This article can also be found in the Premium Editorial Download "IT in Europe: Cloud computing: Data security outlook."
Enterprise cloud computing has been a hot topic for several years now. While it may seem like there’s been plenty of time to think through cloud computing legal issues and
To me, cloud computing legal issues split into three key domains. First, there is the contractual framework that is required to ensure good service levels. Second, there is the regulatory environment that applies to the processing of data. Third, there is the issue of applicable law, which is about the jurisdictional confusion that flows from the way that (a) cloud services are organised and (b) nation states legitimately seek access to intelligence for national security, law enforcement and other high-level public concerns.
Ensuring good service levels
Creating a suitable contractual framework for ensuring good service levels should never be a problem, because a contract outlining a cloud service agreement is like any other outsourcing contract, and outsourcing law has developed a massive degree of sophistication over the past 20 years. Thus, one would expect the typical cloud computing contract to include consideration of issues such as service location, sub-contracting, technology refresh, downtime, dispute handling, price, exit and so on.
Problems will arise where there is inequality in the bargaining power of the parties, which can manifest itself in a take-it-or-leave-it attitude, or where the cloud service provider is unable to answer fundamental questions, such as where the data is located or who will be accessing it. Be wary of these sorts of interactions: if this is the profile of the pre-contractual relationship, it is easy to see why it may not augur well for the post-contractual relationship.
In most cases, though, negotiation is possible, and so the resulting service-level agreements (SLAs) become critical documents. As with any contractual relationship, the greater the clarity, the lower the risk of satellite disputes around points of detail. One common dispute area concerns the compensation mechanisms for downtime; parties should try to be clear on whether cash rebates are paid, or service credits issued, or some other mechanism put in place.
The regulatory environment
The law has traditionally held the view that commercial organisations are free to agree the contractual framework of their relationships. However, this traditional approach breaks down when regulation or consumer protection law becomes applicable.
Most organisations deploying a public or hybrid cloud service will face regulatory obligations of some sort, even if these arise as a result of company law, the need for good record-keeping and the need to limit unnecessary operational risk. Additionally, some sectors of the economy are specifically regulated (financial services, pharma, telecoms, etc.), and where organisations process personal data, there is general regulation through data protection law.
It is vital that organisations contemplating cloud computing understand their regulatory obligations. Taking data protection law as an example, there are regulatory expectations about reporting security breaches as well as concrete statutory obligations to manage personal data to limit the scope for unnecessary processing. If the contractual framework for cloud services does not “map” fully to the regulatory environment, the organisation will be put in breach of law, with potentially harsh consequences (in the UK, the data protection regulator can now issue fines of up to £500,000 for breach of the Data Protection Act).
One common vision of cloud involves international data flows, where information moves from country to country, across many geographical borders. The extent to which data flows across such borders is case-specific, but regardless, the applicable law issue needs to be fully factored into pre-contractual planning. For example, US legislation takes a long-arm approach for national security purposes, as represented by the Patriot Act, which means some forms of data can be subject to compulsory, secret export to the US. Yet EU data protection law prohibits surreptitious transfers of personal data out of Europe, and some countries, like France, even have specific “blocking statutes” to prevent certain forms of international data flow. The key point to remember is that international laws can often be contradictory in scope and purpose, which can cause operational difficulties for multinationals who are left to resolve these tensions. So, if the law requires data to reside only in particular countries, this needs to be spelled out in the contract to avoid potentially serious problems downstream.
In conclusion, cloud computing legal issues can pose complex problems, but the comforting message is that these problems are manageable. What is needed is a clear understanding of the operational goals of the proposed cloud computing arrangement, a specific effort to translate those goals into contractual mandates, and a consultation with your organisation’s counsel to not only eliminate any potential contractual ambiguity, but also ensure the contract’s legal language marries up with the business strategy.
About the author:
Stewart Room is a partner at Field Fisher Waterhouse LLP. Follow him on Twitter @stewartroom, or visit www.stewartroom.com.
This was first published in September 2011