Cloud computing – which includes Software as a Service (SaaS) and Platform as a Service (PaaS) – means that your programs and data are held on servers which are owned and managed by a third party. You then connect to them over the Internet.
There are many good business reasons for using cloud computing. You do not have the capital outlay for the server hardware, software licences and data centres. You can pay by subscription, or even on a “pay as you go” basis. Also, the servers are located in secure data centres and managed to a higher level than is normally possible or economic for most businesses.
But businesses should not be blinded by the advantages and rush into cloud computing without first considering the legal issues.
One of the key points is that your data – which may include the personal details of your clients and customers – is transferred to and held by a third party. This raises some crucial issues under UK and EU data protection laws.
There is a growing flow of news reports about data security breaches, in both the public and private sectors. In response, the powers of the Information Commissioner (the UK data protection watchdog) are being increased to include the power to impose substantial fines. Perhaps even more important is the effect that a data security breach can have on customer confidence, with the resulting loss of goodwill.
Under data protection laws, if you engage a cloud service provider to look after your data, you remain responsible for the security of the data and must ensure that the service provider gives “sufficient guarantees in respect of technical and organisational security measures”.
In order to comply with this you must put in place appropriate contract terms which require the service provider to comply with obligations equivalent to those imposed by data protection legislation. The standard T&Cs of many cloud computing service providers – particularly those based outside the UK or EU – do not comply with these data protection requirements.
Transfer of data offshore
So far as the cloud is concerned, it does not matter where data is located. Data may be held in data centres anywhere in the world. And data held in one data centre may be mirrored to another centre in another location for increased performance and backup.
In contrast, UK and EU data protection laws – devised before the cloud was conceived – are very concerned with the location of personal information. With limited exceptions, you cannot transfer personal information outside the European Economic Area (EEA) unless you conform to certain strict preconditions where adequate legal safeguards for the security of the data are put in place.
If you are dealing with a US cloud service provider that conforms to the “Safe Harbor” Privacy Principles, then this is one solution, so long as the data does not then leave the US for another jurisdiction outside the EEA.
An alternative solution is to use the contract clauses that have been approved by the EU for data transfers – the so-called model clauses. Again, these impose on the service provider contractual obligations which are equivalent to the legal obligations imposed by EU data protection laws.
Failing to put in place one of the defined solutions that enable transfers of data outside the EEA is a major breach of the data protection laws. Again, typically, service providers will not adequately address these issues in their standard T&Cs.
Liability and risk
In terms of managing the risk of buying cloud computing services, a crucial element is the terms of the contract with the service provider. Bear in mind that, in the event of an outage or data security breach, you could be in breach of contract to your own clients. The worst of all worlds is for your clients to have a claim against you, while you have no remedy against the service provider who was at fault. You therefore need to consider carefully the T&Cs – and service level agreements – on which you are buying the cloud services.
Many service providers include extremely wide exclusion and limitation of liability provisions in their standard T&Cs. Typically, such terms say that the service is provided “as is” and at the customer’s own risk, that no warranties are provided and that the service provider will “not be liable for any direct, indirect, incidental, special, consequential or exemplary damages”. In other words, if something goes wrong, don’t claim from me!
Under English law, such heavily one-sided standard T&Cs which leave the customer with little or no remedy may not be enforceable. However, where the cloud service provider is based outside the UK, English law is unlikely to apply.
Users of cloud computing services are well advised not to accept standard T&Cs blindly, but to check them carefully and insist on terms that comply with data protection laws, provide service level guarantees and offer a reasonable allocation of risk if things go wrong.