The introduction of the 'cloud' and its characteristics
as an efficient means of data storage and on-the-go access to
information is very appealing to modern businesses. It is natural
that businesses and individuals alike would desire a technology
that would accommodate their needs in an efficient and
cost-effective manner. Therefore, it is not surprising that the
number of businesses and individuals buying into the idea of cloud
computing has increased significantly over the years.
International Business Machine ("IBM"), a leading cloud service provider already predicted that seventy-five per cent of existing non-cloud applications will move to the cloud within the next three (3) years. If this prediction becomes a reality, it would mean that a good percentage of the world's data would be swinging in the 'cloud'.
Unfortunately, most business leaders underestimate the legal risks related to this technology as they prefer to pay more attention to the business risks threatening profits and margins. While it is impossible to rewind or prevent technological advancements that breed innovations like cloud storage and cloud computing amongst others, it is business-wise to pay attention to the legal implications of migrating data to the cloud before taking this defining step.
This article will briefly explain the concepts of cloud and cloud computing in simple terms, its features and types as well as an overview of some of the most relevant legal issues involved in cloud computing.
Explaining "Cloud" and "Cloud Computing"
So, what is the 'cloud'? The answer is simple – just visualize a company's Information Technology ("IT") department on a massive scale at a designated location. In other words, the cloud can be described as a virtual communication platform that provides application services and other data resources for an entity.
Cloud Computing on the other hand is the delivery of on-demand computing resources, from applications to data centers over the internet on a pay-for-use basis. The features of cloud computing which also double as its advantages are as follows:
- Scalability or elastic resources: the ability to scale up and down quickly and easily to meet changing demands.
- Metered Services: consumers have the opportunity to use the service on a pay-as-you- use basis.
- Self-services: consumers have self-service access to all IT resources required for operation.
- Multitenancy: allows the service to be available through virtualization and resource pooling, over a wide set of services.
- Economics: the service is highly economical as it allows consumer access to the service on-demand and for the time strictly needed.
There are three (3) models used to describe the types of Cloud Computing and these are:
i. Infrastructure as a Service (IaaS): this is the pay-as-you-go service that provides servers (physical or virtual), cloud-based storage and applications that the administrator will use to set up its service. An example of this is the iCloud service that allows people store information on the virtual storage platform and access their information from anywhere in the world.
ii. Software as a Service (SaaS): this model provides access to applications from various client devices through a client interface managed by the cloud provider. It is also described as the cloud-based foundation for software on demand as it ensures services are provided seamlessly to the end-users. A basic example of this is the OneDrive platform.
iii. Platform as a Service (PaaS): this is a platform within which developers can build and deliver their applications. This can basically be described as having a virtual laptop where one's software is housed and can be accessed remotely.
A central advantage to the above models of the Cloud Computing technology is that it allows users buy only the services they actually need without requiring costly investments for the purchase of infrastructure that could become outdated shortly after purchase. The cloud provider bears all the cost of set-up, maintenance, updates, security management and most importantly, all energy costs necessary to run the infrastructure, while clients are only charged under a pay-per-use or charge-per-use arrangement.
Some Legal Issues Involved in Cloud Computing
Data Protection: this is top on the list of legal issues that business owners need to understand before towing the 'cloud' way. There are data protection regulations that stipulate how information should be handled and business owners need to be aware of these regulations and the implications of not adhering to them. The European Union ("EU") released the General Data Protection Regulation ("GDPR") in 2018, which regulates the handling of data of EU citizens. The GDPR applies to companies outside the EU that offer goods/services whether paid or free to individuals in the EU. Accordingly, the GDPR will apply for example to a Nigerian company that offers goods/services to an individual in the United Kingdom and have access to personal data of such individual. In this instance, there are serious implications where the Nigerian company exports the citizen's personal data to the 'cloud' without obtaining the necessary consent and adhering to the data protection standard stipulated under the GDPR. Also, the Cloud Service Provider that will be involved in data processing must comply with the relevant provisions of the GDPR, otherwise the company will be liable for its non-compliance.
It is important to state here that Nigeria recently released its Data Protection Regulation and Companies need to be aware of the relevant provisions of the regulation on protection of data of Nigerians as well.
Another major concern around data protection is the sale of information by CSPs. It is no news that data is king, and people would pay lots of money to get access to data. There have been instances where some tech companies have been alleged to have sold people's data to government agencies and business competitors. Accordingly, companies need to ensure that their information are adequately encrypted with security details updated frequently.
Data Privacy: It is now globally understood that customers take privacy concerns very seriously and business owners would definitely not want to risk damage to their reputation as a result of unauthorized access to information which may ultimately lead to data leak. A company also stands at a risk of having sensitive corporate data and other confidential information stolen in the event of a security breach in the cloud. Therefore, it is the responsibility of a company seeking cloud services to require the highest privacy and security standard possible from the Cloud Service Provider ("CSP"). This is more important because a company cannot raise a defence of lack of custody in the event of data leak from the CSP's system. As a matter of fact, by agreeing to send its confidential information and other client data to the cloud, a company agrees to be held accountable for the consequences of data leak or even data theft. Therefore, a company needs to ensure that adequate firewalls are in place for required protection.
Furthermore, there are provisions in some Nigerian laws that allow government agencies retrieve information from a service provider upon obtaining a leave of the court. For example, section 39 of the Cybercrimes Act 2015 provides that where there are reasonable grounds to suspect that the content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a Judge may on the basis of information on oath:
- order a service provider, through the application of technical means to intercept, collect, record, permit or assist competent authorities with the collection or recording of content data and/or traffic data associated with specified communications transmitted by means of a computer system; or
- authorize a law enforcement officer to collect or record such data through application of technical means.
It is good that the above law requires that leave of court be obtained before any information is retrieved, however it is not impossible that some government agencies might request for a company's sensitive information from CSPs hiding under the excuse of investigating the company.
Data Property: while it is true that data sent to the cloud by a company remains the Company's property and the CSP acquires no right whatsoever in the data; the ownership status of data generated inside the cloud using data mining techniques are not so clear. In this instance it is possible for a CSP to lay claim to newly generated data on the ground that it was generated in the cloud using its data analytics solutions. Accordingly, it is very important for a company to have a comprehensive legal document with the CSP to provide for these eventualities.
Another legal issue worth mentioning is the liability of a company for data loss by the CSP. Here, the company risks damage to its reputation and might suffer financial damage due to compensation that the company would have to pay to the customer for loss of data and where applicable, loss of profit as a result of the breach.
Data is king and should be treated as such. However, businesses should first determine whether the benefits of obtaining the service of the cloud outweigh the risks associated with the use of the cloud in terms of security and other legal considerations. It is very important that a company should consider the above legal issues and more, as much as it considers the business advantages presented by this technology before going the cloud route.