Cloud computing – outsourcing the services but not the liability
22nd October 2012
Whilst the economic advantages of cloud computing services are compelling, there are major legal risks which, in certain situations, outweigh the potential cost benefits.
Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. When we talk about cloud, we are referring to a wide ambit of services, notably Software as a Service (SAAS), Platform as a Service (PAAS), Infrastructure as a Service (IAAS) and Database as a Service (DAAS).
Earlier this year, the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights. Moreover, there are substantial discrepancies between the 27 EU Member States in respect of their implementation of the 1995 rules and this, in turn has led to divergences in enforcement.
Key legal concerns include data protection, breach of contract and breach of confidence.
Key obligations under the UK Data Protection Act, mirrored throughout the whole EU, relate to taking appropriate technical measures to keep personal data secure and not exporting it to jurisdictions which don’t have equivalent data protection regimes.
In the olden days when data were stored on a specific, possibly local server under your direct control or that of your ISP, life was relatively simple. However, once you engage data services from cloud providers, can you really keep track of where such data is located and how secure it is?
These are not just academic questions. If the data is not kept securely or is transferred without permission of the data subject outside the EU (or jurisdictions deemed equivalent), not only do you face the very real possibility of a fine from the Information Commissioner (up to £500,000) but also being sued by your clients for breach of contract and/or confidence. This, in turn, may have adverse financial and reputational consequences for you. Risks tend to be particularly high in the fields of financial services and healthcare.
Notable associated issues which are problematic in this nebular context include:
- if you receive a “subject access request” for access to personal data by one of your customers, are you sure that you will be able to comply when the data are no longer under your control and may be stored thousands of miles away by a sub-sub-sub-contractor of your direct cloud services provider?
- can you be sure that you will be in a position to meet compliance obligations to keep certain types of data for certain periods?
- what if your data/content which is perfectly legal in your jurisdiction ends up, without your knowledge or approval, hosted in a jurisdiction where it is deemed illegal in respect of IPR, Compliance or other matters?
- will you be able to access and recover your data if your provider or one of its subcontractors goes bust?
The fact that you are not in control of where your data ends up does not mean that you are not responsible. You will remain the “data controller”. The cloud provider will, typically, only be a “data processor”. In light of this you need to ensure that you carry out appropriate due diligence on your cloud provider to determine its financial solidity, chosen subcontractors and where your client data would be located/hosted.
There are certain other steps that you can take to limit your exposure, notably:
- impose appropriate contractual restrictions on your provider to prohibit it from doing anything that would expose you to liability and incorporate appropriate contractual indemnities in your favour if it does not comply;
- take out relevant insurance cover;
- make sure that by entering the cloud you are not breaching any contractual obligations that you have to your clients;
- avoid, where possible, cloud providers who will co-mingle your data with other customer data – if they do so, your risks will be far higher in various respects;
- ensure that relevant data are encrypted;
- determine how easy the cloud provider makes it to migrate to another provider or to take operations in-house.
It is useful to consult the Information Commissioner’s guidelines for businesses moving data into the cloud. According to the ICO, companies should review the personal data that they process and establish whether there is any which should be kept outside the cloud due to legal, regulatory or contractual considerations.
Finally, if all else goes wrong, you should at least ensure that you have appropriate data backups. For obvious reasons, these should be housed far away from the original source.