U.S. and European governmental bodies have enacted laws in recent years that police technology companies’ use of personal data. So far, the response from the cloud vendors — and regulators — has been a mixed bag.
The EU implemented the General Data Protection Regulation (GDPR) more than two years ago, and in early 2020, the California Consumer Privacy Act (CCPA) took effect. To varying degrees, these regulations codify an individual’s right to control his or her personally identifiable information. Businesses that collect and store that data within these jurisdictions must take steps to prove they’re compliant.
Some cloud providers have done more to adapt to these regulations, updating cloud services so they’re easier for customers to use in compliant ways. At the same time, the extent to which GDPR and CCPA will actually be enforced remains unclear, which contributes to the inconsistency surrounding the cloud market’s reaction to the laws.
Take a look at how the GDPR and CCPA compliance regulations affected the cloud ecosystem so far, and what to expect going forward.
GDPR, CCPA and cloud computing
The influence of the GDPR, CCPA and similar regulatory frameworks on public cloud vendors is two-fold.
First, cloud vendors must ensure their services are compliant with requirements involving data transparency, “privacy by design,” transparency in data processing and other factors related to regulatory frameworks.
So far, cloud companies seem to be faring well on this front. At the time of publication, none of the major cloud providers have faced lawsuits alleging GDPR or CCPA violations in their cloud computing services. Amazon has been sued for alleged GDPR violations and Google was fined for GDPR noncompliance, but those incidents were related to other facets of their sprawling businesses.
The second and more complicated challenge cloud vendors face in the era of GDPR and CCPA is how to help customers ensure compliance while using their platforms. Most public cloud providers acted early and offered guidance on how customers could comply.
Amazon launched GDPR Center in late 2017, several months before the GDPR went into effect, to help users understand how to comply with the regulations. Around the same time, it introduced additional data security features for its Amazon S3 data storage service, including default encryption, permission checks and cross-region replication capabilities. These security features were touted as a way to help customers comply with the GDPR — although they were not designed solely for that purpose. Amazon also announced that six of its cloud services, including EC2, S3 and Elastic Block Store, comply with the CISPE Code of Conduct, a framework intended to measure whether a cloud service enables users to maintain GDPR compliance.
Microsoft also offers guidance on GDPR and launched the Azure Policy service to help customers achieve GDPR compliance. It provides a checklist to help customers determine whether their use of Azure services is GDPR-compliant.
Google Cloud Platform (GCP) stands out a bit in that its GDPR resource hub focused on outlining GCP’s own compliance with the GDPR, rather than helping GCP customers comply. Still, Google offers some assistance: its resources include automated alerts for suspicious logins and data de-identification, which can help meet GDPR compliance needs. These tools are described on Google Cloud’s GDPR resource portal.
For the most part, Amazon, Google and Microsoft have focused their GDPR and CCPA responses on providing guidance rather than actual compliance tools. Apart from the handful of tools and feature enhancements, none of the cloud vendors rolled out major offerings to assist with modern compliance requirements.
Instead, they use compliance hubs to direct customers to rely on cloud services that were part of their platforms long before the GDPR and CCPA compliance requirements came into effect, such as identity and access management frameworks and data encryption tools.
Few compliance cases to date
The lack of concrete GDPR or CCPA compliance offerings from cloud vendors reflects the fact that, to date, there have been few legitimate regulatory actions related to users of these cloud platforms. This especially applies to SMBs that rely on standard public cloud services for everyday operations. These companies remain woefully underinformed about GDPR requirements. For example, 90% of British SMBs are unaware of the law’s main tenets, according to a 2019 survey.
So far, most GDPR-related fines and governmental investigations involve large companies with enormous IT infrastructures that, in many cases, involve bespoke cloud services. There are ongoing cases involving allegations of compliance violations against British Airways, which relies in part on a custom-built private cloud infrastructure, and Marriott, which uses managed cloud services from IBM. There has been some increase in private litigation surrounding GDPR noncompliance, although those cases, too, appear to center on large companies, like Amazon.
CCPA lawsuits, on the other hand, seem to target small and medium-sized companies rather than large enterprises. Few details are available about these cases because they were filed so recently, but they could prove to be better examples of how smaller companies that rely on public clouds will be affected. However, the CCPA remains so recent that it is too soon to say how it will impact the industry.