
While it is clear that the cloud has the potential to offer a
great deal for end-users, there is an assortment of potential
legal risks and issues that should be considered and, where
possible, mitigated, writes Dan Burge, partner at Denton Wilde
Sapte.
Cloud computing is an emerging form of IT outsourcing which is
promoted as offering particular benefits in flexibility, ease of
use and cost. Central to this approach is the fact that the IT
facilities offered by the supplier are provided via a network, or
the "cloud", reflecting the traditional representation of the web.
Cloud services typically include access to software, servers,
storage and back-up facilities.
However, the major public cloud providers keep performance
assurances and warranties to a minimum and essentially offer their
products only on an "as is" basis drawn from the consumer services
where they started. Many also retain the right to suspend their
services at any time in the event of any unanticipated downtime or
unavailability. Even where a breach occurs, most public cloud
providers require broad exclusions of liability.
There is a major disconnect between the confident claims of
availability and resilience which cloud providers make for their
services and their hesitance to accept risk.
Additionally, many cloud providers seek indemnities against any
claim which is made against them as a result of any information,
data or electronic material that a customer places into its cloud
which causes it to breach a third party's intellectual property
rights.
Other common indemnities include those protecting suppliers
against losses arising from a customer's breach of the services
agreement, failure to secure its passwords, or permitting
unauthorised access to the service.
As cloud computing, by its design, transcends national borders,
it complicates both compliance with the various flavours of data
protection legislation and the task of ensuring the security of
the data that is placed in the cloud.
European data protection law requires that the party which
decides the purposes for which any personal data is held or
processed and the manner in which it is held or processed (the
"data controller") has sole responsibility for safeguarding the
data.
The UK Data Protection Act 1998 includes obligations on data
controllers to include certain specific provisions in written
contracts with data processors. The law requires data controllers
to ensure that personal data is processed with "appropriate
technical and organisational measures" in place to prevent
unauthorised or unlawful processing or accidental loss, destruction
or damage.
The standard approach in many cloud providers' terms of service
is to exclude liability for security of any data and provide that
the customer retains full responsibility for data safety, contrary
to the principles of the UK legislation. However, perhaps more
significantly, the resources used in the cloud may be located in
unknown (and unknowable) jurisdictions, so compliance cannot be
assessed by the user.
While there are encouraging signs that commercial cloud-based
service offerings are starting to outgrow their generalist and
consumer-based origins, in most cases cloud providers have a long
way to go before they match their technical promises with a robust
commercial offering.