Cloud Computing: Regulatory Complexity Requires Systems Thinking

In a recent article Peter Wayner cautions that “No one knows which laws apply” in reference to the fact that a customer may be in one jurisdiction and the cloud instance they receive may be in another. He is correct in his assertion that this can cause regulatory complexity. In fact it could be far more complex than stated in his article. The customer may be in one jurisdiction, the provider’s corporate office may be in another, the applications may be in a third, and the data could even be in a fourth; and each jurisdiction may lay claim to regulatory control or revenue. In addition to Wayner’s advice I would add that that we need to pay even more diligent attention to emerging regulations. These can have an impact not only in terms of compliance, but they can also impact the bottom line of providers or their customers.

For example, one U.S. state is proposing a 4.5% sales tax that could impact cloud computing, or even a small business’ custom web site. This has raised concerns from their Chamber of Commerce that service providers would move out of the state. In this case the potential move is from state to state, but suppose a similar thing happened on a federal level and your provider decided to move their headquarter operations to another country. Even if your data and applications did not move, you might be subject to the regulations of that other nation. In addition there might also be implications in terms of compliance with data location and privacy regulations. So, what may appear to be a simple change to something like a sales tax could have an impact far beyond a simple increase in costs – and it could introduce much more complexity into the operations of both providers and consumers.

To further complicate things, today there are no standards across jurisdictions. For instance, a different U.S. state recently voted overwhelmingly – 65-2 – to exclude cloud computing services from their sales tax. Their House Majority Leader explained that they did so because they did not want to fall behind advancements in technology. Regardless of which you believe to be the better approach, my point here is there are differences that could introduce complexity and cost.

Now, I want to be clear. Though I have used some recent examples from the United States, this is not a United States only issue. Many governments are looking into this or are taking similar actions. And it is not only about taxes.

My point is that changes to regulations that impact one aspect of cloud computing can have a dramatic, and potentially unforeseen, impact in other areas. Thus, consumers of cloud computing services must consider such changes in the context of the entire system.

I am hopeful that those creating and changing these regulations are also taking a systems approach. Many governments are looking to cloud computing to help address their own service, cost and agility issues. Any complexity or cost that legislators or regulators add to the process will also have an impact on their own cloud computing initiatives. I believe this provides a real leadership opportunity for legislators. It also provides a leadership opportunity for providers to help drive these issues to a good place and to help their customers unravel this hairball.

“3D Maze” photo courtesy of stock.xchng

This blog is cross-posted at Cloud Storm Chasers. Follow @GeorgeDWatt