One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

QMUL Cloud Legal Project

Wednesday, June 6, 2012 - 10:42

An interesting series of papers on legal issues of cloud computing is being published by Queen Mary, University of London. The following are my summaries – any errors in them are my fault, not that of the authors.

I was particularly struck by Professor Chris Reed’s paper on “Information Ownership in the Cloud”, which points out that, while information on paper is protected by property law, converting that information to digital form means it is instead protected by a variety of intellectual property laws, which may not always produce the same results. In particular, to be protected by copyright a digital work must involve some degree of creativity so, for example, a computer-generated report may fail this test. European law does provide an additional database right that protects collections of information provided they involve a significant amount of effort to produce. Finally, between a cloud service provider and their customer there is likely to be a duty to keep information confidential. Each of these rights is created when and where the information itself is created, so information that either the customer or the provider places into the cloud will usually arrive with the protection of its “home” jurisdiction. However, for information that is created within the cloud service – for example generated reports or usage histories, which may be of considerable commercial value – the situation is much less clear. It is possible that this new information acquires only the protection provided by the jurisdiction where it is created, so if a cloud is outside Europe then information will not be protected by database right and even within Europe different thresholds of creativity may be required to benefit from copyright. This, of course, assumes it is even possible to determine the location where particular cloud processing took place, which may be difficult in a globally distributed system! The paper therefore suggests that since it may be risky to rely on the law reaching the expected conclusion in any dispute, such matters should be explicitly covered in the contract between the service provider and the customer. However, such a contract can only bind those two parties, unlike copyright or database right, which are binding on anyone who may obtain the information.

Simon Bradshaw's "Terms of Service Analysis for Cloud Providers" examines the standard contracts provided by a number of well-known cloud services and concludes that these may contain surprises for the unwary. It seems it is important to check what service providers actually promise to deliver, rather than assuming that it will be what you expect.

Professor Ian Walden points out in "Law Enforcement Access in a Cloud Environment" that international cloud services will further strain processes for international investigation by law enforcement agencies. Formal processes for mutual legal assistance tend to operate at real-world speed and assume that the relevant foreign jurisdiction can be identified. The resulting problems for internet investigations have, to some extent, been covered by the development of informal processes by law enforcement and service providers. However, the increase in such investigations with the rapid adoption of the cloud model raises concerns both that these may not strike the right balance between privacy and protection and that they may not produce reliable evidence.

Kuan Hon considers in "Personal Data in Cloud Computing: What Data is Regulated?" how European Data Protection law might apply to cloud computing, concluding, like me and the Information Commissioner, that the simple binary distinction between personal data and not personal data is no longer adequate, and proposing instead that regulation be based on the risks that an individual will be identified and that their privacy will be harmed by this. A second paper, "Who is Responsible for Personal Data?", considers how the definitions of “data controller” and “data processor” might fit the situation where a cloud service runs on a separate cloud infrastructure (e.g. Dropbox running on Amazon EC2) and concludes that the infrastructure provider may fall into one of these roles unknowingly as a result of the actions of their service provider customers. Rather than requiring all providers to behave like data controllers just in case this happens, she suggests that they be treated more like neutral intermediaries under the Electronic Commerce Directive, only having to adopt an appropriate data protection role if they act in a way that gives them both knowledge and control of the processing of personal data. The primary responsibility for data protection should remain with the organisation that knowingly collects, stores and processes that personal data.