2018 BSA Global Cloud Computing Scorecard

Summary

Germany provides strong protection for cloud services, through a combination of comprehensive cybercrime legislation as well as an up-to-date cybersecurity strategy. Germany also has modern electronic commerce and electronic signature laws.

Germany has comprehensive privacy legislation, but it includes onerous registration requirements that may act as a cost barrier for the use of cloud computing.

Germany has a strong commitment to international standards and interoperability.

In the area of intellectual property, Germany offers good protection but there are some areas in which improvement could be made including further trade secrets protection.

Germany is making good progress on extending broadband access to the population. Its current target is to ensure that all households have access to broadband with speeds of at least 50 Mbps by the end of 2018.

Although Germany’s overall rank has improved since the last Scorecard — from third to first place — this stemmed largely from the rebalancing of the Scorecard methodology. The country’s improved scores in the security section of the report also contributed to the increase.

Summary

Japan has a comprehensive suite of modern laws that support and facilitate the digital economy and cloud computing.

Japan has comprehensive privacy legislation, with a new central regulator in place and strong enforcement provision.

Japan ratified the Convention on Cybercrime in 2012, setting a positive example for other countries.

Japan’s intellectual property laws cover the full range of protections relevant to cloud computing, but improvements can be made in areas of protection against circumvention of technological protection measures.

Japan is very active in the development of international standards.

Japan is characterized by having one of the most extensive broadband fiber deployments in the world, with the largest number of fiber users in the world. Japan has an actively managed competitive access regime and has had at least six significant information technology (IT) strategies and plans over the past decade. Typically, the targets are met, and there is progression to the next strategy. This puts Japan in a unique position, with one of the most complete broadband infrastructures in the world. The high scores in this section of the scorecard positively impact Japan’s overall ranking position.

Japan’s ranking decreases slightly — from first to second — mostly because of improvements by Germany.

Summary

The United States has comprehensive and up-to-date laws for e-commerce, electronic signatures, and cybercrime.

The United States has signed and implemented the Convention on Cybercrime and plays a leading role in the investigation of global cybercrimes.

Although there are no general privacy laws in place, the United States does have useful sectoral privacy laws and an active regulator. There is an ongoing debate in the US regarding the balance between national security surveillance and privacy protection. There are numerous, but inconsistent, state data breach notification laws in place in the United States.

The United States scores well in the intellectual property section of the report. The country has signed all of the relevant international agreements, and a strong intellectual property enforcement culture is in place.

The United States is an active participant in international standards development processes and an advocate of free trade and harmonization.

The United States has high levels of Internet use, but access to fast broadband remains patchy. The National Broadband Plan has a goal that by 2020 at least 100 million households will have download speeds of 100 Mbps and upload speeds of 50 Mbps. Not all parts of the plan have been adopted or fully funded; however, significant parts of the plan have been implemented.

The United States’ position in the 2018 Scorecard rankings fell slightly — from second to third.

Summary

The United Kingdom has a comprehensive set of cyberlaws. Data protection laws are particularly strong, with regular enforcement. However, businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden on business and may act as a barrier to some cloud services.

The United Kingdom is updating its laws to reflect the provisions of the EU General Data Protection Regulation (GDPR), which will come into force in May 2018. This update continues despite the BREXIT process.

The United Kingdom is free from Internet censorship and filtering, and up-to-date laws are in place for e-commerce and electronic signatures.

The United Kingdom is a signatory to the Convention on Cybercrime. There is significant debate in the United Kingdom on the regulation of law enforcement access to data, and some proposals could have a potential negative effect on cloud computing.

Advanced intellectual property laws are in place and are regularly enforced, although there is still a gap in relation to trade secrets protection and enforcement. The United Kingdom also scored very well in the information technology (IT) infrastructure section of this year’s report.

The United Kingdom’s ranking improved substantially, and the country went from ninth to fourth place in the 2018 Scorecard rankings. The UK released a national Cyber Security Strategy in late 2016 and outperformed other nations in the Security rankings.

Summary

Australia promotes cloud computing through a mix of modern laws, regulations, and standards. For example, Australia has a strong commitment to international cooperation, free trade, and interoperability. Key laws are based on international models, and Australia is an active participant in the development of international standards.

Australia has up-to-date cybercrime laws and ratified the Convention on Cybercrime in 2012. Australia also has comprehensive electronic signature and electronic commerce laws. Australia’s data protection legislation is current and is broadly compatible with global frameworks.

Intellectual property laws in Australia provide good protection for cloud computing services and the digital economy. However, Australia provides limited “safe harbor” protections in the Copyright Act 1968, and the level of protection for cloud service providers remains uncertain.

Australian information technology (IT) infrastructure is reasonably well developed. Australia revised its model for the National Broadband Network in 2014. It is forecast to provide 8 million connections at speeds of 25–50 Mbps through fiber to the node (FttN) and hybrid fiber-coaxial (HFC) connections by 2020.

Overall, Australia’s Scorecard results were similar to the results reported in 2016. The country’s slight improvement in the ranking — from sixth to fifth — is mostly a result of other countries’ weaker performance in the areas relevant to cloud computing that are reflected in the Scorecard.

Summary

Singapore has modern digital economy laws in most areas. For example, the Electronic Transactions Act 2010 implements the United Nations Convention on Electronic Contracting, which Singapore has ratified. Singapore also has up-to-date cybercrime laws and intellectual property laws.

Singapore privacy law provides a balanced approach between protecting personal information and facilitating innovation in cloud computing and the digital economy. However, there have been some recent trends suggesting Singapore may be looking to establish unique national standards for the IT sector. For example, Singapore adopted the Singapore-specific Multi-Tier Cloud Security (MTCS) Singapore Standard, which arbitrarily assigns levels to cloud computing services imposing distinct requirements on particular levels.

Singapore has some minor Internet censorship in place but generally promotes innovative business practices that are free from tariffs and government intervention. Singapore is generally committed to adopting international standards throughout the IT and security sectors.

Singapore has excellent information (IT) infrastructure and is developing a national network to bring high-speed fiber to the home.

There were very few changes in Singapore’s results from the previous Scorecard. The minor jump in the rankings — from seventh to sixth — is a result of the rebalancing of the Scorecard methodology.

Summary

Canada’s data protection regulations are compatible with globally recognized frameworks that facilitate international data transfers. In 2015, Canada also ratified the Council of Europe Cybercrime Convention and implemented computer crime legislation that apply to most cybercrimes, although there are some limitations. Canada’s Cyber Security Strategy, however, is not considered to be current and is undergoing review.

In 2014, Canada ratified the WIPO Copyright Treaty, sealing a recent period of improved copyright regulation and enforcement in areas relevant to cloud computing. However, Canada’s results in this section are somewhat affected by the limited protection offered to trade secrets.

Canada also achieves strong results in the sections covering international standards and the promotion of free trade.

Finally, Canada scores well in the information technology (IT) infrastructure section of the scorecard. In December 2016, the Canadian Radio-television and Telecommunications Commission issued a policy declaring high-speed broadband as an essential service. According to the policy, by 2021 90 percent of premises are to have access speeds of at least 50 Mbps download and 10 Mbps upload and unlimited data allowance. The remaining 10 percent of premises are to achieve this target by 2026–2031. This universal goal has been supplemented by a fund to pay for relevant projects.

There were very few changes in Canada’s results from the previous Scorecard. The minor difference in Canada’s position in the rankings — a slide from fourth to seventh — was caused not by policy changes in Canada but by the rebalancing of the Scorecard methodology.

Summary

A combination of comprehensive cybercrime legislation and up-to-date intellectual property protection benefits cloud services in France. France also has up-to-date electronic signature and electronic commerce laws in place.

Comprehensive privacy legislation exists in France, although it includes onerous and cumbersome registration requirements that appear unnecessary.

There is no clear or comprehensive government policy or strategy on cloud computing in France, although France has invested heavily (through the French sovereign wealth fund) in supporting several local cloud service providers.

France’s national broadband plan, France Très Haut Débit, is a 10-year-funded initiative launched in 2013 and updated in 2015. It covers a range of infrastructure and constructions programs, which use a range of technologies. The overall broadband target for the France Très Haut Débit plan is 100 percent coverage of France with speeds in excess of 30 Mbps by 2022.

There were very few changes in France’s results from the previous Scorecard. The minor difference in France’s position in the ranking — a slide from fifth place to eighth — is based on the rebalancing of the Scorecard methodology.

Summary

Italy’s data protection laws are comprehensive but include certain registration requirements that are onerous and appear unnecessary, as well as some limitations to data flows like other European Union countries.

Italy provides adequate intellectual property protection for cloud computing services, including appropriate “safe harbor” protection from liability for third-party infringement.

Italy has strong cybercrime laws and a comprehensive cybersecurity strategy in place, which works in conjunction with the Italian Digital Agenda — a government-led initiative to invest in digital development.

In addition, Italy has modern electronic signature laws and electronic commerce laws, and it is committed to international standards and interoperability.

Italy’s overall ranking fell slightly — to ninth from eighth in the 2016 report. This was the result of better performance by other countries, particularly in IT Readiness and Broadband Deployment, as well as the rebalancing of the Scorecard methodology.

Summary

Spain has comprehensive privacy legislation, although it relies heavily on registration requirements that could act as a barrier for cloud computing services.

Spain has up-to-date cybercrime legislation and has ratified the Convention on Cybercrime. Spain also has comprehensive electronic commerce and electronic signature legislation, and Internet service providers (ISPs) are free from any Internet filtering or censorship.

Some minor gaps exist in intellectual property protection, and enforcement is poor particularly in relation to circumvention of technological protection measures.

Spain is a very active participant in international forums and supports international standards development and interoperability.

Spain recorded significant gains in information technology (IT) infrastructure in recent years. In the Digital Agenda for Spain, released in 2013, Spain reaffirmed its commitment to achieve the European Commission set targets for all households to have download speeds of at least 30 Mbps by 2020, and 50 percent of households at 100 Mbps by 2025.

Spain’s overall scores remained fairly steady. The country’s position in the Scorecard rankings improved slightly — to 10th in 2018 from 11th in 2016.

Summary

Poland has up-to-date electronic signatures, electronic commerce, and cybercrime laws. These laws provide a good platform for promoting confidence in cloud computing and the digital economy.

Although Poland has a comprehensive data protection law in place, data controllers are bound by registration requirements. In addition, data breach notification requirements are limited.

Poland has a good regime for the protection of intellectual property, including specific rules for Internet service provider liability. However, some gaps still exist in copyright enforcement and protection against the circumvention of technological protection measures.

Poland promotes innovation and interoperability and has nondiscriminatory policies for government procurement.

Poland’s National Broadband Plan 2014–2020 was adopted in January 2014 and remains valid until 2020. The plan sets the targets that, by 2020, 100 percent of households and companies should have access to Internet connectivity of at least 30 Mbps and 50 percent of households and companies have access to Internet connectivity of 100 Mbps.

Poland’s place in the Scorecard rankings fell one place in 2018, from 10th to 11th.

Summary

Korea has a strong commitment to the promotion of the digital economy, and its laws and standards are generally based on international models. Korea scored well in the IT readiness and broadband deployment section of the scorecard.

Although Korea has a personal data protection law in place, it imposes complex and inflexible notice and consent requirements, which effect data flows that are paramount for cloud computing.

Korea’s strong intellectual property laws facilitate the development and use of cloud computing services. However, the implementation and enforcement of these laws could be improved in some instances. Korea’s cybercrime law does not cover the full range of relevant issues.

Korea is an active proponent of free trade and interoperability and is a member of the World Trade Organization (WTO) Agreement on Government Procurement. However, one current area of concern is that Korea imposes a national encryption standard for the procurement of information technology (IT) security devices and related equipment, when a suitable international encryption standard is available.

In addition, some IT products that have already passed international Common Criteria for Information Technology Security Evaluation are required to undergo additional local testing in Korea.

Overall, Korea’s position in the Scorecard rankings remains unchanged from 2016.

Summary

Mexico has implemented many relevant cyberlaws, including privacy legislation, rules on data breach notification, and up-to-date cybercrime legislation.

Improvement is required in intellectual property protection and enforcement in Mexico. Significant gaps in legal coverage and enforcement remain. Intellectual property safe harbor has not been implemented for cloud service providers in Mexico and the bar for prosecution of intellectual property crimes is high.

Mexico also scores poorly in the section on promoting free trade.

There is no specific national broadband plan in Mexico and no speed or connectivity targets have been published. The country continues to face challenges in delivering a modern information technology (IT) infrastructure that can facilitate cloud computing.

Overall, Mexico’s Scorecard ranking improved slightly, from 15th place in 2016 to 13th in 2018.

Summary

Malaysia has modern electronic signature laws, and electronic commerce laws in place. These measures provide good level of protection for computing in Malaysia.

Malaysia has data protection regulation in place that is generally compatible with globally recognized frameworks. However, the law does not include data breach notification provisions and data controllers are required to register with the Personal Data Protection Department.

Malaysia has specific provisions in place for law enforcement access to encrypted data that, in some instances, may act as de facto mandate for the use of specific security technology.

Malaysia’s copyright laws are aligned with international standards, although enforcement remains patchy.

Malaysia has a moderate level of broadband penetration. In 2015, the government committed to new broadband targets: by 2020, 100 percent of households in capital cities and high-impact growth area to have access to speeds of 100 Mbps and 50 percent of households in suburban and rural areas to have access to speeds of 20 Mbps.

Malaysia fell slightly in the Scorecard rankings — from 13th place in 2016 to 14th place in 2018.

Summary

South Africa’s comprehensive privacy law is gradually being implemented. The country also has some useful cybercrime and electronic commerce laws in place.

However, some limited Internet filtering and censorship still occurs, which may inhibit development of the digital economy, and South Africa has only very basic copyright laws, which are not aligned with current international best practice. In Mid-2015, the Government of South Africa started a process to amend the copyright law, but the process has faced considerable delays. South Africa has not yet signed the WIPO Copyright Treaty.

Another potential barrier in South Africa is the existence of a complex system of domestic preferences in government procurement opportunities.

South Africa has low levels of broadband penetration, but they have been improving in recent years. The government released ambitious targets in December 2013 for the South Africa Connect plan.

South Africa’s ranking in the 2018 Scorecard fell slightly — from 14th to 15th — based largely on the rebalancing of the Scorecard methodology.

Summary

Turkey’s Law on the Protection of Personal Data came into force in April 2016. Turkey has also signed the Convention on Cybercrime, which came into force in the country in 2015. These developments help create a positive environment for building trust in cloud services.

However, Turkey continues to have some gaps in other areas that affect cloud computing. For example, rules on Internet content regulation may act as a barrier to cloud services.

Intellectual property protection in Turkey is reasonably up-to-date, but enforcement is patchy.

Turkey’s progress toward integration with the European and international communities has stalled, and some domestic preferences are still in place for government procurement opportunities.

The government has an ambitious target of providing fast broadband to 95 percent of households by 2020.

Turkey’s overall ranking rose from 19th in 2016 to 16th in 2018 mostly because of its new privacy law, which came into force in 2016, and the rebalancing of the Scorecard methodology.

Summary

Argentina has data protection laws in place and is updating some aspects of the law. There are effective laws in place on cybercrime and electronic signatures in the country. Although Argentina’s scores for IT infrastructure (and broadband access in particular) improved since the Scorecard was first launched in 2012, progresses in this area is still necessary.

The country has a poor track record of protecting and enforcing intellectual property rights relevant to cloud computing. For example, Argentina does not provide specific “safe harbor” protection for intermediaries. Some gaps also exist in the important areas of standards development and technology neutral and nondiscriminatory government procurement of information technology (IT).

Argentina also scored poorly on promotion of free trade because it imposes numerous tariffs and other trade barriers that negatively affect the digital economy.

There were very few changes in Argentina’s results from the previous Scorecard. Argentina fell slightly in the 2018 report rankings mostly because of progress made by other countries.

Summary

Brazil recognizes the importance of information technology (IT) and the digital economy, but has struggled to implement a policy framework to foster the development of cloud computing. Some trade barriers to IT innovation remain in Brazil. Gaps also exist in the technology neutral and nondiscriminatory government procurement of IT.

Brazil still does not have specific privacy legislation in place, and is falling behind its peers in this area. Brazil has some gaps in intellectual property protection and enforcement in areas relevant cloud computing. Although positive trends are present, there is room for improvement. Brazil has implemented an effective intellectual property “safe harbor” process for cloud service providers. On the other hand, the Brazilian Patent and Trademark Office has a large backlog of pending applications, which prevents patents from being issued in a timely manner. Similarly, Brazilian courts also have a large backlog of cases.

However, Brazil does achieve better scores in relation to security and infrastructure, with significant improvements recorded in relation to Internet freedom in the past years.

Although Brazil’s overall rank changed substantially since the last Scorecard — from 22nd to 18th — this improvement did not stem from major improvements in Brazil’s policy or IT infrastructure development. Rather, this change was caused mostly from the rebalancing of the Scorecard methodology to reflect the developments that have occurred since the Scorecard was first launched and by other countries’ poorer performance in the areas relevant to cloud computing that are reflected in the Scorecard.

Summary

Thailand’s laws and policies in relation to cloud computing and the digital economy are patchy, with strengths in some areas and significant gaps and weaknesses in others.

Thailand has implemented comprehensive cybercrime legislation, which helps to enhance confidence in information technology (IT). Thailand also has good laws for electronic commerce and electronic signatures. However, Thailand has no privacy laws, and this is a major weakness.

In January 2015, two Copyright Amendment laws were approved: the Copyright Act (No. 2) B.E. 2558 (A.D. 2015), and Copyright Act (No. 3) B.E. 2558 (A.D. 2015). These two new laws implement many of the key provisions of the WIPO Copyright Treaty. They also introduced an Internet service provider (ISP) liability scheme for copyright infringements that applies in broad circumstances.

Additional risks in Thailand include mandatory Internet censorship (some of which is clearly political in nature) and filtering, and procurement preference policies.

Overall, Thailand’s position in the Scorecard rankings has risen slightly since 2016 — from 21st to 19th — mostly because of incremental improvements in the Cybercrime and Intellectual Property Rights sections. Improvements in the IT Readiness and Broadband Developments based on the Thailand Digital Economy and Social Development Plan 2016 are also ongoing.

Summary

Laws and regulations in India have not entirely kept pace with developments in cloud computing, and some gaps exist in key areas of protection; notably, India has not yet implemented effective privacy legislation, although work is underway to address this issue.

India has a comprehensive national cybersecurity strategy in place and strong cybercrime legislation. Some laws and standards in India are not technology neutral (e.g., electronic signatures), and these may be a barrier to interoperability.

This year’s report notes that India imposes some local security testing requirements in addition to international testing requirements. These local testing arrangements have been the subject of criticism by India’s trading partners, including the European Union.

There is a gap in trade secrets protection in India. In addition, guidance for examiners on how to evaluate patent applications for software-enabled inventions is lacking, although the revocation of guidelines that would have prevented most computer related inventions from being subject to patent protection if novel hardware was not present is a step in the right direction. Furthermore, India still has not ratified the WIPO Copyright Treaty.

Overall, India’s ranking in 2018 is 20th. India fell two places because of its poor results in the Data Privacy and IT Readiness and Broadband Deployment.

Summary

Russia has a patchwork of laws that apply to the digital economy and cloud computing, and these laws contain significant gaps and limitations.

For example, its laws on both privacy and cybercrime do not follow recognized international standards. Russia requires personal data of Russian citizens to be stored on servers based in Russia. This requirement has a significant negative effect on the digital economy.

In addition, any personal data information system (even a simple database) must be certified by the Federal Service for Technical and Export Control (FSTEC). Furthermore, only hardware and software that has been approved by the FSTEC and the Federal Security Service (FSB) can be used for personal data processing in Russia. Russian allows certain flexibility regarding whether local or international standards should be used but no preference is given to international standards.

Russia also has cumbersome Internet filtering and censorship regulations that act as a barrier to cloud computing. Russia mandates the use of certain products and software in government procurement opportunities.

Russian law addresses copyright infringement liability, as well as “safe harbors” from such liability for intermediaries, including cloud service providers, that comply with relevant requirements. However, Russia has a poor record of intellectual property enforcement in general, and laws protecting against circumvention of technological protection measures are limited and poorly enforced.

Overall, Russia’s place in the Scorecard rankings fell sharply in 2018. The negative effect of the data localization regulations and lack of promotion of free trade contributed to the country’s ranking falling by four spots — from 17th to 21st.

Summary

The continued promotion of indigenous development policies that discriminate against foreign technology companies continue to hinder China’s cloud computing readiness progress.

China does not follow international models in key areas that are relevant to cloud computing. For example, the privacy and security provisions in the 2015 National Security Law and 2016 Cybersecurity Law are controversial and have been the subject of extensive international debate. Key concerns include data localization mandates, extensive and duplicative tests, audits, and certifications. These concerns are exacerbated by pending and/or unclear implementing guidelines.

China achieved the lowest results from all countries in the areas of international standards and it also scored very poorly in the section on free trade promotion. China imposes a range of onerous local certification and accreditation requirements that are in addition to (and often inconsistent with) international cybersecurity standards and general IT standards. China also imposes local testing requirements for cybersecurity products.

Extensive regulation of Internet content, including mandatory Internet filtering and censorship, remains a key issue in China.

China’s poor results in relation to laws and regulation were partly offset by strong progress in IT infrastructure, which explains the slight improving in its ranking — from 23rd place to 22nd place.

Summary

Indonesia continues to update and reform laws and regulations in the information technology (IT) sector, and the result is not always positive for cloud computing.

Regulations impose significant barriers for cloud service providers, including requirements for providers to register their services with a central authority and rules that force some providers to establish local data centers and hire local staff.

Copyright law in Indonesia is now mostly aligned with international models. However, several key aspects of the new law await more-detailed regulations before they can be implemented. In addition, improvements could be made in the areas of enforcement and safe harbor protection for intermediaries.

A gap in Indonesian regulatory environment exists in the areas of interoperability, free trade, and government procurement, negatively affecting cloud computing.

The Indonesian Broadband Plan was finalized in December 2013 and implementation began in 2014 with the objective to increase “meaningful” broadband penetration. However, information on implementation of the plan is limited.

Overall, Indonesia fell three places in the Scorecard rankings (from 20th to 23rd), as the country’s rank was overtaken by others.

Summary

Vietnam continues to work on the development relevant cyberlaws that could enhance confidence in the digital economy and facilitate cloud computing. However, gaps still exist in key areas.

Vietnam has laws and regulations in place for electronic commerce and electronic signatures. However, only very limited laws are in place for cybercrime and Vietnam has not developed a national cybersecurity strategy yet.

Vietnam’s privacy laws are not comprehensive, but a patchwork of sectoral provisions provide some protection.

Vietnam continues to impose severe censorship and restrictions on Internet content. An additional risk is that Vietnam has not yet developed appropriate laws and policies on interoperability and government procurement. Also, some trade barriers may hamper the development of cloud computing and the digital economy.

There is also a gap in intellectual property protection and enforcement in Vietnam. Broadband penetration in Vietnam remains low, although there has been strong growth in a number of key infrastructure indicators in recent years.

Due to the many legal and policy gaps existing in Vietnam, as well as the poor performance in IT readiness and broadband development, the country has remained entrenched in last place — 24th — since the Scorecard was first launched.