Cloud Computing Workshop: Data Privacy, Retention, Security

May 2010

This workshop was convened in May 2010 as part of a multi-disciplinary transatlantic effort, which evolved into a series on legal and policy issues related to cloud computing. The meetings focused on the ways in which private actors, users, and governments alike can work together towards best practices in a cloud environment. Our overarching goal was to stimulate conversations among diverse stakeholders regarding the risks and opportunities associated with cloud computing, and to explore the potential of next generation governance models in dealing with these challenges. We aimed to surface and identify concrete insights, including areas for future research, policy proposals, and other tangible outcomes.

Workshop discussions touched upon a variety of topics, including:

  • Data Privacy: Privacy interests and the respective rights and obligations of the various parties operating in the cloud have been among the most pressing issues since the advent of cloud computing. These considerations and the increasingly sensitive nature of the data stored in the cloud may support the need for a regulatory data protection framework that addresses individual rights and related issues, such as data quality/integrity, processing transparency, and international transfers.  What are consumers’ legitimate privacy expectations for data stored by a cloud service? Should consumer data that is entrusted to a third party receive the same privacy protections as data stored on a home PC? Can service providers alone take the necessary steps to create greater transparency, clarity and confidence in the cloud or is government action required? What might these alternatives look like in practice? What is the role of technology and consumer education? What can be learned from privacy legislation in Europe?
  • Data Retention: Economic regulation as well as national security obligations increasingly require the development, implementation, and operation of data retention practices which have to be balanced against other legitimate concerns.  When a cloud service is offered on a global scale and customer data is stored in multiple data centers, what law applies to the retention requirements for that data? If a service provider is required to retain data for customers located in a particular jurisdiction for a defined period of time because the service targets customers within that market, how does the service provider practically determine which of its customers fall within the retention requirement? Is European data retention harmonization a realistic possibility? What strategies should be pursued with regard to trans-Atlantic standardization, not to mention globally?
  • Data Security: Closely linked to privacy issues are concerns regarding data security, standards, contractual rules, and legal obligations. Such issues may suggest the need to guarantee and supervise data security measures that are preventive and operational.  What are the security threat-scenarios in the cloud? Are there best practice approaches to security policies? How can or should the legal system help increase security and how does it interact with technological design? What is the relationship between enhanced security and privacy? What are the costs of security?