This document discusses the risks and benefits of cloud computing from legal perspectives such as employment and labour law, litigation and e-discovery obligations, and privacy law compliance. Some key risks discussed include issues around data ownership, business interruption if the service provider fails, security of personal information, and ensuring cloud contracts maintain legal control over user data and provide ability to retrieve data. Public bodies also have specific obligations to ensure personal information storage and access occurs only in Canada. Overall, the document emphasizes legal issues organizations should consider with cloud computing contracts and arrangements.

1. “Looking at Clouds from both Sides” –
Risks and Benefits of Cloud Computing
Employment and Labour Law Conference
May 24, 2012
Tamara Hunter

2. What is Cloud Computing?

3. What is cloud computing?
• technologies that provide computation, software,
data access and storage services that do not require
end-user knowledge of the physical location and
configuration of the system that delivers the services
(Wikipedia)
• delivered over a network (typically, the Internet)

4. Categories
• Infrastructure as a Service (“IaaS”) and Storage
• Delivers computer infrastructure, along with storage and
networking
• Software as a Service (“Saas”)
• Delivers software without the need to install and run
applications
• Platform as a Service (“PaaS”)
• Allows the development and deployment of applications
without the need to purchase specific hardware or software

5. Benefits
• Cost
• Scalability
• User mobility
• Customizability
• Reliability?
• Performance?
• Security?

6. Cloud Computing:
General Issues and Risks

7. General Issues and Risks
• Location and jurisdiction
• Data ownership
• Business interruption (service provider)
• Loss of access (customer)

8. General Issues and Risks
• Source code and escrow
• Migration
• Who can access?
• Backup and archiving

9. General Issues and Risks
• Security
• Destruction of data
• IP infringement

10. Cloud Computing:
Litigation (E-Discovery)

11. Key Obligations
• Disclosure
• must disclose every relevant document in possession,
control or power
• “document” is broadly defined
• Preservation
• must preserve all relevant documents
• Serious consequences for breach

12. E-Discovery
• Electronic documents increase scope, complexity and
cost of discovery process
• Courts aware of importance of electronic documents

13. Cloud Computing and Discovery
• Disclosure and preservation obligations still apply
• Court does not care if you store data in your building or
in the cloud – only cares whether you have possession
or control

14. Cloud Computing and Discovery
• Consider risks:
• lost data
• non-compliant data preservation practices
• platform not easily searched
• sub-outsourcing

15. Cloud Computing and Discovery
• Cloud computing contract is key
• Maintain legal control over data
• Due diligence on cloud provider
• Ability to retrieve data in any circumstance

16. Cloud Computing:
Privacy Law Compliance

17. • When you think about Cloud Computing, consider it
as “mega-outsourcing”

18. • Regular outsourcing is when you store your data on
your own servers, but you send certain data to an
outside service provider or a service, so they can
perform a function with the data and provide a product
(e.g. send personalized cheques to your customers or
process your payroll and arrange for direct deposits for
your employees).

19. • Cloud computing means you don’t have your own
servers anymore – you’ve “out-sourced” that whole
infrastructure

20. • The key privacy law compliance issue is security of
personal information

21. • Geographic location of personal information is a
significant privacy law issue, especially for public
bodies in British Columbia (and service providers to
public bodies) but the concern with geographical
location of data really boils down to a security issue

22. Public Bodies in B.C.: Section 30.1 of FOIPPA
• A public body must ensure that personal information in
its custody or under its control is stored only in Canada
and accessed only in Canada, [unless a specific
exception applies]
• Breach of s. 30.1 of FOIPPA is an offence
• Some cloud service providers are aware of this
requirement and offer cloud services that meet this
requirement

23. Québec – Private Sector Privacy Legislation
• If using service provider outside Québec to store or
process personal information, must take all reasonable
steps to ensure that the personal information will not be
used for purposes not relevant to the object of the file or
communicated to third persons without consent
• If cannot be satisfied that the personal information will
be properly protected, must not communicate the
information outside Québec (s. 17)

24. • What about professionals (e.g., doctors, lawyers,
accountants, etc.) and businesses handling highly
sensitive personal information (e.g. banks, credit unions,
insurance companies)?
• Ethical and contractual obligations around confidentiality
may also require specialized cloud computing solutions
• Community Cloud or Private Cloud may work (e.g. Law
Society Cloud for lawyers is being considered)

25. • Private Sector - still have obligation under PIPEDA,
PIPA, the Québec Private Sector Privacy Legislation
(and, possibly, contractual obligations) to make
reasonable security arrangements to protect personal
information from risks such as unauthorized access,
disclosure, destruction, etc.
• Standard Cloud Computing contracts may not sufficiently
protect customer/employee personal information
• Requirement for transparency/notification
(customers/employees have a right to know)

26. Security issues:
• What geographic locations could be involved? Rule
some out or stipulate acceptable jurisdictions
• Reputation/history of cloud provider
• What other data will be mingled with your organization's
data? Concern re: concentration of high-risk data
• Will your organization be able to access audit logs?

27. • How quickly could you be required to produce a copy of
your organization’s records? will your organization be
able to meet that timeframe?
• What obligations does the cloud provider have in the
event of an information security breach?
• Immediate notification to your organization?
• Indemnity for any damages and professional fees?

28. • What happens if the cloud provider goes bankrupt?
backup/escrow might not be sufficient without access to
the application software necessary to decode the stored
data
• Does the contract provide for a method for your
organization to audit the cloud provider’s compliance
with its contractual security obligations?

29. • Insurance – does your organization’s insurance
coverage for information security breaches or data loss
apply if your data is “in the clouds”?

30. Thank You
Tamara Hunter
Associate Counsel,
Head of Privacy Law Group, Vancouver
tamara_hunter@davis.ca
604.643.2952