More and more businesses are asking themselves:
Is using cloud for the storage of our data a good solution?
The usual advantage is price and availability of data from anywhere. The most common disadvantage is the fact that “your” data would not be in “your” place, but somewhere else. That’s why the decision to use cloud includes the analysis of associated legal issues.
The first article about cloud on this website focuses on the legal risks that a lawyer must analyze in a cloud service contract. It gives an overview of the issues highlighted by academics and practitioners. However, the list is certainly not exhaustive.
In the area of cloud, the lawyer should consider these topics:
- The protection of personal data stored in cloud
If some of the data stored in the cloud are personal data, you should think about the many obligations connected with their protection (see their overview at data & it law). In general, European rules are more restrictive than rules from other countries. The regulation lacks explicit rules for several issues in this area, such as the cross-border transfer of data or the question of which institution controls and punishes violations of the legislation. These topics must be resolved using present legal instruments or by a contract.
- The risk of data loss or damage
Cloud computing providers try to limit their liability, even though the risks are very high. The lack of proper legal regulation is obvious in this area. Therefore, the contract must deal with the issues of access to data, limitation of liability, contract termination, third-party involvement, control by audits (including physical control), bankruptcy of the cloud provider, the modification of terms of service, etc. The contract should also include the provider’s obligation to report any data security breach.
- Liability for illegal data
The legal solution to this issue depends on the jurisdiction. In the European context, eCommerce Directive 2000/31/EC establishes no liability for services that consist of the storage of electronic information under specific conditions, such as no knowledge of the illegal nature and immediate resolution of the situation. The problem is that the protection focuses on storage, but not on processing activities. It is possible to continue with such examples from all around the world.
The contract should clearly specify the data ownership. Moreover, it should include obligations on how to deal with data after the termination of the contract, especially the issue of data removal by the cloud provider.
The liability of the cloud provider might be limited if damages were caused by force majeure. However, it is necessary to stress that the force majeure reason is applicable only if the cloud provider had mitigated the loss with all reasonable measures. Therefore, there might be a good reason to include a demonstrative list of these measures.
- Governmental request to get access to data
If the request is legal, the provider is, in general, obliged to accept the request. Therefore, several practitioners mentioned that it might be good for you to have some time to analyze your data before the provider gives them to officials.
Not even the best contract for a cloud service would protect you from a wrong partner. Accordingly, it is necessary to get as much information about your future partner as possible, conduct proper due diligence, and sign a contract only when you see minimal potential risk.
Note: This article is intended as a summary of issues. Its purpose is not to provide legal advice or create an attorney-client relationship between you and the author of this article.