Crossing boundaries - why cloud still runs into legal problems


Cloud computing uses technology to break down national borders, but unfortunately legal systems cannot be evaded so easily.

Facebook’s $1bn acquisition of Instagram shows how quickly you can build a global business and how much you, your investors, and your 11 employees can make if you get it right.

Over the past two years, Instagram has gone from zero to 35 million users of its mobile photo-sharing app, and although it has yet to generate any revenue, this remains an impressive feat. But it would not have been possible without a great product, the exploding popularity of mobile phone apps, affordable access to flexible computing resources, and the capacity to scale Instagram services to meet demand.

Like many other businesses, Instagram has grown by making clever use of public cloud infrastructure and services (many from Amazon), which it has mixed with some cutting-edge open source software (and it explains its technology stack here). Having on-demand access to the same sort of computing resources and global reach as the largest multinational clearly has its advantages. But it can have disadvantages too, because if you are going to operate internationally you need to be aware of (at least some of) the very many statutory rules and regulations out there.

Different countries have different laws on matters such as data protection, money laundering, tax, the prevention of terrorism, and more. How much of this national legislation affects your business will depend on myriad factors. These range from the country or countries where your business has what the local government considers to be a ‘permanent establishment’ (on which more, below), to the countries where data is physically stored or processed by you, or any cloud service provider (CSP) in the supply chain. ‘It’s a complicated area,’ says Alistair Maughan, a partner at the international law firm Morrison Foerster.

Some CSPs are explicit about where they store and process your data; some give you a choice; some are less transparent. But even when you do have this information, it isn’t always clear which laws apply: for example, the United States (US) Medicare Act and Patriot Act have ‘extra-territorial effects’ which may give them precedence over EU data privacy laws, even when US companies store and process data from the EU within the EU (a matter recently debated in the European Parliament). ‘Generally speaking, the law that’s applicable is the law of the country where the data controller is located,’ says Maughan, and in the UK this is the Data Protection Act (DPA).

This is based on the 1995 European Union (EU) Data Protection Directive, so you might expect all 27 members to have the same laws. They don’t: each member state has interpreted the EU directive differently, so reforms are on the way to modernise and harmonise the rules across the EU, as CloudPro has outlined here. Personal data should be transferred outside the EU only to countries that provide an adequate level of protection, so you need to know which countries CSPs in the supply chain are using to store and process your data, and check whether each country provides an adequate level of protection, which you can do here.
