Compliance by Contract: the Impact of Governmental Cloud Procurement Mechanisms on Privacy and Security in Cloud Computing (completed)
The goal of the project is to provide a better understanding of the role of contracts in procuring cloud-computing services. The research will evaluate terms and conditions used in cloud computing services and the general contractual structure of cloud computing agreements.
Project by Kevin McGillivray
About the Project
The following dissertation focuses on the legal implications of the adoption of cloud computing from the perspective of states or governments. At its core, cloud computing is a method of providing users with on-demand computing services, generally delivered over the Internet. Documents that previously moved from the filing cabinet to the personal computer have now moved further to server parks located around the globe. This movement from local to centralized storage has fundamentally changed the way users interact with their data. With the help of cloud computing, ubiquitous computing has become a reality. Data is essentially available anywhere—and accessible on multiple devices.
Generally, as long as cloud computing services function properly, they have remained outside of the public’s interest. However, revelations of access to data by the United States (U.S.) government, massive data breaches, profiling of users by private companies, and large-scale copyright infringement have all brought attention to the use and regulation of cloud computing. Migrating data or services to cloud computing is more than just a technical exercise—it is also a process raising many novel legal questions.
In addition to the technical systems that make cloud computing possible, cloud-computing services are bound together by various legal instruments including contracts, privacy policies, and increasingly industry standards. Combining these instruments with the demands of national regulations, the compliance picture quickly becomes complex. The dissertation analyzes this picture from the perspective of states focusing primarily on risks arising from data protection and security needs and the contracts and procurement methods used to manage those risks.
Although cloud computing may reduce computing expenses, it also has the potential to impact data privacy, law enforcement investigations, and even state sovereignty for government users. In addition to the reservations about adopting cloud expressed by private businesses or consumers, governments have additional concerns. From a practical perspective, government users are often subject to publicly mandated computing and security requirements from which they cannot derogate. Some of these requirements pose a direct barrier to adopting cloud, while others simply make cloud less attractive.
Additionally, governments represent citizens who are the beneficiaries of potential savings from cloud services, but also bear the burdens of oversights in procurement and operation of those services. Taking into account their position of public trust and responsibility to the public generally, governments are commonly required to exercise a higher level of transparency and accountability than are private businesses or consumers contracting for their own computing needs. Simply stated, if the state loses control over its data, it will have significant consequences for its ability to govern.
Selected Research Questions
When governments become users of cloud computing services, which legal/compliance obligations apply to their use of the services—particularly in the areas of data protection and data security from an EU perspective?
What tools do governments use or are they developing to make certain they meet their legal obligations? Is purchasing power a sufficient condition to obtain compliant cloud services?
How are the needs of states different from other types of users? Does the use of cloud computing by states impact critical aspects of governmental transparency and accountability?
To provide a better understanding of how these procurement plans function, and of their potential and pitfalls, I examine the contracting/procurement tools of two of the largest and most developed systems currently in use, namely the Government Cloud (G-cloud) system in the U.K. and the Federal Risk and Authorization Management Program (FedRAMP) system in the U.S. In evaluating procurement or cloud adoption systems, I examine what ought to be included in the contracts governments enter into with private CSPs, based on the compliance obligations imposed by data protection law and, to some extent, by procurement and other legal regulations.
In addition to evaluating what ought to be in the contracts, I evaluate what is actually included in the contracts between government agencies and CSPs, based on agreements obtained through Freedom of Information Act (FOIA) disclosures from the U.S. government and Freedom of Information (FOI) disclosures from the UK. On the EU side, I also evaluate publicly available standard agreements offered as part of the UK Government Cloud (G-cloud) framework. The question then becomes whether there is a compliance gap between what the procurement systems require and what the contracts actually contain. If such a gap exists, what are the potential problems or risks created for citizen and government data?
Although this dissertation primarily considers the role of governments as users or adopters of cloud computing, states are also taking on additional roles. Governments act as contributors to standards development and research, as regulators, and even as cheerleaders in the cloud computing market. For example, by developing model contract terms and playing an active part in standards development, governments take an important and central role in the private ordering that is largely used to regulate cloud computing. Based on this interaction, I consider whether states should take a more “active” or different role in regulating cloud computing, whether through greater direct regulation via legislation, through developing standards, or through other means such as co-regulation.
The PhD was delivered in spring 2019.
University of Oslo