Published by Outsource magazine, January 2011.

Cloud computing has been much discussed over recent years and is thought by many in the industry to represent the future for IT and data management. The model – whereby data storage and processing is carried out by a service provider on the internet (or in "the Cloud") rather than on the hard drives and/ or servers of individual entities – is particularly attractive to the SME community as it allows them to avoid the need to build and maintain extensive hardware infrastructure to support data warehouses. It also gives businesses great flexibility to scale-up or down their IT requirements as necessary with the minimum of cost. Familiar to people in the consumer space (facebook and hotmail both examples of services operating in "the cloud"), bringing "cloud computing" to business is now a fiercely competitive battleground with all the big IT players – such as Google (including in partnership with IBM), Microsoft and Apple – offering cloud-based products in varying forms that are suitable for business use. However, as well as other concerns (such as the inherent loss of control involved in using this model), the issue of privacy and in particular a company's ability to successfully comply with European data protection regulations could act to (at least partially) limit the uptake of cloud computing.

Data Protection - Legal Framework

The law on data protection in the UK is primarily governed by the Data Protection Act 1998 (the "DPA") which itself is derived from a European Directive on data protection (95/46/EC) (the "Directive"). The DPA legislates the use of information relating to a living and identifiable individual ("personal data") in the UK (with broadly equivalent acts across Europe also based on the Directive). What constitutes "personal data" is interpreted widely and has been held to cover information ranging from ISP and email addresses to more obviously sensitive information such as health records. Accordingly, almost every business will process personal data of some sort – whether it be contained in emails, personnel records relating to employees or client databases and so any UK company which seeks to outsource the management and storing of that information into the "Cloud" would need to comply with the provisions of the DPA. In light of this, there are perhaps three main areas which provide challenges in using cloud computing – namely:

  • Security
  • Transparency
  • Overseas Transfers

Security

An issue in outsourcing of any kind, the perception of data security concerns will be particularly pronounced where a business's data is being hosted in the cloud. Obviously, this is partly due to the loss of control over infrastructure that outsourcing to the cloud represents – but also due to the fact that the major cloud providers are prime targets for cyber attack. There is also an issue that many of the big service providers have a far from unblemished record in the area of data protection. Google, for instance, was recently censured by the Information Commissioner (the UK data protection regulator) for data protection breaches relating to the collection of data for its StreetView service – and the Information Commissioner was quoted in The Times on 8 November 2010 expressing deep reservations about the UK Government involving Google in a proposed new anti-terror database. Although not specific to cloud computing, this example demonstrates that regulators will look closely at the steps taken by companies in delegating the handling of their processes to external providers.

Perhaps most fundamentally, however, the DPA prescribes certain steps are taken by companies when using service providers – many of which will be difficult to implement when signing up to cloud computing. In particular, a written contract (which would include a "click-through" or "shrink-wrap" agreement) must be in place which mandates that the service provider must act only on the customer's instructions and offer sufficient guarantees as to the technical and organisational security measures it has in place to guard against loss or misuse of data. Although a company will enter into contractual terms with its supplier, the reality of the cloud model – whereby a relatively standard and commoditised service is offered to many customers – makes it unusual for a service provider to agree to the level of specificity or liability for loss or damage to data required by the DPA – at least without an additional cost.

Transparency

In addition to its security requirements, the DPA also stipulates that the individual to whom the data relates (the so-called "data subject") must be provided with certain information as to the identity of the party using or holding their data and the purposes for which that data will be used. Similarly, they have rights to access that information and rectify any inaccuracies. When using a cloud service, the identity of who is processing the data or where it is being processed is more difficult than when either storing the data in-house or processing it on one external physical data warehouse. This is particularly the case given what the Information Commissioner (in its recently issued "Personal Information Online – Code of Practice" (the "ICO Guidance"), describes as the "complex chains of contractors and subcontractors" inherent in cloud computing which mean that "organisations may not be certain who is processing personal data on their behalf". For the same reasons, dealing with data subject access requests can be more difficult when the location of that data needs to be tracked down. In each case, the DPA represents an obstacle to the operation of the flexible and dynamic model that is the heart of cloud computing.

Overseas Transfers

Finally, and not unrelated to the other issues discussed above, is the restriction in the DPA (and in the equivalent legislation across Europe) on the transfer of personal data outside European Economic Area ("EEA"). This restriction prohibits transfers outside the EEA unless it is to a so-called "adequate" jurisdiction, certain "adequate safeguards" are put in place or an exemption (such as consent) applies. How to navigate all of these conditions is a deeply complex area which is outside the scope of this article. Suffice to say that the much wider circulation of data inherent in cloud computing and the processing of data across multiple jurisdictions that it envisages makes the traditional means of compliance (such as the use of standard EC-approved contractual terms approved by the EU) much more difficult to implement. Instead it seems likely (and there have already been moves in this direction by providers such as Amazon) that cloud service providers will be forced to develop more restrictive "EU compliant" models which (at a price) either keep all data within Europe or make other commitments to ensure the "adequacy" of the data protection offered.

Solutions

The benefits of cloud computing are such that the above considerations will likely only dampen rather than derail the take-up of the service across Europe. Similarly, the differences with other contracting models can be exaggerated - as the Information Commissioner points out in the consultation preceding the ICO Guidance "the compliance issues it [cloud computing] raises are not substantively different to those that arise when using a contractor in a more traditional context". Nonetheless, although not necessarily different, the issues involved in adopting a cloud model can be harder to solve. To assist, the ICO Guidance sets out some questions to ask of a potential service provider including:

  • "Can it confirm in writing that it will process data in accordance with your instructions and will maintain an appropriate level of security?...;
  • Can it guarantee the reliability and training of its staff...?;
  • What capacity does it have for recovering from a serious technological or procedural failure?"

Interestingly, the ICO Guidance also suggests that the service provider sends the customer copies of its information regularly, in an agreed format and structure so that the customer "holds useable copies of vital information at all times". It also suggests it will be good practice to encrypt data prior to it being transferred to any online services company to reduce the risk of misuse by hackers.

What next?

All these recommendations are useful and reflect a genuine intention on the behalf of the Information Commissioner to assist organisations to navigate the DPA in a business-friendly way. In practice, however, the implementation of these rules will likely come at a price to the customer in increased service charges as well as potentially lessening the advantages in terms of flexibility and freedom from administrative burden that may have attracted them to the model in the first place. Short of full-scale amendments to the data protection legislation to reflect the many technological advances and changes since it came into force, this slightly compromised version of cloud computing seems to be the most likely model that will exist in Europe for the foreseeable future.

Footnote

1. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.