Cloud Computing, Export Controls and Sanctions
This is a summary of an article originally published in the August 2015 edition of The Journal of Internet Law and is reprinted with permission of Aspen Publishers.
Cloud services offer organisations in all sectors a wide range of potential benefits including the ability to use software from any device, to carry over files and settings to other devices seamlessly, to store, back-up and access data remotely, and in effect to lease the use of software or hardware instead of purchasing, maintaining, securing and upgrading it themselves.
By using these services, a user’s data, software or technology may be routed through and stored in multiple countries to maximise server efficiency and data security, but often without the knowledge or intent of the user (except in the case of private clouds).
A key aspect of all such services is that they provide access from anywhere to data located anywhere. In doing so, they draw a rapidly-increasing number of organisations into conducting what are, in effect, cross-border transfers of information.
While the great majority of such transfers fall outside export controls and sanctions, nonetheless some will be prohibited or require a licence. Violations of these laws, though hard to detect, can attract heavy fines, imprisonment and reputational damage. Both cloud service users and providers need to be aware of whether and if so how the regulations apply to their activities.
This article offers an overview of the law, how it applies to cloud services users and service providers and what steps they can take to ensure compliance.