Legal troubles on the horizon for Cloud Computing in the EU?
One of the blogs I most enjoy reading these days is McGarr Solicitors. They seldom fail to produce posts which are clever, in the best sense of that much-abused word. Whether it’s pointing out that NAMA is illegal under EU legislation or pointing out that what you read in a Dail transcript is not what was actually said in the Dail on the day, they always manage to quietly, without much fuss, drop a mental hand grenade on the conference table.
Today’s post is no exception. Cloud computing has become one of the central buzzwords in the IT industry, or at least the web-based portion of it. However, until now, I only know of one case (which I cannot disclose details of) where the ambigous physical location of the data storage device being used by the cloud was an issue; and I’ve not yet come across a case where the physical location of the processors in use was an issue.
The problem lies in the fact that despite the point that some EU member states have a fetish for CCTV cameras and observing every waking moment of their citizens, there remain EU laws on the security of personal data as held online. And if that data is sent to another jurisdiction, with different laws, it’s possible for that data to be comprimised legally in that jurisdiction but illegally in the jurisdiction of the company who transferred that data to the Cloud and thus into the hands of those who comprimised it. And while legal action against (for example) the US is unlikely, prosecuting the offending company in the EU is quite viable.
Given the presence in Ireland of the three main players in the Cloud game (Google, Amazon and Microsoft), this is an issue that we’re going to run headlong into in the years to come. As I see it, we have two solutions – change the code or change the law.
Frankly, I think we’ll all have moved to something better than the Cloud by the time we’d have the law changed 😀
So are we about to see features like “sticky bits” or analogues of them start appearing for the Cloud? And at that point, is it even the Cloud anymore?
And how much of an issue is this likely to be in practical, day-to-day terms? As McGarr puts it:
The Irish Data Protection Commissioner’s office is under-resourced, having only a handful of investigations officers for the entire country. It is hardly likely that he will prioritise clamping down on cloud computing providers who are creating high-value employment in Ireland. Nonetheless, for Irish entrepreneurs and IT professionals who are considering taking the cloud computing route , it is important that they do so with an awareness of the difficulties it could throw up later in a due diligence situation.
Buying or selling a company is like a house purchase. Before the buyer closes the deal, they’re going to want to be reassured that the last owner didn’t do anything that might see them inheriting a legal headache. It may only be when the first wave of early-adopter companies start to be acquired that we will get a clear picture of the full cost of moving to cloud computing.
As I said, McGarr blog posts rarely fail to make you think anew on their topic…