International cloud regulations: the right approach?
Mon 4 Jan 2021
A cohesive cloud regulation strategy is necessary to avoid regulatory conflict, safeguard sensitive data, and protect consumers, writes Nicole Capella
The U.S. government is reportedly considering an executive order that would give the Commerce Department unprecedented powers in restricting international operations of U.S. cloud companies.
If passed, the Commerce Department could prohibit companies like Amazon and Google from partnering with foreign companies that provide a ‘safe haven’ to hackers, and prevent those companies from doing business in the U.S. It would also require companies to retain personal data of foreign customers, which could further complicate international cloud operations.
Cloud computing supports business operations in a globalised environment, by freeing companies from the need to retain data and manage processes in an on-premises data centre. However, with different countries creating their own regulations governing cloud in their country and internationally, issues are bound to arise.
First, are these types of regulations effective? Can they help to protect data privacy and prevent cyber crime, or do they have an unduly negative impact on trade? And second, if there is a conflict between the regulations of different countries, how will it be decided which one has authority over the other?
To conduct business internationally, a company must sometimes be able to send data from one country to another. However, cross-border data transfer is one of the primary topics of international cloud regulatory conversations.
Some countries require data to be stored locally, in data centres within country borders. Others require companies to follow strict guidelines for cross-border data transfer: for example, the European Data Protection Board (EDPB) governs which data is transferred, the tools that are used, and whether ‘onward transfers’ of the data can be applied after the first one.
In India, data can be transferred outside the country as long as it is stored within India as well. And in China, data must be evaluated for any potential risk to national security before it can be transferred outside the country.
Prevention of Cybercrime
The EU recently released an update to the Directive of Security for Network and Information Systems, known as NIS 2. The new security guidelines address new technologies, including 5G, and provide standards that can be adopted by other companies to help influence the global cybersecurity framework.
Australia, on the other hand, has stated specifically in their Cyber Security strategy that businesses must “Take responsibility for enhancing their own cybersecurity, just as they are responsible for the safety and quality of their products.” The government has made the commitment to work closely with industry in creating laws and regulations that will support businesses in these efforts, particularly in critical industries such as healthcare, utilities, and food production.
When each country is responsible for creating its own regulations, problems will arise in making the regulations work together. Where more than one regulation applies to a certain action, for example data retention, which country’s law will have supremacy over the other?
For example, if the U.S. establishes a law that states that data must be stored in-country, that may conflict with the Chinese regulation that says the same thing for China. If duplicate data is not allowed under either provision, where should the data be stored?
Interference with Business Operations
The proposed U.S. regulation would allow the Department of Commerce to prohibit partnerships between U.S.-based companies and foreign companies at the government’s discretion.
This is likely to complicate international business operations, adding a layer of approvals to potential partnerships. Moreover, administering the new regulation and changing processes can increase the costs of international business, which can affect the costs of products and services to the consumer.
International Cloud Strategies
There are a few different approaches that can be taken to create an effective international cloud strategy. One is to watch and wait: allowing countries that have already created these strategies to work as test cases, and adopting the parts of those regulations that work the best in other countries. The issue with this, however, is the urgency of protecting essential industries and private personal data from expensive, destructive cybercrime.
A better approach would be for governments and businesses to create international standards for cloud computing and security. While it would be complicated to ensure that different priorities are managed, and that everyone’s voices are heard, a cohesive strategy is necessary to avoid regulatory conflict, safeguard sensitive data, and protect the consumer from possible negative outcomes.