People using the cloud for data storage must be aware of several dangers. One of the most widely known dangers is the loss of direct control over data. It is possible to contractually limit the use of data by the cloud provider. However, contracts usually underestimate the issue of cloud provider’s bankruptcy.
What is bankruptcy?
Different countries employ different legal regulations of bankruptcy. However, the majority of them share the same basic principle. When the cloud provider as a debtor cannot meet its obligations to one or more of its creditors, it files a petition for bankruptcy.
After the petition, the business and legal activities of the petitioner – cloud provider – are concentrated in the bankruptcy court. The court constitutes a single forum, in which all parties involved (usually creditors) may influence the situation of the petitioner. The situation usually leads to the liquidation or reorganization of the petitioner.
What about data?
One of the most common methods to satisfy the claims of creditors is the sale of the petitioner’s assets. It is possible to sell data of the cloud provider. At this point, data stored by the cloud provider might be used without the consent of a person, whose data are stored.
There is a very small level of legal regulation of the rights of data owners in case of cloud provider bankruptcy. After all, there is a small level of regulation of cloud computing in general. However, some countries started to tackle these issues.
Right to get data back in Luxembourg
In Luxembourg, the new law introduced a right to claim back intangible and non-fungible movable assets from a bankrupt company. This should allow for the recovery of data from bankrupt providers of distance IT services or cloud computing solutions. The person, whose data are stored, must actively pursue data recovery.
In order to recover data, it is recommended to include provisions into a contract on how to separate your data from other data of a cloud provider. Moreover, the contract should deal with the issues of the cost of the separation. Finally, it should address the data deletion and create its clear procedure.
What if you are not in Luxembourg? Own your data!
If you are not in Luxembourg, you need a protection resulting from another basic principle of bankruptcy law. The bankruptcy court may only deal with assets in the ownership of the petitioner. It means that if the contract clearly stipulates that the cloud provider is not the owner of the data, the bankruptcy court should not be allowed to sell data without consent.
However, determining ownership is not always easy. David Caplan (in his wonderful analysis) highlighted two issues that might cause problems: Who owns the user’s name or the right to sell that name (or its buying habits, etc.) as a part of a customer list? Who owns the software code that makes the application interact with the server’s operating system, if the user is a software developer?
As a best practice, he suggested to specify all parties involved at the time of the cloud contract finalization. The contract should clearly delineate who owns data and who has the right to control dissemination of the information, code, etc., that will be placed in the provider’s hands.
With regard to the costs of the data recovery, it is necessary to stress that in case of bankruptcy, the cloud provider usually does not have resources to separate data or recover them. That’s why it is recommended to accept certain costs of data recovery, so that it is technically possible to recover them.
Problems with multiple parties in the cloud service
The situation gets even more complicated in case that the cloud provider outsource some of its services. Then, the bankruptcy of any of them might impact the data owner. The best method is to prevent this situation in the contract. For further and deeper analysis in US context, look at the analysis of David Caplan.
Your best type of defense against potential loss of data in the cloud, is the contract, its quality and proper due diligence of the other party. It is necessary to deal with the issues of legal ownership of data and rights to disseminate data. Moreover, the contract should specify technical and financial details of data recovery.
Hopefully, the legislation will get better in this area and would lead to better and more predictable solutions of these situations for all involved parties. Until then, the primary instrument is the cloud contract, so be careful.
Note: This article is intended as a summary of issues. Its purpose is not a to provide legal advice or create an attorney-client relationship between you and the author of this article.