Cloud-friendly regulation: The EU’s strategy towards emerging economies

In terms of astronomy, Chile is a privileged country. It seems to have wonderful conditions for astronomic observations due to the permanent clear skies and the low levels of light pollution. These are the reasons that led the European Southern Observatory Agency and its international partners to establish the world’s biggest telescope –the project is called ALMA–¹ in the Chilean Atacama desert.² ALMA was put into operation in January 2013, and instantly became the centre of media attention.³ The joy of technological transfer seemed to be complete, until the government realised that producing spectacular images of the universe was just one part of the challenge; the second step was the procedure of storing, analysing, and interpreting the data that ALMA was spitting out at an outrageous rate. Seven terabytes per session to be crunched by local computing power represents a challenge that the national available infrastructure is not able to meet. Luckily for the project, data can be processed in the cloud; sadly for the government, the country still plays a minor role in the cloud computing market.

Strong global demand motivates European cloud strategy

This explosive global demand, especially in emerging economies, is a cornerstone of the European cloud strategy. The European Commission explicitly addressed [PDF] the challenge of a growing demand of cloud services vis-à-vis the slower progress of engineering science and the need to provide a “cloud-friendly” environment in Europe in order to be at the forefront of global cloud developments.⁴ Within the EU’s strategy for fostering a cloud-friendly environment both domestically and globally, two quite distinct approaches, and a third mixed one can be found, albeit not being named explicitely. They all address how international regulatory frameworks can be harmonized in so far that they satisfy EU demands.

Approach #1: Free trade agreements that come with conditions

The first approach follows the logic of international trade law. It seeks to secure certain standards through the conclusion of free trade agreements.⁵ Targeted regulatory preferences are included in these agreements, whereby the implementation will then be a task for the respective governments. On top of the ordinary trade provisions states that are powerful can insert cognite regulatory preferences in the negotiations. Less powerful states are likely to accept the inclusions because the agreement itself represents an achievement.

This strategy of positive conditionality envisioned by the Commission is not new. It was also adopted by the US in the first years of the new millennium in regard to the regulation of internet service providers (ISPs). The US government began negotiating free trade agreements with third countries, making them conditional upon the adoption of specific internet-related regulatory package. The set of internet provisions was introduced in the free trade agreements that the US signed with Chile, the Dominican Republic and CAFTA, Morocco, Colombia, Australia, Bahrain, Peru, Korea, Panama, and Oman, establishing a factual scheme of “hub and spoke” where the US is at the centre.

“Notice and take down” - an example from the USA

These treaties contain similar clauses that bind the parties to the “notice and take down” framework, a regulatory scheme introduced by the Digital Millennium Act, by which ISPs do not bear responsibility for the content that end users are channelling through to the internet service. That immunity, however, is conditional to the immediate response to eventual copyright infringement, as soon as the provider is notified. In other words, content that appears as contravening copyrights, shall be removed by the ISP without any kind of judicial procedure. They also bind the parties to implement ICANN’s Uniform Dispute Resolution Policy.

From the moment the agreements are adopted, they become an obligation stemming from international public law that states import into domestic legislation.

The EU included this approach in the current free trade negotiations with India and Singapore, especially concerning the reduction of non-tariff barriers to e-commerce that could hinder the expansion of the cloud industry.⁶

Approach #2: Deliberate and inform

The second approach of the EU’s cloud computing strategy is fostering an intra-European dialogue with relevant actors. In order to address current problems and challenges of cloud computing within the European digital single market, the Commission has called into life the European Cloud Partnership with the intention of promoting cloud adoption. This instance seems to aim at socialising stakeholders with the functional requirements of an expanding cloud market. As cloud services proliferate, matters of public procurement, private contracting and standardisation will be primordial.⁷

Interestingly, this latter multi-stakeholder approach seems to be diffusing across regions; this time not based on the mechanism of conditionality but on possible emulation based on benchmarking against the European experience.

Beginning in 2011, and specially related to internet regulation, emerging economies began subjecting the regulation of specific aspects relevant to the digital economy to a more nuanced deliberative process. Academics and their scholarly insights –especially comparative analysis– seems to play a predominant role here. Contrary to the critical theory movement of the 1970s, which advocated that the necessary economic autonomy would be achieved by isolating Latin American markets from the industrialised world, now the global regulatory constellations seem to be a crucial point that has to be acknowledged when discussing new regulatory frameworks. Moreover, this trend does not appear to be a reaction to international conditionality; it seems to be rather a proactive strategy of norm setting based on a transparent process of benchmarking.

When instruments of regulation are considered good they may be emulated

The Chilean government, for instance, is currently debating its new framework for data protection and intellectual property. It decided to call into being an open multi-stakeholder forum in order to discuss the benefits and pitfalls of internet regulation under the perspective of cloud computing.⁸ In May 2013 global and local players will be discussing their views on what should be the best solution for a country interested in fostering its cloud industry and achieving acceptable levels of rights protection.

The same debate is taking place in Turkey, with almost exact motivations and the same focus: data protection, cloud computing and big data. Three of its most known universities are hosting an international conference on internet regulation, against the backdrop of a new data protection framework, which is currently being debated.⁹

Stakeholders are interested in experiences on EU level

Both states are explicitly acknowledging the impact of globally relevant regulations like the EU data protection proposal. Governments are interested in European experiences as a reference point. Contrary to negotiations about free trade agreements the deliberations are now public and more transparent. There appears to be no external conditionality driving this impulse, even though it is interesting that both states are recent members of the Organisation for Economic Co-operation and Development, where they were confronted with existing guidelines on privacy standards. Furthermore, they are constantly being measured up against their peers.

Leading a global discussion nationally is nonetheless a challenge. The current difficulties of the Brazilian project on its Marco Civil da Internet¹⁰, testifies to it. Questions on details of intellectual property invoked a complex discussion that threatens to become a deadlock. This happened despite the fact that Marco Civil da Internet aims at securing general internet rights first, as opposed to establishing surveillance and repression.¹¹ It shows how difficult it is to make progress in fields were there were previously no rules at all.

Approach #3: Certification of legal adequacy as a mix of emulation and conditionality

Finally, there is a novel European mechanism that seems to combine both approaches. Article 25 of the current Data Protection Directive¹², contains a requirement for data to be transferred outside of the EU. It commands that data related to European citizens can be transferred outside EU borders only if the legal system of the host country provides a similar degree of protection. This will be established by a decision of the Commission, which can certify the adequacy of the incumbent law.

It should be noted that this mechanism does not use traditional hard law to implement regulatory preferences like free trade agreements do. However, it still uses the mechanism of positive conditionality. Third states are free to decide how they frame their system of legal protection and rule of law; if they meet the levels that are satisfactory to the EU, they will be allowed to store and use data related to Europeans.

Mechanism favours emulation and requirements

The described developments in Chile, Turkey and Brazil do not seem to acknowledge this last mechanism explicitly. However, it remains to be seen whether they will discuss their impact during the deliberations on what should be an “adequate” national level of data protection for the cloud industry. The power of this mixed diffusion mechanism based on emulation and conditionality should not be underestimated, especially considering the profuse international cooperation within the network of data and privacy commissioners.¹³

Be it as it may, even if there is a new mode of deliberation for norm setting at national levels, it will probably coexist with the traditional approach based on conditionality. The US-driven initiative on the proposed Trans-Pacific Partnership Agreement follows the strategy of setting rules through trade agreements instead of broad deliberation, a procedure that has been fiercely criticised by some NGOs.¹⁴ It remains to be seen how these three approaches to the diffusion of regulation find their way into society and how the digital economy adapts or reacts to it. For now, there is much to discuss and deliberate.

1 ALMA is the acronym for Atacama Large Milimeter/submilimeter Array, a single telescope located on the Chajnator plateau, at 5000 m. Altitude in northern Chile. The project is a partnership of the European Southern Observatory (ESO), the U.S. National Science Foundation (NSF) in cooperation with the National Research Council of Canada (NRC) and the National Science Council of Taiwan (NSC) and the National Institutes of Natural Sciences (NINS) of Japan in cooperation with the Academia Sinica (AS) in Taiwan.

2 See the inaugural ceremony at http://www.eso.org/public/videos/eso1312b/

3 For instance, The New York Times, At the End oft he Earth, Seeking Clues to the Universe, 08 April, 2012; a digital version is available at http://www.nytimes.com/2012/04/08/world/americas/high-in-chilean-desert-a-huge-astronomy-project.html?_r=0

4 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, “Unleashing the Potential of Cloud Computing in Europe”, COM (2012), 27.9.2012, p. 2, http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf

5 Orientation Paper “Cloud Computing, Software and Services”: “The Commission services continue to actively engage with on FTA negotiations with third countries, as well as take part in the market access for a specifically on the chapter for e-communications, but also for goods, investment and e-commerce.”

6 “Unleashing the Potential of Cloud Computing in Europe” op. cit., p. 15

7 See https://ec.europa.eu/digital-agenda/en/european-cloud-partnership

8 See conference „Chile Hub Digital para la Región“, May 16, 2013, www.chilehubdigital.cl, hosted by the Minsitry of Economy

9 See the conference „Future of Data Protection: Great Expectations“, April 2013, http://tlpc.modap.org

10 Brazil's Marco Civil da Internet is a proposed legislation aiming at securing the rights and responsibilities of Internet users and service providers. It was drafted by means of an open, participatory process, and regulates privacy, freedom of expression, online liability, net neutrality and open government.

11 See interview of Ronaldo Lemos, one of the drafters of this initiative., http://direitorio.fgv.br/node/967

12 Art. 41 of the proposal for a EU Regulation on Data Protection

13 See for instance, the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, http://privacyconference2012.org/english/

14 See for instance the statement of the Electronic Frontier Foundation: https://www.eff.org/issues/tpp