The accelerating shift from traditional on-premises information technology (IT) systems to cloud computing presents in-house counsel with a veritable obstacle course of compliance challenges and regulatory pitfalls. Virtually every industry today faces an expanding set of data security demands, while different countries often have their own unique privacy and data protection requirements.
Even global regulatory landscapes can change with the stroke of a pen, as with the recent invalidation of the long-standing Safe Harbor data transfer arrangement between the EU and United States. Today’s in-house counsel must master all of these requirements, explain them to their boards, and verify that their organization complies with them.
For a technology vendor, keeping a broad portfolio of feature-rich cloud services in compliance with an ever-changing regulatory landscape is a never-ending challenge. At Microsoft, our own lawyers engage daily with our cloud engineering teams to help them understand and implement the requirements of this complex and evolving regulatory universe.
This article discusses technical developments that in-house counsel need to understand as they evaluate cloud services and Microsoft’s own experience working to meet the exacting legal and compliance requirements accompanying these developments. Our fundamental message is simple: the economic and strategic advantages of cloud computing make it impossible to ignore, but the transfer of responsibility over sensitive data and applications from customers to cloud providers requires the formation of a new framework for establishing and maintaining trust between these contracting parties.
Why the Cloud is Surging
The cloud really is a revolution, and it really will change the world. In fact, it is already doing so.
To understand why the cloud is different, we can divide the past half century of computing into four epochs. The first was the epoch of the mainframe, behemoths so big and expensive they could only function inside dedicated buildings owned by giant corporations. This epoch was dominated by IBM.
The second epoch was that of the PC, launched in the early 1980s by Apple, Microsoft, and Intel. These inexpensive desktop computers were first marketed to hobbyists and consumers, but soon swept the corporate world, penetrating even the smallest organizations. By the 1990s, evolved versions of the PC known as servers also came to stand alongside mainframes in corporate data centers. But these servers still lacked the power to handle the most important “mission-critical” tasks.
By the latter half of the 1990s, the third epoch of computing emerged with the connection of hundreds of millions of client and server PCs into a vast global network. Known as the Internet, this network made possible countless new applications built on the reality that any individual could now instantly communicate with any other individual or access the information and processing power of any other computer on the planet.
Although we think of the Internet as the foundation of our modern high tech world, in reality the Internet epoch was only a brief interlude. Over the past few years, it silently mutated into something new, which we now call the cloud. This new epoch is a combination of the previous epochs, but innovations in software and hardware make the cloud almost unimaginably more powerful than previous computing paradigms. After the extreme decentralization of IT brought about by the PC and the Internet, the cloud is all about the recentralization of the world’s data and computing power into a relative handful of “hyper-scale” data centers. A single one of these facilities may house tens or even hundreds of thousands of PC-like servers packed into energy-efficient, massively interconnected racks spread out over the space of a football field or more.
Within the next ten years, the majority of business applications and virtually all consumer applications will be served from perhaps a few hundred of these huge cloud data centers, located in all of the world’s major geographies. Owing to its tremendous economies of scale, on-demand usage model, and pay-only-for-what-you-use billing, the cloud will progressively make inroads into the IT infrastructure of nearly all enterprises.
The Cloud is Transforming the Compliance Landscape
On-premises IT systems will remain a vital part of enterprise computing for many years to come, especially to handle particularly sensitive data or mission-critical workloads. However, the cloud is disrupting even on-premises workloads. In the past decade, most enterprise IT organizations have embraced the software technique known as virtualization, which allows each individual hardware server to be shared by multiple “virtual” servers, thus yielding significant cost savings due to more efficient utilization of expensive capital equipment. Having first been virtualized, traditional on-premises data centers are now being “cloudified” by an additional layer of automation and management software that transforms these on-premises facilities into what industry analysts call “private clouds.”
The economic and strategic benefits of cloud computing are too large for even the most risk-conscious organizations to forgo. Indeed, because the cloud will increasingly be a strategic asset for innovation and productivity for companies across the economy, almost every business in the future will be a digital business.
But by shifting the permanent residence of data and applications to data centers owned by third parties that may be located in other countries or even on other continents, cloud computing introduces a level of legal complexity that requires a fundamentally new way of working and thinking by in-house counsel.
Meeting the Challenge of EU Data Protection Laws
Big data analytics will revolutionize the ability of enterprises to understand exactly what is happening in their markets and how to shape future outcomes. Such methods require enterprises to store and analyze vast quantities of data—so vast that the accepted term is “data lakes.” Realistically, such “lakes” of data can only be stored in the cloud, and in many cases they will contain personally identifiable information (PII) of customers and employees and will therefore fall under the strictures of data privacy laws, including the demanding new data protection laws recently passed by the European Union.
How can multinationals doing business on both sides of the Atlantic ensure that their strategic big data analytics programs will not run afoul of rules governing international data transfers? They should partner with cloud vendors who have spent years understanding what regulators require and how to implement both the technical and the legal components of a full-spectrum cloud compliance strategy.
Recent events demonstrate just how complex this challenge can be for enterprises that operate in multiple jurisdictions.
In October 2015, the Court of Justice of the EU abruptly invalidated the U.S.-EU Safe Harbor Framework, which was based on a 15-year-old agreement between the United States and the European Commission that had enabled thousands of enterprises to move personal information across the Atlantic while remaining in full compliance with the EU’s stringent data protection rules.
At Microsoft, we had long recognized that the collapse of Safe Harbor was a possibility and had already taken steps to prepare. Starting in 2010, we assigned a dedicated team of several dozen lawyers and public policy professionals the task of creating a new cloud contract based on the standard contractual clauses—often known as “model clauses”—that the Commission established pursuant to the EC’s 1995 Data Protection Directive.
Over a period of several years, our compliance experts met on numerous occasions with officials from the European Commission and the EU’s 28 member-state Data Protection Authorities (DPAs) to hammer out a solution. In April 2014, the European DPAs determined that the model clauses in our new enterprise cloud contract met their requirements for a valid legal framework governing international data flows. These clauses, which we now offer by default to all cloud customers, ensure that even without Safe Harbor, all personally identifiable information stored in the Microsoft cloud continues to meet Europe’s rigorous privacy standards no matter where it is located.
However, it is critical for compliance professionals and in-house counsel to understand that compliance will always remain a moving target. The model clauses we introduced in our standard cloud contracts are themselves under challenge and may give way to new regulatory requirements, just as the U.S. government and the EU have recently negotiated a new agreement called Privacy Shield to replace Safe Harbor. This is an important step toward creating a new legal framework to enable data to move between Europe and the United States in a way that satisfies the data privacy and security concerns of both sides. The Privacy Shield has been ratified by the European Commission and all EU member states, but is certain to be challenged in court.
Building a Framework for Trust
Regardless of the outcome of Privacy Shield, enterprises will continue to grapple with changes in their legal and compliance requirements as they affect the use of cloud and other technology services.
At a time when technology has outpaced existing legal frameworks that govern how confidential data is protected, and governments are struggling to balance public safety with the right to privacy, enterprises must work continuously to ensure that the services provided by their technology vendors retain the trust of all stakeholders—including governments, corporations and individual consumers. For members of the legal and compliance community, trust is especially important to ensure that their clients meet regulatory obligations and community expectations while reaping the economic and strategic benefits of the cloud.
This article was originally published in Issue 4.4 of the CEE Legal Matters Magazine.