With cloud computing , technology has advanced more quickly than the law’s ability to effectively address its implications.
Consider the U.S. Patriot Act. It was recently revealed that U.S.-based cloud providers may have to comply with Patriot Act requests for data that’s located in a provider’s European data centres, even though this conflicts with the European Union’s 1995 Data Protection Directive.
In response to that conflict, the European Commission recently announced that it plans to propose reforms to the EU directive by the end of January 2012.
Of course, cloud computing was not even a buzzword when the directive was first formulated in 1995. But all of this serves as a good reminder to ensure that your cloud-computing contract effectively addresses issues associated with data location and legal requests for data access.
Data location
When you use a cloud computing provider, your data travels over the Internet to and from one or more externally managed data centres. It may be in, or processed by, data centres in multiple locations around the world.
A variety of legal issues can arise when a customer’s data resides in a cloud provider’s data centre in a different country than the one in which either the customer or the customer’s clients reside. Different countries, and in some cases even different states, provinces or municipalities, have different laws pertaining to data.
A key question about cloud computing remains unresolved: Which law applies to my organization’s data in the cloud: The law where I’m located, the law where my data’s located, or the law where the data subject is located? International consensus on this issue has not yet been achieved.
Most contracts specify the governing law under which any disputes would be resolved, as well as the location of the court where such disputes would be heard. With cloud computing, applicable laws governing your data could include the laws where your organization is headquartered, where your cloud provider is headquartered, where your cloud provider’s data centres are located, where the subjects of the data reside, and potentially the laws of the countries that your data passes through on its way to, from and among the cloud provider’s data centres.
For these reasons it’s essential for a cloud-computing contract to identify the geographic region within which the data centres hosting your data, and potentially the headquarters of the cloud provider, may be located, and to address the cloud provider’s obligations to keep your data in those regions. Otherwise, the overlaps and potential conflicts between the possible governing laws could make legal and data access compliance impossible.
Legal requests for data access
Should any of your data become the subject of a subpoena or other legal or governmental request for access, you have more direct control in managing the release of that data when your data is in-house than when it’s in the cloud.
A third party can request access to your data directly from your cloud provider, and your data could be released without your consent, or even your knowledge. (The Patriot Act specifies that data releases be done in secret.) To retain some measure of control, your contract with the cloud provider should:
* Require the cloud provider to notify you regarding its receipt of any such request. This clause should specify the time frame within which such notice should be provided, and in all cases notice should be given ahead of granting access to any of your organization’s data.
* Obligate the cloud provider to limit its disclosure of your data to the extent legally possible, and to cooperate with your efforts to appropriately manage the release of any data.
If your due diligence investigations of the cloud provider’s standard practices and procedures reveal that it has a policy in place that meets your data access requirements, you should codify that in the contract, and include a copy of that policy as an attachment.
There is more to be said about contractually addressing issues pertaining to your data when it has been consigned to a cloud provider. I’ll talk about some of them next month. Until then, I hope everyone has a happy holiday, and remember: We’re all in this together, so let me know if I can help.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.