Big Legal Issues Affecting
23 March 2016
Dr Kuan Hon
@kuan∅ | firstname.lastname@example.org
Already law! – contracts from 1 Oct 2015
The Insolvency (Protection of Essential Supplies) Order 2015
Adoption expected 2016, effective in 2 yrs
Network & Information Systems Security Directive (NIS Directive)
General Data Protection Regulation (GDPR)
If cloud customer goes bust...
More info http://bit.ly/ITinsolvency
Cloud provider can’t use contractual right, exercisable upon administration or “voluntary arrangement”, to -
Terminate contract - unless eg new charges unpaid >= 28 days
Stop supply of service - unless notice to office-holder to terminate without personal guarantee of new charges, & none within 14 days
• Purpose – where rescue / restructuring, ie breathing space only
• Liquidation, bankruptcy - can still exercise contractual right to terminate
• Not just cloud services – supply of
o Data storage / processing (which must include cloud!), webhosting, computer software / hardware, IT info / advice /
All data, not just “personal data”
Security obligations + breach / incident notification
obligations + penalties for infringement – 2 classes
Operators of essential services
Banks, healthcare, transport, utilities, Internet infrastructure (IXPs, DNS service providers, top level domain name registries)
Essential service relying on DSP, incident at provider
“Digital service providers” (lighter obligations)
Incl. ALL cloud providers - IaaS, PaaS, and SaaS
(Also search engines, online marketplaces)
NIS Directive implications
Cloud contracts (operators using cloud for “essential service”)
Breach / incident notification to authorities
systems & processes
preparation / rehearsal – all stakeholders
New processor (cloud provider) obligations
Security, breach notification to customers,
international transfers, records, DPO - 2% / €10m
New processor (cloud provider) liability for compensation if “involved” in processing
Choice of who to sue – bigger pockets?
Claim back against others at fault iff paid in full
New detailed, prescriptive requirements regarding
contract terms, incl. cloud contracts
Audit rights + regulators can demand info / audits
“Assist” cloud customer (vs. commodity cloud)
Cloud and other processor contracts - change of law / change control clause now!
Providers - allocate responsibilities & liabilities, indemnities; costs / pricing
Both - new required terms - 2% / €10m
Cloud-appropriate standard contract terms?
CIF, Eurocloud, CSA put forward for approval?
Approved certifications, codes of conduct
Breach notification / preparation too!
Different authorities than under NIS Directive?
Killing cloud quickly with DP?
The GDPR's coming, soon to be law they say
Middle of 20-18 may be the fateful day!
What will this mean for clo-ud?
Will cloud be here to sta-ay?
Don't want to be pessimistic, not sure how we'll find a way
Killing cloud quickly with DP, killing cloud quickly, with DP,
tearing up SaaS, PaaS and I-aaS
Killing cloud quickly, with DP…?
Full article www.scl.org/site.aspx?i=ed46375
Photo of Roberta Flack by Roland Godefroy CC BY SA 2.5
Dr Kuan Hon
Half lawyer | half geek | mostly harmless
Email: k @ my domain below; also
www.kuan∅.com | blog.kuan∅.com