1 / 19

The Gathering Cloud computing - Legal considerations

Aberdeen Edinburgh Glasgow. The Gathering Cloud computing - Legal considerations. David Goodbrand, Partner. 28 February 2013. What is cloud computing?. IT services delivered over the internet Increased data storage and processing capacity cost benefits back-up on high quality servers

jasmine-khorvash
Download Presentation

The Gathering Cloud computing - Legal considerations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AberdeenEdinburgh Glasgow The GatheringCloud computing - Legal considerations David Goodbrand, Partner 28 February 2013

  2. What is cloud computing? • IT services delivered over the internet • Increased data storage and processing capacity • cost benefits • back-up on high quality servers • high quality service support • (too) quick and easy to set up • BUT are people aware of what they are signing up to?

  3. What do you mean by cloud? • Service as opposed to Product • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) • What type of Cloud? • Private • Community • Public • Hybrid

  4. It is all about balancing: • Risk • Cost • Control • Responsibility on customers to conduct proper due diligence

  5. Benefits and Risks Benefit Risk Solution may not precisely match corporate need Contracting on fixed standard terms with limited protections Lack of control over data and content Potentially increased compliance costs • Low, fixed cost. • Improved support and maintenance • Minimises hardware investment cost • Reduces internal management overhead

  6. Legal issues • Data Protection • Standard terms • Intellectual property rights • “Lock-in”

  7. Data Protection Principles For Data Controller 1. Fair and Lawful Processing 2. Specified and Lawful Purposes 3. Adequate, Relevant and Not Excessive 4. Accurate and Up To Date 5. Not Kept Longer Than Necessary 6. Recognise Data Subject Rights 7. Appropriate Security Measures 8. No Transfer Outside EEA Without Protection

  8. Legal issues – data protection • “Personal data” inevitably transferred to cloud service provider (“CSP”) • Customer remains “data controller” • CSP becomes “data processor” • Will CSP comply with customer’s obligations under the Data Protection Act 1998? • Can CSP sub-contract? • Can CSP transfer data to third party?

  9. Legal issues – data protection contd:- • Data subject must be informed who processes their data and for what purposes. • Is this possible where data processor is CSP or a sub-contractor? • Where does responsibility for security breach lie? • With customer • Personal data not to be transferred outside EEA (with certain exceptions not including USA). • Where is CSP (or its sub-contractor(s)) based?

  10. New Data Protection Laws: Headline Proposals • Compulsory security breach notifications to authority and data subject • Expert data protection officer if 250+ employees • Privacy impact assessments for sensitive data use • Joint and several liability for controllers and processors • Sliding scale of fines– max 2% of annual turnover • Right to be forgotten: erase all data on request

  11. Legal issues – CSP’s standard terms • Usually tick box to agree to CSP’s Standard T&Cs • Terms will be very favourable to CSP • Risk allocation • Certain risks passed back to the customer • Limited warranties given and liabilities taken by CSP • E.g.. loss of data • Data back up • UK - Exclusions need to be reasonable under UCTA

  12. The battle ground? • Service levels/availability • Service credits? • Disaster recovery/business continuity • Escrow? • Assign-ability? • Termination rights • Audit rights – transparency • TUPE risk

  13. Governing Law and Jurisdiction • Favourable jurisdiction for CSP • Most CSPs will be based outside UK and agreements tend to be subject to US State law • What is the law? • How easy would it be to enforce your rights? • EU consumer protection and UK’s UCTA should not be relied on to provide protection

  14. Legal issues – Intellectual Property Rights • Although a service – still need a licence to use • What are terms of the licence? • Third party licences? • Does CSP provide indemnity against infringement of third party rights?

  15. Content licensing • Do terms provide licence from customer to CSP to allow CSP to use customer content? • Important because: • data protection issues • potential infringement of third party IP • confidentiality issues • Ensure any use of content by CSP is restricted • Can CSP remove data from servers?

  16. Legal issues – “Lock-in” • What is the term of the contract? • Can data be moved easily to another CSP? • What happens on termination? • Can all copies of data created be located and deleted? • Can CSP guarantee sub-contractors will delete all copies of data they possess? • All personal data should be deleted for data protection purposes on termination

  17. Future developments? • Law still trying to catch up with cloud computing after recent surge in its use • Draft EU General Data Protection Regulation proposed by European Commission • EU’s Article 29 Working Party has drafted an opinion which addresses key challenges for future • Make processor more accountable • Prohibit disclosure by data controllers to third country (even to judicial or administrative authority) where no international agreement in place authorising disclosure • European Governmental Cloud for public bodies in EU member states • Encourage growth of European cloud market – could help foster common standards throughout EU

  18. David GoodbrandPartner +44 (0)131 473 6125 Direct Dial +44 (0) 7802 933 272 MobileDavid.Goodbrand@burnesspaull.com

More Related