Cloud Computing is perhaps the "hottest" topic in the technology sector at present, with some industry experts predicting that the global Cloud Computing market will be worth approximately US$150 billion by 2014. In order to take advantage of this Cloud Computing explosion, both suppliers of cloud services and customers will need to be alive to the key regulatory and contractual risks associated with Cloud Computing. In the first of this two-part series, we look at:
- What is meant by 'Cloud Computing' and its benefits;
- How Cloud Computing is currently regulated;
- Whether a licence is required to provide cloud services;
- Key data protection issues; and
- Key security issues.
What is Cloud Computing?
The term 'Cloud Computing' covers a broad range of internet-based IT services. Whilst there is no universal definition, at its most basic Cloud Computing refers to users being able to access software through the internet and store data on suppliers servers rather than maintaining their own IT infrastructure for this purpose. In broad terms, the types of services provided by suppliers as Cloud Computing will fall into one or more of the following categories:
- Software as a Service (SaaS): where customers access and use software (e.g. applications for word-processing, spreadsheets, email, and customer relationship management) through the internet rather than storing it on local computers;
- Platform as a Service (PaaS): where the customer is able to use cloud-based computing platforms for deploying applications on the internet (to other third parties) without having to invest in and manage the underlying hardware and software; and
- Infrastructure as a Service (IaaS): where customers can use computer infrastructure (e.g. servers, software, data centre space and network equipment) as a service through the internet.
What are the benefits of Cloud Computing?
Cloud Computing offers numerous potential benefits including reduced capital and operational expenditure, more flexible working, 'on-demand' software and data storage, and lower carbon emissions.
How is Cloud Computing currently regulated?
Cloud Computing is not currently subject to specific regulation. However, customers and suppliers of Cloud Computing may be potentially subject to a range of laws: for example, data protection legislation (please see below) and any relevant industrysector regulations (e.g. financial services and healthcare).
Is a licence required to offer Cloud Computing services?
Despite the lack of specific regulation, in certain jurisdictions the provision of Cloud Computing services will require the supplier to obtain a licence. For example, in China the provision of SaaS, PaaS or IaaS services will require the supplier to obtain a Type 1 Value Added Telecom Business Licence.
The situation may be further complicated where Cloud Computing services are 'bundled' with other services, such as internet connection, as such other services may be subject to specific regulatory and/or licensing requirements.
What are the key data protection issues?
Storing and processing customer data at remote data centres gives rise to potentially complex data protection issues which need to be addressed in order to avoid customers and suppliers breaching applicable regulations:
- Data Export Restrictions: in many jurisdictions the export of data to other jurisdictions is prohibited or subject to onerous restrictions;
- Monitoring Data Handling: customers will commonly be under data protection obligations to ensure that suppliers only handle personal data stored in the cloud in accordance with the customer's instructions and take appropriate measures to keep the data secure. Suppliers and customers need to consider what practical audit and data access rights can be agreed which will enable the customer to ensure compliance by the supplier;
- Regulated Industries: customers operating in regulated industries such as financial services or healthcare may be subject to even more stringent data protection obligations given the financial value or sensitivity of data such as bank details and medical records;
- Multiple Jurisdictions: complying with data protection regulations will be further complicated if the customer data are split up and stored by the supplier in different data centres all over the world. Such data are potentially subject to: (i) the data protection laws of every jurisdiction in which it is stored; and (ii) inspection by local law enforcement authorities (e.g. under anti-terrorism legislation); and
- Service Agreement Terms: drafting the service agreement terms to ensure compliance with applicable data protection law may be especially challenging if multiple data protection laws apply.
What are the key security issues?
Cloud Computing commonly involves large volumes of data being transferred by the customer to the supplier's remote servers for storage and processing. Building customer confidence in relation to the security of information stored in the cloud will be critical to customers.
Suppliers will wish to minimise their potential liability for losing or leaking customer data but service agreement provisions that seek to limit or exclude liability or statutory warranties too broadly will serve to decrease customer confidence and may also be unenforceable, particularly where customers are consumers.
Customers may wish to have the option of enhanced security Cloud Computing services. For example, suppliers could offer to construct a 'private cloud' in a fixed jurisdiction with enhanced security and segregated data. For particularly sensitive data, customers may even require the option of selecting the supplier employees who will manage the services and have access to the relevant servers.
What are the other key issues?
In the second of this two-part series, we look at:
- Ensuring quality of the cloud service;
- Exit strategies and switching suppliers;
- Key IPR issues; and
- Due diligence of a Cloud Computing company.