Cloud computing – how safe is it from a legal perspective?
In recent years, cloud computing has grown from being a promising business idea to a rapidly expanding quarter of the IT industry.
Given the current economic landscape, companies are increasingly realising that simply by using cloud services they can gain fast access to best-of-breed business applications and/or upgrade their IT infrastructure and resources, at very affordable rates. But as more and more valuable data and information on both individuals and companies is placed in the cloud, the question is how safe is it from a legal perspective?
What is cloud computing?
At its most basic, cloud computing is the delivery of IT as services over the internet. Cloud users don’t need to buy or install software and companies don’t have to run their own application and data servers. Cloud Service Providers (CSPs) host applications and provide the computing power from their data centres, benefiting from massive economies of scale and dramatically lowering the costs of IT service provision.
Despite its recent exponential growth, it is not a new phenomenon. Cloud computing is a development from models that were popular towards the end of the last millennium. Now with bandwidth ever increasing and with major IT suppliers such as Google, Microsoft and Amazon opening up cloud services on a one-to-many basis, it is likely to become a serious consideration for many companies as time moves on.
What are its key features and benefits?
There are a number of common characteristics of cloud services, including:
On-demand self-service: customer can access computing capabilities automatically as needed, without intervention from the supplier.
Broad network access: computing capabilities are available over the network and accessed through standard mechanisms any time, anywhere.
Resource pooling: CSP’s computing resources are pooled to serve multiple customers using a multi-tenant model, resulting in low costs for the customer.
Rapid elasticity: computing capabilities can be quickly scaled up or down, depending on the customer’s needs, allowing him to respond to business demands without risking being over- or under-resourced.
Measured service: the customer’s resource usage can be monitored and controlled. In other words, the customer pays for what he uses.
Low fixed periodic service charges: can include support and maintenance.
What are the legal risks?
The key issues are data security and the lack of contractual protection available via the non-negotiable standard terms on which the services are normally provided.
Cloud computing is very accessible for smaller businesses but there are big risks: potentially you could find that your data has been chopped up and is being stored on different servers in any number of different countries worldwide, leaving you in complete breach of the data protection laws.
UK requirements. Cloud services give rise to complex data protection compliance issues. The party responsible for deciding the purposes and manner in which personal data are processed (the data controller) must ensure that when processing of personal data is sub-contracted, the terms of that contract require the subcontractor (the data processor) to process personal data only in accordance with the data controller’s instructions and to ensure that appropriate technical and organisational measures are taken to keep the personal data secure in accordance with the Data Protection Act 1998 (DPA).
Standard terms. In almost all cases, the business buying cloud services will be the data controller, and the CSP will be the data processor. Many of the standard terms for cloud services do not include these provisions, or they qualify them by excluding all liability. They are therefore often insufficient to satisfy the requirements of the DPA. Businesses should attempt to negotiate more protection than that provided in the standard terms although, in practice, providers are often unwilling to negotiate.
Data exports outside the EEA. In addition to security requirements, EU data protection laws also impose restrictions on the export of personal data outside the EEA (subject to certain limited exceptions) unless one of various conditions are met. A key difficulty in cloud services is that it is often impossible to determine precisely where personal data have been transferred in the cloud, which increases the challenge of complying with this requirement.
Many providers have taken the position that this is the customer’s problem, and that the customer should be responsible for ensuring that one of the conditions justifying export (such as obtaining consent) is met, but this is unlikely to be practical for many organisations. Some providers will restrict the processing of personal data within their European cloud infrastructure, but this will almost always come at an additional cost. As such, current cloud services offerings may not be appropriate for functions and services with a significant personal data component.
Multiple jurisdictions. Information stored in global cloud infrastructure is potentially subject to the laws of every jurisdiction in which it is stored. This potentially makes that data accessible by law enforcement authorities in those jurisdictions, and may trigger requirements for the supplier to retain the data locally under applicable data retention laws.
Data in the cloud can be exposed to risks of unauthorised disclosure as a result of security breaches, particularly where the data is unencrypted. Breaches could have major repercussions on a customer’s business, especially if it contains confidential information, intellectual property or personal data and face the risk of claims and negative publicity.
Availability and service terms
Many cloud services are provided on standard non-negotiable supplier terms. Providers are currently reluctant to give warranties as to the availability or quality of service or to accept any significant liability in relation to service failure. Loss of data is also typically excluded.
If you need clear and pragmatic legal advice, we’re here to help so please get in touch.