Cloud computing: the legal issues for businesses

Business and technology lawyer Richard Abbott outlines the legal issues faced by companies making the move to cloud computing.

Cloud computing is increasingly used by businesses for storing data, with benefits including easier management of data, access to up-to-date technology and the ability to adjust the amount of data storage needed. The storage of data is, in effect, outsourced, so rather than a user hosting data on its own server, it is hosted remotely on the internet. The user will share resources such as the management and storage of data with other data users. Everyday examples of cloud computing include Hotmail and Facebook, services which are used by millions of people every day. However, there are a number of legal issues that should be considered by providers and customers before making the leap.

Due Diligence

Prior to entering into a contract, a customer will need to carefully research potential service providers to ensure that they are capable of providing the necessary service and that they have proven solvency. The customer can use the Invitation to Tender to ask for references and for necessary company information to help establish the suitability of a potential service provider and their ability to host the data appropriately. Credit checks should also be undertaken. The risks of using an unsuitable service provider could include the loss of valuable data which, in turn, could cause considerable loss and damage to the customer. The customer will also need to check that its data is held in a transferable format so that it can easily be moved to another service provider at the end of the contract term.

Physical Location of Data

Data is stored in ‘the Cloud’, which is another word for the Internet. As a result, it could be stored anywhere in the world. It is vital to ensure the physical location of data is agreed as this will have an impact on issues such as data protection and the applicable legal jurisdiction to resolve disputes.

Under European and British data protection legislation, it is illegal to export personal data outside the European Economic Area (EEA) unless the security of personal data is adequately protected, e.g. by incorporation of the EU Model Clauses. The hosting of personal data by a service provider outside the EEA would amount to export under EU and British law. In addition, people are legally entitled to access to any data held about them and it must be adequately secured. Thus any cloud computing contract will need to take account of these issues.

If there is a contractual dispute between the customer and the service provider, the dispute will be settled under the jurisdiction set out in the contract. If both the customer and service provider are based in England or Wales and the data is held locally, this should not be a problem, as English law will almost certainly apply. However, if one or both parties are based abroad and the data is held abroad this could be more of an issue. Even if both parties are UK based, the data could still be held abroad. Care needs to be taken to ensure that data complies with the laws of any country in which it is held.

Data Security

Any Cloud Computing agreement will need to cover issues such as security, data privacy and disaster recovery. Consideration will need to be given to the damages and indemnities that will apply in the event of data loss. For example, will the contract include damages for loss of data and loss of profits and, if so, what liability cap should be in place? A number of questions will arise, such as who controls the data, where it is being held and processed and where and who can access it. The contract will need to ensure that data is adequately secured and complies with legal and audit requirements.

Ownership of Data

Ownership of data needs to be set out in the contract and adequate legal safeguards included to cover intellectual property infringement. Data will remain under the ownership of the customer, but care should be taken in the contract to ensure that the customer also retains ownership of any back-ups or other data created whilst being hosted by the service provider. The protection of intellectual property rights (IPR) will be a particular concern. As well as defining who owns which material, the parties will normally indemnify each other against any third-party claim of IPR infringement.

Service Levels

It is vital to ensure performance levels and continuity of service are assured, as considerable damage could result to a business if it is unable to access its data as and when required. These will be set out in the Service Level Agreement and may well allow the customer to claim credits for failure to meet key performance indicators. The industry is not regulated, so the customer will need to ensure the level of service is adequately set out in the contract. The parties will need to agree on disaster recovery to ensure that data is not lost forever.

Exit Strategy

Lastly, consideration needs to be given as to how and within what timescale a customer can recover its data or transfer it to another provider at the end of the contract term.