KEY ICT POLICY PRINCIPLES: SIIA Guide to Cloud Computing for Policymakers


SIIA Guide to Cloud Computing for Policymakers[1]

Policymakers are rightly interested in fostering the growth of cloud computing to seize the economic benefits, and to protect their citizens against any potential for harm. Yet, because cloud computing is not a single technology or business model, for policymaking purposes, there is no such thing as “the cloud.”

…There is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing.

Today, there are a number of existing and proposed public policies that could hurt the development of cloud computing, such as requirements for the location of computer facilities in particular jurisdictions, or restrictions of cross-border data flows – policymakers should take great effort to remove or avoid such types of policies…

…One-size-fits-all policies cannot apply properly to all the various technologies and business models that comprise cloud computing.

Policymaker concerns about specific issues can be, and are being, addressed through industry-led voluntary action, public-private partnerships and best practices enforced through contracts and existing legislation.

SIIA recommends that policymakers embrace the following key principles in their efforts to develop policies that encourage the economic benefits of cloud computing and ensure that users are protected:

  • Avoid cloud-specific rules and policies, in favor of policies that apply broadly to a wide range of technologies and services, and those that maintain a level playing field for cloud computing and all approaches to remote computing and data storage.
  • Promote open standards for software and data interoperability, and avoid policies that would favor one particular business model or technology over another.
  • Promote policies that allow, to the greatest extent possible, unrestricted transfer of data across borders.
  • Encourage rules governing data to travel with the data in order to adequately recognize varying jurisdictional requirements, and ensure data subjects do not lose protection when their data is stored and processed in “the cloud”, or in any remote computing environment.
  • Avoid localization mandates, or any policies that would give preference to data processors using only local facilities or operating locally.
  • Seek interoperable privacy regimes in which countries recognize each other’s privacy rules to the greatest extent possible.
  • Embrace a global approach to cybersecurity that recognizes the global nature of interconnected systems and provides for data to be protected regardless of where it is located, and that seeks international consensus standards that avoid fragmented, unpredictable national requirements.

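  • Avoid regulations and policies that specifically target cloud computing. Instead, develop policies that apply broadly to general technologies and services, and those that maintain a level playing field for cloud computing and for all forms of remote computing access and data storage.
  • Promote open standards for software and data interoperability, and avoid policies that favor any one business model or technology.
  • Promote policies that allow the greatest possible, unrestricted cross-border transfer of data.
  • Promote rules that govern data flows and fully take into account differing jurisdictional requirements, ensuring that data does not lose protection when it is stored and processed in “the cloud” or in any remote computing environment.
  • Avoid localization requirements, or any policies requiring data processors to use only local facilities or to operate only locally.
  • Seek to establish interoperable privacy protection regimes that enable countries to realize their respective privacy rules to the greatest extent possible.
  • Promote a global approach to information security that respects the global nature of interconnected systems, provides for data to be protected wherever it is located, and seeks international consensus standards, avoiding fragmented, unpredictable national requirements.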

[1] As compiled by SIIA Public Policy Division in July 2011. Please see