Friday, December 16, 2011

Cloud computing, security, and trade: GSA in the crosshairs

A colleague and I are presently researching the role of cloud computing in international trade. The "location independent" nature of cloud computing poses all sorts of complex--and fascinating--challenges for policymakers. Is it possible for them to safeguard the security of data without undermining the very benefits that cloud computing offers through "dynamic assignment" of data to physical servers in various places? The matter is particularly thorny with respect to sensitive data, such as much of the information kept by governments.

The issue came to a head recently in response to a solicitation issued by the U.S. General Services Administration, the U.S. government's chief procurement agency, for a variety of cloud computing services. Two potential bidders for the contract protested that its requirements on the location of data centers were unduly restrictive. The solicitation required that such data centers be located in "designated countries," as specified under the Federal Acquisition Regulations. Those countries include members of the WTO's Government Procurement Agreement, partners to U.S. free trade agreements, least developed countries, and Caribbean nations... but not many of the world's biggest emerging markets, such as China and India. The U.S. Government Accountability Office agreed with the protestors.

The GAO's decision on the matter makes for fascinating reading (really!) for anyone interested in the nexus of cloud computing and trade policy. Here's one of the more interesting nuggets from the decision:

"GSA has provided no explanation for why its security concerns would be less acute in relation to data stored or processed in designated countries, which include, for example, Yemen, Somalia, and Afghanistan, versus data stored or processed in non-designated countries, such as Brazil, India or South Africa. Further, GSA has acknowledged that it has no basis to differentiate between countries with acceptable data rights regulations and those with unacceptable data rights regulations."

It seems likely that this is one of the first words--rather than the last--in the debate over how to structure policies on cross-border data flows so as to facilitate trade, yet safeguard data. There are many, many unsettled areas of policy related to cross-border data flows, such as the applicable country/ies of jurisdiction for data moving across multiple countries, protection of intellectual property in the cloud, and how to best protect the privacy of individuals' data. We are exploring these issues and more in our research. I look forward to sharing it here once it is ready.
