This chapter evaluates the key data protection requirements and compliance obligations that governments must account for when entering into contracts with cloud service providers. The chapter concentrates on data protection issues that pose particular barriers for governments attempting to adopt cloud-computing services.

The chapter focuses primarily on understanding how the General Data Protection Regulation (GDPR) impacts the use of cloud computing. This requires an analysis of applicability and jurisdiction, applications of principles, understanding roles and responsibilities under the law, contractual obligations on sub-processors, liability for compliance, and limits on data transfers among others. The chapter also provides an overview of US data privacy law.

The chapter further evaluates recent case law and guidance from the European Data Protection Board (EDPB) and national data protection authorities to draw conclusions regarding GDPR cloud compliance obligations. Specifically, the chapter focuses on challenges and limits to cross-border transfers of data following the CJEU decision in the “Schrems II” case.

This chapter provides an overview of cloud computing technology. The explanation includes an overview of the differences between traditional outsourcing and cloud computing and how server virtualization makes cloud computing possible. The chapter also identifies the major players in the provision of cloud computing services and the primary cloud computing service and deployment models. The chapter evaluates central security concerns and risks including loss of availability and risks to data portability.

This chapter evaluates the unique obligations governments have when they commit citizen data to cloud service providers. In particular, the chapter focuses on how the responsibilities of governments are different than other types of cloud computing users focusing on specific procurement obligations, and other legal requirements.

The chapter also evaluates issues related to “data sovereignty”, outsourcing of government functions, and the potential risk to citizens from outsourcing critical infrastructure. Further, barriers that governments face when procuring cloud computing services including data localization restrictions, difficulties in comparing costs to traditional IT services, and ill-suited contract templates designed for traditional IT-outsourcing being applied to cloud computing services.

The chapter also explains that since operations or services are outsourced to cloud, governments must have the means to monitor them in order to retain a certain level of control over the operations they are outsourcing. The chapter examines government procurement programs in the United States, United Kingdom, and European initiatives to adopt cloud computing at the government level.

This chapter evaluates the application of jurisdictional principles to cloud computing services and the core challenges for governments and others. The chapter considers the interplay of jurisdiction—the ability of a court to hear a dispute—in the context of physical location, intelligible access to data, and the physical location of servers.

In particular, the chapter focuses on areas of uncertainty, such as the categorization of services and the location of data and limits to current approaches. The chapter argues that the traditional territorial approach to jurisdiction is a poor fit to account for the properties of cloud computing services and data more generally arguing that data poses unique legal challenges to applying traditional jurisdiction principles.

The chapter provides an analysis of access to cloud computing services for law enforcement and intelligence purposes by the US government. This includes an analysis of the “Microsoft Warrant” case, the US CLOUD Act and its possible conflicts with the General Data Protection Regulation (GDPR), and access by US intelligence agencies under FISA Section 702 and Executive Order 12333.

This chapter contains the first part of the book’s study on cloud computing contracts evaluating the organization and structure of cloud computing contracts in addition to their content. This includes an evaluation of Service Level Agreements (SLAs), the use of master-service and framework agreements, issues related to subcontractors and subcontracting, third-party rights, and liability considerations.

The study applies a qualitative analysis of based on both secondary and original data. Secondary data is derived from various research projects in the EU and elsewhere. Original study data is derived from contracts obtained by the author through Freedom of Information (FOI) requests. This study is original in its method and scope in the governmental context. Additionally, the chapter applies government cloud audits and other guidance form the UK G-Cloud and US FedRAMP programs.

Provides an omnibus conclusion on government cloud computing adoption and a look forward to impending challenges.

Technological progress could constitute a huge benefit for law enforcement: greater efficiency, effectiveness and speed of operations as well as more precise risk analyses, including the discovery of unexpected correlations, which could feed nourish profiles. A number of new tools entail new scenarios for information gathering, as well as the monitoring, profiling and prediction of individual behaviours, thus allegedly facilitating crime prevention: algorithms, artificial intelligence, machine learning and data mining. Law enforcement authorities have already embraced the assumed benefits of big data. However, there is a great need for an in-depth debate about the appropriateness of using algorithms in machine-learning techniques in criminal justice, assessing how the substance of legal protection may be weakened. Given that big data, automation and artificial intelligence remain largely under-regulated, the extent to which data-driven surveillance societies could erode core criminal law principles such as reasonable suspicion and the presumption of innocence, ultimately depends on the design of the surveillance infrastructures. This contribution first addresses the so-called rise of the algorithmic society and the use of automated technologies in criminal justice to assess whether and how the gathering, analysis and deployment of big data are changing law enforcement activities. It then examines the actual or potential transformation of core principles of criminal law and whether the substance of legal protection may be weakened in a ‘data-driven society’.