Tech Law Blog

Export Control: How does it impact on Cloud Computing?

22 May 2014

Mason Hayes & Curran Technology Law Blog

This post, the second in our series on export control, discusses the application of dual use export controls to cloud computing. (Our last post on Dual Use Items and Intangible Exports can be found here)

Recent years have seen an exponential growth in cloud based services.  The European Commission (the “Commission”) estimates that revenues in the EU cloud sector could double to nearly €80 billion by 2020 and that cloud computing could contribute up to €250 Billion to EU GDP in 2020 and 3.8 million jobs.  However, the treatment of cloud computing under Irish and EU export control is far from clear and raises complex and serious questions for cloud service providers, users and regulators, particularly as the relevant legislation provides for criminal sanctions, including imprisonment.

What is cloud computing?

The US National Institute of Standards and Technology has described cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”  This model is composed of five essential characteristics (e.g. on-demand self-service, resource pooling, etc.), three service models (i.e. software, platform and infrastructure as a service) and four deployment models (i.e. from private to public clouds).  

In essence, when a user purchases cloud computing services they are purchasing a ‘virtual machine’ that behaves like a physical computer but actually utilises resources from numerous interconnected servers.  In that manner, multiple virtual machines can operate on a single server, and multiple servers can contribute resources to a single virtual machine.

Why are export controls relevant?

Council Regulation (EC) No 428/2009 (the “EU Regulation”), which controls the export of dual use items (i.e. goods and technology which can be used for both civilian and military purposes in sensitive areas like electronics and information security), and is mandatory law in Ireland, defines an ‘export’ as including the ‘transmission’ by electronic means or ‘making available’ in an electronic form technology or software to a destination outside the EU (these are known as “intangible exports”).  As such, Irish and EU export controls apply to the ‘online’ world (such as cloud computing) as much as to the ‘offline’ world, and the Commission recognises that exports are increasingly transmitted rather than transported.  

Export controls can be triggered where, for example, exported files contain information which explains the operation of controlled goods like information security systems performing cryptanalytic functions or using quantum cryptography.  Export controls can also be triggered where the information itself is controlled, for example, information relating to the development of frequency hopping techniques used in the area of communications.

One essential characteristic of cloud models is ‘location independence’, in that the customer generally has no control or knowledge over the exact location of the cloud resources.  Moreover, cloud-based services are provided over networks which have become increasingly global, thus increasing the volume of worldwide information flows and the number of people who have access to this information.

The Commission recognises that this development presents a major challenge for export control, particularly due to the unsuitability of border controls and the difficulty for companies in ensuring compliance.  This increases both the compliance burden and the likelihood of inadvertent export control breaches.  Indeed, there are a range of scenarios in which an ’export’ within the meaning of the EU Regulation could take place without the prior knowledge of the cloud service provider and/or the user.  For example, an ‘export’ takes place where a person uploads technology to a company’s private cloud when: