Back to school…but is it time for a change?
Whilst the economic advantages of cloud computing services are compelling, there are major legal risks which, in certain situations, outweigh the potential cost benefits.
Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. When we talk about cloud, we are referring to a wide ambit of services, notably Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Database as a Service (DaaS).
Earlier this year, the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights. Moreover, there are substantial discrepancies between the 27 EU Member States in respect of their implementation of the 1995 rules and this, in turn, has led to divergences in enforcement.
Key legal concerns include data protection, breach of contract and breach of confidence.
Key obligations under the UK Data Protection Act, mirrored throughout the whole EU, relate to taking appropriate technical measures to keep personal data secure and not exporting it to jurisdictions which don’t have equivalent data protection regimes.
In the olden days when data were stored on a specific, possibly local server under your direct control or that of your ISP, life was relatively simple. However, once you engage data services from cloud providers, can you really keep track of where such data is located and how secure it is?
These are not just academic questions. If the data is not kept securely or is transferred without permission of the data subject outside the EU (or jurisdictions deemed equivalent), you face not only the very real possibility of a fine from the Information Commissioner (up to £500,000) but also the risk of being sued by your clients for breach of contract and/or confidence. This, in turn, may have adverse financial and reputational consequences for you. Risks tend to be particularly high in the fields of financial services and healthcare.
Notable associated issues which are problematic in this nebular context include:
The fact that you are not in control of where your data ends up does not mean that you are not responsible. You will remain the “data controller”. The cloud provider will, typically, only be a “data processor”. In light of this you need to ensure that you carry out appropriate due diligence on your cloud provider to determine its financial solidity, chosen subcontractors and where your client data would be located/hosted.
There are certain other steps that you can take to limit your exposure, notably:
It is useful to consult the Information Commissioner’s guidelines for businesses moving data into the cloud. According to the ICO, companies should review the personal data that they process and establish whether there is any which should be kept outside the cloud due to legal, regulatory or contractual considerations.
Finally, if all else goes wrong, you should at least ensure that you have appropriate data backups. For obvious reasons, these should be housed far away from the original source.