Presentation on theme: "The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow."— Presentation transcript:
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow
What is cloud computing? IT services delivered over the internet – Increased data storage and processing capacity – cost benefits – back-up on high quality servers – high quality service support – (too) quick and easy to set up BUT are people aware of what they are signing up to?
What do you mean by cloud? Service as opposed to Product – Software as a Service (SaaS) – Platform as a Service (PaaS) – Infrastructure as a Service (IaaS) What type of Cloud? – Private – Community – Public – Hybrid
It is all about balancing: Risk Cost Control Responsibility on customers to conduct proper due diligence
Benefits and Risks Benefit Low, fixed cost. Improved support and maintenance Minimises hardware investment cost Reduces internal management overhead Risk Solution may not precisely match corporate need Contracting on fixed standard terms with limited protections Lack of control over data and content Potentially increased compliance costs
Legal issues Data Protection Standard terms Intellectual property rights “Lock-in”
Data Protection Principles For Data Controller 1. Fair and Lawful Processing 2. Specified and Lawful Purposes 3. Adequate, Relevant and Not Excessive 4. Accurate and Up To Date 5. Not Kept Longer Than Necessary 6. Recognise Data Subject Rights 7. Appropriate Security Measures 8. No Transfer Outside EEA Without Protection
Legal issues – data protection “Personal data” inevitably transferred to cloud service provider (“CSP”) Customer remains “data controller” CSP becomes “data processor” Will CSP comply with customer’s obligations under the Data Protection Act 1998? Can CSP sub-contract? Can CSP transfer data to third party?
Legal issues – data protection contd:- Data subject must be informed who processes their data and for what purposes. – Is this possible where data processor is CSP or a sub-contractor? Where does responsibility for security breach lie? – With customer Personal data not to be transferred outside EEA (with certain exceptions not including USA). – Where is CSP (or its sub-contractor(s)) based?
New Data Protection Laws: Headline Proposals Compulsory security breach notifications to authority and data subject Expert data protection officer if 250+ employees Privacy impact assessments for sensitive data use Joint and several liability for controllers and processors Sliding scale of fines– max 2% of annual turnover Right to be forgotten: erase all data on request
Legal issues – CSP’s standard terms Usually tick box to agree to CSP’s Standard T&Cs Terms will be very favourable to CSP Risk allocation – Certain risks passed back to the customer Limited warranties given and liabilities taken by CSP – E.g.. loss of data – Data back up UK - Exclusions need to be reasonable under UCTA
The battle ground? Service levels/availability Service credits? Disaster recovery/business continuity Escrow? Assign-ability? Termination rights Audit rights – transparency TUPE risk
Governing Law and Jurisdiction Favourable jurisdiction for CSP Most CSPs will be based outside UK and agreements tend to be subject to US State law – What is the law? – How easy would it be to enforce your rights? EU consumer protection and UK’s UCTA should not be relied on to provide protection
Legal issues – Intellectual Property Rights Although a service – still need a licence to use What are terms of the licence? Third party licences? Does CSP provide indemnity against infringement of third party rights?
Content licensing Do terms provide licence from customer to CSP to allow CSP to use customer content? Important because: – data protection issues – potential infringement of third party IP – confidentiality issues Ensure any use of content by CSP is restricted Can CSP remove data from servers?
Legal issues – “Lock-in” What is the term of the contract? Can data be moved easily to another CSP? What happens on termination? – Can all copies of data created be located and deleted? – Can CSP guarantee sub-contractors will delete all copies of data they possess? – All personal data should be deleted for data protection purposes on termination
Future developments? Law still trying to catch up with cloud computing after recent surge in its use Draft EU General Data Protection Regulation proposed by European Commission EU’s Article 29 Working Party has drafted an opinion which addresses key challenges for future – Make processor more accountable – Prohibit disclosure by data controllers to third country (even to judicial or administrative authority) where no international agreement in place authorising disclosure – European Governmental Cloud for public bodies in EU member states – Encourage growth of European cloud market – could help foster common standards throughout EU
David Goodbrand Partner +44 (0) Direct Dial +44 (0) Mobile