Most businesses will be familiar with cloud computing. Many companies have moved their IT operations to the cloud, or consume cloud-based software as a service (SaaS) applications and tools such as Salesforce, Dropbox or Microsoft Office 365.
But cloud computing is not without its risks. What if hackers attack your cloud provider or its service is unavailable? As a data controller, you will be primarily liable under data protection law.
Cloud providers may also operate business models based on standard non-negotiable terms which can pass the risk onto the user. Ensuring compliance with data protection law (GDPR) can be a headache when appointing a cloud provider.
Also, it’s worth considering how easy it will be to get your data back or port it elsewhere if required.
There is also the risk of losing control of your data unexpectedly; Google has just announced the transfer of UK user data to the USA, for example.
Although many cloud providers will offer to localise data for you, this may cost you more than their basic service.
Regulators too have had cloud computing in their sights.
The use of the cloud in the financial services sector in particular has been the subject of regulatory scrutiny.
Financial services companies can’t outsource their regulatory responsibilities here – they remain firmly on the hook.
Currently, the legal risks of cloud computing are generally well understood, even if legal advice is required to navigate those risks. However, the future of the cloud, while exciting, presents new threats to businesses.
These risks are due to the growth of the Internet of Things (IoT), which means connected devices at home, in the street or at work.
Smart devices for personal and home use – including autonomous vehicles and drones as well as industrial applications such as factory robots – are all data intensive. They collect massive amounts of data, which needs processing exceptionally quickly in the case of a robot, a drone or an autonomous vehicle – where an individual’s life or property might be at stake.
Data-intensive artificial intelligence (AI) is also increasingly used for image recognition as well as the operation of the devices themselves.
All this data requires processing at the edge of a network close to the devices generating the data. Here the classic cloud computing model breaks down.
It’s too slow to pass all this data to a centralised cloud server at a large data centre for processing. The device needs the ability to process the data very quickly and minimise “latency” – the time taken for data to travel over a network.
This can be achieved by using edge computing – putting processing power at the edge of a network, close to where sensors collect the data. Advances in computing make this possible. Already “mini data centres” are springing up, putting computing power close to where it’s needed.
Edge computers, when connected over a network, form what is called a “fog” – a network of distributed computing resources – which process data very quickly as needed and also connect with the cloud for overall communication and control.
The growth of 5G networks will only encourage this, as they allow fast, high-capacity local data flows but also require local data processing resources – so more mini data centres.
This interconnected environment is set to expand rapidly but raises a lot of new legal issues. Who owns all the data that sensors collect and that is then processed?
If the data is personal data, how is compliance with data protection law ensured? How do users exercise the rights data protection law gives them?
Also, what about the risk of security breaches? The general view is that a distributed network with lots of remote devices connected to it is likely to be inherently less secure than a large data centre or cloud server ring-fenced with security, either of which is easier to monitor for breaches.
There are ways around this – for example, encrypting data both when in transit and “at rest” (when stored on a device) – but encryption is power intensive and can also slow things down.
A problem with regulation is that it can quickly become out of date as technology advances. The GDPR was an attempt to reboot data protection law for the age of Facebook and Google. But when it comes to the IoT and AI, the GDPR already risks being left behind.
Complying with the GDPR in this new world requires several steps including:
- a data mapping exercise to examine the personal data flows involved and whether the data is lawfully collected and processed
- considering how the computing resources/AI involved make decisions
- identifying who the data processors and data controllers are
- looking at further compliance steps – data processing/data sharing and transfer agreements, updated transparency notices and security due diligence, for example.
These steps may become unworkable as 5G and AI take off, and the IoT expands to every facet of our lives at work, when we travel and at home.
We are literally at the edge of an IoT, AI and 5G revolution – how the law responds to this challenge and protects our privacy while facilitating innovation will be an increasingly pressing topic as the new decade advances.