In March 2018, the US government passed legislation referred to as the CLOUD Act (Clarifying Lawful Overseas Use of Data), granting United States law enforcement the ability to access data of any US citizen or US company hosted by USA-based corporations, regardless of the jurisdiction in which the data resides. Just months later, in May 2018, the European Union (EU) passed the General Data Protection Regulation, which defines how EU citizen data should be handled both within the EU and abroad. It places a significant legal burden on “processors” and “controllers” of information, regardless of whether they operate within the EU or not.
Both these pieces of legislation, for different reasons, have far-reaching international impacts on the ICT business domain. They also present opportunities in that domain, particularly in the commercial cloud sector.
In part one of our series, we provided an overview of both the USA CLOUD Act and the EU GDPR and how they can be "used" to grow the commercial cloud sector in the Caribbean, focusing on the USA CLOUD Act and the potential opportunities for extrinsic cloud service providers. In this second article of our two-part series, we will focus on the EU GDPR and the business opportunities it presents to extrinsic cloud service providers.
Defining the GDPR
In comparison to the USA CLOUD Act, the European Union’s General Data Protection Regulation (GDPR) is at the other end of the law enforcement spectrum, being concerned with data privacy issues. According to Article 1 of the GDPR, which became law on the 25th of May 2018, the purpose of the GDPR is to lay “down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” on the basis that “the protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her”.
Similar to the USA CLOUD Act, the GDPR addresses the fundamental issue of the extra-jurisdictional reach of the legislation. Again, like the CLOUD Act, the GDPR has a mechanism for “qualifying” countries on the basis of their data protection legislation and other related standards as “a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions”.
However, the GDPR does offer other avenues at the level of the commercial enterprise where that entity operates in a jurisdiction that is not covered by an “Adequacy Decision”, namely:
- in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
- contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
- adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
Where to Host Your Data: Opportunities Under the GDPR
As has already been addressed in this article, the European GDPR focuses on securing and ensuring data privacy for EU citizens. CARICOM countries operate within an agreed CARIFORUM/EU economic partnership agreement (EPA). This EPA not only deals with the reduction of tariffs and the transfer of goods but also addresses access to EU markets for services, including ICT services. While the Agreement contains a range of references to "technology", the two that stand out are probably Articles 112 and 142, which respectively state:
“The EC Party and the Signatory CARIFORUM States shall endeavour to facilitate the transfer of technology on a commercial basis to commercial presences in the Signatory CARIFORUM States.”
“The EC Party shall facilitate and promote the use of incentives granted to institutions and enterprises in its territory for the transfer of technology to institutions and enterprises of the CARIFORUM States in order to enable the CARIFORUM States to establish a viable technological base.”
There is an opportunity to use the EPA as an entry point to the European cloud computing market. If CARICOM countries can define and enact data privacy legislation comparable with, or an improvement on, European legislation, this can open the door to a whole new commercial sector for the Caribbean. It is critical that, unlike in the financial services sector, where countries were playing catch-up regarding OECD taxation issues, CARICOM countries take the initiative to develop a robust legal framework on data privacy and security.
However, to be clear, while CARICOM legislation could remove legal impediments to accessing the EU commercial cloud market, service providers in the region would also have to prove their capacity to maintain the highest internationally recognized standards in security and service management throughout the cloud infrastructure stack, from the data centre to tiered application architecture.
It should be noted that the commercial cloud services market in Europe is dominated by USA-based enterprises like Google, Amazon and Microsoft. A 2016 report by the USA Department of Commerce International Trade Administration on cloud markets noted that:
“Competition is not the only challenge for U.S. companies. In some large markets, there has been discussion or enactment of regulatory measures that may impose disadvantages on foreign firms. In addition to general privacy considerations, many foreign buyers have expressed concerns about who might have access to their data. Following some surveillance disclosures in recent years, trust-related issues have increasingly caused hesitations amongst those considering purchasing of cloud services from U.S. vendors, especially those vendors who do not store data locally.”
The report goes on to say that US vendors had resorted to storing data in-country as a consequence of these concerns. However, much has changed in the USA since 2016, when this report was compiled. There is a new administration, new foreign trade policies and, of course, the CLOUD Act. These developments may increase unease and reluctance, particularly among European entities, to use cloud services run by US companies, or by enterprises that use the USA to host data or SaaS environments. It should also be noted that only a small number of countries and territories have been endorsed under the European Commission’s ‘Adequacy Decision’ list, and the USA is not one of them!
With the right transparent forward-looking regional legislation in place, as part of the CARICOM Single ICT Space strategy, a drive to achieve the ‘Adequacy Decision’ status in the EU, the right infrastructure investment, and the attainment of internationally recognized service delivery standards, Caribbean countries can be an attractive cloud services delivery alternative for European companies.