Although we managed to negate most of their privacy concerns by including appropriate clauses, the issue of the "Cloud and Jurisdiction" raised an interesting dilemma, which for now seemed relatively easy to resolve, but might yet prove difficult with the advent of POPI and new EU Data Protection legislation, recently proposed. I will address the proposed EU changes in an upcoming post.
But before I continue, let's clarify certain concepts.
What is "Cloud Computing"?
The US Department of Commerce's National Institute of Standards and Technology (NIST) defines "Cloud Computing" as follows:
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
In layman's terms, "Cloud Computing" refers to applications and services offered over the Internet. These services are offered from data centers all over the world, which collectively are referred to as the "cloud." This metaphor represents the intangible, yet universal nature of the Internet.*
Examples
Examples of "Cloud Computing" include online backup services, social networking services, and personal data services.
Reasons for using the "Cloud"
Most organisations are considering, and some are already using, "Cloud Computing" to reduce cost by converting capital expenditure into operational expenditure.
This is purported to lower barriers to entry, as infrastructure is typically provided by a third party and does not need to be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is fine-grained with usage-based options, and fewer IT skills are required for implementation (in-house).**
Security could also improve due to centralization of data, increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data (e.g. personal information), and the lack of security for stored kernels.
No surprise then that privacy advocates have their doubts about the "Cloud".
This discussion is, however, not focused on the security or the positives and negatives of "Cloud Computing", but rather on the issue of jurisdiction when faced with "Cloud" services.
POPI, the "Cloud" and Jurisdiction
Although section 3 of working draft 5 of the POPI Bill deals with the application of the proposed Act and section 74 will regulate the manner in which a responsible party is allowed to transfer personal information outside of South Africa, the multi-faceted question remains:
Whose jurisdiction would apply when an organisation (foreign or local), utilises "Cloud" service providers (located in or outside South Africa), to process its personal information (belonging to locals or foreigners)?
I recently read an interesting article relevant to this issue, by Michael Chertoff (US secretary of homeland security from 2005 to 2009), which might cast some light.
There is no doubt that jurisdiction is already relevant to the many organisations utilising "Cloud" services, but I could only imagine that jurisdiction would become even MORE complicated in South Africa once the Protection of Personal Information (POPI) Bill is promulgated into legislation.
SA courts might have to decide in the near future, but for now, a comparative analogy might be drawn from the US-EU examples highlighted in the Chertoff article.
Click here to read his article.
I think the basis of this article needs further debate. Please comment or write to me for further discussion.
* Techterms.com
** Wikipedia