Aberdeen
Edinburgh
Glasgow
The Gathering
Cloud computing - Legal considerations
David Goodbrand, Partner
28 February 2013
What is cloud computing?
• IT services delivered over the internet
–
–
–
–
–
Increased data storage and processing capacity
cost benefits
back-up on high quality servers
high quality service support
(too) quick and easy to set up
• BUT are people aware of what they are signing up to?
What do you mean by cloud?
• Service as opposed to Product
– Software as a Service (SaaS)
– Platform as a Service (PaaS)
– Infrastructure as a Service (IaaS)
• What type of Cloud?
– Private
– Community
– Public
– Hybrid
It is all about balancing:
• Risk
• Cost
• Control
• Responsibility on customers to conduct proper
due diligence
Benefits and Risks
Benefit
Risk
• Low, fixed cost.
• Improved support and
maintenance
• Solution may not precisely
match corporate need
• Contracting on fixed standard
terms with limited protections
• Minimises hardware
investment cost
• Lack of control over data and
content
• Reduces internal management
overhead
• Potentially increased
compliance costs
Legal issues
• Data Protection
• Standard terms
• Intellectual property rights
• “Lock-in”
Data Protection Principles
For Data Controller
1.
2.
3.
4.
5.
6.
7.
8.
Fair and Lawful Processing
Specified and Lawful Purposes
Adequate, Relevant and Not Excessive
Accurate and Up To Date
Not Kept Longer Than Necessary
Recognise Data Subject Rights
Appropriate Security Measures
No Transfer Outside EEA Without Protection
Legal issues – data protection
• “Personal data” inevitably transferred to cloud service
provider (“CSP”)
• Customer remains “data controller”
• CSP becomes “data processor”
• Will CSP comply with customer’s obligations under
the Data Protection Act 1998?
• Can CSP sub-contract?
• Can CSP transfer data to third party?
Legal issues – data protection contd:• Data subject must be informed who processes their
data and for what purposes.
– Is this possible where data processor is CSP or a
sub-contractor?
• Where does responsibility for security breach lie?
– With customer
• Personal data not to be transferred outside EEA
(with certain exceptions not including USA).
– Where is CSP (or its sub-contractor(s)) based?
New Data Protection Laws: Headline Proposals
• Compulsory security breach notifications to authority and
data subject
• Expert data protection officer if 250+ employees
• Privacy impact assessments for sensitive data use
• Joint and several liability for controllers and processors
• Sliding scale of fines– max 2% of annual turnover
• Right to be forgotten: erase all data on request
Legal issues – CSP’s standard terms
• Usually tick box to agree to CSP’s Standard T&Cs
• Terms will be very favourable to CSP
• Risk allocation
– Certain risks passed back to the customer
• Limited warranties given and liabilities taken by CSP
– E.g.. loss of data
– Data back up
• UK - Exclusions need to be reasonable under UCTA
The battle ground?
•
•
•
•
•
•
•
•
Service levels/availability
Service credits?
Disaster recovery/business continuity
Escrow?
Assign-ability?
Termination rights
Audit rights – transparency
TUPE risk
Governing Law and Jurisdiction
• Favourable jurisdiction for CSP
• Most CSPs will be based outside UK and agreements
tend to be subject to US State law
– What is the law?
– How easy would it be to enforce your rights?
• EU consumer protection and UK’s UCTA should not
be relied on to provide protection
Legal issues – Intellectual Property Rights
• Although a service – still need a licence to use
• What are terms of the licence?
• Third party licences?
• Does CSP provide indemnity against infringement of
third party rights?
Content licensing
• Do terms provide licence from customer to CSP to allow
CSP to use customer content?
• Important because:
– data protection issues
– potential infringement of third party IP
– confidentiality issues
• Ensure any use of content by CSP is restricted
• Can CSP remove data from servers?
Legal issues – “Lock-in”
• What is the term of the contract?
• Can data be moved easily to another CSP?
• What happens on termination?
– Can all copies of data created be located and deleted?
– Can CSP guarantee sub-contractors will delete all
copies of data they possess?
– All personal data should be deleted for data protection
purposes on termination
Future developments?
• Law still trying to catch up with cloud computing after recent surge
in its use
• Draft EU General Data Protection Regulation proposed by European
Commission
• EU’s Article 29 Working Party has drafted an opinion which
addresses key challenges for future
– Make processor more accountable
– Prohibit disclosure by data controllers to third country (even to
judicial or administrative authority) where no international
agreement in place authorising disclosure
– European Governmental Cloud for public bodies in EU member
states
– Encourage growth of European cloud market – could help foster
common standards throughout EU
David Goodbrand
Partner
+44 (0)131 473 6125 Direct Dial
+44 (0) 7802 933 272 Mobile
David.Goodbrand@burnesspaull.com
Q A