Cloud computing has enjoyed relative freedom from regulation but, as the services they provide grow in importance, this might change, writes Anna Guégan. Anna is a Policy Adviser in the Technical Policy and Market Access team, working with clients on cloud-computing regulation in key markets around the world. She can be reached at firstname.lastname@example.org.
Once, British poet William Wordsworth could wander lonely as a cloud. He might well choose a different simile today, as the cloud now provides good company: Airbnb, Netflix, and Pokémon Go to name just three fellow travellers. Corporations benefit not (just) from Pikachu-hunting, but through private or public voice-over-IP (VoIP) services, online help desk platforms or data processing services.
Prior to the arrival of cloud computing, processing and storage had to be done on one machine, whether it was the mainframe of old or personal computers from the 1990s onward. This required a lot of processing power and large machines. Today, a much smaller app can be downloaded onto a machine with a comparatively tiny amount of storage, while data processing can be done over the Internet. Instead of maintaining servers and scaling up by purchasing hardware and data centres, cloud computing can be scaled quickly to respond to user demand cheaply. It’s this flexibility that has allowed these services to reliably supply the first 10, then the first 10 million, users.
Cloud and policy
Telecommunications regulations tend to be designed around infrastructure located in a single jurisdiction. In this framework, services and technologies are bound to infrastructure in the jurisdiction where their customers are located. Regulators can charge licensing fees for networks operation, services to third parties, or the use of resources. They can also attach administrative and technical duties, such as local incorporation, allowing legal intercept and other data retention or protection capabilities as appropriate to their policy goals. Cloud-computing services, with infrastructure potentially thousands of miles away from customers and head offices, defy this model. Until recently, this has not troubled too many policy-makers, although some notable services have been banned in some areas.
But now, cloud-computing is the topic of a number of public consultations. For example the Telecom Regulatory Authority of India (TRAI) and the Communications and Information Technology Commission (CITC) of Saudi Arabia have recently published consultation papers on cloud computing. Likewise, Brussels is currently reconsidering the light-touch regime currently in place in most of the European Union in its proposals for an EU Directive establishing a European Electronic Communications Code and for the amendment of the ePrivacy Directive.
A survey of over 60 countries around the world reveals that three major parameters affect the level of regulatory obligations for the operation of a cloud-based service in a new market:
- The nature of the end-user
Private networks are less regulated than public networks. If they do not use natural resources (such as spectrum or land), private and closed-user-group networks are frequently not subject to any licensing at all. Moreover, private networks may also be exempted from other obligations such as providing a capability for legal intercept, data retention or localisation (whereby a provider has to keep data in country).
Although data protection developments should be monitored in individual countries, a light-touch regime is likely to remain in place for private networks as opposed to networks open to the public. Issues such as legal intercept and cross-border data transfer are usually less critical for private network, regardless of the technology facilitating the network. Development in cloud regulation is thus unlikely to affect the status quo on this aspect.
- Whether the service looks to connect to the Public Switch Telephony Network (PSTN)
The Public Switch Telephone Network (PSTN) is at the centre of national telecommunications regulations. Regulators safeguard the good functioning of telephone networks and ensure the cooperation of all operators so that they can interconnect. Connection to the PSTN takes place if a call is made directly from the cloud-computing service to a phone number. For example, depending on the country, Skype offers the possibility to call phone numbers or to obtain a phone number for an account. In that case, access to the PSTN may be completed directly by the cloud-computing service, requiring a licence, or provided by an authorised third party.
Although connection to the PSTN is likely to remain heavily regulated, it may not maintain its importance for telecommunication in the medium term. Indeed, the exponential development of Internet-based medium of communication circumvent the PSTN and may make it redundant. The weakening of the PSTN would represent a dramatic shift in traditional consideration of the telecommunication sector and lead to the refocus of regulations on services regardless of connection to the PSTN.
- Scope of the service
Communication services are often defined to include the Internet infrastructure service providers but to exclude the value-added or over-the-top (OTT) services. OTT service providers lease connections from a telecommunications carrier. As a result, the responsibility for most of the licensing, as well as other obligations such as legal intercept, falls on the carrier.
The light-touch regime for OTT services is one of the aspects that is currently undergoing the most changes. OTT services are expected to be increasingly subject to new rules with dedicated regulatory frameworks. The trend to share the regulatory responsibility between the local service provider and the OTT services is what we have observed in the last few months. This reflects in different ways depending on the countries, with the issue of data security remaining one of the hottest topics. Concretely, where all requirements – licensing, standards and technical capabilities – are currently borne by the telecom carrier, OTT services are increasingly likely to be found accountable.
Cloud-computing technology is extending the opportunity of innovation and economic development while diversifying the range of services available to the consumer. The immaterial nature of the service is challenging the way regulators traditionally regulate the sector. This is a snapshot of the current situation, where regulators are generally content to leave cloud services be. This will change, with many countries currently reviewing one or another aspect associated with this type of services.
As the number and significance of services provided by cloud service providers grows, regulators’ attitudes are changing. They are increasingly realising the potential and risks of these services. There is now movement to design a more sophisticated regulatory approach. The outcome of these revisions will shape the future of cloud-computing services.
Anna is a Policy Adviser in the Technical Policy and Market Access team, working with clients on cloud-computing regulation in key markets around the world. She can be reached at email@example.com.