SMART 2016/0032 Switching of Cloud Services Providers
Cloud Stakeholders’ Meeting
Brussels, 12 December 2017
Arthur van der Wees, Arthur’s Legal & Douglas Hayward, IDC
© IDC
All rights reserved, Arthur’s Legal B.V.
Start with Common Understanding: Definitions
Data is not a four letter word
International Telecommunication Union (ITU-T Y.2060) and The Internet of Things European Research Cluster (IERC)
Data
Data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing, including without limitation proprietary and non-proprietary data, confidential and non-confidential data, non-personal and personal data, as well as other human readable or machine readable data.
EC Cloud Service Level Agreement Standardisation Guidelines
3D approach | Multi-story of connected data types | Classified data | Sensitive data | Personal data | Derived data | Proprietary data | IPR |
Encrypted data, with or without Tokenization | Distributed Data
Every (sub)category of data needs to be addressed separately
Effect of Termination
‘You may retrieve Your Content from the Services, only if you have paid any charges for any post-termination use of the Service Offerings and all other amounts due, and (…)’
‘You will not have access to your data stored on the Services during a suspension or following termination.’
Access to Data
To the Service Offerings
‘We may change, discontinue or depreciate any of the Service Offerings.’
‘ ...we will provide you with the same post-termination data retrieval assistance that we generally make available to all customers.’
Post-Termination
In publicly available Cloud MSAs & SLAs:
Main Strategic & Legal Challenges found in this Study 2016-0032
1. Absence of an Exit Plan
2. Lack of Transparency
3. Lack of Communication and Cooperation
4. ‘Take it or Leave it’ Approach
5. Ineffective & inconsistent Use of Standards
6. No Relevant Attributes or adequate service levels in place
7. No Remedies or Lack of Sufficient Remedies
Data Retention: 60%
Most do not specify the amount of time that data is retained or deletes data upon termination.
Data Retrieval: 60%
Most do not specify the amount of time granted or deletes data upon termination
Interface: 0%
None of the scrutinized CSPs specify a mechanism for data transport
Format: 0%
None of the scrutinized CSPs specify the format for data transport
1. Assessment
2. Preparation
3. Negotiation & Contracting
4. Execution & Operation
5. Updates & Amendments
6. Escalation
7. Termination & Post
Repeat
The Portability Legal Life Cycle: When should Portability be considered? In all Phases.
Use Case: Simple
Phases 1, 2 & 3: Pre-Agreement
• Internal resource cost for data classification and deriving data structure and patterns (24*75 = EUR 1.800,-)
• External resource cost for exit procedure support (40*125 = EUR 5.000,-)
Phases 4, 5 & 6: Execution
• Internal resource cost for executing the exit procedure (160*75 = EUR 12.000)
Phase 7: Termination & post-Termination
• Limited
Total (€)
• EUR 18.800,- + limited cost in phase 7

Use Case: Medium Complex
Phases 1, 2 & 3: Pre-Agreement
• Internal resource cost for data classification and deriving data structure and patterns and requirements (48*75 = EUR 3.600,-)
• External resource cost for exit procedure support (120*125 = EUR 15.000,-)
Phases 4, 5 & 6: Execution
• Assuming that the customer in this use case had stored quite a large amount of data in these cloud services, migration may take for example 3 months, for 2–3 FTE, which indicates a maximum internal resource cost of EUR 100.800,- (3*160*3*70 = EUR 100.800,-)
Phase 7: Termination & post-Termination
• Medium-Large
Total (€)
• EUR 119.400,- + medium-large cost in phase 7

Use Case: Complex
Phases 1, 2 & 3: Pre-Agreement
• Internal resource cost for data classification and deriving data structure and patterns and requirements (64*75 = EUR 4.800,-)
• External resource cost for exit procedure support, including extensive impact scenario analysis, and exit plan preparations (200*125 = EUR 25.000,-)
Phases 4, 5 & 6: Execution
• In case the customer succeeds in transferring the services, this may take for example 6 months, for 2–3 FTE, which indicates a maximum internal resource cost of EUR 201.600,- (6*160*3*70 = EUR 201.600,-)
Phase 7: Termination & post-Termination
• Very large (company may fail)
Total (€)
• EUR 231.400,- + very large cost in phase 7
Analysis of portability costs: Use cases
Example Pre-Contractual Cost (per deal): EUR 18.800
Annual Cloud Services Running/ Subscription Cost: EUR 15.000
Example Pre-Contractual Cost (per deal): EUR 18.800
Annual Cloud Services Running/ Subscription Cost: EUR 120.000
Example Pre-Contractual Cost (per deal): EUR 231.400
Annual Cloud Services Running/ Subscription Cost: EUR 600.000
Ethics & Accountability
Law & Legislation Official Policies
Standardisation & Certification
Market Self-regulatory & Contractual
Risk Allocation & Insurance
Technology
Case Law
Human & Society
Ecosystem for Technology & The Rule of Law
Next Generation Policy Instruments
Technology Neutral
Business Model Neutral
Interpretation Neutral
Hybrid
Principle-Based
Semantic Interoperable
Objective & Measurable
Facilitating both CSCs and CSPs
Personal Data Processing & Article 20 GDPR
Right to Data Portability
20.1 The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, …
20.2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
20.3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to [the right to be forgotten]. […]
20.4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Customer Data both personal & non-personal Data
What Right to Data Portability?
EC Study SMART 2016-0032
• Main goals of this study and methodological approach
• Assessment of Technical and Economic and Legal issues
• Analysis of portability costs and compliance costs
• Assessment of potential measures and policy scenarios
• Economic impacts of portability policy scenarios
• Conclusions and recommendations
Summary of key findings
Goals of the study
The main objective of this study is to gather evidence on practices relating to switching of cloud services providers, with a specific focus on the barriers potentially preventing data portability and/or application portability, and the policy measures needed to overcome these barriers.
The study aims at supporting policy-making aimed at facilitating switching of cloud services providers by business users and private users, in the context of the DSM.
The study is expected to contribute in particular to the European Cloud Initiative and the Free Flow of Data Initiative.
• Provide findings about their causes, suggest countermeasures and good practices
• Interact with the community of cloud stakeholders
• Assess the legal, technical and economic feasibility of potential measures
• Evidence on technical, legal, economic issues when switching cloud providers
• Assess competitiveness, innovation and economic impacts on the cloud market
• Collect feedback from stakeholders
• Draw conclusions and recommendations
Methodological approach
Desk research
Field research
• 16 Case studies on cloud customers
• 9 Case studies on cloud service providers
• Additional online survey run from March 2017
Stakeholder validation (workshop) in May 2017
Additional data collection on cloud migration costs in June/July 2017
Additional data collection on compliance costs when dealing with obligation to facilitate switching, or ensure transparency in October 2017
• 9 cloud service providers involved, 4 responses collected
Economic model estimating the potential impacts on demand of public cloud measured as total spending in the EU, based on three alternative policy scenarios
Data Schema / Data Model
Access of datasets to underlying infrastructure
Business logic between data
Semantics / Meaning of data
Application functionality
Middleware software
Underlying infrastructure
Technical assessment
Cloud users need to be aware of:
For data export to work more easily, an understanding of how data is organized in a cloud service is required
SaaS
PaaS
IaaS
Technical assessment
Complexity of portability increases as you go up the stack
Higher complexity
Lower complexity
Data portability works if vendors:
• build services based on open standards APIs and protocols for data movement
• are transparent about: data model / data schema / data semantics
Data interdependencies tend to increase with:
• Type of cloud service consumed: higher complexity in SaaS versus IaaS
• Size of organization
Technical assessment
Key findings:
• Few organizations have a clear cloud portability plan in place today. Most are still experimenting with cloud consumption
• The risk of vendor lock-in exists if vendors start to build intellectual property at data format/access levels (e.g. proprietary APIs, proprietary data archiving, other proprietary protocols)
Assessment of potential policy scenarios
Option 1: Mandatory EU Policy
Introduction of portability right allowing cloud customers to export data/app from a CSP and import them to another CSP, strengthening the free exercise of choice of services for consumers and business within the DSM
Option 2: Soft Law Measures
The common denominator of soft law instruments (standards, codes of conduct, model contracts) is their voluntary nature and absence of redress mechanisms. Here the issue is not so much the existence or not of appropriate measures relevant for portability, but the level of engagement by the entire spectrum of stakeholders
Option 3: No Action
This option would leave relevant action for portability to Member States without entailing any action at EU level. In this context, MS would be expected to implement the requirements of the Treaty of the EU regarding free movement of goods, services and establishment and deepening the engagement of stakeholders
Positive impacts on business continuity;
Adding value to ported data;
Enhancing customer’s sense of control over data with new guarantees of data access and ownership
These measures can be beneficial, as they may contribute to the increase of awareness within the community of relevant cloud stakeholders
This scenario would entail a series of negative consequences hampering Digital Single Market both at micro and macro level
Policy impact scenario methodology
Cloud Type
Territory
Industry
Organization size
1. Basis: IDC public-cloud forecasts 2017-21
2. IDC forecasts projected to 2021-25
3. Multipliers added (see left)
Scenario: No EU Policy Action
Scenario: Mandatory Policy
Scenario: Soft Regulation
Economic impacts of portability policy scenarios
For each of the policy scenarios considered by this study, IDC estimated the potential impacts on demand of public cloud measured as total spending in the EU
No EU Policy Scenario - Impact on Demand: 18.7% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €64.9 billion in 2025
• SMEs (under 250 employees) tend to lag behind large enterprises in terms of take-up of public cloud because of lack of skills and relative lower maturity, as well as lower rates of movement towards digital transformation
• Sectors where there are confidence and trust barriers to cloud adoption will grow more slowly
Soft Law Measures - Impact on Demand: 19.7% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €68.8 billion in 2025
• By 2025, European public cloud demand is predicted to be 6% larger than under the ‘No EU Policy Action’ scenario
• This represents a difference of €3.9 billion in public cloud demand for 2025 between the three scenarios.
Mandatory EU Policy Impact on Demand: 20.5% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €71.9 billion in 2025
• By 2025, European public cloud demand is predicted to be 10.9% larger than under the ‘No EU Policy Action’ scenario
• This represents a difference of €7.1 billion in public cloud demand for 2025 between the three scenarios.
Recommendations to the EU Member States
Encourage Awareness of the Need for ‘Exit Plans’ in cloud contracts
National Governments are invited to encourage awareness of the need for clear and well-defined "exit plans" that contain appropriate measures to guarantee that data and/or applications can be ported between cloud services with minimal, reasonable and pre-agreed costs and delays.
Encourage Dissemination of Best Practices of cloud migration and data porting
National Governments are invited to encourage dissemination of best practices facilitating promotion of greater levels of portability in accordance with the building blocks and other components
Allocate Reasonable Levels of Resources to Monitor Compliance
National Governments are invited to allocate reasonable resources to the competent authority to be assigned with the supervisory role to monitor compliance. For instance, auditing of cloud service providers requires investment in appropriate organizational resources and expertise.
Recommendations to Organizations
Implement ‘Exit Plans’ from cloud contracts
Companies of all sizes, including both cloud service providers and their customers, should provide and implement concrete cloud-service “exit plans”.
Meaningful and effective redress
Contractual agreements between organizations of all sizes should provide for “meaningful and effective” redress, in case the portability related requirements (e.g. service level objectives) set in the contract are not met.
Treat Portability Strategically, and Plan for it.
Organizations of all sizes, including both cloud service providers and their customers, should consider portability of data and applications strategic, and provide for it within their business continuity plans.
Obtain Data Subject’s Consent Before Porting Their Data
Organizations acting in their capacity as cloud service customers obtain contractually appropriate consent in order to request their cloud service provider to port the data of the data subjects.