BSA Cloud Report


The 2013 BSA Global Cloud Computing Scorecard — the first-ever report to track year-over-year change in the international policy landscape for cloud computing — shows that cloud readiness is improving, if unevenly.

These findings come against the backdrop of the massive and well-documented movement to cloud services by consumers, businesses, and governments. What hasn’t been documented until now is the less steady improvement in the policy environment to support global cloud computing, with some countries making big strides to improve their cloud readiness while others, including some of the world’s largest technology markets, have stalled or even backtracked.

Download the Global Scorecard

BSA Global Cloud Computing Scorecard

Cloud Computing Chart Click here to view the evaluation of all the countries.

Scorecard Themes

The Scorecard examines major laws and regulations relevant to cloud computing in seven policy categories as well as each country’s ICT-related infrastructure and broadband deployment. These policy categories align with the BSA’s Cloud Computing Guiding Principles, which underpin the Scorecard’s analytical framework and its suggestions for providing a workable framework to allow for the growth of cloud computing.

  • Data Privacy

    Cloud users will fully accept and adopt cloud computing only if they are confident that private information stored in the cloud, wherever in the world, will not be used or disclosed by the cloud provider in unexpected ways. National privacy regimes should be predictable and transparent and should avoid unnecessarily burdensome restrictions on cloud service providers such as registration requirements for data controllers and cross-border data transfers. Cloud providers should be encouraged to establish privacy policies that are appropriate for the particular cloud service they provide and the business model they use.

    The Scorecard shows that most countries have data protection frameworks and have established independent privacy commissioners. Many laws are based on a mix of the Organisation for Economic Co-operation and Development Guidelines, the European Union Directive, and the Asia-Pacific Economic Cooperation Privacy Principles. Unfortunately, registration requirements for those who hold or process data or for data transfers may act as barriers to taking up cloud services. Such requirements exist in some countries, including in some EU countries for registering cross-border transfers.

    Australia, Canada, Japan, and Korea score well in the privacy section, as they have comprehensive privacy regimes without any onerous registration requirements.

    Singapore and China introduced new privacy laws in 2012, and existing laws were revised in Australia and Indonesia. Singapore received a big boost to its score and ranking for introducing a modern, balanced privacy regime. China received a smaller boost, as its approach is limited to the introduction of some basic privacy and security principles to a narrower class of data. Unfortunately, privacy reform in several countries has been delayed, with proposals in Brazil, India, South Africa, Thailand, and Turkey failing to gain parliamentary support.

    Privacy laws in the EU and the United States are also the subject of significant debate and reform. The EU has proposed replacing the existing directive with a regulation containing some positive elements for consumers but potentially some new administrative burdens for cloud service providers. The draft regulationis the subject of ongoing debate. In the United States, the Obama administration has announced a commitment to general privacy legislation, although in practice this may be difficult to develop in the absence of a broader consensus among lawmakers. In the meantime the United States is working on implementing the new Consumer Privacy Bill of Rights, which could provide a layer of protection through enforceable codes of conduct, and the key regulators are becoming more active in enforcing existing sectoral privacy protections.

  • Security

    Consumers of cloud computing and other digital services (including both private-sector and government users) need assurance that cloud service providers understand and appropriately manage the security risks associated with storing their data and running their applications on cloud systems. This section of the Scorecard examines whether security criteria and the ongoing testing of security measures are the subject of regulation in each jurisdiction. The security section also examines electronic signature laws and Internet censorship or filtering requirements.

    France, Japan, Italy, the United Kingdom, and the United States all score well in this section. China, Indonesia, Thailand, and Vietnam score poorly.

    The Scorecard reveals that most countries have clear, technology-neutral electronic signature laws. In addition, security requirements are in place in most jurisdictions, and security audit requirements were generally absent. However, some overly prescriptive security requirements have begun to appear. These include a new regulation in Indonesia that — among other negative developments — requires service providers to locate their data centers inside the country and proposed legislation in Korea that would create unilateral security standards.

    A number of countries have implemented Internet filtering or censorship regimes that may act as a barrier to the expansion of the digital economy and cloud computing. The key intention of the schemes is to address criminal conduct, including distribution of illegal material, particularly child pornography. However, several of the filtering or censorship schemes regularly block sites that express political dissent. In 2012 Russia introduced new Internet censorship rules, and its score in this section fell significantly. On a positive note, Australia dropped plans for mandatory filtering, and its score improved.

  • Cybercrime

    Because cloud computing involves the aggregation of massive amounts of data in large data centers, it creates new and highly tempting targets. As criminals turn their attention to these vaults of information, it will become increasingly challenging to protect such data centers from both physical and cyberattacks. Governments should ensure that domestic laws provide an effective mechanism for law enforcement, and for cloud providers themselves, to combat unauthorized access to data stored in the cloud. This section examines these issues as well as rules relating to investigation and enforcement, including access to encrypted data and extraterritorial offenses.

    The Scorecard finds that most countries have either computer crime laws or cybercrime laws and that many of these laws are broadly compliant with the Convention on Cybercrime. Many countries in the study (Australia, EU members, Japan, and the United States) have now ratified the Convention, and several other countries are considering signing. Unfortunately, a few key jurisdictions still have gaps and inconsistencies in their cybercrime laws. For example, Canada and Korea have not updated their criminal laws, and Russia has chosen a legal approach that does not follow international best practice.

    Australia, France, Germany, and Japan score extremely high in the cybercrime section. Canada, China, Korea, Russia, and Vietnam score poorly. The country that shows the most improvement is Brazil, which finall

    This section also examines rules on investigation and enforcement, including access to encrypted data and extraterritorial offences. There is a greater divergence in results in these fields.

  • Intellectual Property Rights

    Providers of cloud computing and digital economy technologies and services, as with other highly innovative products, rely on a combination of patents, copyrights, trade secrets, and other forms of intellectual property protection. Thus, to encourage investments in cloud research and development, as well as infrastructure, IP laws must provide strong incentives for these investments and clear protection and vigorous enforcement against misappropriation and infringement. Online intermediaries should have incentives to behave responsibly, and they should enjoy safe harbors from liability when they do so.

    This section also examines investigatory and enforcement approaches, where there is a wide diversity of approaches and significant inconsistency. There are also concerns over the enforcement culture and resources available in some jurisdictions. Even countries with up-to-date IP laws sometimes fail to enforce these laws, and piracy rates remain high in many jurisdictions. The Scorecard reveals that countries are moving toward a consistent approach on many key rights and protections. Gaps exist, however, in the IP laws of some jurisdictions.

    Significant law reform in intellectual property has occurred in the past year. Canada, India, Malaysia, and Russia passed important amendments to their copyright laws, bringing them in line with international standards. Malaysia signed the World Intellectual Property Organization (WIPO) Copyright Treaty. Enforcement also improved in several countries.

    There were still some disappointments: Brazil failed to update its copyright laws, and Italy dropped promising online copyright regulations that had been in development for more than two years.

    The leading countries in this section are Australia, Malaysia, Singapore, and the UK. The stragglers include Brazil, Indonesia, Thailand, and Vietnam.

  • Standards/International Harmonization of Rules

    Data portability and seamless use of interoperable applications are key considerations for cloud computing and digital economy applications. Consumers are demanding interoperability in the cloud computing space, and industry is working hard through standards development organizations and other international avenues to meet this demand. Government support of these efforts and the avoidance of technological mandates are important.

    This section of the Scorecard examines whether or not governments encourage standards to be developed through voluntary, industry-led standards processes. This section also examines international harmonization of e-commerce rules, tariffs, and relevant trade rules. The Scorecard reveals that governments take an inconsistent approach to standards development and that many ad hoc decisions are made in the absence of national frameworks and policies. Tariffs and trade barriers for online software and applications are rare, although a few jurisdictions still maintain tariffs on new technology products that are used to access cloud services.

    In 2012 a positive development in this section was the finalization of cloud computing standards by the US National Institute of Standards and Technology.

    The leading countries in international harmonization are Australia, Canada, India, Malaysia, and the United States, which all scored full marks in this section. Argentina, Brazil, Russia, and Vietnam score poorly.

  • Promoting Free Trade

    Cloud services operate across national boundaries, and their success depends on access to regional and global markets. Restrictive policies that create actual or potential trade barriers will slow the evolution of cloud computing.

    This section of the Scorecard examines and compares government procurement regimes and efforts to remove barriers to free trade, including countries’ requirements and preferences for particular products. The section also examines whether countries have joined the WTO Agreement on Government Procurement, which liberalizes such policies. The leading countries in this section include Canada, Germany, Japan, and Spain.

    The Scorecard finds that a number of countries still provide preferential treatment for domestic suppliers in government procurement. Indonesia, South Africa, and Vietnam score poorly in this section.

    This section also notes some very negative developments in Indonesia, where a new regulation introduces onerous requirements for electronic service providers, including potential requirements to locate data centers within the country and to hire local staff.

  • Infrastructure

    This section of the Scorecard examines and compares the infrastructure that is available in each country to support the digital economy and cloud computing. It is based on detailed comparative statistics on a range of important ICT indicators, including the presence of a national broadband plan, a country’s International Connectivity Score and International Internet Bandwidth. In addition, the Scorecard includes statistics on the number of subscribers for various services, reflecting the importance (and growth) of mobile broadband subscriptions.

    Based on those factors, Japan, Korea, Singapore, and the United States score highest in this component of the Scorecard. Brazil, China, Poland, Russia, and Singapore show the most improvement in their infrastructure score for 2013.

    Infrastructure is enhanced in those countries that have developed or are developing national broadband access networks. Several countries, including Japan, Korea, and Singapore have implemented impressive national broadband networks. In 2012 China announced a major national broadband plan to accommodate a projected 800 million Internet users by 2015.

    Japan and Korea dominate the percentage of fiber Internet connections, with each having twice the level of penetration of any other country. Japan and Korea have more than half of the 60 million global fiber connections, followed by Russia with 9 million connections and the United States with 6 million.

    Singapore stands out as having both the highest score in the infrastructure section and maintaining leading growth rates in a number of areas, such as International Internet Bandwidth.

    The United States leads in the size of its public cloud services market and the sheer volume of the number of active mobile broadband subscriptions.

    While major infrastructure improvements are under way in a number of countries, broadband penetration remains very inconsistent and some countries have both low infrastructure scores and low growth rates. There is a risk that some countries do not yet have the infrastructure (or plans) in place to take full advantage of the digital economy and cloud computing.