by Shaya Silber
Cloud computing refers to the access of digital information from anywhere with an internet connection. It’s hardly a new concept. Technically, most people have been cloud computing for well over a decade. Anyone with an email account “cloud computes” every time they log in to check or send a message. In most cases, the email messages are not stored on the computer. Rather, they are accessed and saved in the cloud.
Traditionally, companies would house their data locally. For example, each employee’s computer accessed one central server, which was owned, operated and housed by the company. The company would typically have its own computer technician(s) who would oversee the installation and maintenance of the company’s information systems. However, this approach is gradually being perceived as cumbersome and expensive.
Companies are now opting to utilize cloud computing. Rather than managing their own internal IT departments, companies are turning to subscription-based (sometimes even free) cloud-computing options. In most cases, it’s more cost efficient and less cumbersome. It can make a lot of business sense. However, this approach presents new risks that a company must turn its attention to.
One of the central features of cloud computing is that information is stored remotely. Your information may be stored in various locations, which may change over time and which may be beyond your control. When you are operating a business that is collecting and/or handling sensitive information, this can become somewhat tricky. For example, in many cases, a company is accountable for and must be aware of the whereabouts of all of its information (this obligation may stem from industry regulation or elsewhere). With cloud computing, this is difficult, if not impossible. Furthermore, when storing your information in the cloud, it often becomes subject to foreign laws, which may apply different standards with respect to privacy law, access, and seizure.
The issue of where your information is stored, and which privacy laws apply to it, is a murky one. There is some debate as to whether there are advantages to storing your information in certain jurisdictions. At the moment, there is no international privacy standard that is applied to cloud computing. This may lead to jurisdiction shopping.
It may be legally advantageous to use a cloud service provider that stores your information on servers located in Canada. The reason is that Canadian privacy law, which is primarily governed by PIPEDA, has strict access guidelines. This is in contrast to the American Patriot Act, which gives a broader scope for the search and seizure of private information. These jurisdictional issues raise novel concerns, which have yet to be deeply examined judicially, and should become clearer in the months and years to come (for example, if an American company stored their information on Canadian servers, they may still be obliged to produce the information as per the Patriot Act). In any case, discuss your plan with a lawyer prior to any implementation.
Other legal issues that revolve around cloud computing involve protecting the private information of clients, affiliates and other business information from potential mishandling. For example, in the event that you terminate your relationship with your service provider, can you be confident that you will be able to effectively retrieve all of your information in a timely, safe, and secure manner? How certain can you be that your provider will properly destroy all confidential information?
The above concerns are not fatal to the implementation of cloud computing in a business environment. While it’s impossible to guarantee the smooth operation of cloud computing, you can address the issues contractually at the outset of the relationship.
When entering an agreement with a cloud service provider, you should turn your attention to some key issues. For example, stipulate best practice measures with regard to securing the information, or guarantees of industry standards, if any. Furthermore, it is important to ensure that the limitation of liability provisions do not exonerate the service provider for breaches of privacy and security obligations. You should also obtain guarantees with regard to the continuous functioning of the system, and a detailed backup plan in the event of system failure. Of course, all of the above-mentioned guarantees must be accompanied by clear and strict consequences for failure to meet said obligations.
Also, it is important to ensure that the contract’s disclaimers do not exclude liability for certain fundamental aspects of the service. Furthermore, there must be a crystal clear understanding of the governing law of the relationship. Ambiguity with respect to the jurisdiction of a contract can be disastrous where the parties to a relationship, and its activities, are scattered across the globe.