This article previously appeared in Technology and Commercial Contracts Newsletter, November 2011.

Capturing the Cloud

Cloud computing is the delivery of software and data storage solutions via the internet with the associated hardware generally located in datacentres far from the cloud customers' main business premises. Just like businesses access the energy grid to meet their energy requirements, cloud customers access the cloud to meet their IT requirements. Using the internet as an IT platform brings with it a host of benefits: businesses may no longer need to invest heavily in purchasing hardware or licensing software; instead, they are offered access to IT solutions "on tap", and can use the cloud to store data and as a means of delivering software "as a service." Sharing server capacity is not only economical but is environmentally friendly, and can give businesses access to software, storage and security features that they might not otherwise be able to afford. However, while cloud computing offers many benefits and opportunities to businesses, it also presents challenges that need to be overcome before its full potential can be realised.

While cloud computing is not new, the momentum behind it has never been so great: Apple's iCloud and Chromebook, Google's cloud-based laptop have raised the profile of cloud computing considerably by bringing it to the general public, while ever-increasing server capacity, network access and virtualisation of computer resources (which allows for the leveraging of IT hardware and software capabilities by virtue of economies of scale) are making cloud computing a viable and attractive IT solution to businesses of all sizes. There are broadly speaking two kinds of clouds: public and private. The private cloud, also known as the internal or proprietary cloud, provides dedicated network services to a single or limited number of users and is typically managed by the organisation it serves. The public cloud on the other hand is more open in nature (although still secure) and is based upon the true cloud computing model whereby the latest IT solutions are made available to the general public over the internet, bringing cost-savings and almost infinite scalability. Examples of public cloud providers include Window's Azure Services Platform and IBM's Blue Cloud. A third model, the hybrid cloud, blends characteristics of both the private and public cloud. It is the public cloud that is the focus of this article.

Data Protection Laws: Dark Clouds or Just a Storm in a Tea Cup?

Current data protection laws are problematic from a cloud computing perspective; they operate on a national basis, whereas cloud computing operates on a transnational basis. While this poses challenges, it also presents opportunities: the development of cloud computing can enable the creation of a single market for IT services in Europe, going to the heart of the European project. This is an opportunity that should not be missed: legislators and policy makers at national and European level should work together to ensure that the right regulatory and legal framework is in place to facilitate the full realisation of the value of cloud computing to the business world. This can be achieved by creating a regulatory environment that takes into account the international nature of cloud computing and the large scale invisible flow of data across national borders.

Security in the Cloud

In order for businesses to migrate to cloud computing, they need to be confident that their data will be kept secure. To achieve this, the cloud provider's security and privacy policies must be fully transparent if the user is to trust the cloud provider with its data. Data confidentiality, integrity and availability are vital to any business. Therefore, any business wishing to avail of cloud computing services should ensure that before entering into a cloud computing contract the following are adequately provided for:

  • Strict access requirements to datacentres to prevent physical theft or interference with the IT hardware;
  • Encryption of all data sent to and received by the cloud provider and such other cloud security software as is necessary. This is an essential part of ensuring that all data held in the cloud will be safeguarded; and
  • Scheduled data backup and safe storage of backed-up data.

Locked in the Cloud

There is a legitimate concern among potential cloud customers that migrating their IT solutions to the cloud will result in "lock-in" with the chosen cloud provider. There are two obvious ways in which this can arise. Firstly, if the customer wishes to switch cloud providers it may be faced with interoperability issues: different cloud platforms may not support migration from one cloud to another. To overcome this, cloud providers might consider working together toward establishing agreed standards to facilitate the movement of data across different clouds platforms. Secondly, users of cloud services will require contractual provisions which obligate the cloud provider to assist the cloud customer to migrate its' IT requirements and data out of the cloud and back-in house with additional provisions governing the retention and destruction of all the cloud customer's data, particularly confidential or proprietary data.

Liability in the Cloud

Most cloud computing contracts will contain comprehensive limitation of liability provisions including both a financial cap on liability and an exclusion clause for indirect losses, and in most cases a separate exclusion clause for data loss and data breaches. A common feature of cloud computing contracts involves linking the financial cap in liability to the amount of fees paid by the cloud customer under the contract, often limited to a time-specific period, eg the previous twelve months.

As with most commercial agreements, whether a cloud provider will negotiate a limitation of liability clause for data loss and contract breaches depend upon the circumstances of the particular contract. Factors include the cloud-based service to be provided, the sensitivity of the data in question, the size of the customer and the overall value of the contract. Typically, cloud providers will not enter into any negotiations regarding contractual provisions with small or medium sized customers, especially in relation to limitation of liability clauses – the contracts are offered on a "take it or leave it" basis. However, larger customers should seek to use any leverage they have, due to their size or potential spend on cloud services, to obtain a better allocation of risk for data loss and contract breaches; this could be achieved by negotiating for an increase in the cloud provider's cap on financial liability. Ultimately, any negotiation on these provisions will depend upon on the bargaining strength of the respective parties.

Floating Across Jurisdictional Lines

Just as real clouds float across geographic boundaries, so too does the data stored in virtual clouds. This can cause difficulty in deciding on a governing law clause in a cloud computing contract, particularly if the cloud provider and the cloud customer are located in different jurisdictions, and the data is stored in datacentres across numerous countries. The most common approach at present is for the contract to be governed by the laws of the country where the cloud provider is based, irrespective of the storage location of the data, where the cloud customer's place of business is or the application of the cloud customer's national data protection laws.

Global Solutions for Global Problems

The issues identified above must be tackled at a global level: cloud computing is technology with a global reach and therefore should be regulated accordingly. With this in mind, a number of issues need to be addressed. European and international policy makers should strive to create a legal and regulatory framework that facilitates cloud computing through harmonising data protection legislation, at least at a European level, to allow for the transfer of data in the cloud while ensuring that data confidentiality, integrity and availability are always respected. Furthermore, cloud providers should work together to establish interoperability standards that allow the migration of data between clouds or its transfer out of the cloud. Cloud computing is part of the smart economy, and given the ever increasing globalisation of economic markets, it naturally follows that cloud computing must not be hampered from operating on a transnational basis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.