With its promise of remote storage and delivery of services and applications, cloud computing by its nature is a technological framework without borders.
But unlike the virtual realm, the world that appears on a map poses a long list of challenges both to the adoption of cloud computing and the extent to which service providers are willing or able to take their operations global and open up data centers or other operations in new and emerging markets.
[Related: Foreign Cloud Privacy Issues Dismissed by U.S. Officials]
In an effort to make sense of that patchwork, the software trade group BSA today is releasing its second annual global cloud-computing scorecard, an evaluation of 24 countries’ laws and regulations on a host of issues that bear on a company’s decision to open shop in a new market.
Examining topics like cybersecurity and privacy, free-trade policies, broadband infrastructure and laws against cybercrime, the survey found wide swings in the relative “cloud-friendliness” of the policies in the countries it considered.
“I would say that it is a solid mix. There has been a lot of progress that we’re very hopeful about,” says Chris Hopfensperger, technology policy counsel at the BSA. “I think the thing that we see though at the end of the day is that there’s good laws and bad laws and you end up with really patchy progress.”
The 24 countries the BSA evaluated for its cloud scorecard account for around 80 percent of the global information and communications technology market.
For the second year in a row, the BSA ranked Japan as the friendliest environment for cloud providers, citing a high rate of broadband adoption, strong laws against cybercrimes and a solid framework to promote security and protect users’ privacy.
Australia follows in the No. 2 spot, also unchanged from last year, while the United States moved up a position, switching places with Germany to rank No. 3 on the cloud scorecard, though the authors of the report attribute that advance more to the ongoing development of standards and infrastructure supporting cloud computing than any substantive policy measures enacted by the government.
Top 5 Countries for Cloud Computing:
- Japan — High marks across the board; led the pack in data privacy, security protections; at or near the top in cybercrime laws, broadband penetration
- Australia — Tied for highest ranks on laws against cybercrime and support for industry standards and global harmonization of rules
- United States — up one spot from last year on development of standards; trails only Singapore in ICT readiness/broadband deployment
- Germany — Dropped one spot, like other EU countries, on fear potentially restrictive privacy laws, protectionist policies
- Singapore — Biggest single gainer year-over-year, up five spots on strength of new data privacy law BSA deems a sensible, “progressive” balance between consumer protection and flexibility for industry
The BSA’s scorecard acknowledges some encouraging signs of activity on the privacy front in the United States, including the Obama administration’s expression of support for new consumer-protection legislation and the development of a so-called privacy bill of rights. At the same time, the report notes “the absence of a broader consensus among lawmakers” on what provisions should be included in an online privacy bill.
[Last Year’s Ranking of Cloud-Friendly Countries]
Apart from that debate over broad consumer-privacy protections, the BSA, along with a great many cloud-service providers, is actively lobbying for an update to the Electronic Communications Privacy Act (ECPA), a 1986 statute that set parameters for law-enforcement authorities to wiretap phones and gain access to a computer’s data transmissions. But as it is applied today, that law, which long predated the general use of email (let alone the cloud), has created considerable uncertainty about the legal protections afforded to Web-based services, as well as some odd circumstances like the ability for authorities to obtain emails without a warrant from a Webmail provider if the communications are older than six months.
5 Worst Countries for Cloud Computing:
- South Africa — Poorest marks on data privacy of any country evaluated
- Indonesia — Despite advances in privacy laws, remained near the bottom of the rankings for regulations requiring foreign firms to register services and build local data centers
- Brazil — Climbed two spots out of last place thanks to new cybercrime law, but ranked weakest on support for industry standards and global harmonization of rules
- Thailand — Dead last among surveyed countries for data security protections
- Vietnam — Lowest score of any country evaluated for free-trade policies
“We are actively and aggressively pushing for ECPA reform,” Hopfensperger says. “We really think the time has come to amend a 1986 law that no longer really reflects the technological realities today.”
The head of the Senate Judiciary Committee, Vermont Democrat Patrick Leahy, has indicated that he plans to work to advance ECPA reform legislation in the new session of Congress.
Of the constellation of policy issues that affect the spread of cloud services, Hopfensperger says that none is of greater concern than security and privacy, stressing that consumers and businesses alike will be reluctant to shift data to the cloud unless they are confident that their information will be adequately protected from cyber attacks and not exploited for purposes that they would consider invasive.
“Privacy and security are probably talked about more than any other [issue] for a variety reasons. But they are really two sides of the same coin,” he says. “Both are key to engendering trust in the cloud. Obviously, cloud computing does no good if people don’t want to put their data in the cloud.”
While the path forward for privacy legislation in the United States remains far from certain, the October 2012 passage of a privacy law in Singapore helped vault that country five spots in the BSA’s cloud rankings, moving up from No. 10 to No. 5, making for the biggest single gainer in the scorecard.
The BSA praises Singapore’s law for taking a “light-touch” approach that codifies a set of principles intended to affirm individuals’ right to control their personal information, while at the same time acknowledging that cloud providers have a legitimate need to collect, use and even disclose that data in certain cases. That type of flexible approach, rather than overly prescriptive regulations, is critical to nurturing a regulatory environment that fosters the expansion of cloud-based services, according to the BSA.
[Related: Email Privacy Tops Tech Agenda at Judiciary Committee]
Singapore “took a big step in 2012,” Hopfensperger says, “because they adopted a privacy law that balances the important consumer protections with the need for companies to be able to move data and continue to innovate.”
In contrast, each of the European Union member countries that the BSA evaluated in its scorecard slipped at least one place, owing in large part to the uncertainty associated with an ongoing effort to reform the body’s privacy laws. That debate has aired proposals that alarm the BSA and some of its member companies, including the imposition of “new administrative burdens” and limitations on providers’ ability to review data for security purposes, rather than the risk-based, contextual approach to data protection that the group advocates.
The BSA also warns against protectionist policies that favor domestic cloud providers while subjecting foreign companies to bureaucratic and operational requirements.
Indonesia, for instance, dropped one place to 21st on the BSA’s list due to new regulations requiring cloud providers to register with a central authority and mandating that some set up data centers in the country staffed by local workers.
The BSA finds similar concerns with other countries that rank poorly on its scorecard. Indeed, the five countries at the bottom of the list — in descending order, South Africa at No. 20, trailed by Indonesia, Brazil, Thailand and Vietnam — received the lowest scores of any nation on the BSA’s “supporting free trade” criterion.
“The real problem areas I think we would say is that some of the countries that are at the bottom of the ranking — Indonesia, Vietnam — some of these countries are really taking active steps to chop off a piece of the cloud for themselves,” Hopfensperger says. “These things really run counter to what we view as an international approach to cloud policy.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.