From a strictly regulatory point of view, it’s not easy to be in the cloud services game. The good news: service providers can actually take advantage of data privacy regulations (even archaic ones) to get a leg up on their competition.
So said Jeffrey J. Blatt, Of Counsel at Tilleke & Gibbins International and a board member of Sri Lanka Telecom, who spoke at Broadband & TV Connect Asia in Hong Kong this week about the regulatory challenges faced by cloud service providers.
In essence, Blatt said, while “the cloud” may seem nebulous from the user’s point of view, from a regulatory POV it all comes down to where the actual data is physically located. That’s the jurisdiction where local laws will apply, including data privacy, taxation, and lawful intercept of customer data.
The last one is particularly thorny in countries where the government can compel service providers to disclose customer data as part of a legal investigation or a civil lawsuit, as well as prevent them from even telling their customers about the disclosure.
But they’re all potentially problematic, not least because many jurisdictions are way behind the technology curve when it comes to data privacy, Blatt said. Complicating things is that jurisdictional lines sometimes get blurred when governments try to assert extraterritorial authority (as the US and the EU are known to do, for example).
However, Blatt said that cloud service providers who understand local laws well enough can use that to differentiate themselves from other cloud service providers.
“For example, does the local government require you by law to hold the keys to your client’s encrypted data so they can get it from you? If not, then don’t hold them,” Blatt said. “You can’t hand over what you don’t have.”
Meanwhile, larger companies that host cloud services in multiple countries can do their homework when choosing locations where they install or lease the physical servers. “Focus on the countries with favorable privacy laws,” Blatt suggested.
Better yet, he added, give your customers the ability to choose for themselves. “For example, Amazon gives customers the option of hosting their content either inside or outside the US.”
Blatt recommended that cloud service providers use their local regulatory knowledge to create differentiated VAS that address real-life concerns for cloud-based services.
“For example, let customers encrypt their own data with their own keys and store it for them in your cloud,” he said. “Also, you can provide retail customers with access to search engines like Duck Duck Go and ixQuick that prevent tracking and sale of their data and identity.”
Another VAS possibility, he said, is to “provide customers with access to SaaS and SaaP (software as a product) solutions that leverage laws and regulations in your country to provide higher levels of privacy, security and business continuity.”