BSA Global Cloud Computing Scorecard
The first-of-its-kind BSA Global Cloud Computing Scorecard ranks
24 countries based on seven policy categories that measure the countries’
preparedness to support the growth of cloud computing. Together, these
countries account for 80 percent of the global ICT market.
Click here to view the evaluation of all the countries.
The Scorecard examines major laws and regulations relevant to cloud computing in seven policy categories as well as each country’s ICT-related infrastructure and broadband deployment. These policy categories align with the BSA’s Cloud Computing Guiding Principles, which underpin the Scorecard’s analytical framework and its suggestions for providing a workable framework to allow for the growth of cloud computing.
This section of the Scorecard examines data privacy regulation and the presence and structure of privacy regulators in each jurisdiction. The section also examines registration requirements for data controllers and data breach notification requirements.
The Scorecard reveals that most countries have data protection laws in place and have established independent privacy commissioners. Many of these laws are based on a mix of the OECD Guidelines, the EU Directive or the APEC Privacy Principles. Unfortunately, registration requirements for data controllers or data transfers may act as barriers to the take-up of cloud services. Such requirements are common in some countries, including requirements for registering crossborder transfers in some EU countries.
Korea, which replaced its patchwork of privacy protections with modern and comprehensive legislation in 2011, scored 9.3 out of 10 available points to top the Scorecard’s rankings in the privacy section. At the other end of the spectrum, South Africa finished with just 2.8 points.
The Scorecard also reveals substantial pending data protection law reform, with major reviews and proposals in China, The European Union, India, Singapore, South Africa and the United States. This is an area of rapid legal development. Unfortunately, some key jurisdictions, including China, India, Indonesia and Singapore do not yet have any substantial data protection laws in place.
Such developments are important because cloud users will fully accept and adopt cloud computing only if they are confident that private information stored in the cloud, wherever in the world, will not be used or disclosed by the cloud provider in unexpected ways. National privacy regimes should be predictable, transparent and avoid unnecessarily burdensome restrictions on cloud service providers such as registration requirements for data controllers and cross-border data transfers. Cloud providers should be encouraged to establish privacy policies that are appropriate for the particular cloud service they provide and the business model they use.
Consumers of cloud computing and other digital services (including both private-sector and government users) need assurance that cloud service providers understand and appropriately manage the security risks associated with storing their data and running their applications on cloud systems. This section of the Scorecard examines whether security criteria and the ongoing testing of security measures are the subject of regulation in each jurisdiction. The Security section also examines electronic signature laws and Internet censorship or filtering requirements. Japan tops the Scorecard’s security section with 8.4 of the 10 available points; Thailand’s regime, on the other end of the scale, nets just 1.6 points.
The Scorecard reveals that most countries do have clear, technology neutral electronic signature laws. In addition, security requirements are in place in most jurisdictions, and security audit requirements were generally absent.
A number of countries — ranging from advanced markets like Korea (6.0 points on security) to developing countries like India (4.4) — have implemented Internet filtering or censorship regimes that may act as a barrier to the expansion of the digital economy and cloud computing. Some such regimes regulate criminal conduct, including distribution of illegal material, particularly child pornography. However, a number of the filtering or censorship schemes appear to include a strong political element, in that they regularly block sites that expressed political dissent. China, for example, restricts access to online content under a large and complex legal and technical regime that invokes the protection of national security and social order. This factor played a significant factor in China scoring just 2.0 points in the security section.
As cloud computing involves the aggregation of massive amounts of data in large data centers, it creates new and highly tempting targets. As criminals turn their attention to these vaults of information, it will become increasingly challenging to protect such data centers from both physical and cyber attacks. Governments should ensure that domestic laws provide an effective mechanism for law enforcement, and for cloud providers themselves, to combat unauthorized access to data stored in the cloud. This section examines these issues as well as rules relating to investigation and enforcement, including access to encrypted data and extraterritorial offences.
The Scorecard finds that most countries have either computer crime legislation or cybercrime legislation, and many laws are broadly compliant with the Convention on Cybercrime. Many countries in the study (the EU members, Japan and the United States) have signed the Convention, and several other countries are considering signing (Australia and Mexico are close). Unfortunately, a few key jurisdictions still have gaps and inconsistencies in their cybercrime laws. Canada, for example, signed the Council of Europe Cybercrime Convention in 2001, but it has failed to ratify the Convention for more than a decade. And while the country has a comprehensive computer crime law in place, it lacks essential online investigation and enforcement tools. Thus, while Japan, German and France scored a perfect 10.0 points in the cybercrime section, Canada trailed 6.2 points.
This section also examines rules on investigation and enforcement, including access to encrypted data and extraterritorial offences. There is a greater divergence in results in these fields.
Providers of cloud computing and digital economy technologies and services, as with other highly innovative products, rely on a combination of patents, copyrights, trade secrets and other forms of intellectual property protection. Thus, to encourage investments in cloud R&D and infrastructure, IP laws must provide strong incentives for these investments and clear protection and vigorous enforcement against misappropriation and infringement. Online intermediaries should have incentives to behave responsibly, and they should enjoy safe harbors from liability when they do so.
The Scorecard reveals that countries are moving toward a consistent approach on many key rights and protections. Gaps exist, however, in the IP laws of key jurisdictions, including Canada, India and Thailand. Russia, which finished in the 16th in the overall Scorecard rankings and far back in the IP section with just 8.4 out of 20 available points, serves as a prime example. The country was slow to make any progress on its bid to join the Agreement on Trade Related Aspects of Intellectual Property Rights, or TRIPS Agreement over several years. This and other holes in the country’s IP regime could expose cloud computing services to risks.
This section also examines investigatory and enforcement approaches, where there is a wide diversity of approaches and significant inconsistency. Concerns also exist about the enforcement culture and resources available in some jurisdictions. Even countries with upto- date IP laws sometimes fail to enforce these laws, and piracy rates remain high in many jurisdictions.
Standards/International Harmonization of Rules
Data portability and seamless use of interoperable applications are key considerations for cloud computing and digital economy applications. Consumers are demanding interoperability in the cloud computing space, and industry is working hard through standards development organizations and other international avenues to meet this demand. Government support of these efforts is important.
This section of the Scorecard examines whether or not governments encourage standards to be developed through voluntary, industry-led standards processes. This section also examines international harmonization of e-commerce rules, tariffs and relevant trade rules.
The Scorecard reveals that governments take an inconsistent approach to standards development and that many ad hoc decisions are made in the absence of national frameworks and policies. Many countries have well-established frameworks for standard-setting, and the United States’ National Institute for Standards and Technology is carefully eyeing cloud computing. The United States finished toward the top of this section, scoring 9.4 out of 10 points. At the other end of the scale, countries like Argentina (4.6) and Brazil (3.4) lack even a relevant framework for ICT standards. Government agencies should work with industry to accelerate standards development, where appropriate, and share user requirements with open standard setting organizations.
As it relates to e-commerce rules, tariffs and relevant trade rules, the Scorecard finds a great deal of consistency in e-commerce laws, with most countries implementing laws based on the UNCITRAL Model Law on E-Commerce and / or the UN Convention on Electronic Contracting. Several countries, including Singapore, Russia and Malaysia, have signed / ratified the Convention, leading to even greater harmonization. Tariffs and trade barriers for online software and applications are rare, although a few jurisdictions still maintain tariffs on new technology products that are used to access cloud services.
Promoting Free Trade
Cloud services operate across national boundaries, and their success depends on access to regional and global markets. Restrictive policies that create actual or potential trade barriers will slow the evolution of cloud computing.
This section of the Scorecard examines and compares government procurement regimes and efforts to remove barriers to free trade, including countries’ requirements and preferences for particular products.
The Scorecard finds that a number of jurisdictions that still provide preferential treatment for domestic suppliers in government procurements, including Brazil (2.2 of 10 points), China (4.8), and Malaysia (3.8). In a positive development, Japan (9.2 points) and a growing number of other countries have become members of the WTO Agreement on Government Procurement, which liberalizes such policies.
ICT Readiness, Broadband Deployment
Cloud computing can achieve its full potential only if there is robust, ubiquitous and affordable broadband access. This can be achieved through policies that provide incentives for private sector investment in broadband infrastructure and laws that promote universal access to broadband.
This section of the Scorecard examines and compares the infrastructure that is available in each economy to support the digital economy and cloud computing. This section benefits from the inclusion of statistics on the number of subscribers for various products, reflecting the importance (and growth) of mobile broadband subscriptions.
Several countries have implemented impressive national broadband networks, including Japan (20.9 out of 30 points), Singapore (21.8) and Korea (21.7). Major infrastructure improvements are under way in Australia (21.3) and a range of EU countries. Broadband penetration remains very inconsistent, however, and there is a risk that some countries do not yet have the infrastructure in place to take full advantage of the digital economy and cloud computing. Progress lags, however, in countries like India (8.5) and South Africa (9.4).