At the present time, most of the legal issues involved in cloud computing will be resolved during the evaluation of contracts, ToUs, User Licensing Agreements (ULAs) and SLAs by the customer. It is important to differentiate between the case of a small-to-medium-sized organisation, which would make a choice between different contracts offered on the market, and a larger organisation, which would be in a position to negotiate clauses. In the legal analysis of this paper, we take the perspective of the small-to-medium-sized organisation which is assessing different contracts, SLAs, etc., offered on the market, since this is the more common case. This is because the business model of cloud computing differs from that of outsourcing: in order to deliver some of the benefits to its customers, cloud computing relies on the economies of scale from providing a low-cost, commodity service, as opposed to a service specifically tailored to a customer’s needs. Larger organisations may however use the same considerations when negotiating contracts. While past experiences with similar Internet technologies provide some guidance to allow customers and cloud providers to assess the security risks involved in cloud computing, it is necessary for both to consider the unique nature of cloud computing when evaluating these risks.
Although there is much common ground, certain standard contract clauses may deserve additional review because of the nature of cloud computing. Particular attention should be paid to rights and obligations relating to notifications of breaches in security, data transfer, creation of derivative works, change of control, and access to data by law enforcement entities. Because the cloud can be used to outsource critical internal infrastructure, and the interruption of that infrastructure may have wide-ranging effects, attention should be paid to whether the standard limitations of liability adequately represent allocations of liability, given the parties’ usage of the cloud, or the allocation of responsibilities for infrastructure [see Division of responsibilities]. Until legal precedent clarifies concerns in relation to data security that are specific to cloud computing, customers and cloud providers alike should look to the terms of their contract to effectively address risks.
The following is a list of areas the customer should pay particular attention to when assessing SLAs, ToUs, ULAs and other agreements for cloud services:
1. technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures
2. Data Security: attention should be paid to mandatory data security measures that potentially cause either the cloud provider or the customer to be subject to regulatory and judicial measures if the contract does not address these obligations.
3. Data Transfer: attention should be paid to what information is provided to the customer regarding how data is transferred within the cloud provider’s proprietary cloud, outside that cloud, and within and outside the European Economic Area.
4. Law Enforcement Access: each country has unique restrictions on, and requirements providing for, law enforcement access to data. The customer should pay attention to information available from the provider about the jurisdictions in which data may be stored and processed and evaluate any risks resulting from the jurisdictions which may apply.
5. Confidentiality and Non-disclosure: the duties and obligations related to this issue should be reviewed.
6. Intellectual property: in the case of IaaS and PaaS, intellectual property, including original works created using the cloud infrastructure, may be stored. The cloud customer should ensure that the contract respects their rights to any intellectual property or original works as far as possible without compromising the quality of service offered (e.g. backups may be a necessary part of offering a good service level).
7. Risk Allocation and limitation of liability: when reviewing their respective contract obligations, the parties should underscore those obligations that present significant risk to them by including monetary remediation clauses, or obligations to indemnify, for the other party’s breach of that contract obligation. Furthermore, any standard clauses covering limitations of liability should be evaluated carefully.
8. Change of Control: transparency concerning the cloud provider’s continuing ability to honour their contract obligations in the case of a change of control, as well as any possibility to rescind the contract.
The legal recommendations expressed are generally from the cloud customer perspective.
LEGAL RECOMMENDATIONS TO THE EUROPEAN COMMISSION
We recommend that the European Commission study or clarify the following:
1. Certain issues related to the Data Protection Directive and Article 29 Data Protection Working Party recommendations warrant clarification. In particular:
   a. Under which circumstances the Cloud Provider may be classified as a Joint Controller;
   b. The application of Section 25(2) of the Data Protection Directive as applied to the processing of data in countries outside the European Economic Area during the data’s transfer from one cloud provider to another, or within the company’s cloud;
   c. The impact of data transfers to, and from, countries outside the European Economic Area, if those countries do not ensure an adequate level of protection for the data;
   d. Whether the concept of “transferring data” should be re-examined in the light of technological advancements since the Directive was originally drafted, particularly in light of an accountability-based legal approach (e.g. as proposed by the Galway project (51)).
2. Whether cloud providers should have an obligation to notify their customers of data security breaches, and what information those customers should be required to pass on to end customers. This could also be accomplished through contractual clauses, so it should be investigated which means would be more effective. For example, legislation on breach reporting could be difficult to enforce and could even act as a disincentive to transparency.
3. Whether it is necessary for Member States to clarify how the intermediary liability exemptions of the eCommerce Directive (articles 12-15) apply to Cloud providers.
4. The differences in Member States regarding laws governing enforcement requests by various public authorities for data stored in the cloud, in particular with a view to evaluating the differences in the level of protection vis-à-vis government requests for personal data stored on premise (home or business) and personal data stored in the cloud.
5. How best to support minimum data protection standards and privacy certification schemes, based on accountability concepts, which are common across the globe or at least across all the EU Member States.
More details on the five legal issues can be found in ANNEX I.