The Death of the Cloud
The Cloud: a concept of genius, with its nature of simplicity and powerful, soft and fluffy values. The notion underlying it is that data is held in a disembodied form that is universal, as omnipresent as the clouds which envelop the world, intermeshing and interlinking so completely that there is only one single cloud which envelopes us all in a benign, sunny-day kind of way. Look at the icon. This heat-warming conception is closely allied with the idea of the internet as an open, regulation-free area, the digital commons, where intrusive controls do not trouble the liberty and openness to new ideas and the uninhibited exchange of information, maximising the potential of mankind and the access of all to the knowledge of the past and the present. Thus enabling the glorious new future.
This glittering vision has increasingly been compromised by contact with multiple realities; we are now able, if not obliged, to speak of the grounding or indeed the death of the Cloud. There have been a number of ways in which this attractive concept has been compromised. First – moderation (some say censorship) – look at the travails of Facebook and Twitter in recent days to see that the idea of a censorship-free zone where anything and everything can be said has been constrained by political interventions, events like the Cambridge Analytica Scandal, employee pressure and other factors
Then there are the National clouds we are increasingly seeing: Governments around the world have decided that it is now necessary to take control of those aspects of the Cloud which are being made available to their citizens. The Great FireWall of China, Saudi Arabia’s Kong Fahd Gateway and equivalents in Russia andNorth Korea are all well-known examples of steps taken to do this but even other countries (Germany being a leading example) have increasingly taken the view that what is being made available to their citizens needs to be reviewed and moderated in the national interest.
Another powerful disaggregator of the Cloud is the increasingly invasive data protection legislation which is applicable around the world. The EU data protection regime has been widely regarded as the gold standard in this and it is yet to be seen whether it will effectively become a de facto standard or will instead be driven out by somewhat less strict regimes such as those applicable in California or elsewhere. The general principle seems to be increasingly accepted, however, that following perhaps the European experiences of the 20th century it is necessary for there to be strict controls over the ways in which and purposes for which data is retained and processed by those to whom it is entrusted.
Effectively data protection regimes have become a proxy trade war, in the sense that corporates operating in low intensity regimes have greater business opportunities to profit from the day to day holding process than those operating in high intensity regimes. This has two primary consequences. The first is that there is a commercial advantage for those companies operating in the low intensity regimes since they have access to more income streams and commercial opportunities; conversely the stricter regimes operate as a de facto trade barrier making it more difficult for operators in low intensity regimes to access individuals and data located in the territories operating stricter regimes. This combat plays out on three levels: the first being in relation to fundamental human rights where the privacy of personal data as a principle often finds itself in conflict with First Amendment-type rights of free expression and access to information; the second is in relation to access to markets where rights of establishment and free operation are constrained by the application of stricter data protection principles; and the third, which underpins the other two, is around the protection of inalienable individual/human rights in data relating to the individual in question. This is an area which has yet to be fully explored in the law and a variety of interim solutions have been found; however, until the unifying principle is adopted to deal with that very vexed topic, it is inevitable that national partitioning of markets and business behaviours will continue and perhaps increase.
This in turn means that, whereas data used to be stateless, effectively it now needs both a defined residence and, if it wants to travel, a passport. Companies are increasingly forum shopping to decide in which jurisdiction they choose to locate and process certain kinds of data. The exit of the UK from the EU has led, for example, to Google relocating its data processing facilities to Ireland in order that they continue to retain their EU data passport just as many individuals have done. Facebook, on the other hand, has relocated some of its relevant activities from Ireland to the United States, apparently taking the different view that the ability to move the data around is not as important as the ability to process it freely.
Thus data protection regimes are creating ‘data havens’ in the same way as tax regimes create ‘tax havens’. Choice of jurisdiction is going to be an important commercial issue for many operators and this again fragments the universality of the Cloud. Which choice of jurisdiction may well depend intimately on the nature of the business being carried out, and how important the data is and what use is made of it. Thus data protection laws are at the front line of international commerce and trade.
This leads me to the final (in every sense) fact that nothing is certain except death and taxes. The taxation of data is already upon us and most jurisdictions are now seeking to find ways in which to impose taxes on use made in their jurisdiction of data which has either been generated there or even supplied from outside. Thus again the localisation of data has important financial consequences and companies are giving very careful thought to this, in conjunction with the data processing rules which can often have opposite effects. Governments are carrying out complex balancing acts of seeking at the same time to exert a maximum of precautionary supervision over the storage and processing of data, taxing it as profitably as possible and yet not driving it abroad. The author of that was Colbert and he said the object is to pluck the largest quantity possible of feathers from the goose with the minimum possible hissing. That 18th century truth remains surprisingly applicable in the 21st century.
Chris Watson is one of the world’s leading communications law experts. He is Head of the CMS Technology, Media and Communications group and leads an international team of over 300 lawyers.
Chris works with an extensive range of clients in the TMC space. He has been recognised in The International Who’s Who of Telecoms & Media Lawyers 2018 as a ‘Most Highly Regarded Individual’ in which he is described as “exceptionally bright”, and boasts an “amazingly international practice”. He is also included as one of only 15 Global Elite Thought Leaders in the Who’s Who Legal Data – Telecoms & Media 2019.