Cloud computing – how safe is it from a legal perspective?
08 November 2011
In recent years, cloud computing has grown from being a promising business idea to a rapidly expanding quarter of the IT industry.
Given the current economic landscape, companies are increasingly realising that simply by using cloud services they can gain fast access to best-of-breed business applications and/or upgrade their IT infrastructure and resources, at very affordable rates. But as more and more valuable data and information on both individuals and companies is placed in the cloud, the question is how safe is it from a legal perspective?
What is cloud computing?
At its most basic, cloud computing is the delivery of IT as services over the internet. Cloud users don’t need to buy or install software and companies don’t have to run their own application and data servers. Cloud Service Providers (CSPs) host applications and provide the computing power from their data centres, benefiting from massive economies of scale and dramatically lowering the costs of IT service provision.
Despite its recent exponential growth, it is not a new phenomenon. Cloud computing is a development from models that were popular towards the end of the last millennium. Now with bandwidth ever increasing and with major IT suppliers such as Google, Microsoft and Amazon opening up cloud services on a one-to-many basis, it is likely to become a serious consideration for many companies as time moves on.
What are its key features and benefits?
There are a number of common characteristics of cloud services, including:
On-demand self-service: the customer can access computing capabilities automatically as needed, without intervention from the supplier.
Broad network access: computing capabilities are available over the network and accessed through standard mechanisms any time, anywhere.
Resource pooling: the CSP’s computing resources are pooled to serve multiple customers using a multi-tenant model, resulting in low costs for the customer.
Rapid elasticity: computing capabilities can be quickly scaled up or down, depending on the customer’s needs, allowing him to respond to business demands without risking being over- or under-resourced.
Measured service: the customer’s resource usage can be monitored and controlled. In other words, the customer pays for what he uses.
Low fixed periodic service charges: can include support and maintenance.
What are the legal risks?
The key issues are data security and the lack of contractual protection available via the non-negotiable standard terms on which the services are normally provided.
Cloud computing is very accessible for smaller businesses but there are big risks: potentially you could find that your data has been chopped up and is being stored on different servers in any number of different countries worldwide, leaving you in complete breach of the data protection laws.
Data protection
UK requirements. Cloud services give rise to complex data protection compliance issues. The party responsible for deciding the purposes and manner in which personal data are processed (the data controller) must ensure that when processing of personal data is sub-contracted, the terms of that contract require the subcontractor (the data processor) to process personal data only in accordance with the data controller’s instructions and to ensure that appropriate technical and organisational measures are taken to keep the personal data secure in accordance with the Data Protection Act 1998 (DPA).
Standard terms. In almost all cases, the business buying cloud services will be the data controller, and the CSP will be the data processor. Many of the standard terms for cloud services do not include these provisions, or they qualify them by excluding all liability. They are therefore often insufficient to satisfy the requirements of the DPA. Businesses should attempt to negotiate more protection than that provided in the standard terms although, in practice, providers are often unwilling to negotiate.
Data exports outside the EEA. In addition to security requirements, EU data protection laws also impose restrictions on the export of personal data outside the EEA (subject to certain limited exceptions) unless one of various conditions is met. A key difficulty in cloud services is that it is often impossible to determine precisely where personal data have been transferred in the cloud, which increases the challenge of complying with this requirement.
Many providers have taken the position that this is the customer’s problem, and that the customer should be responsible for ensuring that one of the conditions justifying export (such as obtaining consent) is met, but this is unlikely to be practical for many organisations. Some providers will restrict the processing of personal data within their European cloud infrastructure, but this will almost always come at an additional cost. As such, current cloud services offerings may not be appropriate for functions and services with a significant personal data component.
Multiple jurisdictions. Information stored in global cloud infrastructure is potentially subject to the laws of every jurisdiction in which it is stored. This potentially makes that data accessible by law enforcement authorities in those jurisdictions, and may trigger requirements for the supplier to retain the data locally under applicable data retention laws.
Data security
Data in the cloud can be exposed to risks of unauthorised disclosure as a result of security breaches, particularly where the data is unencrypted. Breaches could have major repercussions for a customer’s business, especially if the data contains confidential information, intellectual property or personal data, and the customer may face the risk of claims and negative publicity.
Availability and service terms
Many cloud services are provided on standard non-negotiable supplier terms. Providers are currently reluctant to give warranties as to the availability or quality of service or to accept any significant liability in relation to service failure. Liability for loss of data is also typically excluded.
If you need clear and pragmatic legal advice, we’re here to help so please get in touch.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.