Midway assessment - Compliance by Contract: the rise of governmental cloud procurement mechanisms and their impact on privacy and security in Cloud Computing.

   Commentator

• Professor Dan Svantesson, Bond University, Australia

Leader of the assessment

• Professor Trygve Bergsåker, Departement of Private Law

Supervisors

• Professor Lee A. Bygrave, Department of Private Law
• Professor Knut Kaasen, Scandinavian Institute of Maritime Law
   

For outline and draft text, contact Kevin McGillivray.
 

Background

The following dissertation focuses on the legal implications of the adoption of cloud computing from the perspective of states or governments. At its core, cloud computing is a method of providing users with on-demand computing services, generally delivered over the Internet. Documents that previously moved from the filing cabinet to the personal computer have now moved further to server parks located around the globe. This movement from local to centralized storage has fundamentally changed the way users interact with their data. With the help of cloud computing, ubiquitous computing has become a reality. Data is essentially available anywhere and accessible by multiple devices.

Generally, as long as cloud computing services function properly, they have remained outside of the public’s interest. However, revelations of access to data by the United States (U.S.) government, massive data breaches, profiling of users by private companies, and large-scale copyright infringement have all brought attention to the use and regulation of cloud computing. Migrating data or services to cloud computing is more than just a technical exercise—it is also a process raising many novel legal questions. In addition to the technical systems that make cloud computing possible, cloud-computing services are bound together by various legal instruments including contracts, privacy policies, and increasingly industry standards. Combining these instruments with the demands of national regulations, the compliance picture quickly becomes complex. The dissertation analyzes this picture from the perspective of states focusing primarily on risks arising from data protection and security needs and the contracts and procurement methods used to manage those risks.

Problem Statement

Although cloud computing may reduce computing expenses, it also has the potential to impact data privacy, law enforcement investigations, and even state sovereignty for government users. In addition to the reservations of adopting cloud expressed by private businesses or consumers, governments have additional concerns. From a practical perspective, government users are often subject to publically mandated computing and security requirements from which they cannot derogate. Some of these requirements pose a direct barrier to adopting cloud while others simply make cloud less attractive. Furthermore, governments represent citizens who are the beneficiaries of potential savings from cloud services, but also bear the burdens of oversights in procurement and operation of those services. Taking into account their position of public trust and responsibility to the public generally, governments are commonly required to exercise a higher level of transparency and accountability than are private businesses or consumers contracting for their own computing needs. Simply stated, if the state loses control over its data, it will have significant consequences for its ability to govern.

Selected Research Questions

1. When governments become users of cloud computing services, which legal/compliance obligations apply to their use of the services—particularly in the areas of data protection and data security from an EU perspective?
2. What tools do governments use or are they developing to make certain they meet their legal obligations? Is purchasing power a sufficient condition to obtain compliant cloud services?
3. How are the needs of states different from other types of users? Does the use of cloud computing by states impact critical aspects of governmental transparency and accountability?

To provide a better understanding of how these procurement plans function, and their potential and pitfalls, I examine the contracting/procurement tools of two of the largest and most developed systems currently in use, namely the Government Cloud (G-cloud) system in the U.K. and the Federal Risk and Authorization Management Program (FedRAMP) system in the U.S. In evaluating procurement or cloud adoption systems, I examine what ought to be included in the contracts governments enter into with private CSPs based on compliance obligations required by data protection and to some extent procurement and other legal regulations.

In addition to evaluating what ought to be in the contracts, based on actual agreements obtained through Freedom of Information Act (FOIA) disclosures from the U.S. government, I evaluate what is included in the contracts between U.S. federal agencies and CSPs. On the EU side, I evaluate publically available standard agreements offered as part of the UK Government Cloud (G-cloud) framework. The question then becomes whether there is a compliance gap between what the procurement systems require and what the contracts actually contain. If such a gap exists, what are the potential problems or risks created for citizen and government data.

Most recent article

McGillivray,Kevin (2016). FedRAMP, Contracts, and the U.S. Federal Government’s Move to Cloud Computing: If an 800-pound Gorilla Can’t Tame the Cloud, Who Can? The Columbia Science and Technology Law Review (STLR).  ISSN 1938-0976.  17 (336), s 336-401.