The gathering cloud computing legal considerations
1 / 19

The Gathering Cloud computing - Legal considerations - PowerPoint PPT Presentation

  • Uploaded on

Aberdeen Edinburgh Glasgow. The Gathering Cloud computing - Legal considerations. David Goodbrand, Partner. 28 February 2013. What is cloud computing?. IT services delivered over the internet Increased data storage and processing capacity cost benefits back-up on high quality servers

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' The Gathering Cloud computing - Legal considerations' - nadine-snyder

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
The gathering cloud computing legal considerations



The GatheringCloud computing - Legal considerations

David Goodbrand, Partner

28 February 2013

What is cloud computing
What is cloud computing?

  • IT services delivered over the internet

    • Increased data storage and processing capacity

    • cost benefits

    • back-up on high quality servers

    • high quality service support

    • (too) quick and easy to set up

  • BUT are people aware of what they are signing up to?

What do you mean by cloud
What do you mean by cloud?

  • Service as opposed to Product

    • Software as a Service (SaaS)

    • Platform as a Service (PaaS)

    • Infrastructure as a Service (IaaS)

  • What type of Cloud?

    • Private

    • Community

    • Public

    • Hybrid

It is all about balancing
It is all about balancing:

  • Risk

  • Cost

  • Control

  • Responsibility on customers to conduct proper due diligence

Benefits and risks
Benefits and Risks



Solution may not precisely match corporate need

Contracting on fixed standard terms with limited protections

Lack of control over data and content

Potentially increased compliance costs

  • Low, fixed cost.

  • Improved support and maintenance

  • Minimises hardware investment cost

  • Reduces internal management overhead

Legal issues
Legal issues

  • Data Protection

  • Standard terms

  • Intellectual property rights

  • “Lock-in”

Data protection principles for data controller
Data Protection Principles For Data Controller

1. Fair and Lawful Processing

2. Specified and Lawful Purposes

3. Adequate, Relevant and Not Excessive

4. Accurate and Up To Date

5. Not Kept Longer Than Necessary

6. Recognise Data Subject Rights

7. Appropriate Security Measures

8. No Transfer Outside EEA Without Protection

Legal issues data protection
Legal issues – data protection

  • “Personal data” inevitably transferred to cloud service provider (“CSP”)

  • Customer remains “data controller”

  • CSP becomes “data processor”

  • Will CSP comply with customer’s obligations under the Data Protection Act 1998?

  • Can CSP sub-contract?

  • Can CSP transfer data to third party?

Legal issues data protection contd
Legal issues – data protection contd:-

  • Data subject must be informed who processes their data and for what purposes.

    • Is this possible where data processor is CSP or a sub-contractor?

  • Where does responsibility for security breach lie?

    • With customer

  • Personal data not to be transferred outside EEA (with certain exceptions not including USA).

    • Where is CSP (or its sub-contractor(s)) based?

New data protection laws headline proposals
New Data Protection Laws: Headline Proposals

  • Compulsory security breach notifications to authority and data subject

    • Expert data protection officer if 250+ employees

    • Privacy impact assessments for sensitive data use

    • Joint and several liability for controllers and processors

    • Sliding scale of fines– max 2% of annual turnover

    • Right to be forgotten: erase all data on request

Legal issues csp s standard terms
Legal issues – CSP’s standard terms

  • Usually tick box to agree to CSP’s Standard T&Cs

  • Terms will be very favourable to CSP

  • Risk allocation

    • Certain risks passed back to the customer

  • Limited warranties given and liabilities taken by CSP

    • E.g.. loss of data

    • Data back up

  • UK - Exclusions need to be reasonable under UCTA

The battle ground
The battle ground?

  • Service levels/availability

  • Service credits?

  • Disaster recovery/business continuity

  • Escrow?

  • Assign-ability?

  • Termination rights

  • Audit rights – transparency

  • TUPE risk

Governing law and jurisdiction
Governing Law and Jurisdiction

  • Favourable jurisdiction for CSP

  • Most CSPs will be based outside UK and agreements tend to be subject to US State law

    • What is the law?

    • How easy would it be to enforce your rights?

  • EU consumer protection and UK’s UCTA should not be relied on to provide protection

Legal issues intellectual property rights
Legal issues – Intellectual Property Rights

  • Although a service – still need a licence to use

  • What are terms of the licence?

  • Third party licences?

  • Does CSP provide indemnity against infringement of third party rights?

Content licensing
Content licensing

  • Do terms provide licence from customer to CSP to allow CSP to use customer content?

  • Important because:

    • data protection issues

    • potential infringement of third party IP

    • confidentiality issues

  • Ensure any use of content by CSP is restricted

  • Can CSP remove data from servers?

Legal issues lock in
Legal issues – “Lock-in”

  • What is the term of the contract?

  • Can data be moved easily to another CSP?

  • What happens on termination?

    • Can all copies of data created be located and deleted?

    • Can CSP guarantee sub-contractors will delete all copies of data they possess?

    • All personal data should be deleted for data protection purposes on termination

Future developments
Future developments?

  • Law still trying to catch up with cloud computing after recent surge in its use

  • Draft EU General Data Protection Regulation proposed by European Commission

  • EU’s Article 29 Working Party has drafted an opinion which addresses key challenges for future

    • Make processor more accountable

    • Prohibit disclosure by data controllers to third country (even to judicial or administrative authority) where no international agreement in place authorising disclosure

    • European Governmental Cloud for public bodies in EU member states

    • Encourage growth of European cloud market – could help foster common standards throughout EU

David GoodbrandPartner +44 (0)131 473 6125 Direct Dial +44 (0) 7802 933 272 [email protected]