The rapid growth of cloud computing is forcing a shift in how law and regulation keep up with technology. A major question mark looming over the sector is the lack of standardized guidance. Cloud computing is not governed by a specific “cloud law,” and no regulation applies directly to cloud services. Instead, the legal and regulatory landscape is a matrix of different rules, as wide as the scope of the technology itself, spanning multiple industries and geographies.
Given this breadth, there has been a gradual shift away from legislative solutions and towards industry standardization as the means of closing the gap between regulation and the pace of technological innovation.
Whilst there is no direct legislation, some UK regulators, most notably in the financial services sector, have in recent years published guidance on the use of cloud technologies. This guidance focuses on how the technology can be used in compliance with existing regulatory rules. It does not set out a step-by-step process for deploying cloud services compliantly, but it does show that the regulators see no fundamental reason why firms cannot use cloud services in a regulatory compliant manner.
However, a key barrier to the wide-scale adoption of cloud solutions in heavily regulated sectors remains: there is little certainty as to exactly which standards regulators would accept. The key, it would seem, is standardization.
One example is the publication by the International Organization for Standardization of ISO/IEC 27018, covering the processing of personal data in the cloud. The standard is a direct response to one of the EU regulators’ key aims: to introduce an auditable compliance framework for cloud service providers that promotes trust and the rapid adoption of cloud computing across all sectors of the economy to boost productivity (see the European Commission’s 2012 European Cloud Computing Strategy).
ISO 27018 is the first privacy-specific international standard for the cloud. It builds on the information security controls of ISO/IEC 27002 and seeks to create a common set of security categories and controls that a public cloud service provider acting as a data processor can implement. Its aim is to help public cloud providers comply with their obligations when acting as a data processor and to be transparent with their cloud service customers. One practical point to note when a provider claims ISO 27018 compliance: it is a code of practice rather than a management-system standard, so a provider is not certified against ISO 27018 on its own. In practice, the 27018 controls are assessed within the scope of an ISO/IEC 27001 certification, and a customer should ask to see that certificate and its statement of applicability rather than relying on the claim alone.
Whilst much of the content of ISO 27018 is based on EU data protection law, the standard goes slightly further and addresses more procedural aspects. It requires cloud providers to implement policies for the return of personal data to customers and for its transfer and disposal (for example, at the point when the service comes to an end), and to subject their services to independent information security reviews at scheduled intervals, or whenever significant changes to processing occur.
Aiding customer choice
When selecting a cloud service provider, a customer needs to find one that will enable it to meet its own legal obligations. Whilst each cloud service customer must ensure compliance with the specific laws to which it is subject, one set of laws that applies to the majority of cloud customers is privacy and data protection law. Here, ISO 27018 can help customers as:
ISO 27018 provides a practical base from which to start building confidence that cloud industry players are handling personal data properly, paving the way for more clarity in legislation and regulation. For now, it is one example of an industry standard closing the gap between legal frameworks and the rapid growth of technology. If such standardization continues, law and regulation may stand a chance of keeping up with the pace of innovation.