Cloud computing, whereby various types of computing resource are delivered “as a service” via the Internet, is undergoing a stage of rapid technical and commercial evolution. Substantial efforts and resources are being devoted to the development of infrastructure, products and services for the cloud. The economic and societal impacts of such investments are already significant and look set for sustained growth. There is, however, widespread uncertainty as to the legal and regulatory status and implications of several essential aspects of cloud computing. Concerns regarding the security of cloud ecosystems and services are common and there is considerable scope for misunderstanding between key stakeholders. For example, terms such as ‘network security’ and ‘data protection’ may mean very different things to policymakers, risk managers, computer scientists, lawyers and, of course, providers and users of cloud services. It is also increasingly common for politicians and regulators to make statements regarding things like ‘data sovereignty’ and ‘data location’ without explaining how such concepts might work in practice.
Meanwhile, many organizations are embracing cloud computing enthusiastically as a means to improve business processes and flexibility while, potentially at least, making substantial cost savings along the way. Others are proceeding at a more measured pace. Cautious adopters include companies that operate in heavily regulated sectors such as financial services and healthcare, as well as government agencies and other large organizations with substantial investments in legacy IT systems and processes. Indeed, in numerous and diverse contexts, cloud computing is proving disruptive for both individuals and organizations. Although many outcomes are extremely positive, scope for confusion and concern remain due both to a lack of understanding regarding cloud technologies and services, and a lack of clarity regarding the roles and responsibilities of cloud users and providers.
Over the past five years, computer scientists at the University of Cambridge Computer Lab and lawyers in the Centre for Commercial Law Studies at Queen Mary University of London (QMUL) have been working in separate teams on various technical and legal aspects of cloud computing. Although significant progress has been made in addressing both technology and governance issues, it has become increasingly clear that some of the most important challenges will only be solved in a collaborative environment in which relevant technical and legal skills can be combined. To that end the Microsoft Cloud Computing Research Centre (MCCRC) has been established with generous support from Microsoft. MCCRC is, appropriately for a cloud research project, a virtual centre in which cloud experts from the Cambridge Computer Lab have begun working closely with members of the Cloud Legal Project at QMUL on some of the most critical issues in cloud computing.
It is intended that the work undertaken by MCCRC will demonstrate thought leadership in various complex and difficult areas where technology and regulation intersect and have an impact on the safe and successful development of cloud computing. The focus will be on specific challenges that require a multi-disciplinary approach and that are of vital importance to individuals, governments and businesses globally. While not every problem that is tackled will be soluble, at least in the short term, it is intended that the rigorous scrutiny and analysis undertaken by the participants in MCCRC will stimulate a constructive debate and facilitate the development of appropriate solutions.
MCCRC has been set up to run for an initial period of three years and the research agenda will evolve in response to technological and regulatory developments. Work has begun on the technical and legal implications of proposals to design and deploy jurisdiction-specific clouds, for example an ‘EU-cloud’ or a cloud dedicated to a particular country. Whether such initiatives are appropriate, or indeed possible, will depend on fundamental technical considerations, for example regarding network design, information flow control, and virtualization technology, as well as complex legal issues relating to applicable law and jurisdiction, and the regulation of international data transfers.
This collaborative research project is being led jointly by Jon Crowcroft, Marconi Professor of Communications Systems in the Computer Laboratory at the University of Cambridge, and Christopher Millard, Professor of Privacy and Information Law in the Centre for Commercial Law Studies at Queen Mary University of London. We both had the pleasure of inaugurating the MCCRC at the Microsoft Centre in Brussels last month with guests from the EU institutions, NGOs and industry, and a lively discussion about resilience, privacy and law enforcement access to data in the cloud.
Christopher Millard is Professor of Privacy and Information Law at the Centre for Commercial law Studies, Queen Mary University of London. He is also a Research Associate at the Oxford Internet Institute and is Of Counsel to the law firm Bristows. He has over 30 years experience in technology law, both in academia and legal practice, and has led the Cloud Legal Project at QMUL since it was established in 2009. He is Editor and Co-Author of Cloud Computing Law (Oxford University Press, 2013) and is a founding editor of the International Journal of Law and IT and of International Data Privacy Law (both Oxford University Press). He is a Fellow and former Chairman of the Society for Computers & Law and past-Chair of the Technology Law Committee of the International Bar Association.