Engaging the cloud: Legal issues to consider when using the cloud
31 May 2012
Huub de Jong

• 900 lawyers full service law firm
• Focus on high tech and regulated sectors
• Innovative solutions to the world’s most technologically advanced companies to help them realise their business goals

• Commercial
• Regulatory and administrative
• Intellectual property
• Privacy and data protection
• EU & competition law
• Outsourcing
• Dispute resolution
• Employment
• Corporate M&A
• Notary

Overview
● What is cloud computing?
● Data protection compliance in the cloud
● Data management issues to consider when drafting cloud service agreements

What is Cloud Computing?
● It depends who you ask….
● A simple definition is: "Delivery of IT Services provided using the internet"
● Cloud Computing can take various forms

Different forms of Cloud Computing
[Diagram: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), each shown as Application, Platform and Infrastructure layers, with a customer boundary separating internal from external.]

Potential Benefits and Risks of Cloud Computing

Benefits
● Reduced infrastructure costs and potential reduced licence fees (e.g. pay for usage)
● Anytime, anywhere access
● Part of green ICT agenda – organisations can outsource their carbon usage to organisations geared up to manage and minimise that impact
● Potentially improved support & maintenance
● Costs should decrease as number of users increase
● Reduced internal management overheads - both cost and time

Risks
● Reliance on online connectivity - the internet could be the single point of failure within an organisation. How long can the business survive without access?
● Lack of integration with legacy systems
● Compliance issues – data protection, encryption, Sarbanes-Oxley…
● Contracting on fixed standard terms with limited warranties, indemnities etc
● Risk of hidden extras (e.g. if capacity or usage or storage goes beyond set amounts)
● Data goes outside the corporate firewall, so security concerns, risk of data loss, concerns around data portability, exit, insolvency of supplier….

EU Data Protection Directive
• Applicability of EU Data Protection Directive
• Lawful (international) processing
• Safe Harbour and
• EU Standard Contractual Clauses
• What about compliance in the US?
• Future: EU Data Protection Regulation and large fines?!

US Patriot Act – I’m not a US lawyer!
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
• FISA Orders and National Security Letters
• applicability
• confidentiality
• Is the US Patriot Act used in the EU?
• What happens in the future: …?

US Patriot Act vs. EU Data Protection Directive

POSITION EU
● controller remains responsible
● legal ground and transparency
● options to transfer to third parties are limited
● no generic exception for foreign legislation

POSITION US
● processor must deliver
● confidentiality
● not limited to US borders
● no (generic) exception for EU data protection legislation

Processing of sensitive personal data in a cloud solution
• Google Apps’ use by teachers in municipality of Odense
• Google Ireland Ltd is processor
• data processed in Google Inc’s datacenters in US and Europe

Odense has, in reality, no control of how the data will be processed
Odense cannot actively ensure security measures are upheld
Danish DPA willing to reconsider … if Odense continues work on the case and seeks solutions

The terms and conditions of suppliers
● As a general rule, customer data will not be transferred to data centers outside that region [ie EU/EEA].
● There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)

● We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to … comply with a law, regulation or compulsory legal request
● we will remove Dropbox’s encryption from the files before providing them to law enforcement

Data Management in the Cloud – Drafting issues to consider
● Use of data
  • Seems obvious, but need to be clear what provider can do with the data
● Data ownership
  • Again, may seem obvious – but occasionally providers seek to own content generated in the cloud
● Security standards and segregation
  • Require provider to comply with industry best practice
  • Consider the need for encryption when data in transit
  • Require data to be kept in a way which it is easily accessible and avoid risks of contamination

Data Management in the Cloud – Drafting issues to consider
● Portability of data
  • Make sure to consider the exit situation
  • Consider what happens if the provider is insolvent – early warnings?
  • Include language to ensure that data is returned on demand (regardless of outstanding fees etc)
● Consider the need for back-ups
  • Be conscious of exclusions on liability for data loss
  • Consider costs of restoring lost or deleted data
  • Issue of malicious deletion of data
● Staff issues
  • Most likely point of failure

Negotiating Cloud Services Agreements
(£) – service element that may attract additional charges – vary between vendors

Implementation
• Configuration assistance (£)
• Acceptance Process
• Migration from legacy systems
• Integration with other systems (£)
• Training (£)
• Migration in - Data Protection Compliance

Service
• Availability and performance service levels (£)
• Service credits (£)
• Scaling – storage, users (£)
• Support (£)
• Back-up and data recovery (£)
• Data Protection & Security
• Audit rights

Exit / Transition
• Notice provisions and termination rights
• Data portability
• Configuration information
• Transition support (£)
• Escrow (£)
• Migration out - Data Protection Compliance

Thank you
www.huubdejong.nl

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. www.twobirds.com