Innovations in recent years have led to a major explosion in the consumption and processing of data.
Cloud computing is a particular innovation that is growing rapidly worldwide with more and more businesses, government entities, and consumers adopting cloud services.
As you are probably aware, cloud computing is a type of computing that relies on sharing computing resources through remote access and universal data storage, rather than having local servers or personal devices to handle applications.
If GCC countries are serious about positioning their major centres as strategic business hubs, they need more high specification data centres to store the increasing volume of data and to attract leading international cloud providers.
From a consumer perspective, there are three main reasons why having more local data centres and internet exchange points are important to the overall customer experience for cloud services:
According to datacentermap.com there are currently 104 co-location data centres across 14 Middle East countries.
By comparison there are:
There are 8 listed in the UAE. Malta and Lithuania also have 8. Cyprus has 12.
Based on a scorecard system developed by BSA – The Software Alliance (www.bsa.org) to measure ‘cloud readiness’ of a country, there are some aspects in the current legal and regulatory regimes of GCC countries that may need to be addressed for the GCC to be assessed as a more favourable environment for cloud computing.
By way of example only, in the UAE context (which broadly represents a median for the regional regimes) the following are likely to be seen as potential issues:
There is also an aspect of the UAE legal system that could potentially be misconstrued as a regulatory hurdle. The UAE uses the inquisitorial system, which is a legal system where the court or a part of the court is actively involved in investigating the facts of the case, as opposed to an adversarial system where the role of the court is primarily that of an impartial referee between the prosecution and the defence. Under the inquisitorial system, which is tied to common Civil Law, the truth is uncovered through questioning those most familiar with the dispute by a judicial authority. It’s up to an ‘independent’ prosecutor or investigating magistrate to distinguish between reliable and unreliable evidence. Accordingly, under Federal Law No. 35 Concerning the Penal Procedures Law, the Public Prosecution (not the police) , in proceeding with an investigation, can order a person in possession of something which the Public Prosecution deems should be seized or perused, to submit it (see Article 78). This could include data held by data hosting providers.
Those more used to an adversarial system, where judges focus on the issues of law and procedure and act as a referee in the contest between the defence and the prosecutor, are often uncomfortable with the investigative powers of the public prosecution. However, the inquisitorial system is not unique to the Middle East. If the cloud related aspects of a business are in France, Germany, or Japan the public prosecutions will have similar powers.
Proposed Cloud Regulation in KSA
To address objectives that include encouraging investment in a local cloud industry Saudi Arabia’s Communications and Information Technology Commission (‘CITC’) has recently undertaken public consultation on the proposed regulation of cloud computing.
The CITC is proposing a Cloud Infrastructure and Services License (‘CISL’) for Cloud Service Providers (’CSPs’) with data centres, or other key cloud infrastructure, in the Kingdom and those processing or storing sensitive user content.
The proposed regulations seek to address many of the gaps outlined above. For example:
There are some aspects of the proposed regulation that do require careful consideration. It is proposed that no ‘Level 3’ user content can be transferred outside Saudi Arabia. While the higher Level 4 classifies concerns highly sensitive or secret content belonging to concerned governmental agencies or institutions (and it is understandable that there may be a reason to localise such content), the ‘Level 3’ classification in the proposed regulations is much broader and includes ‘sensitive’ user content of private sector companies or organisations. What is ‘sensitive’ is not defined.
However, overall, the CITC’s proposed cloud-specific regulations should be welcomed as a positive move to benefit users of cloud services and for the development of the cloud industry in Saudi Arabia, and will hopefully act as a prompt for appropriate cloud-specific regulation in other GCC jurisdictions.