While it is clear that the cloud has the potential to offer a great deal for end-users, there are an assortment of potential legal risks and issues that should be considered and, where possible, mitigated, writes Dan Burge, partner at Denton Wilde Sapte.
Cloud computing is an emerging form of IT outsourcing which is promoted as offering particular benefits in flexibility, ease of use and cost. Central to this approach is the fact that the IT facilities offered by the supplier are provided via a network, or the "cloud", reflecting the traditional representation of the web. Cloud services typically include access to software, servers, storage and back-up facilities.
However, the major public cloud providers keep performance assurances and warranties to a minimum and essentially offer their products only on an "as is" basis drawn from the consumer services where they started. Many also retain the right to suspend their services at any time in the event of any unanticipated downtime or unavailability. Even where a breach occurs most public cloud providers require broad exclusions of liability.
There is a major disconnect between the confident claims of availability and resilience which cloud providers make for their services and their hesitance to accept risk.
Additionally, many cloud providers seek indemnities against any claim which is made against them as a result of any information, data or electronic material that a customer places into its cloud which causes it to breach a third party's intellectual property rights.
Some other common indemnities include those protecting suppliers against losses suffered from a customer breach of the services agreement or failures to secure their passwords or permitting unauthorised access to the service.
As cloud computing, by its design, transcends national borders, it complicates compliance with the various flavours of data protection legislation and ensuring the security of the data that is placed in the cloud.
European data protection law requires that the party which decides the purposes for which any personal data is held or processed and the manner in which it is held or processed (the "data controller") has sole responsibility for safeguarding the data.
The UK Data Protection Act 1998 includes obligations on data controllers to include certain specific provisions in written contracts with data processors. The law requires data controllers to ensure that personal data is processed with "appropriate technical and organisational measures" in place to prevent unauthorised or unlawful processing or accidental loss, destruction or damage.
The standard approach in many cloud providers' terms of service is to exclude liability for security of any data and provide that the customer retains full responsibility for data safety, contrary to the principles of the UK legislation. However, perhaps more significantly, the resources used in the cloud may be located in unknown (and unknowable) jurisdictions, so compliance cannot be assessed by the user.
While there are encouraging signs that commercial cloud-based service offerings are starting to outgrow their generalist and consumer-based origins, in most cases cloud providers have a long way to go before they match their technical promises with a robust commercial offering.