still the possibility that an entire cloud storage facility could crash and leave clients with no way to access their stored data. However, as cloud storage companies live and die by their reputation, it is logical that they invest vast amounts of capital to provide the most secure and reliable service possible.

The biggest challenges raised by the introduction of cloud computing applications are security, as with the points made above about cloud storage applications, and privacy. The pressing issue for privacy is predominantly rooted in the very nature of cloud computing services, i.e. their permitting users to access them and their data from wherever they are. This feature raises great stakes for cloud service providers to take every measure possible to secure an uncontested level of privacy for their users.

Last but not least, cloud technologies also affect a great deal of neighboring economic and regulatory fields, such as the security of the data stored on cloud facilities, the change of balance cloud services bring about in several markets, i.e. the market for hardware, IT maintenance and support (and the potential breaches of fair competition in these markets) and also the penal responsibilities in case of criminal acts facilitated through cloud technologies or the data circulating through them and who can be held responsible for them [17]. With the exception of the last field (which is in itself too vast and merits specialized study), in the following chapters of this paper we will examine some of the primary issues cloud technologies raise in the regulatory sectors described above.

[16] Id. 13
[17] "The future of IT? It's not all bad news, Nick Carr says." Network World. Jan. 14, 2008. Vol. 25, Iss. 2. p. 8

III. Data protection and privacy: what cloud computing fundamentally alters

Cloud computing is primarily about moving digitalized information around the web. The huge bulk of this information usually also qualifies as personal data, bearing details about people’s identities, addresses of residence, personal finances etc. Expectedly, one of the primary concerns raised along with cloud applications is how secure these transfers are. However, the response to this question greatly varies depending on the structure of each computing service, the path the data circulated through a cloud application follow and the technical maturity of the service.

The starting point of any discussion regarding privacy in the cloud must be the understanding that several forms of cloud services are in their infancy. In other words, many times we are dealing with immature technological structures [18]. As a consequence, in both the European and the US market, operators of such cloud computing structures must undertake appropriate Privacy Impact Assessments (PIAs) before launching their product [19]. These PIAs are, for the moment, more of a necessity developed from the market than officially institutionalized by law [20]. This market call for guaranteed privacy has been illustratively expressed in several briefing papers circulated by the OECD, which echo the voice of the markets on both banks of the Atlantic: “Companies that wish to provide Cloud services globally must adopt leading-edge security and auditing technologies and best-in-class practices. If they fail to earn the trust of their customers by adopting clear and transparent policies on how their customers’ data will be used, stored, and protected, governments will come under increasing pressure to regulate privacy in the Cloud.” [21]

The legal perceptions established about data management through the cloud are heavily affected by one very decisive factor: whether the data flow is domestic or transborder. Domestic data flows through the cloud can be defined as data transfer or modification via cloud services which are hosted on servers within the same jurisdiction as the end user’s operating machine (i.e. laptop or other similar device). In this case, regulatory principles in the US and the EU remain principally the same, as the path data follow does not essentially differ from the assumption used for the regulatory structures governing online data management before the introduction of cloud technologies.

In particular, online data legislation (for issues of privacy, security and service reliability) in the EU and the US in the pre-cloud era was formulated around the notion that data were introduced online by the end user from a specific physical point within a specific market, hence a specific jurisdiction, and were stored in their entirety at a service facility, i.e. storage hub, which was also in a specific point within a specific jurisdiction. So long as this jurisdiction is the same for the entry and storage points, no significant change in regulatory principles should be expected. Therefore, even in the cloud era, the main issues regarding online data circulation through ‘domestic clouds’ remain the following:

• is the collection of data carried out in an appropriate manner;
• is the data used appropriately;
• is the data disclosed only where disclosure is appropriate;
• is the data stored and transmitted safely;
• how long will the data be retained for;
• what are the circumstances under which the data subject can access and correct the data; and
• is the data subject sufficiently and appropriately informed about these matters? [22]

[18] Cavoukian A., “Privacy in the Clouds: A White Paper on Privacy and Digital Identity”, Information and Privacy Commissioner of Ontario 2009 [Accessed on-line on site: http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf date accessed 21/09/2013]
[19] Gellman R., ‘Cloud Computing and Privacy’, presented at the World Privacy Forum, 2009 [Accessed on-line on site: http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf date accessed 21/09/2013]
[20] Mather T., Kumaraswamy S., Latif S., Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, 2009, O'Reilly Media
[21] “OECD Briefing Paper for the ICCP Technology Foresight Forum”, 14 October 2009 [Accessed on-line on site: http://www.oecd.org/dataoecd/39/47/43933771.pdf date accessed 21/09/2013]

As far as Europe is concerned, the EU has, already since the pre-cloud era, achieved a considerable level of efficacy in the field of data privacy; the Data Protection Directive [23] is in full application throughout all Member States while the EU countries are also signatories to the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and correspondence," subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence, essentially covering also data and correspondence circulated via the Internet.

In the US, on the contrary, the introduction of cloud technologies has caused widespread controversy as to the rules applicable in the field of data privacy even in the case of domestic data transfers through clouds [24]. This is due to the fact that the field of online privacy and data circulation is an area largely regulated by the States themselves instead of the federal government [25].

When it comes to transboundary movement of data with the use of cloud technology services, both Europe and the US currently face a growing number of regulatory challenges. In Europe, the Data Privacy Directive is largely constructed on the assumption that data circulating the web are moving from one EU jurisdiction to another (or others but still within the EU) or, at the greatest extreme, from within the EU to a specific third jurisdiction (and one with which, preferably, the Community has a bilateral treaty regarding online data) [26]. Similarly, the State-oriented pre-cloud era US legislation on online data and privacy leaves great loopholes now with the advent of cloud technologies.
So far, the most common grounds for determining jurisdictional prevalence were, usually, where the data ended up [27], i.e. where the servers hosting the service used were located, or, exceptionally, where the data originated from [28, 29]. However, the very essence of cloud computing is the ultimate exploitation of resources located across various latitudes worldwide. As a result, all of the above regulatory structures are practically void, not to mention the great shake-up the notion of online privacy recently faced across the Atlantic, in light of the NSA scandal, otherwise often quoted as ‘the Edward Snowden case’ [30].

[22] Jansen W., Grance T., "Guidelines on Security and Privacy in Public Cloud Computing", National Institute of Standards and Technology [Accessed on-line on site: http://csrc.nist.gov/publications/nistpubs/800144/SP800-144.pdf date accessed 21/09/2013]
[23] Officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
[24] Dannatt G., 2012, “How Cloud Computing Complicates the Jurisdiction of State Law” [Accessed on-line on site: http://www.printfriendly.com/print/v2?url=http://www.eir.info/2012/09/14/howcloud-computing-complicates-the-jurisdiction-of-state-law/, date accessed 21/09/2013]
[25] Segall S., Jurisdictional Challenges in the United States Government's Move to Cloud Computing Technology, 23 Fordham Intell. Prop. Media & Ent. L.J. 1105
[26] Vaciago G., 2012, “Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics”, IARIA 2012 [Accessed on-line on site: http://goo.gl/sQwtt date accessed 21/09/2013]
[27] Often quoted as ‘Jurisdiction of destination’
[28] Often quoted as ‘Jurisdiction of source’
[29] Reed C., 2010, “Information 'Ownership' in the Cloud”, Queen Mary School of Law Legal Studies Research Paper No. 45/2010 [Accessed on-line on site: http://ssrn.com/abstract=1562461, date accessed 21/09/2013]

Wary as they may have been of cloud technologies and their rapid expansion in most online applications, the peoples of the EU and the United States had been traditionally assured that government agencies were their ‘guardian angels’ against ICT tycoons, such as Facebook or Google, by strictly monitoring how the latter made use of, commercialized and exploited personal information accumulated by their users on their servers. Bitterly, as it turned out a few months ago, this ‘safety guarantee’ was more of a fallacy as, primarily in the USA, government watchdogs ‘traded’ the ‘approved privacy-wise’ certification of these companies in exchange for direct governmental access to the information users accumulated on their servers. This troubling turn of events has in fact fueled the regulatory trends now prevailing in Europe and the States, although, of course, things are still at the stage of academic discourse or, even less, at the stage of exchange of different approaches among stakeholders.

In Europe, following a tradition of trying to stand above the US in delicate matters, such as online privacy, interested parties are increasingly promoting the idea of ‘European cloud computing services’ [31], i.e. the creation of such a regulatory landscape that will encourage either EU-headquartered firms to offer cloud services to the continent or existing global players to set up subsidiaries legally and physically within EU territory in order to offer their services to European clientele adhering to the EU legislation. From a teleological point of view, however, it is easy to realize that the promoters of such an idea are essentially trying to adapt cloud technologies to the geographical and regulatory boundaries preceding technologies used to be confined in.
Although it is too early to draw any conclusions, such a veiled attempt to set up land or market boundaries to cloud technologies will probably fail, if it is not already outdated given the extent to which cloud services have already penetrated the online world.

On the other hand, the US have forced themselves to a change of policy towards transparency, as far as online regulation is concerned. In America’s rapidly growing online multi-billion business the standard used to be, more or less, ‘let consumption grow and just keep people assured that they are safely roaming the Internet; they are OK with that’! However, latest developments have forced the US government itself to put on the table a new doctrine of ‘transparent governing of online services’ [32], promising that, in the future, equal attention will be paid not only to imposing on ICT businesses strict regulatory patterns but also to making sure these are actually respected and also that the responsible authorities themselves do not turn a blind eye to malpractices such as the ones exposed by the ‘Snowden case’. However, if one attempts to turn words into reality, the only way to effectively keep the above promises would be to have ICT firms from now on working within specific boundaries, i.e. only where the US have direct jurisdiction or where there is a bilateral cooperation in the field of ICT effectively permitting the USA to extend their regulatory arm. An initial assessment of this new doctrine shows it will be too hard to implement for the same reason as previously stated in the case of Europe: cloud services have already penetrated the ICT market to a point beyond return and are totally oblivious to such restrictions as geographical borders or markets [33].

[30] Greenwald G., MacAskill E., "NSA Prism program taps in to user data of Apple, Google and others", The Guardian, June 6, 2013 [Accessed on-line on site: http://www.theguardian.com/world/2013/jun/06/us-techgiants-nsa-data date accessed 21/09/2013]
[31] “Europe pushes own digital ‘cloud’ in wake of US spying scandal” 29 August 2013, euractiv.com [Accessed on-line on site: http://www.euractiv.com/infosociety/prism-cloud-european-silver-lini-news-530004 date accessed 21/09/2013]
[32] Gorman S., Lee E. C., Hook J., “Obama Proposes Surveillance-Policy Overhaul”, 9 August 2013, The Wall Street Journal [Accessed on-line on site: http://online.wsj.com/article/SB10001424127887324522504579002653564348842.html date accessed 21/09/2013]

IV. Cloud technologies, fair market competition and reliability

ICT has been among the most innovative and ever-evolving domains of human intellect right from its start. Its very nature, i.e. conceptualizing new methods of performing conventional tasks more quickly, in a mechanized manner and without constraints of a time or geographical nature, offered great added value to people’s lives and, therefore, pushed progress in the domain at a strikingly faster pace than any other sector of human activity. This, however, meant that early players in the ICT market benefitted from extremely positive economies of scale, profit margins and, consequently, liquidity that allowed them to fortify their infrastructure to a great extent. Having secured a considerable position in the market was not enough, though, to ensure that they would also lead the road to innovation. ICT subsectors, such as cloud computing, were increasingly pioneered by start-ups, i.e. small scale businesses that were put together by visionary entrepreneurs who possess bright ideas for future IT services but, nevertheless, lack the capital to directly compete with traditional ICT tycoons. Therefore, the market for cloud computing services poses certain challenges EU and US regulators need to tackle:

a. Barriers to entry

Given the landscape above, new companies primarily focused on the provision of cloud services find it particularly hard to enter the market [34]. Or, even if they manage to do so, they succumb at some point to some hard-to-resist buy-out offer by one of the heavy players around. This in turn keeps consumers’ concerns about security, fair pricing etc. always on the rise.

From the European perspective, although the matter has not yet been examined in the context of a purely cloud computing technologies case before the Court of the European Union (CEU), we could credibly suppose that the observations and firm stance adopted by the Commission in face of other big ICT legal disputes will also apply in the field of cloud computing [35].
On the other hand, US regulators have so far been very reluctant to intervene in the market transformations (buy-outs, mergers etc.) in the ICT sector. This does not seem to change either in the specific case of cloud computing services, as demonstrated by recent developments [36].

[33] Sotto J. L., Treacy C. B., McLellan L. M., 2010, “Privacy and Data Security Risks in Cloud Computing”, Electronic Commerce & Law Report, 15 ECLR 186
[34] Kepes B., “Barriers To Entry – Overcoming The Cloud Cost Conundrum”, 9 October 2012, Rackspace.com [Accessed on-line on site: http://www.rackspace.com/blog/barriers-to-entry-overcoming-the-cloud-costconundrum/ date accessed 21/09/2013]
[35] Almgren T., “Barriers to market entry and EC Competition law”, Ekonomiska institutionen Magisteruppsats, Affärsjuridiska programmet [Accessed on-line on site: http://www.divaportal.org/smash/get/diva2:19800/FULLTEXT01.pdf date accessed 21/09/2013]

b. Service reliability of new entrants against competitors

As previously mentioned, most cloud computing services are destined to handle crucial data of their users. Therefore, since the early steps of the cloud services market, regulators have pushed for cloud service providers to undertake tough performance assessments in order to prove themselves secure enough to handle their customers’ sensitive information. However, passing these performance assessments usually requires a high level of infrastructure, resilient staff and security protocols that cost huge sums of money to put in place. On the other hand, as demonstrated above, most of the frontrunners in the cloud services market and those offering pioneering or quickly adopted services are start-ups, which, in principle, do not even begin with their own infrastructure, let alone having the liquidity to implement right from the start all safeguard technologies that long-existing ICT tycoons possess. Consequently, fair competition in the market is again at risk as new entrants face this reliability doubt against their bigger and better prepared competitors.

From a regulatory point of view, neither Europe nor the US has so far adopted a specific framework trying to balance this head start big ICT providers have over start-up pioneers in the cloud market. Probably, this is the best non-intervention regulators from either of the two markets have taken so far: they just let markets operate on their own and assimilate innovation, whenever there is a need for further capital or facilities in order to take the next step.

V. Cloud computing and consumer protection through framework contracts: has the desirable degree of protection been achieved? [37]

The pace at which cloud applications advanced and were adopted by consumers has proved to be much faster than the progress at which relevant contract law could develop, formulating the necessary principles and provisions that would ensure a lawful relationship between service providers and consumers. Until now, there are two main conclusions that could be drawn in this matter38: a. big-size cloud service providers have the possibility to unilaterally propose contracts for their services to customers given their popularity and consumers’ tendency to quickly adopt new tools launched by them without really questioning the terms and conditions on which these are made available. On the contrary, small-size cloud service providers are more cautious or even officially offer as an option the negotiation of custom contract services; sometimes, this is even a comparative advantage for them over their big competitors.

36 See, for example, the latest Instagram and tumblr buy-outs, an illustrative review of which can be found at http://nypost.com/2012/04/15/silicon-alley-now-gold-st/ [date accessed 21/09/2013]
37 Svantesson D., Clarke R., "Privacy and consumer risks in cloud computing", 2010, Computer law and security review, 26 (4), 391-397
38 McDonald S., "Legal and Quasi-Legal Issues in Cloud Computing Contracts" [Accessed on-line on site: http://net.educause.edu/section_params/conf/ccw10/issues.pdf date accessed 21/09/2013]


b. in many cases, a careful study of the terms of service (ToS) of cloud services reveals clauses currently in use, originating from the pre-cloud era, which are inappropriate or unenforceable for cloud services, and at times even illegal39.

So far, official regulators have not stated which specific changes in concept and reasoning need to be adopted so that cloud services contract law actually matches the realities of cloud service provision. However, numerous expert groups in both Europe and the US insist that framework legislation regarding cloud computing services urgently needs to be updated. Indeed, all agree that, as noted previously, ToS for cloud services need to be rearranged, overcoming the old standard that ICT service providers and their facilities were located in (a) specific place within (a) precisely determined jurisdiction(s). Bearing this in mind, the following crucial issues need to be settled in order to have more balanced and realistic ToS for cloud services in the future:

• Fairer distribution of burden in cases of loss or damage caused by failure of the cloud computing service: currently, in most cases, the service provider has minimal, or even no, liability for such instances40.

• More detailed terms on whether, and to what extent, subcontracting is permissible: as things stand now, it is not uncommon for cloud service providers to subcontract part of their tasks to third parties, making it virtually impossible, in cases of damage or loss of data, to track down who is responsible for the incident. Even if this primary responsibility is finally attributed, the complicated path data follow from the moment they leave the end user's control makes it virtually impossible to press compensation charges against a particular firm.

• Currently, given that many cloud service providers are new start-ups, it is standard to read ToS which clearly provide that the service may be modified or discontinued without cause, period of notice or liability towards users41. This is definitely a favourable condition for the way the cloud market moves, i.e. with quick buy-outs of successful start-ups by big-size ICT firms, but it often leaves customers exposed to adverse conditions such as those described above. Therefore, a fair adjustment needs to be made in this respect, so that the consumer is protected against arbitrary business moves on the part of the firms.

• For the moment, customers have limited or no ability to recover data following termination of service when it comes to cloud services. This is the case whether the user chooses to terminate use of the service himself or the service provider stops operating as a result of termination of business, buy-out, change of business scope etc. Oddly enough, this is also the case for huge companies working on cloud computing standards, such as Facebook, where deleting someone's profile does not immediately mean that the data stored on the provider's servers are also removed. Understandably, such practices raise consumers' concerns regarding their safety when using these services, and regulators both in Europe and the US have realized they need to press the market for respective adaptations in this matter.

39 Kuan Hon W., Millard C., Walden I., "Negotiating Cloud Contracts; Looking at Clouds from Both Sides Now", 16 Stan. Tech. L. Rev. 81 (2012)
40 Id 33
41 Id 33

EUTIC 2013

VI. Conclusion

Summing up all observations made so far, one could draw the following concluding remarks regarding the regulatory approach the EU and US take in the field of cloud technologies:

• Regulators need to assimilate one fundamental characteristic of cloud computing applications before they can effectively produce legislation about it: this new way of online data handling is not determined or confined by geographical borders, physical installations, jurisdictions or national and regional markets.

• Consequently, this regulatory field needs a totally different perspective from those taken on any law sector to date; public authorities as well as private stakeholders with vested interests in the cloud computing market need to put forward their ideas regarding effective governing of this market, bearing in mind its suprageographical nature.

• These preconditions for effective governing of the upcoming cloud economy naturally presuppose a more liberal approach to the issues at hand both in Europe and in America; so long as regulatory efforts are not 'liberated' from basic assumptions stemming from the pre-cloud era, no efficient management of cloud technology and its vast applications can be truly achieved.
