Small/Medium Enterprise – SME
CSP – Cloud Services Provider
AUP – Acceptable Use Policy
AI – Artificial Intelligence
T&C – Terms and Conditions
DSP – Digital Services Provider
FMCG – Fast Moving Consumer Goods
ISP – Internet Services Provider
The accelerated digital transformation of various industries is a global trend. Recently blockchain and AI turned into ubiquitous buzzwords. The importance of these phenomena is beyond doubt; however, their effect on the economy appears to be more one of expectations for now. The EU Commission has long acknowledged its key role in building the Digital Single Market on EU level in the global race lead by the technology giants in the US and Asia. A great deal of the SMEs, and even bigger enterprises still lack detailed knowledge for the nature of the cloud service, applicable regulation and the existing deployment and service models which directly affect the day-to-day operations of its corporate clients. This is understandable – the world around us is changing at a lightning speed and we have no capacity to truly get to know some of the technologies we use daily. That said, sometimes we delegate our most valuable intellectual property, customer service database and other critical functions of our organisation to the cloud and we may end up being liable for the results from functions and operation which we may not be able to fully grasp. Before we dig deeper into a “migration to the cloud” project, we need to check if the client is knowledgeable about the features of the cloud service it will be using. Below is a brief summary of the basics: 1. What is a cloud service? The correct answer would vary depending on the different models of service, elaborated below. Simply put, this is CPU, memory, OS and software applications which we access remotely via a secure connection according to our variable needs. 2. Service Models As-a-service is a meaningful expression. This is where the cloud’s potential comes from: it signifies that the user does not have to acquire the necessary software app, memory or processor unit and can use the almost infinite resources of its supplier instead. The parametres’ usage depends on the client’s needs which may change every minute (if so agreed) without a resulting downgrade of the quality: these are the so-called scalability and elasticity qualities of the cloud which allow the large corporate clients to minimise capital expenses / procure affordable IT resources to smaller companies. FMCG’ suppliers are a typical client with peak loads of the resources’ demand at certain times of the day or season. Cloud services are similarly appropriate for every company processing big data or large databases whose activity is marked by seasonality or cyclicity. Those features of the cloud service are, to a large extent, enabled by the virtualisation – the deployment of virtual machines (computers) which replicate physical ones: one physical server may be the environment for the parallel undisturbed setting up and functioning of several virtual machines (which includes the processors, OS and applications); each virtual machine may in its turn be dedicated to a different client. Infrastructure-as-a-Service (IaaS)
The basic version of this service is the renting out of bare metal (“physical infrastructure”) in premises which are safety-proof and equipped with electricity, broadband connectivity and AC. The client is free to install an OS and applications of their own choice on the rented machines (provided they are compliant with the law and the AUP of the cloud services provider) and to access them remotely via an encrypted tunnel (e.g. VPN). This provides great flexibility, the flip side being that the liability predominantly rests with the client in terms of information security and execution of the client contracts, regulatory requirements to the extent applicable, etc. This is a clear cut with respect to the distribution of risk, obligations and liabilities between the cloud services provider and the client.
In this piece, I will be using “platform” as OS, the transition between the physical infrastructure and the applications installed and operated under the control of the client. This type of service requires high level of IT competence on behalf of the client who must configure the whole system before it is accessed by the end user – one example is Microsoft’s Azure. The CSP’s responsibility with respect to information security and business continuity is considerably bigger compared to the IaaS model.
Pretty much everything we use as consumers falls into this category – chat programmes, social networks, cloud mailbox/storage. We have little choice or control over the functioning of the applications (outside our ability to adjust their settings within a pre-set range): but we also carry little, if any, responsibility, apart from being diligent enough to read the documentation of our supplier (I am doubtful whether someone actually does that) and refrain from uploading illegal content. This model incorporates the other 2 cloud variations and adds value on top.
3. Deployment Model
This approach is fit for resource-rich clients with a large amount of data who can make use of the cloud-enabled flexibility while still availing of their own dedicated infrastructure. To do this, clients need to acquire the infrastructure but its utilisation for their internal needs follows the cloud model. The physical computers can be in the client’s premises or in a bespoke datacenter (owned/maintained by a third party) equipped to meet the optimal requirements for air temperature, connectivity and power backup. The expenses for this deployment model are naturally many times higher than for the public cloud.
This is the most wide-spread and affordable deployment model which has enabled contemporary phenomena like the platform economy, on-demand media content, OTT communications, social networks, distance learning, big data (collection, storage and mining) and many others. The CSP owns, installs and manages the applications and rents or owns the platform and the physical infrastructure. This chain of CSPs which helps deliver the service to the end client is the cause why often reference is made to cloud layers which together represent the end cloud service. The public cloud predetermines similar or the same terms & conditions, service levels, information security standards for all clients. The data and client environments’ segregation can be achieved on hardware and software level in single-tenant scenarios or with virtualisation, i.e. software based only – for multi-tenants.
This is “the best of both worlds”, a cross-over between the public and private cloud. The sensitive information/data may be processed in the private cloud, while the rest is stored and accessed in the public one; or the business may use the public cloud’s resources during peak times to offload its private cloud (cloud bursting).
This deployment model is increasingly sought by corporate clients who are subject to stringent regulatory standards and outsourcing guidelines or caught by the EU information security legal framework (large banks are a typical example). Community clouds can be organised to meet relevant industry requirements in a certain region (EU/North America, Australia) and made available to such clients. As a rule of thumb this service is pricier but facilitates the participants in meeting their compliance standards.
4. Commoditisation of the cloud service For a cloud service to do its magic every time – i.e., be fast, flexible and affordable, it cannot be custom. The weaker the client’s control and the cheaper the service, the lower the chance for a customisation of its parameters to accommodate the client. This is good to know in advance for managing expectations’ purposes. There is no way for a small company willing to use several mailboxes to realistically expect that anything in its CSP’s T&C will be changed. the service will be offered on “take it or leave it” terms.
5. “Free” cloud services
Quite often the SaaS meant for consumers are “free” that is, they require no financial compensation from the consumer. “It is free and always will be” is the well-known mantra of the biggest social network. Free in this case means that we will not be paying money to use the service; but we will need to provide our personal data and consent to its processing – hopefully in line with the CSP’s extensive documentation; we will not be able the content generated by us to be used by the provider to train its AI, for example. Our data is valuable as it is heavily monetised by the CSP: it is used to tailor the audiences whose attention is being offered to the ad networks/advertisers for money. Besides, having big and rich data from which AI training datasets can easily be derived, is likely to generate billions of dollars for the AI owner. Against this background, this service is by no means gratuitous but is more of a barter. Consumers are entitled to require par quality with similar services available for compensation, transparency and security of processing of their personal data and content inclusive.
6. Regulation of the cloud
There is no comprehensive regulatory framework for the cloud services in the EU. The early days of cloud governance were marked by self-regulation, voluntary application of industry standards (used more as a marketing strategy) and contractor’s general terms implementation. Gradually this is changing; since 2016 the cloud services are categorised as digital services for the purposes of adhering to a minimum level of information security as per the Network and Information Security Directive 2016/1148, its implementing regulations and the national legislation transposing said directive. The set of rules places the CSPs under institutional control with respect to the applicable information security standards. For example, the new provisions create legislative certainty with respect to a set of minimum risk management measures fostering information security for digital services providers and establish criteria to determine whether a security incident has the potential to be of substantial impact . It is of note that only bigger CSPs will be affected by the Implementing regulation (no less than 50 clients, EUR 10 M annual turnover and above). Thus, it is worth checking in which category does your cool new app supplier fall before committing to many business functions/sensitive business information to it.
There is no need to say much of GDPR implications for CSPs: depending on their business model, they operate either as controllers or as processors of personal data; transfers of personal data given the way of organisation of cloud services is par for the course; subcontractors are plenty. Although there rarely exists such an option for “free” cloud services, paid services targeted at corporate clients quite often offer the choice of localisation of the client data at a data center within the EU, for backup purposes inclusive and the option for logical access (maintenance and business recovery services) to be carried out by experts based in the EU.
There is also a sector (soft) regulation of the cloud services in place for some industries – e.g. the EBA Guidelines on Outsourcing Arrangements which include cloud services and are effective from 30 September 2019.
Directive 2019/770 on Certain Aspects Concerning Contracts for the Supply of Digital Content and Digital Services must be transposed into national law by 2021. The definition of digital services is broad enough to include most SaaS supplied to end users. “Barter based” transactions are explicitly included where the trade-off is end-users’ personal data. In sum, the Contracts for Digital Content and Digital Services Directive is newer generation consumer and small business-oriented legislation aimed at retail clients’ protection vis-à-vis digital services providers.
Regulation 2018/1807 on the Free Flow of Non-Personal Data is meant to address the arbitrary or cumbersome national localisation requirements for data storage/processing which exist in some member states; it aims to enhance data portability between CSPs to foster competition and innovation provided that certain prerequisites are met.
Regulation 2019/1150 on Promoting Fairness and Transparency for Business Users of Online Intermediation Services is another cutting-edge piece of legislation aimed at leveling the playing field of the platform economy to urge online marketplaces and social networks (all of them CSPs) to take a more balanced approach against their business users. Up until now platforms, through their T&C and AUPs were able to impose the rules most favorable to them unilaterally on users. With the new EU framework the terms cannot go below a minimum standard of balance promoting transparency of rankings, disclosure of own offers, fair termination of contract rules, access to data, complaints-handling, etc.
SaaS providers and especially platforms must keep an eye on the progress of the planned EU Digital Services Act to fight illegal content online, which will allegedly put an end to the mere conduit defence of ISPs and information society services providers.
In sum, when dealing with a CSP and based in the EU, a SME or even a consumer may have considerably more rights and legal instruments to advance their interests compared to only a year ago. Admittedly, the legislation has been branching out incredibly fast for the last several years to provide solid basis for sustainable digitisation promoting consumer and human rights online and the rule of law. The more important the data or business function which is being upgraded to the cloud, the more careful the background check of existing possibilities to have guaranteed service levels, avoid user lock-in and ensure business continuity/disaster recovery while keeping the data within the EU there are, but the growing legal framework requires careful review and comparison to the terms of the CSP on behalf of the user for best results. That said, there are some basic rules of thumb and minimum standards on which an EU end-client may almost certainly rely going forward.
The emerging regulation is yet to show its effect on competition, innovation and demand for cloud services. Contrary to the popular belief that laws create unnecessary restrictions which stifle the digital industry, in fact rules serve to create predictability and boost consumer/business confidence.
The sequence of this article will aim to outline some of the crucial issues when contracting with a CSP and draw a roadmap to their extensive and sometime perplexing documentation.