Legal storm gathers in the cloud

Nigel Miller, partner at City legal firm Fox Williams, leads the firm's technology law group, where he spends time navigating the legalities of cloud computing.

Is the UK legal system ready for a service like cloud computing?
Nigel Miller: There is a notion that technology moves faster than law does -- law at snail's pace and technology at the speed of light. It is impossible for law to keep pace with technical development. Can law cope with new cloud services? The answer is yes and no. Where the answer is no is mainly in data protection and privacy legislation that was put in place long before cloud emerged into the mainstream.

Who is to blame if something goes wrong? Cloud providers or the end users?
NM: The main thing is if you are following a cloud computer model you may well be passing to a third party the personal information of your customers, such as financial information and purchase history. That data will be held on servers in data centres managed and controlled by third parties but you will still remain responsible for the security of the data. The fact that it is outsourced doesn't absolve you; if anything goes wrong you are still primarily responsible

The Data Protection Act says that if you entrust a third party to handle your data there are certain things you must do. You must exercise due diligence -- show that you have checked providers' suitability to hold the data, their technology, their security. And you must include certain key data security clauses into your contract with the service provider.

The problem is that you are often dealing with service providers based outside of the UK or Europe and their contracts often don't address the requirements of UK and European data protection legislation.

Which type of companies most need to be aware of the legal pitfalls?
NM: Many SMEs are going for the cloud model to gain the business benefits in terms of cost and access to technical expertise. They are not primarily focused on the legal and policy-type issues. They assume that the companies providing the cloud computing services have everything in place, but in the event, for example, of a data security breach they would nevertheless be required to demonstrate they had been diligent in checking out the suitability of the service provider.

The Data Protection Act (DPA) states that one cannot move personal data outside of the European Economic Area (EEA) without certain safeguards being in place. However, the essence of cloud computing means that the data can be held anywhere. Does the DPA need updating?
NM: European data protection legislation is quite focused on where the data is located, but in the cloud model it doesn't matter where the data is located. It may be in different places, perhaps in the U.S., and then backed up to somewhere different, and even the user or customer may not know where it is stored.

How can UK companies work with cloud providers who may hold data outside Europe?
NM: If your service provider is based in the U.S., one way is to engage with a company that has signed up to the Safe Harbor agreement that companies in the U.S. sign up to, to say they will meet standards as good as the Data Protection Act. Maybe the most convenient way, though, would be to look at the contract provisions. There are recommended "model" contract terms that can be included to ensure adequate safeguards for the data. However, the standard T&Cs of service providers based outside of Europe are unlikely by default to include clauses required by the UK Data Protection Act.

Transferring data across borders is at the serious end of data protection legislation contravention. However, the information Commissioner does allow people to outsource data processing offshore if they have carried out risk assessments and exercised due diligence. You can self-certify that adequate safeguards are in place, but this requires more than just "box ticking."

The information Commissioner's Office provides a lot of information on its website and has audit checklists, but it is not just a box ticking exercise. It requires individual risk assessment based on the type of data, where it is going and who will hold it.

If something goes wrong and the service provider loses the data, you are exposed to liability to your customers who may suffer damage such as identity theft. The standard terms and conditions of cloud computing providers tend to exclude all liabilities you can think of. They are saying, "We are not liable to you," and yet you may be liable to your customers. It comes down to looking at the contracts and not assuming it is all okay. In the UK we have a concept that you can't exclude all liability beyond what is reasonable, but if the supplier is outside the UK that may not be the case.

About the interviewee: Nigel Miller specialises in commercial contracts and regulation, information technology, intellectual property, data protection and e-commerce. He deals with negotiation, drafting and advice on a variety of commercial contracts, both domestic and international, and on compliance with UK and EU business regulation.

He is a fellow and past chairman of the Society for Computers & Law. He is also a past president of the International Federation of Computer Law Associations and a member of the Legal Advisory Group of the Federation against Software Theft (FAST).

With three young daughters, Nigel plays tennis occasionally and can be found in a City gym before most people are out of bed.

Read more on Cloud computing services