There is widespread agreement that cloud computing offers businesses, governments and individuals significant potential benefits. These benefits include operational efficiency and cost savings, along with expanded applications and services.
Despite these notable anticipated benefits, commercial acceptance of cloud computing in this country and elsewhere has been somewhat slower than many expected. An important factor behind this apparent reluctance to embrace cloud computing is uncertainty regarding regulatory compliance issues associated with activities in the cloud. There is uncertainty as to the specific regulatory requirements applicable to the cloud. There is also uncertainty as to the appropriate methods and processes to ensure regulatory compliance for cloud operations.
The New Zealand government displayed some ambivalence toward cloud computing, from a regulatory perspective. The government expressed noteworthy support for, and confidence in, cloud computing through the Department of Internal Affairs, which identified a shift toward use of cloud computing as one of its current priorities for government information and communications technology. Internal Affairs set the ambitious goal of beginning its transition to cloud computing this year, and operating seventy percent of its computing activities through the cloud in five years.
Yet the government, through the Inland Revenue Department, also cautioned potential cloud users. Late in 2010, Inland Revenue issued a Revenue Alert reminding New Zealand taxpayers that they have an obligation to ensure their tax records are properly retained and available to be produced upon request by the tax authority.
Inland Revenue warned taxpayers that it is not clear whether all cloud computing systems would enable taxpayers to meet that regulatory obligation.
On the one hand, for the New Zealand government, cloud computing is mature and attractive enough that it is willing to launch an aggressive move to shift government computing operations to the cloud expeditiously. Yet, on the other hand, the government is warning its citizens that cloud operations may pose important regulatory compliance issues.
Among the key regulatory challenges presented by cloud computing are issues associated with regulatory jurisdiction and compliance responsibility. Every cloud user must be concerned at all times about several issues. In which jurisdictions will my data be stored? What are the regulatory requirements associated with my data in those jurisdictions? Who is legally responsible for management of my data in those jurisdictions, me or my cloud provider?
Who is legally entitled to have access to my data in those jurisdictions? What are my legal remedies in those jurisdictions if something goes wrong? What are my legal remedies in my home jurisdiction if something goes wrong in other jurisdictions? Does the fact that I am storing the data in another jurisdiction subject me to other legal requirements of that jurisdiction?
Does it constitute some type of violation of a regulation, law, or contractual commitment in my home jurisdiction? What happens to my data if my cloud service provider goes out of business or is acquired?
The New Zealand government has adopted a strategy to address many of the regulatory compliance issues. When it moves government operations to the cloud, the authorities here are requiring that the cloud essentially be a New Zealand cloud. New Zealand government data will not be stored offshore.
This approach helps to simplify the regulatory compliance questions. By mandating a New Zealand-only cloud, there is no question which regulatory requirements apply to the data stored in the cloud and to the operations of the cloud. The New Zealand cloud will be governed by New Zealand’s rules.
Authorities in some other countries will likely adopt an approach similar to that chosen here. Although this approach offers notable regulatory clarity, it does not provide a foolproof solution. This system, in effect, limits the scope of the cloud. Prohibition of offshore data storage places a geographic boundary on the cloud. Although many of the benefits offered by cloud computing can still be provided, by limiting the geographic scope of the cloud some benefits may not be realised.
New Zealand’s requirement of use of New Zealand-based clouds applies only to the government’s use of cloud computing. It does not apply to commercial or other users. However, it is conceivable that other users might choose to participate only in clouds that are confined to their home national jurisdiction, where presumably, they are comfortable that they know what regulatory requirements apply to them, and they are confident that they can effectively comply.
Alternatively, some users might engage in a form of “forum shopping”, using clouds that are based in jurisdictions that have enacted a framework of laws deemed by the user to be most favourable to the strategic and operational needs of its organisation. Some cloud service providers might develop multi-jurisdictional regulatory compliance as a value-adding service for their customers. Those cloud service providers will market the ability to comply with regulatory obligations in multiple jurisdictions as a method of obtaining a competitive advantage over some of their competitors.
Regulatory compliance should be a critical issue for cloud service providers and their customers. That compliance is an essential part of cloud service, and it can provide a source of competitive advantage for diligent cloud providers. Cloud users must make sure the service agreements and terms of service they accept are comprehensive and balanced enough to ensure necessary regulatory compliance. The cloud offers great opportunities for users, yet also significant legal compliance challenges. Caution and prudence are vital to ensure regulatory compliance in the cloud.
• Jeffrey Matsuura is a Fulbright Senior Scholar in the law faculty at the University of Otago. He is a lawyer with the American law firm, the Alliance Law Group, where he specialises in legal issues associated with the technology industry.