2016 BSA Global Cloud Computing Scorecard

Confronting New Challenges

Download the Report
Tweet This!


The 2016 BSA Global Cloud Computing Scorecard ranks the cloud computing readiness of 24 countries that account for 80 percent of the world’s IT markets. Each country is graded on its strengths and weaknesses in seven key policy areas.

This year’s results reveal that almost all countries have made healthy improvements in their policy environments since the release of BSA’s previous Scorecard in 2013. But the stratification between high-, middle- and lower-achieving country groups has widened, with the middle-ranking countries stagnating even as the high achievers continue to refine their policy environments.

See Full Checklist

Scorecard Themes

The 2016 BSA Global Cloud Computing Scorecard reveals significant changes in the policy environment for cloud computing in key global economies since the previous Scorecard in 2013. Many of the changes are positive, especially in the field of data protection and intellectual property protection.

- Data Privacy

Users of cloud computing continue to be concerned with the protection of private information they store in the cloud. The revelations regarding widespread national security surveillance have increased scrutiny of the issue and its scope.

Cloud users need to trust that their data, which may be stored anywhere in the world, will not be used or disclosed by a cloud provider in unauthorized ways. Countries can provide these assurances with appropriate privacy laws. But it is a delicate balance: unnecessarily burdensome restrictions will hinder the important advantages of cloud computing that users want and need.

This section of the Scorecard examines how countries are managing these competing interests. Overall, the concern for privacy has produced many positive results around the globe, including significant law reform, greater oversight of national security agencies, a strengthening of security and encryption regimes by key cloud service providers and a greater public awareness of data privacy issues.

But in some nations, governments have proposed stronger restrictions on the cross-border transfer of data without further benefits. If those proposals become law, they could negatively impact cloud service providers.

Since 2013, most countries have data protection frameworks in place and have established independent privacy commissioners. Many of the protection laws are based on the Organisation for Economic Co-operation and Development Guidelines, the European Union Data Protection Directive and the Asia-Pacific Economic Cooperation Privacy Principles.

However, some countries still have registration requirements for data controllers and cross-border data transfers in place, and a small number of countries have adopted or proposed prescriptive data localization regimes that would require cloud providers to restrict the free flow of data or build costly — and unnecessary — servers in order to provide services in a specific market.

Canada and Korea have the highest score in the privacy section, offering comprehensive privacy regimes with no onerous registration requirements. Because Japan continues to update and reform its privacy laws, it also scores well in this section. South Africa received a big boost to its score and ranking for introducing a comprehensive privacy regime.

Unfortunately, privacy laws are still absent or insufficient in several countries. Brazil, Thailand and Turkey have no comprehensive laws in place, while laws in China, India, Indonesia and Vietnam remain very limited.

One notable development is the introduction of a new data protection framework in Russia containing prescriptive data localization requirements, such as a new law requiring that the personal data of Russian citizens be stored on servers based in Russia. This new regime is likely to act as a significant barrier to cloud service providers, and Russia’s score and ranking fell as a direct result.

Privacy laws in the European Union and the United States continue to be the subject of significant debate and reform. The EU is close to the final implementation of a new regulation. The proposed General Data Protection Regulation (GDPR) contains many positive elements, and it should drive improved harmonization of laws across Europe. But the proposed regulation presents some challenges and potential administrative burdens for cloud service providers, including its liability regime, extension of data processor burdens, and the potential for jurisdictional clashes on access to data by authorities.

(Editor’s note: Following the completion of the research underlying this year’s research, the United States and European Union have continued to move closer to finalizing a new agreement, the Privacy Shield, that will allow data to continue to be shared across borders. This is an important development that was not finalized in time to fully be considered for this report.)

In the United States, officials have not made significant progress on development of general privacy legislation, but work has increased on improving oversight of national security agencies and improving legal redress avenues for overseas data subjects.


+ Security

Users of cloud computing and other digital services need to be certain that cloud service providers can manage the security risks of storing their data and running their applications on cloud systems. These concerns have been intensified by a number of recent high-profile, international cybersecurity attacks, including breaches that range across the economy,
from health insurance providers to hotel chains and
even toymakers.

This section examines how countries regulate security criteria and test security measures. It also examines the status of electronic signature laws and the Internet censorship or filtering requirements some countries are imposing with a view to stemming certain Internet-related crimes. Overall, many countries have responded to emerging threats to cybersecurity by developing and implementing new cybersecurity frameworks, laws and policies.

The Scorecard indicates that most countries now have security requirements in place. Most also now have clear, technology-neutral electronic signature laws. Overall, cybersecurity scores have risen significantly when compared with the last Scorecard.

France, Japan, Italy, the United Kingdom and the United States all score well in this section. China, Indonesia, Malaysia and Vietnam score poorly.

The Scorecard also reveals some overly prescriptive security requirements that duplicate accepted international standards and/or impose onerous local requirements. For example, Russia requires service providers to locate their data centers inside the country, and several countries have introduced local security testing requirements.

Several countries also continue to impose Internet filtering or censorship regimes that may act as barriers to the expansion of the digital economy and cloud computing. The intention of the schemes may be to address criminal conduct, including distribution of illegal material such as child pornography, but some are blocking sites that express political dissent.


+ Cybercrime

Because the massive quantities of valuable data held in cloud-computing data centers have attracted the attention of organized crime, governments must address these ever-evolving threats with robust legislation, investigation and enforcement.

This section examines cybercrime laws, as well as rules relating to investigation and enforcement, which includes access to encrypted data by investigators and the prosecution of extraterritorial offenses.

Overall, the Scorecard indicates that most countries are rising to the challenge of protecting data from cyberattack and physical security breaches. Most have legislation combatting the unauthorized access of data stored in the cloud. Most also have now implemented computer crime laws or cybercrime laws, many of which are broadly compliant with the Convention on Cybercrime.

Indeed, many countries in the study — Australia, Canada, EU Member States, Japan and the United States — have now ratified the convention. Australia, France, Germany and Japan score extremely high results in the cybercrime section.

Unfortunately, a few key jurisdictions still have gaps and inconsistencies in their cybercrime laws. China, Korea, Russia and Vietnam scored poorly.

Countries diverge when it comes to enforcement, investigation and prosecution of cybercrime. In particular, many countries are debating the extent to which law enforcement should be allowed access to encrypted data. The resolution of these issues and their impact on global policy remains to be seen.


+ Intellectual Property Rights

As with other highly innovative and fast-evolving products, providers of cloud computing services rely on a combination of patents, copyrights, trade secrets and other forms of intellectual property protection. To encourage investment in cloud research and development, intellectual property laws must provide clear protections and vigorous enforcement of misappropriation and infringement. Online intermediaries should be offered incentives to operate responsibly and should enjoy safe harbor from copyright liability when they do so.

This section examines the intellectual property protections in place in each country, as well as their investigatory and enforcement approaches.

Overall, the Scorecard reveals significant reform in intellectual property laws since the last Scorecard, although gaps and inconsistencies still exist, especially with regard to enforcement.

Australia, Italy and Korea received the highest scores for intellectual property protection due to their robust legislative schemes. Canada updated and improved its intellectual property laws. Significant gaps in the laws of Brazil and Vietnam left these countries with the poorest results.


+ Support for Industry-Led Standards and International Harmonization of Rules

Users need data portability and seamless interoperable applications if they are to make full use of cloud-computing services and the digital economy. IT industry organizations are developing international standards that will ensure optimal portability. Government support for these voluntary, industry-led efforts is highly important. Countries must also promote global harmonization of e-commerce rules, tariffs and relevant trade rules.

This section examines the extent to which governments have encouraged industry-led processes and promoted harmonization of e-commerce rules.

The Scorecard reveals that some countries have moved away from accepting international standards and international certifications, most notably China, India, Indonesia, Korea and Russia.

Although tariffs and trade barriers for online software and applications continue to be rare, they are still hindering new technology products used to access cloud services in a few countries. Argentina, Brazil and Russia all scored poorly in this section.


+ Promoting Free Trade

Cloud services operate across national boundaries, and their success depends on access to regional and global markets. Restrictive policies that create actual or potential trade barriers will inhibit or slow the evolution of cloud computing.

This section examines government procurement regimes and the existence or absence of barriers to free trade, including each country’s requirements and preferences for particular products. The section also examines whether countries have joined the World Trade Organization Agreement on Government Procurement, which liberalizes such policies.

The Scorecard reveals that a number of countries still provide preferential treatment for domestic suppliers in government procurement, or have introduced other barriers to international trade. Vietnam and China recorded the lowest scores, while Canada and the United States scored the highest.


+ IT Readiness and Broadband Deployment

Digital economies and cloud computing require extensive, affordable broadband access, which in turn requires incentives for private sector investment in infrastructure and laws and policies that support universal access.

This section of the Scorecard examines and compares the infrastructure available in each country to support the digital economy and cloud computing. It is based on detailed comparative statistics on a range of important IT indicators, including the presence of a national broadband plan, a country’s International Connectivity Score and International Internet Bandwidth. In addition, the Scorecard includes statistics on the number of subscribers for various services, reflecting the importance (and growth) of mobile broadband subscriptions.

Overall, most countries have improved their infrastructure score significantly since the last Scorecard, with the biggest improvers being France, Russia, South Africa, Thailand and the top-scoring United Kingdom. Several countries, including Japan, Korea and Singapore, have high scores reflecting their implementation of impressive national broadband networks.

Despite major infrastructure improvements under way in a number of countries, broadband penetration remains very inconsistent. As a result, some countries continue to have low infrastructure scores. Countries that do not yet have sufficient infrastructure continue to be at risk of missing the economic benefits of the digital economy and cloud computing.


Country Reports

See the summaries and full report below for detailed information on each Member State.

+ 1Japan84.78


Japan has a comprehensive suite of modern laws that support and facilitate the digital economy and cloud computing.

Japan has comprehensive privacy legislation, which it plans to strengthen by introducing a new central regulator, complemented by stronger enforcement provisions that will come into force in 2017. 

Japan ratified the Convention on Cybercrime in 2012, setting a positive example for other countries.

Japan’s intellectual property laws cover the full range of protections relevant to cloud computing.

Japan is very active in the development of international standards.

Japan is characterized by having one of the most extensive broadband fiber deployments in the world, with the largest number of fiber users in the world. Japan has an actively managed competitive access regime and has had at least six significant information technology (IT) strategies and plans over the past decade. Typically, the targets are met, and there is progression to the next strategy. This puts Japan in a unique position, with one of the most complete broadband infrastructures in the world.

Overall, Japan’s score increases slightly in 2015, and the country easily retains its top spot in the overall rankings — a position it has held since publication of the first scorecard in 2012.

+ 2United States82.36


The United States has comprehensive and up-to-date laws for e-commerce, electronic signatures, and cybercrime.

The US has signed and implemented the Convention on Cybercrime and plays a leading role in the investigation of global cybercrime.

Although no general privacy laws are in place, the US does have some useful sectoral privacy laws and an active regulator. There is ongoing debate and reform in the US regarding the balance between national security surveillance and privacy protection.

Intellectual property protection in the United States remains mixed. The US has signed all of the relevant international agreements, and a strong enforcement culture is in place. However, multiple conflicting court decisions leave considerable legal uncertainty about what constitutes an online copyright breach.

The United States is an active participant in international standards development processes and an advocate of free trade and harmonization. The US recorded a significant improvement in the free-trade section of the report, as it continued to remove barriers to international information technology (IT) interoperability.

The United States has high levels of Internet use, but access to fast broadband remains patchy. The National Broadband Plan has a goal that by 2020 at least 100 million households will have download speeds of 100 Mbps and upload speeds of 50 Mbps. Not all parts of the plan have been adopted or fully funded, however significant parts of the plan have been implemented.

Overall, the United States improved its ranking by one place to 2nd through a combination of positive policy developments and improved IT infrastructure.

+ 3Germany82.02


Germany has comprehensive cybercrime legislation and up-to-date intellectual property protection in place. The combination of these laws provides reasonable protection for cloud computing services in Germany.

Germany also has modern electronic commerce and electronic signature laws. Like most European countries, Germany has comprehensive privacy legislation, but it includes onerous registration requirements that may act as a cost barrier for the use of cloud computing.

Germany has a strong commitment to international standards and interoperability.

Germany is making good progress on extending broadband access to the population. Its current target is to ensure that all households have access to broadband with speeds of at least 50 Mbps by 2018.

Germany rose one spot in the rankings, from 4th in 2013 to 3rd in 2015.

+ 4Canada80.91


Canada is one of the big improvers in the 2015 rankings, moving up from 9th position in 2013 to 4th position this year.

This jump in the rankings was based on significant improvements in privacy law, cybercrime law and intellectual property protection, plus reasonable gains in information technology (IT) infrastructure.

Between 2013 and 2016, Canada strengthened its privacy legislation and introduced a national data breach notification requirement. In 2015, Canada also ratified the Council of Europe Cybercrime Convention and implemented world-class cybercrime legislation.

Canada finally ratified the WIPO Copyright Treaty in 2014, sealing a recent period of improved copyright regulation and enforcement.

Finally, in 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) revised its target for broadband Internet access services across Canada. As a result of the Canadian government’s Digital Canada 150 program, the CRTC expects all Canadians to have access to broadband speeds of at least 5 megabits per second (Mbps) for downloads and 1 Mbps for uploads by 2017.

+ 5France80.74


France provides strong protection for cloud services, through a combination of comprehensive cybercrime legislation and up-to-date copyright protection. France also has up-to-date electronic signature and electronic commerce laws in place.

Comprehensive privacy laws exist, though French privacy legislation includes onerous and cumbersome registration requirements that appear unnecessary.

France is one of the biggest improvers in the Scorecard in relation to information technology (IT) infrastructure.

France’s national broadband plan, France Très Haut Débit, is a 10-year-funded initiative launched in 2013. It covers a range of infrastructure and constructions programs, which use a range of technologies. The overall broadband target for the France Très Haut Débit plan is 100% coverage of France with speeds in excess of 30 megabits per second (Mbps) by 2022.

France’s IT infrastructure progress helped it to improve one spot from 6th in 2013 to 5th in the 2015 rankings.

+ 6Australia80


Australia promotes cloud computing through a mix of modern laws, regulations, and standards. For example, Australia has a strong commitment to international cooperation, free trade, and interoperability. Key laws are based on international models, and Australia is an active participant in the development of international standards.

Australia has up-to-date cybercrime laws and ratified the Convention on Cybercrime in 2012. However, Australia’s score in the section on security and cybercrime was impacted by new, cumbersome data retention requirements.

Australia also has comprehensive electronic signature and electronic commerce laws. Australia’s privacy laws are up to date, although a proposed data breach notification requirement has not yet been implemented.

Intellectual property laws in Australia provide a comprehensive and balanced layer of protection for cloud computing services and the digital economy. However, some uncertainty remains regarding Internet service provider (ISP) liability for copyright breaches that occur when subscribers participate in peer-to-peer sharing of copyrighted material, especially in relation to enforcement.

Australian information technology (IT) infrastructure is reasonably well developed. However, Australia revised its model for the National Broadband Network in 2014. It is forecasted to provide 8 million connections at speeds of 25-50 Mbps through fiber to the node (FttN) and hybrid fiber-coaxial (HFC) connections. This level of coverage is very limited compared to previous proposals. No rollout timetable has been released, however trials of the FttN and HFC were underway as of 2015.

Overall, Australia’s scorecard results fell slightly in the 2015 report, as the country was overtaken by other fast- moving countries. A small reduction in the IT infrastructure score (due to a lower broadband score) and the problems identified above with the new data retention scheme, resulted in Australia falling from 2nd place to 6th place in the Scorecard rankings.

+ 7Singapore79.5


Singapore has modern digital economy laws in most areas. For example, the Electronic Transactions Act 2010 implements the United Nations Convention on Electronic Contracting, which Singapore has ratified. Singapore also has up-to-date cybercrime laws and intellectual property laws.

Singapore privacy law has now come into force, and provides a balanced approach between protecting personal information and facilitating innovation in cloud computing and the digital economy.

Singapore has some minor Internet censorship in place but generally promotes innovative business practices that are free from tariffs and government intervention. However, in mid-2015, Singapore terminated its membership as a Certificate Consuming Member of the Common Criteria Recognition Agreement (CCRA). This represents a setback in efforts to harmonize international certification arrangements. 

Singapore has excellent information (IT) infrastructure and is developing a national network to bring high-speed fiber to the home. 

Singapore’s score improved slightly, but its ranking fell two places — to 7th — in 2015 as it was overtaken by fast-improving countries. Only one point separates the countries between 4th place and 7th place in the 2015 rankings, so even small changes have an impact.

+ 8Italy79.32


Italy has strong cybercrime laws and strict privacy laws. Like many European Union countries, Italy’s privacy law includes onerous registration requirements that appear unnecessary.

Italy’s copyright law also provides adequate protection for cloud computing services. In 2014, new regulations established broader grounds for Internet service providers (ISPs) to be held liable for content on their sites, through the establishment of a notice and takedown regime, backed by large fines.

Italy has modern electronic signature laws and electronic commerce laws, and Italy is committed to international standards and interoperability.

The Italian government approved the Italian Strategy for Ultra-Broadband Networks in March 2015. This strategy aims to achieve the objects of the European Commission’s Digital Agenda for Europe by deploying services with speeds of 100 mbps to densely populated areas (approximately 50% of the population) and services with speeds of 30 mbps to other areas.

Italy’s overall rank rose to 8th in 2015 (from 10th in the 2013 report). This was the result of higher scores in information technology (IT) infrastructure and intellectual property.

+ 9United Kingdom78.88


The United Kingdom has a comprehensive set of cyberlaws. Data protection laws are particularly strong, with regular enforcement including large fines. However, businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden on business and may act as a barrier to some cloud services.

The UK is free from Internet censorship and filtering, and up-to-date laws are in place for e-commerce and electronic signatures.

The UK is a signatory to the Convention on Cybercrime but has been criticized for not yet implementing one of its key provisions.

Advanced intellectual property laws are in place and are regularly enforced, although there is still a gap in relation to the exact role of Internet service providers (ISPs) in copyright enforcement. The Digital Economy Act 2010 established a limited copyright liability regime for ISPs. However, key sections of the act, including the notice and takedown provisions, are not in force. 

The UK already has high rates of Internet use and broadband penetration, and the UK recorded impressive results in the information technology (IT) infrastructure section of this year’s report (they were the third-biggest improver in IT infrastructure). 

Overall, the United Kingdom’s results remained steady, but the country’s ranking slipped slightly from 7th place in 2013 to 9th place, as it was overtaken by faster-moving nations.

+ 10Poland76.7


Poland has up-to-date laws for privacy, electronic signatures, electronic commerce, and cybercrime. These laws provide a good platform for promoting confidence in cloud computing and the digital economy.

Poland also has one of the most comprehensive regimes for the protection of intellectual property, including specific rules for Internet service provider (ISP) liability.

However, some gaps still exist in enforcement, and Poland has recognized that intellectual property enforcement requires greater skills and resources.

Poland promotes innovation and interoperability and has nondiscriminatory policies for government procurement.

In 2013, the Polish government released the latest approved broadband plan, which adopts the European Commission set targets for all households to have download speeds of at least 30 Mbps by 2020 and 50% of households at 100 Mbps by 2025.

Poland moved up two spots in the rankings, to tenth, based on impressive gains in both its legal and regulatory framework and information technology (IT) infrastructure.

+ 11Spain76.25


Spain has comprehensive privacy legislation, although it relies heavily on a data registration process that could act as a barrier for cloud computing services.

Spain has up-to-date cybercrime legislation and has ratified the Convention on Cybercrime. Spain also has comprehensive electronic commerce and electronic signature legislation, and Internet service providers (ISPs) are free from any Internet filtering or censorship.

Some minor gaps exist in intellectual property protection, especially regarding ISP liability.

Spain is a very active participant in international forums and supports international standards development and interoperability.

Spain recorded significant gains in information technology (IT) infrastructure in 2015 (the fifth-biggest mover out of the 24 countries in the study). In the Digital Agenda for Spain, released in 2013, Spain reaffirmed its commitment to achieve the European Commission set targets for all households to have download speeds of at least 30 megabits per second (Mbps) by 2020, and 50% of households at 100 Mbps by 2025. 

Spain’s overall scores remained fairly steady. The country’s rank has not changed since 2013, and it is still placed 11th in the 2015 rankings.

+ 12Korea75.54


Korea has a strong commitment to the promotion of the digital economy, and its laws and standards are generally based on international models.

Korea’s modern, comprehensive privacy laws and strong intellectual property laws facilitate the development and use of cloud computing services. However, cybercrime law does not cover the full range of relevant issues.

Korea is an active proponent of free trade and interoperability and is a member of the World Trade Organization (WTO) Agreement on Government Procurement.

However, one current area of concern is that Korea imposes a national encryption standard for the procurement of information technology (IT) security devices and related equipment, when a suitable international encryption standard is available.

In addition, some IT products that have already passed international Common Criteria for Information Technology Security Evaluation are required to undergo additional local testing in Korea.

Korea has an extensive and established FttH/B infrastructure. In January 2014, Korea announced it would invest $1.7 billion into developing a 5G mobile broadband network, with a target of a fully commercial service operating by 2020.

Overall, Korea’s results have fallen and the country’s ranking went from 8th in 2013 to 12th in 2015.

+ 13Malaysia69.66


Malaysia has modern electronic signature laws, electronic commerce laws, and privacy laws in place. These measures provide a strong level of protection for the  digital economy and cloud computing in Malaysia.

Malaysia’s copyright laws are aligned with international standards, although enforcement remains patchy.

Malaysia has a moderate level of broadband penetration. In 2015, the government committed to new broadband targets: by 2020, 100% of households in capital cities and high-impact growth area to have access to speeds of 100 Mb/s and 50% of households in suburban and rural areas to have access to speeds of 20 Mb/s.

Malaysia remained steady in its position at 13th place.

+ 14South Africa61.3


South Africa recorded the biggest overall improvement in this year’s Scorecard, jumping an impressive six places from 20th place in 2013 to 14th in 2015.

This result was built on significant gains in information technology (IT) infrastructure (South Africa was the fastest improver in this section of the report) and the introduction of new privacy legislation. South Africa’s comprehensive privacy law, the Protection of Personal Information Act 2013, was enacted in August 2013.

South Africa also has some useful laws for cybercrime and electronic commerce.

However, some limited Internet filtering and censorship still occurs, which may inhibit development of the digital economy, and South Africa has only very basic copyright laws, which are not aligned with current international best practice. They have not yet signed the WIPO Copyright Treaty.

Another potential barrier in South Africa is the existence of a complex system of domestic preferences in government procurement opportunities.

South Africa has low levels of broadband penetration, but they are improving quickly. The government released ambitious targets in December 2013 for the South Africa Connect plan.

+ 15Mexico60.79


Mexico has implemented many relevant cyberlaws, including privacy legislation, rules on data breach notification, and up-to-date cybercrime legislation.

Intellectual property laws in Mexico generally meet international standards, but enforcement action is rare and the bar is set very high for prosecution. Considerable improvement is required to gain confidence in intellectual property protection in Mexico. Proposals to update Mexico’s copyright law to include a multiple notice and takedown regime were pursued in 2012 and 2013, but these efforts appear to have stalled.

In 2013, Mexico adopted a formal policy on technology neutrality as part of the National Digital Mexico Strategy. The strategy commits Mexico to the use of “technological solutions favoring neutrality and interoperability.”

Internet use and broadband penetration remain very low in Mexico, and the country continues to face challenges in delivering a modern information technology (IT) infrastructure that can facilitate cloud computing. In 2014, the Mexican president announced a plan to develop a broadband network with a focus on expanding Mexico’s wireless capability with a view to increase market competition.

Overall, Mexico’s ranking did not change in 2015, remaining in 15th place. However, the country recorded impressive gains in both its legal / regulatory settings and its IT infrastructure.

+ 16Argentina57.98


Argentina has effective laws in place on cybercrime, electronic signatures, and data protection. However, Argentina’s laws on intellectual property have not kept pace with modern technology. There is no direct coverage of important issues such as the unauthorized “making available” of copyright material online, and there is no notice and takedown regime in place for infringing material. Argentina also has a poor track record of enforcing copyright laws, with lengthy court delays and few prosecutions. Some gaps also exist in the important areas of standards development and technology neutral and nondiscriminatory government procurement of information technology (IT).

There were very few changes in Argentina’s results between 2013 and 2015 although Argentina’s scores for IT infrastructure (and broadband in particular) improved. 

One moderate setback was the imposition (since 2014) of a series of legal and tariff barriers on e-commerce activities. These include prohibitions on the import of specific products (for example, smartphones), tax surcharges on most electronic goods of up to 40%, an annual cap on the amount consumers can purchase via online shopping from international sites, and arequirement for ordinary consumers to register with the government as “importers” if they make international purchases. These measures act as a serious barrier to cross-border e-commerce and have also resulted in a booming black market for imported goods and services. These measures are linked to broader economic and currency issues in Argentina, but their impact on the IT sector is significant.

Argentina maintains its place in the rankings at 16.

+ 17Russia56.39


Russia has a patchwork of laws that apply to the digital economy and cloud computing, and these laws contain significant gaps and limitations.

For example, its laws on both privacy and cybercrime do not follow recognized international standards. From September 2015, it is a legal requirement that data operators store the personal data of Russian citizens on servers based in Russia. Large foreign-based data operators have been given extra time to comply with the law (until early 2016), but the law will have a significant negative impact on the digital economy.

In addition, any personal data information system (even a simple database) must be certified by the Federal Service for Technical and Export Control (FSTEC). The personal data operator can use only hardware and software for personal data processing that has been approved by the FSTEC and the Federal Security Service (FSB). The local requirements are not compliant with generally accepted international standards, and Russia does not participate in the Common Criteria Recognition Agreement (CCRA). 

Russia also has cumbersome Internet filtering and censorship regulations that act as a barrier to cloudcomputing. Russia mandates the use of certain products and software in government procurement opportunities. 

Russian copyright law was amended in August 2013. The new law includes amendments to Part IV of the Civil Code, providing for third-party liability, as well as safe harbors from such liability for Internet service providers (ISPs) that comply with relevant requirements. 

Amendments were also made to the Civil Procedure Code that provide injunctions after notice and takedown (and by court order only) to block infringing materials or limit access to infringing websites. However, the application of these provisions is severely restricted as they currently only apply to movies and television programs.

In June 2014, Russia announced plans to build a fiber-optic network that will reach settlements of over 250 people that are not already connected to a broadband network. 

Overall, Russia’s score fell sharply in this year’s Scorecard. The negative impact of the data localization regulations contributed to the country’s ranking falling by three spots— from 14th in 2013 to 17th in 2015.

+ 18India56.08


The law in India has not entirely kept pace with developments in cloud computing, and some gaps exist in key areas of protection; notably, India has not yet implemented effective privacy legislation.

India’s cybercrime legislation also requires updating to conform to international models. Some laws and standards in India are not technology neutral (e.g., electronic signatures), and these may be a barrier to interoperability.

This year’s report notes that India imposes some local security testing requirements in addition to international testing requirements. These local testing arrangements have been the subject of criticism by India’s trading partners, including the European Union.

However, copyright laws have improved in recent years, although India still has not ratified the WIPO Copyright Treaty.

The development of India’s technology sectors remains challenging, with low levels of broadband and personal computer penetration.

Overall, India’s ranking in 2015 is 18th. India fell one place (from 17th in 2013) due to its poor results in relation to promoting free trade and international standards.

+ 19Turkey54.41


The biggest change in Turkey since the last report is in the field of cybercrime. Turkey signed the Convention on Cybercrime in 2010 and ratified it in 2014. It came into force in Turkey in 2015.

However, Turkey continues to have some gaps in its coverage of other cyberlaws. For example, there is currently no data protection law in Turkey.

Turkey also has rules on Internet content regulation that may act as a barrier to cloud services.

Intellectual property protection in Turkey is reasonably up-to-date, but enforcement is patchy.

Turkey is making progress toward integration with the European and international communities, but some domestic preferences are still in place for government procurement opportunities.

The government has an ambitious target of providing fast broadband to 95% of households by 2020. Turkey recorded modest gains in information technology (IT) infrastructure in this year’s report.

Turkey’s overall score remains steady, but its ranking fell one place from 18th in 2013 to 19th in 2015.

+ 20Indonesia49.45


Indonesia continues to update and reform laws and regulations in the information technology (IT) sector, and the result is not always positive for cloud computing.

Regulations impose significant barriers for cloud service providers, including requirements for providers to register their services with a central authority and rules that force some providers to establish local data centers and hire local staff.

Indonesia’s new copyright law (2014) strengthens copyright protection and enforcement processes. However, several key aspects of the new law await more-detailed regulations before they can be implemented. Copyright law in Indonesia is now closely aligned with international models.

Indonesia has not yet developed effective laws and policies regarding interoperability, free trade, and government procurement.

The government continues to work to increase “meaningful” broadband penetration. The Indonesian Broadband Plan was finalized in December 2013 and implementation began in 2014.

Overall, Indonesia’s rank rose one spot to 20th (from 21st in the 2013 report). Falls in security, free trade and international standards were offset by significant improvements in IT infrastructure.

+ 21Thailand48.85


Thailand’s laws and policies in relation to cloud computing and the digital economy are patchy, with strengths in some areas and significant gaps and weaknesses in others.

Thailand has implemented comprehensive cybercrime legislation, which helps to enhance confidence in information technology (IT). Thailand also has good laws for electronic commerce and electronic signatures.

However, Thailand has no privacy laws, and this is a major weakness.

In January 2015, two Copyright Amendment laws were approved: the Copyright Act (No. 2) B.E. 2558 (A.D. 2015), and Copyright Act (No. 3) B.E. 2558 (A.D. 2015). These two new laws implement many of the key provisions of the WIPO Copyright Treaty. They also introduced a rudimentary Internet service provider (ISP) liability scheme for copyright infringements.

Additional risks in Thailand include mandatory Internet censorship (some of which is clearly political in nature) and filtering, and some technology mandates.

Overall, Thailand’s results improved since 2013, and the country’s ranking has risen two places to 21st. This result was built on significant improvements in both intellectual property protection and IT infrastructure.

+ 22Brazil48.55


Brazil recognizes the importance of information technology (IT) and the digital economy, but has struggled to implement relevant laws and regulations. Some trade barriers to IT innovation remain in Brazil.

Brazil still has no privacy legislation in place, and is falling behind its peers in this area. Brazil has some gaps in intellectual property protection and received the lowest overall score for intellectual property in the current scorecard. Brazil has not signed the WIPO Copyright Treaty and has not updated its copyright laws to cover new technology. Online piracy in Brazil is widespread, and prosecutions are rare. Significant court delays add to the problems facing copyright holders in Brazil.

However, Brazil does achieve better scores in relation to security and infrastructure, with significant improvements recorded in relation to Internet freedom since the last report in 2013.

Brazil’s overall rank has not changed since the 2013 Scorecard, and the country is still placed 22nd in the 2015 rankings.

+ 23China47.89


Information technology (IT) innovation and development in China have been hindered by poor enforcement of intellectual property rights and the continued promotion of indigenous development policies that discriminate against foreign technology companies.

Indeed, in 2015, China’s ranking is 23rd, down from 19th in the 2013 Scorecard.

China still has major gaps in areas like privacy law and cybercrime law, but its poorest results are in relation to promoting free trade.

This year’s report notes that China imposes a range of onerous local certification and accreditation requirements that are in addition to (and often inconsistent with) international cybersecurity standards and general IT standards. The Chinese government regularly publishes lists of approved products for cybersecurity, including encryption products, anti-virus software and even basic operating systems. These lists exclude some organizations and products that have met international standards. China also imposes local testing requirements for telecommunications and IT products that include cybersecurity products.

Extensive regulation of Internet content, including mandatory Internet filtering and censorship, remains a key issue in China.

China’s poor results in relation to laws and regulation were partly offset by strong progress in IT infrastructure.

+ 24Vietnam43.66


Vietnam continues to develop relevant cyberlaws that could enhance confidence in the digital economy and facilitate cloud computing. However, gaps still exist in key areas.

Modern laws are in place for electronic commerce, electronic signatures, and intellectual property. However, only very limited laws are in place for cybercrime.

Vietnam’s privacy laws are not comprehensive, but they were improved by several minor regulations, including new data breach notification requirements that were introduced in 2014.

Vietnam continues to impose severe censorship and restrictions on Internet content. An additional risk is that Vietnam has not yet developed appropriate laws and policies on interoperability and government procurement. Also, some trade barriers may hamper the development of cloud computing and the digital economy.

Broadband penetration in Vietnam remains low, although there has been very strong growth in a number of key infrastructure indicators.

Overall, Vietnam’s results have improved slightly since the 2013 Scorecard, but the country’s ranking has remained entrenched in last place — 24th.

Case Studies


The BSA Global Cloud Computing Scorecard examines the legal and regulatory framework of 24 countries around the world, identifying 66 questions that are relevant to determining readiness for cloud computing. The questions are categorized under the aforementioned policy categories, and are generally framed so as to be answerable by “yes” or “no.” The answers are also color coded:

YesIndicates a positive assessment, which is generally considered to be an encouraging step toward the establishment of a favorable legal and regulatory environment for cloud computing.

NoIndicates a negative assessment and the presence of a potential barrier to the establishment of a favorable legal and regulatory environment for cloud computing.

PartialIndicates that the assessment is positive in part, although some gaps or inconsistencies may exist that require further remedial work.

Not ApplicableIndicates a fact-finding question on relevant issues.

The Scorecard aims to provide a platform for discussion between policymakers and providers of cloud offerings, with a view toward developing an internationally harmonized regime of laws and regulations relevant to cloud computing. It is a tool that can help policymakers conduct a constructive self-evaluation, and determine the next steps that need to be taken to help advance the growth of global cloud computing.

Responses for the infrastructure portion of the Scorecard are color coded based on the scale below. That is, the “highest” answer to a particular question (e.g., the largest population or highest number of Internet users) is indicated in bright green, and the color for other responses graduates down to the lowest response in red.