UK: Cloud Computing And Data Sovereignty

A. INTRODUCTION

1. What is data sovereignty? The migration of computing to the cloud is raising novel legal issues around data as processed and stored in-cloud and as transited between user and cloud service provider. These evolving cloud data legal issues principally concern data rights, data protection (privacy), data security and data sovereignty. For lawyers specialising in the field these issues arise most frequently in the areas of regulation, contract and governance.

Data sovereignty distinguished from data rights, protection and security. From the cloud customer's perspective, there may be little apparent difference between data sovereignty (on the one hand) and data rights, data protection and data security (on the other). Whilst all four areas overlap, data rights (the intellectual property and other rights that arise in relation to data)², data protection (the legal rights and duties that arise specifically in relation to personally identifiable information)³ and data security (the mix of management, legal, technical, operational and governance controls that an organisation puts in place to ensure desired security outcomes for its data) are separate topics and not considered in detail here except as relevant to data sovereignty.

Elements of data sovereignty. Data sovereignty does not have a generally accepted defined – it is not even mentioned in any of the three recent UK surveillance-related reviews referred to at paragraph B.11 below. The term bears an intuitively understood meaning of when a person's right to deal as she or he wishes with her or his own data may be overridden, typically through involuntary disclosure to or access by a third party. This can arise of course if the person was using data in breach of someone else's contract, intellectual property or other rights or other applicable legal or regulatory duties, but a bit more analytically data sovereignty may be considered as the circumstances in and extent to which:

• a third party (typically but not always a government agency);
• has the power to access the data of another person (the corporate or individual customer);
• where that data is in the possession of the customer or someone else on the customer's behalf (the cloud service provider);
• with or without the consent or knowledge of the customer and/or the cloud service provider.

Data sovereignty on-premise and in-cloud. This could happen to data on-premise (on a personal device or in the server room for example) as well as in-cloud, and this paper focuses on data sovereignty issues particular to the cloud – whether in transit to or from, or stored or processed in, the cloud.

Data sovereignty viewpoints – government, Cloud SPs, CSCs and consumers. Data sovereignty affects four main types of actor - government, cloud service provider and corporate and individual cloud customer - and relevant issues differ for each. Government agencies are concerned principally with the scope of their data access powers, how those powers are authorised, and accountability for their use. For cloud service providers (Cloud SPs), the big issues are around trust and reputation in the market, and operationally around contract terms, policies and governance. For cloud service customers (CSCs) the issues are broadly similar to those for providers and generally obverse to them in contractual and policy terms. CSCs are concerned mainly about the security of their data – looking at trust from the other end of the telescope. This paper focuses on cloud data sovereignty as it concerns commercial actors in the value chain – Cloud SPs and CSCs.

2. Cloud computing: the NIST definition. Briefly, the classic NIST definition4 of the cloud specifies a type of computing with five key characteristics, three service models and four deployment models. The characteristics are on demand self-service, network/internet access, one-to-many provisioning (resource pooling or demand diversification), rapid scaling (elasticity) and measured (metered) service; the elements of the SaaS, PaaS and IaaS service models are shown at 1, 2 and 3 in Figure 1 below; and the four deployment models are private cloud (where infrastructure, platform and/or software are used solely for a single CSC), community cloud (solely for use by a community of CSCs, rather than a single CSC), public cloud (where service is provided to customers on a multi-tenant basis) and hybrid cloud (private cloud with access to public cloud to manage peaks).

To view the full article please click here.

Footnotes

* All URLs referred to in footnotes were accessed in between 5 July and 6 October 2015.

2 See Kemp, Legal Aspects of Managing Big Data White Paper (October 2014) available at http://www.kempitlaw.com/category/white-papers/

3 See Kemp, Big Data and Data Protection White Paper (November 2014) available at http://www.kempitlaw.com/category/white-papers/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.