Disputation: Kevin McGillivray
LL.M Kevin McGillivray at the Department of Private Law will be defending the thesis Government Cloud Procurement: Contracts, Data Protection, and the Quest for Compliance for the degree of Ph.D.
Aug. 23, 2019 10:15 AM–11:00 AM, Gamle festsal, 1. etg. Urbygningen
- Associate Professor Emily Weitzenboeck, Oslo Metropolitan University (leader)
- Professor Dan Svantesson, Bond University (1. opponent)
- Prof. Dr. Rolf Weber, Zürich University (2. opponent)
Chair of defence
Vice dean Alf Petter Høgberg
- Professor Lee Andrew Bygrave
- Professor Knut Kaasen
Introduction, Issues and Approach
The primary focus of the dissertation is to examine the challenge that governments face when moving from traditional IT outsourcing solutions to cloud computing services. The central query of the dissertation is whether governments can adopt cloud computing services and still meet their legal requirements and other obligations to citizens. In assessing this question, the dissertation considers the interplay of the technical properties of cloud computing services along with the numerous and complex legal requirements applicable to cloud adoption and use.
In particular, the dissertation examines the challenge of addressing contracting and procurement requirements, data protection obligations, and jurisdictional uncertainties when using an opaque, global, multi-tenant technology such as cloud computing. In addition to the legal and technical challenges, the dissertation also examines the use of contracts, soft law, and other tools in addressing legal requirements. Much of the contractual analysis stems from an original qualitative study of contracts obtained through requests made under the US Freedom of Information Act (FOIA) by the candidate in addition to government audits and reports.
Research Focus and Questions
The primary research questions addressed in the dissertation include:
• When governments become cloud clients or users of cloud computing services, what are the primary legal requirements applicable?
• How will the General Data Protection Regulation (GDPR) apply to and affect the use of cloud computing services? What are the main challenges of complying with data privacy laws while using cloud services?
• What procurement procedures, standard contracts or technical means are governments in the European Union (EU) and the United States (US) applying or developing to meet legal requirements when adopting cloud computing?
• Have these procurement procedures and risk assessment programs been effective or helped governments to meet legal requirements, particularly in the area of data privacy?
• How are the needs of governments potentially different from other types of users (e.g. private enterprise) in light of transparency, accountability and legitimacy concerns?
Based on the questions analysed above, the dissertation considers whether cloud computing is ever an appropriate technology for governments to employ given the challenges its use poses to data privacy, data security and data sovereignty. In other words, after accounting for the significant legal constraints, is cloud computing technology ever truly compatible with the legal needs of governments?
Analysis and Findings
In making its evaluation, the dissertation defines a baseline of legal requirements by evaluating specific legal instruments regulating privacy, such as application of the General Data Protection Regulation (GDPR) and specific procurement or contracting requirements to cloud computing. The dissertation then assesses whether these sources provide legal constraints that limit or eliminate cloud computing as a viable means of computing for many governments.
In addition to the evaluation of concrete responsibilities and adoption barriers for governments seeking to use cloud computing, a recurrent question focuses on a state’s responsibility to its citizens by asking the following: what does the use of cloud computing mean for transparency, accountability, sovereignty, and the duty of the state to its citizens more generally? The dissertation further evaluated the additional obligations that governments have to their citizens, including transparency and accountability, and considered how governments should account for these requirements when they adopt cloud.
Although the dissertation does not conclude that cloud computing ‘changes everything’ or requires new laws across the board, it attempts to answer a central cross-section of the many questions cloud computing raises in addition to outlining the potential unintended consequences of moving government IT to cloud computing infrastructure. Finally, the dissertation outlines and analyses possible solutions to compliance challenges focusing on improving contracts, applying soft law, and technical means to obtain compliance.