KEY ICT POLICY PRINCIPLES: SIIA Guide to Cloud Computing for Policymakers

 

SIIA Guide to Cloud Computing for Policymakers[1]

Policymakers are rightly interested in fostering the growth of cloud computing to seize the economic benefits, and to protect their citizens against any potential for harm.  Yet, because cloud computing is not a single technology or business model, for policy making purposes, there is no such thing as “the cloud.” 

…There is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing.

Today, there are a number of existing and proposed public policies that could hurt the development of cloud computing, such as requirements for the location of computer facilities in particular jurisdictions, or restrictions of cross-border data flows – policymakers should take great effort to remove or avoid such types of policies…

…One-size-fits-all policies cannot apply properly to all the various technologies and business models that comprise cloud computing.

Policymaker concerns about specific issues can be and are being addressed through industry-led voluntary action, public-private partnerships and best practices enforced through contracts and existing legislation.

SIIA recommends that policymakers embrace the following key principles in their efforts to develop policies that encourage the economic benefits of cloud computing and ensure that users are protected:

  • Avoid cloud-specific rules and policies, in favor of policies that apply broadly to a wide range of technologies and services, and those that maintain a level playing field for cloud computing and all approaches to remote computing and data storage.
  • Promote open standards for software and data interoperability, and avoid policies that would favor one particular business model or technology over another.
  • Promote policies that allow, to the greatest extent possible, unrestricted transfer of data across borders.
  • Encourage rules governing data to travel with the data in order to adequately recognize varying jurisdictional requirements, and ensure data subjects do not lose protection when their data is stored and processed in “the cloud”, or in any remote computing environment.
  • Avoid localization mandates, or any policies that would give preference to data processors using only local facilities or operating locally.
  • Seek interoperable privacy regimes in which countries recognize each other’s privacy rules to the greatest extent possible.
  • Embrace a global approach to cybersecurity that recognizes the global nature of interconnected systems and provides for data to be protected regardless of where it is located, and that seeks international consensus standards that avoid fragmented, unpredictable national requirements.


 

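Software & Information Industry Association (SIIA) Policy Guide to Cloud Computing

Policymakers are very interested in fostering cloud computing to promote economic development and to protect citizens from potential harm. However, because cloud computing is not a single technology or business model, from a policy-making perspective there is no such thing as “the cloud.”

…There is no need to enact separate laws and regulations for cloud computing in order to ensure its security and development. In fact, such measures would constrain the great potential of cloud computing.

At present, many existing or proposed public policies may harm the development of cloud computing, for example requirements that computer facilities be located in particular jurisdictions, or restrictions on cross-border data flows. Policymakers should strive to remove or prevent policies of this kind…

…One-size-fits-all policies cannot be applied well to the various technologies and business models, cloud computing included.

Some of the issues that concern policymakers can be, or are being, resolved through industry-led voluntary action, cooperation between the public and private sectors, and best practices backed by contracts and existing law.

SIIA recommends that policymakers follow the key principles below when developing policies to increase the economic benefits of cloud computing and ensure that users are protected:

  • Avoid laws and policies aimed specifically at cloud computing. Instead, develop policies that apply broadly to general technologies and services, and policies that maintain a level playing field for cloud computing and for all kinds of remote computing access and data storage.
  • Promote open standards for software and data interoperability, and avoid policies that favor one particular business model or technology.
  • Promote policies that allow unrestricted cross-border data transfer to the greatest extent possible.
  • Promote rules that govern data flows and take full account of differing jurisdictional requirements, ensuring that data does not lose protection when it is stored and processed in “the cloud” or in any remote computing environment.
  • Avoid localization requirements, or any policy requiring data processors to use only local facilities or to operate only locally.
  • Seek to establish interoperable privacy protection regimes so that countries can give effect to their respective privacy rules to the greatest extent possible.
  • Promote a global approach to information security that respects the global nature of interconnected systems, provides for data to be protected wherever it is located, and seeks international consensus standards, avoiding fragmented, unpredictable national requirements.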

[1] As compiled by SIIA Public Policy Division in July 2011. Please see http://www.siia.net/blog/index.php/2011/07/siia-releases-guide-to-cloud-....