Engaging the cloud: Legal issues to consider when using the cloud
31 May 2012
Huub de Jong
• 900 lawyers full service law firm

• Focus on high tech and regulated sectors

• Innovative solutions to the world’s most technologically advanced companies to help them realise their business goals

Practice areas:
• Commercial
• Regulatory and administrative
• Intellectual property
• Privacy and data protection
• EU & competition law
• Outsourcing
• Dispute resolution
• Employment
• Corporate M&A
• Notary
Overview

● What is cloud computing?

● Data protection compliance in the cloud

● Data management issues to consider when drafting
  cloud service agreements
What is cloud computing?

● It depends who you ask…

● A simple definition is:

      "Delivery of IT Services provided using the internet"

● Cloud Computing can take various forms
Different forms of Cloud Computing

[Diagram: three columns, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), each showing the layers Application, Platform and Infrastructure; a customer boundary separates the internal layers (run by the customer) from the external layers (run by the provider), with the boundary sitting lower in the stack as you move from SaaS to IaaS.]
Potential Benefits and Risks of Cloud Computing

Benefits
- Reduced infrastructure costs and potential reduced licence fees (e.g. pay for usage)
- Anytime, anywhere access
- Part of green ICT agenda – organisations can outsource their carbon usage to organisations geared up to manage and minimise that impact
- Potentially improved support & maintenance
- Costs should decrease as number of users increase
- Reduced internal management overheads - both cost and time

Risks
- Reliance on online connectivity - the internet could be the single point of failure within an organisation. How long can the business survive without access?
- Lack of integration with legacy systems
- Compliance issues – data protection, encryption, Sarbanes-Oxley…
- Contracting on fixed standard terms with limited warranties, indemnities etc
- Risk of hidden extras (e.g. if capacity or usage or storage goes beyond set amounts)
- Data goes outside the corporate firewall, so security concerns, risk of data loss, concerns around data portability, exit, insolvency of supplier…
Data protection compliance
Cloud computing vs. US Patriot Act
EU Data Protection Directive

• Applicability of EU Data Protection Directive

• Lawful (international) processing

• Safe Harbour and EU Standard Contractual Clauses

• What about compliance in the US?

• Future: EU Data Protection Regulation and large fines?!
US Patriot Act – I’m not a US lawyer!

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
• FISA Orders and National Security Letters
  • applicability
  • confidentiality
• Is the US Patriot Act used in the EU?
• What happens in the future: …?
US Patriot Act vs. EU Data Protection Directive

POSITION EU
● controller remains responsible
● legal ground and transparency
● options to transfer to third parties are limited
● no generic exception for foreign legislation

POSITION US
● processor must deliver
● confidentiality
● not limited to US borders
● no (generic) exception for EU data protection legislation
Processing of sensitive personal data in a cloud solution

• Google Apps’ use by teachers in municipality of Odense
• Google Ireland Ltd is processor
• data processed in Google Inc’s datacenters in US and Europe

• Odense has, in reality, no control of how the data will be processed

• Odense cannot actively ensure security measures are upheld

• Danish DPA willing to reconsider … if Odense continues work on the case and seeks solutions
Contractual issues to consider
The terms and conditions of suppliers

Dropbox:
● We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to … comply with a law, regulation or compulsory legal request
● we will remove Dropbox’s encryption from the files before providing them to law enforcement

Microsoft:
● As a general rule, customer data will not be transferred to data centers outside that region [ie EU/EEA].
● There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)
Data Management in the Cloud – Drafting issues to consider

● Use of data
   • Seems obvious, but need to be clear what the provider can do with the data

● Data ownership
   • Again, may seem obvious – but occasionally providers seek to own content generated in the cloud

● Security standards and segregation
   • Require provider to comply with industry best practice
   • Consider the need for encryption when data is in transit
   • Require data to be kept in a way in which it is easily accessible, and avoid risks of 'contamination'

Data Management in the Cloud – Drafting issues to consider

● Portability of data
   • Make sure to consider the 'exit' situation
   • Consider what happens if the provider is insolvent – early warnings?
   • Include language to ensure that data is returned on demand (regardless of outstanding fees etc)

● Consider the need for back-ups
   • Be conscious of exclusions on liability for 'data loss'
   • Consider costs of restoring lost or deleted data
   • Issue of malicious deletion of data

● Staff issues
   • Most likely point of failure
Negotiating Cloud Services Agreements
(£) – service element that may attract additional charges – vary between vendors

Implementation
• Configuration assistance (£)
• Acceptance Process
• Migration from legacy systems
• Integration with other systems (£)
• Training (£)
• Migration in - Data Protection Compliance

Service
• Availability and performance service levels (£)
• Service credits (£)
• Scaling – storage, users (£)
• Support (£)
• Back-up and data recovery (£)
• Data Protection & Security
• Audit rights

Exit / Transition
• Notice provisions and termination rights
• Data portability
• Configuration information
• Transition support (£)
• Escrow (£)
• Migration out - Data Protection Compliance
Thank you
www.huubdejong.nl

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
www.twobirds.com
