Cloud Legal Project was launched in 2009 and publishes research on a broad range of topics in Cloud Computing, which influences legislators, regulators and policy makers
Cloud computing is everywhere. Your smartphone backs up your pictures to Apple’s iCloud, while you stream music from Spotify’s cloud servers or upload a video to YouTube. And if your workplace uses Office 365, your work documents and emails are in the cloud as well.
Individual users benefit from having data and services that are available anywhere, on any device, and often at a low cost - or even free of charge. Business users gain access to state of- the-art computing resources on a rapidly scalable, pay-what-you-use basis, including powerful IT infrastructure and platform services provided by companies like Amazon Web Services and Microsoft.
Research by Gartner estimated the global public cloud services market to be $USD 186bn in 2018. What’s more, the demand for cloud services is projected to grow further and faster. Growth drivers include large scale deployment of mobile apps, widespread use of data analytics, and the emergence of the Internet of Things, as well as data and processing intensive services such as cloud-based machine learning and robotics. Taken together, the overall commercial and societal impact of the cloud is very substantial.
Nonetheless, cloud computing raises novel and sometimes difficult legal and regulatory questions, which can lead to considerable uncertainty. The Cloud Legal Project (CLP) aims to reduce that uncertainty by producing scholarly yet practical research papers on an extensive range of issues, and by sharing our ideas and analysis through academic journals, conferences and in the media. This article explains how the project developed and how it works and also highlights some of our key research on hot topics such as blockchain, machine learning and robotics.
In 2008, when few people had heard of ‘the cloud’, a conference presentation by Christopher Millard prompted Microsoft to request a proposal for academic research into the legal and regulatory implications of cloud computing. This led to the launch of the CLP in 2009, funded by a generous charitable donation from the Microsoft Corporation, with further funding every year since then. From the start, the project has covered a wide range of topics, including cloud contracts, consumer protection and data protection law. In addition to legal analysis, the project team has also conducted empirical research. This has included detailed comparisons of the terms of service and privacy policies commonly offered for standardised cloud services, as well as in-depth interviews with providers and users of cloud services, regulators and professional advisers in relation to negotiated cloud deals, including in regulated sectors such as banking.
Cloud Computing Law, edited by Christopher Millard, was published by Oxford University Press in 2013. Reviewed enthusiastically by both academics and practitioners, the book features contributions from various CLP team members that update and develop the project’s working papers. The team’s ongoing research also informs teaching at Queen Mary University of London, including through the LLM module in Cloud Computing Law which has been available via Distance Learning since 2014 and is to be offered in Paris from 2019.
Since 2014, the CLP team has undertaken joint research with the Department of Computer Science and Technology at the University of Cambridge, as collaborators in the Microsoft Cloud Computing Research Centre (MCCRC). The Cambridge Department is a world class research centre working in key areas fundamental to cloud computing, including distributed systems, networking and security. The MCCRC, which appropriately is a ‘virtual’ research centre, brings together technology lawyers and computer scientists to work together on cutting-edge research concerning cloud computing challenges at the intersection of technology and regulation.
Over the past 10 years, members of the CLP have produced papers on the legal and regulatory implications of a broad range of cloud computing topics, and multiple workstreams are ongoing. In addition, each year, the MCCRC focuses on a particular research topic, like the Internet of Things, blockchain or compliance-as-a-service. In September each year, the MCCRC team hosts an invitation-only symposium (alternating between London and Cambridge) to discuss work in progress with a group of carefully selected attendees from industry, legal practice, government, regulators and academia. This allows the team to gather informal feedback from a range of outside experts, which helps shape emerging findings. After the symposium, the team finalises research reports for publication via the Social Science Research Network (SSRN). These working papers then form the basis for academic articles that are published in highly-regarded journals in Europe and the US. Each new year the research process starts afresh, with new topics – as well as deeper dives into previous research areas. The CLP is committed to ensuring that a version of all of its research reports is made publicly available, free of charge, on SSRN. Many of these papers are read and cited widely. For example, a 2010 CLP analysis of cloud terms of service has been downloaded almost 9,000 times, placing it in the top 500 SSRN papers of all time.
The team also ensures that legislators, regulators and policy makers benefit from its research. To this end, we have provided guidance and submitted evidence to many organisations, including the UN Conference on Trade and Development, the UK House of Lords, and the International Organization of Securities Commissions (IOSCO).
Although CLP and MCCRC are funded primarily by Microsoft, the projects maintain full academic independence. From the start, Microsoft has made it very clear that it wants to see objective analysis of the key legal and regulatory issues that affect providers and users of cloud services regardless of any particular commercial interests. Indeed, the charitable status of the core funding ensures that the research team has a higher degree of academic independence than is possible in many cases where grants are provided by public sector agencies.
For more about how CCLS researchers work with Cambridge computer scientists, as well as insights into other hot topics in cloud computing law, see these blog post interviews:
While blockchain technology is subject to much speculation, one thing is certain: it raises difficult questions under GDPR. Indeed, some ar gue that blockchain and GDPR are fundamentally incompatible. Our research unpicks the technical differences between public and private blockchains, explains them for a non-expert audience, and highlights the challenges around using blockchain applications to process personal data unde GDPR. We found that it may be possible to overcome some of those challenges and devise blockchain applications that comply with important data protection principles.
For further details, search for “Blockchain Demystified” on SSRN.
Artificial Intelligence (AI) has been defined as teaching computers to do tasks that require some kind of ‘intelligence’ when done by humans. Machine Learning is a sub-category of AI referring to computer algorithms that can be trained to carry out tasks by learning from experience, as humans do, but potentially much more quickly and accurately. Our research focuses on how companies may use these algorithms to carry out profiling and automated decisions in a fair, lawful and transparent way to ensure that people’s data protection rights are respected.
For further details, search for “Machine Learning with Personal Data” on SSRN.
Our research focuses on identifying and addressing key legal and regulatory questions arising from the integration of physical robotic systems with cloud services, also called “cloud robotics”. We found that the interaction between cloud services and robots is often complex. Cloud computing may involve multiple service layers and (sub-)providers, with supply chains that are often opaque. As a result, significant challenges arise in relation to control, security, data protection and risk management. We argue that the current legal framework is ill-prepared to accommodate complex and dynamic ecosystems that include hybrid product-service categories like cloud robotics.
For further details, search for “Cloud Robotics Law and Regulation” on SSRN.
This project explores how blockchain technology might improve energy sustainability. Transparency is a fundamental aspect of sustainability, and blockchain could allow collection and sharing of reliable sustainability information. We show how blockchain can cope with a complex system of independent, sometimes overlapping, structures, and so facilitate sustainability of market based instruments such as emissions trading schemes and green certificates, through market incentives. Our research proposes a conceptual model of linked blockchains, each complying with its own local regulatory requirements, while still allowing information sharing.
For further details, search for “Blockchain for Governance of Sustainability Transparency in the Global Energy Value Chain” on SSRN.
Our research investigates the challenges governments and service providers face in applying corporate income tax rules to cloud services, and possible tax policy options to address these challenges. The current international tax principles were designed more than a century ago, when physical presence and active personnel involvement were required for the conduct of business. In a digital economy where mobility, intangibility, reliance on data, user participation and multi-sided business models have transformed the “where” and “how” of value creation, a question arises as to whether these principles are efficient and adequate in guaranteeing the fair allocation of taxing rights between the various states – or whether they should be reformulated, or even radically redesigned.
Our research analyses the key components of data protection contracts for commercial exchanges of personal data in civil and common law jurisdictions under the GDPR, focusing primarily on UK and Spanish law. Such contracts are in a state of flux as the GDPR perpetuates some of the still unresolved complexities of the Data Protection Directive, while giving rise to new and enhanced contractual obligations beyond those of the Directive.