The cloud represents one of the most important changes in enterprise computing since the invention of the computer itself. The cloud provides organisations with the opportunity to outsource their computing capability to a third party provider of networks, servers, storage, applications or services located in multiple jurisdictions. We set out below a summary of the legal issues that both cloud providers and cloud customers must consider when providing or receiving cloud services (i.e. IaaS, PaaS and SaaS) in the European Union (EU). These issues are in addition to other contractual issues that must be considered when allocating risk in any technology transaction or service agreement.
General Data Protection
Any business that operates in the European Union is likely to collect, store, process and transfer personal data. The processing of such personal data is subject to the European Data Protection Directive (95/46/EC) and the European Privacy and Electronic Communications Directive (2002/58/EC) (together, the EU Data Protection Framework), both of which are implemented, with national variations, in each of the EU Member States.
The regulatory regime imposes obligations on those who are involved in the ‘processing’ of ‘personal data’. The definition of ‘processing’ and ‘personal data’ under the EU Data Protection Framework is so wide that most cloud arrangements will involve to some extent the processing of personal data by the cloud provider, whether on its own behalf or on behalf of a cloud customer.
The obligations imposed under the EU Data Protection Framework apply to the data controllers, being the entities that determine the purposes and means of the processing of personal data. However, many of these obligations are passed through by contract to the data processors (e.g. the cloud providers), who process personal data on behalf of the data controllers. Failure to comply with the EU Data Protection Framework can result in enforcement action being taken against the data controller, which can include significant fines or criminal prosecution.
In January 2012, the European Commission released a proposal for a new and comprehensive rewrite of EU data protection law, which promises to have a major impact on companies doing business in the EU, including the introduction of a 'country of origin' approach to data protection compliance in the EU and obligations being imposed directly upon both data controllers and data processors. The proposed regulation will therefore significantly impact cloud providers and cloud customers.
A fundamental cornerstone of the EU Data Protection Framework is the obligation to keep personal data secure, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage. Weaknesses in information security have become a fundamental threat to the success of cloud computing. The growth in cyber crime and the increase in data breaches have ensured that cloud providers invest heavily in secure platforms.
Information security concerns the availability, confidentiality and integrity of data. The ISO/IEC 27000 series of standards addresses information security management and includes a certification process for information security management systems (ISO/IEC 27001). All cloud providers and cloud customers must consider what security standards apply to their data, and a cloud customer should not treat a provider's certification as a substitute for its own assessment of the controls that actually protect its data.
International Transfer of Data
A key issue with cloud arrangements in the EU is the international transfer of data. The cloud is by its very nature territorially neutral, and personal data can therefore move between numerous jurisdictions depending upon server capacity and availability. The EU Data Protection Framework is extremely prescriptive about how and when personal data can be transferred outside the European Economic Area, and cloud customers and providers therefore need to consider the available mechanisms, including US Safe Harbor, Binding Corporate Rules and Model Contractual Clauses. There are also significant issues with cloud providers disclosing data outside of the EU in response to foreign legal process (e.g. requests under the USA PATRIOT Act) without the knowledge or consent of the cloud customer. This has been a particularly controversial area, but it is not necessarily a new issue unique to the cloud or indeed to the US.
Data Breach Notification
The proposed General Data Protection Regulation would impose a general requirement on all businesses to notify data protection authorities and data subjects in the event of a data breach. It is proposed that notice of data breaches must be provided to the data protection authority 'where feasible' within 24 hours, and to affected data subjects 'without undue delay'. While breach notification has recently become a requirement for telecommunications and internet service providers in the EU, the General Data Protection Regulation would extend this requirement to all organisations. Given the increase in global cyber risks and the reputational impact and associated costs of data losses and breaches, this aspect of the reform is likely to have a significant impact on cloud providers and customers, who will need to agree in advance how a provider detects, escalates and reports an incident so that the customer can meet its own notification deadline.
Applicable Law
The relevant rights and obligations of the parties under a cloud arrangement will vary from country to country depending upon the applicable law. This will be important when an issue arises, such as a breach of contract, a negligent act or an infringement of intellectual property rights. In the EU, the choice of law is governed by the Rome I Regulation (for contractual obligations) and the Rome II Regulation (for non-contractual obligations), which set out the extent to which the parties are free to choose the law that applies to a contractual or non-contractual obligation. It will be important for both cloud providers and cloud customers to understand the risks associated with various events in jurisdictions where the applicable law is different from that anticipated.
E-Commerce in the EU
The Electronic Commerce Directive (2000/31/EC) imposes various requirements on cloud providers when they are providing cloud services. Under its 'country of origin' principle, EU businesses operating online generally only have to ensure that their activities are lawful in the Member State in which they are established, although this applies only within the Directive's 'coordinated field' and is subject to certain derogations.
Perhaps the most important aspect of the Electronic Commerce Directive, and consequently the most controversial, is the regulatory regime dealing with intermediary liability, which by its nature includes the liability of the cloud provider for the data that it hosts. The purpose of this regime is to ensure that intermediaries of data or content are exempt from liability (i.e. a safe harbour) in circumstances where they are not responsible for the relevant data or content themselves. The Electronic Commerce Directive distinguishes between acting as a 'mere conduit', 'caching' and 'hosting'. In respect of acting as a 'mere conduit', a provider of services that simply transmit data or content over a communications network will not be liable for that data or content provided that it does not initiate the transmission, does not select the recipient of the transmission and does not select or modify the content of the transmission. In respect of 'caching', a provider of services that facilitate the automatic, intermediate and temporary storage of data or content, for the sole purpose of making the content's onward transmission more efficient, shall not be liable for the nature of the content provided that certain conditions are met. Finally, in respect of 'hosting', a provider of hosting services shall not be liable for the content hosted on its services provided that certain conditions are met (e.g. no knowledge of unlawful content, and expeditious action to remove or disable access to the content on becoming aware of it). This is likely to be a key area of concern for cloud providers and cloud customers, particularly in light of recent European case law dealing with intermediary liability and concerns around the actions required to be taken against infringers.