Cloud computing opens a legal Pandora’s Box

25 Feb 2009

The technological utopia of cloud computing could meet its nemesis in the form of national regulations and issues around legal jurisdiction, a legal expert has warned.

Philip Nolan, partner at leading business law firm Mason Hayes+Curran, was speaking at an event organised by the Irish Software Association (ISA).

He said that with an increasing array of cloud-based services available, and with the promise of reduced IT costs, there are issues associated with cloud computing which businesses would need to take into consideration, such as concerns about the location of data, the viability of cloud-based services over the long term and negotiating contracts for cloud-based services.

“It is a mistake to believe that, because the cloud service delivery model is new, it is unregulated. There is an extensive pre-existing framework of regulation which applies to IT, software and e-commerce, which will be applicable to cloud-computing models, even though it may not have been drafted with cloud computing in mind.

“Although cloud computing is all about providing services remotely from what might appear to be global ‘cloud’, that cloud is still going to be subject to national regulations. The companies building the massive server farms that are going to support this cloud are going to have to think in terms of jurisdiction and so, in terms of location.”

Nolan pointed out that Ireland may be a particularly suitable candidate for locating the massive server farms the cloud is based on, not only because of the country’s strong international broadband links and the availability of qualified IT personnel, but also thanks to its mild climate, which is important in controlling the cost of cooling the hardware.

“One of the core concerns in relation to cloud computing services is going to be the location of customer data,” Nolan continued. “Various regulators will be interested to know where, and for how long, certain data is kept. Foremost among them is the Data Protection Commissioner and his EU counterparts.

“There is a big issue, for example, around transfers of data outside the European Economic Area: this can only be done under certain strict conditions. Also, with petabytes of data stored up in the cloud, data retention can become a thorny problem: legislation imposes different retention periods for different types of data (employment records, tax records, health and safety files, etc), while data-protection law says you can only keep personal data for as long as necessary.

“If stored in certain jurisdictions, data which customers might believe to be secure could, in fact, be subject to disclosure through, for example, the broad discovery powers of judges in the US, or extensive government surveillance powers under the US Patriot Act or the UK Regulation of Investigatory Powers Act,” Nolan added.

Discussing the commercial appeal of cheaper IT services promised by cloud computing, with vendors touting a pay-as-you-go model, Nolan pointed out that, in some cases, legal assurances given by service-providers reflect that lower price. A number of the services currently on offer are provided with ‘as-is’ warranties and little support or maintenance.

“Some of those terms and conditions may not stand up to Irish and EU consumer and contract law. Legislation such as the Unfair Terms in Consumer Contracts Regulations and the Consumer Protection Act of 2007 impose limits on the kinds of terms and conditions, in particular in relation to exclusions of liability, which businesses can adopt in their transactions with consumers, and these rules extend to cloud transactions.

“Even in a business-to-business context, cloud providers may not be able to exclude all risk relating to service interruptions or data loss,” he warned.

Nolan’s advice to businesses looking to invest in cloud-computing services would be to: research the viability of the vendor; examine the issue of liability for service interruptions and data loss; confirm whether the provider is including access to all future features and enhancements; see what protections are in place if the vendor goes bust; and confirm all the locations of the servers in the vendor’s cloud infrastructure.

By John Kennedy