Managing legal risks arising from cloud computing

by DLA Piper

[co-author: Phillip Kelly]

On 26 June 2014, the European Commission announced that it had been presented with guidelines on the standardisation of Service Level Agreements (SLAs) for cloud computing services.

The publication of the guidelines represents only the latest step in the Commission’s wider European Cloud Strategy, which was launched in 2012 with the objective of delivering a net gain of 2.5 million new European jobs, and an annual boost of €160 billion to European GDP by 2020.

The size of the market for cloud services across the EU, and the opportunities for growth that have already been identified, are indicative of the benefits that cloud services can bring to businesses of all sizes.   It is easy to see why there has been such a high take-up of cloud services and why the market is predicted to grow at such a rapid rate.  With the necessary infrastructure being the responsibility of the cloud service provider (CSP), the customer is spared the maintenance costs, capital expense and IT resource time typically associated with in-house IT projects.  Equally, because the infrastructure sits with the CSP, necessary resource and capacity can be acquired by the customer as and when it is needed, which can lead to very significant efficiency savings.

However, cloud services also bring risks, particularly for businesses with potential exposure to litigation or regulatory investigations, where documents may need to be accessed on a time sensitive basis and where any failings in document retention could result in significant negative consequences.  This article considers the nature of those risks and the steps that businesses can take to protect themselves in the context of the evolving cloud services market.

Summary of EU guidelines

The Commission’s publication of the guidelines for standardisation of SLAs for cloud services is undoubtedly a positive step towards assisting businesses across the EU in managing the risks associated with cloud services.  The guidelines have been prepared by a Cloud Select Industry Group, which included major CSPs such as Amazon, Google, Microsoft, Oracle and IBM and international professional service firms including DLA Piper and PwC.

The guidelines identify the types of objective criteria that should be included within SLAs to enable customers to measure performance.  Such criteria include the following:

  • availability levels, CSP response times, support and maintenance commitments and data retention policies;
  • security standards, including in respect of service reliability, user authentication, data encryption and security auditing rights;
  • data management standards, including in respect of data classification, data mirroring, backup and restoration policies, data lifecycle and data portability; and
  • personal data protection standards, including in respect of data protection compliance, data processing, notification of disclosure requests and limitations on the circumstances in which data can be transferred cross-border.

Users of cloud services within the EU will be better placed to control and monitor risk if the guidelines are adopted by CSPs within their standard form SLAs.  The Commission has indicated that it expects that adoption of the guidelines will lead to greater trust in cloud solutions, which in turn will lead to increased revenues for CSPs as the market continues to grow.

The objective of generating greater trust in cloud solutions should also be furthered when the proposed EU Data Protection Regulation finally comes into force.  The intention behind that Regulation is to create a single pan-European law for data protection, replacing the current position where, although the EU Data Protection Directive (No 94/56/EC) sets minimum measures for data protection, it is open to member states to implement stricter requirements.  This results in inconsistencies in national data protection laws and competing provisions applying to services that are provided across more than one member state.

Risks arising from the use of cloud services in the context of legal proceedings

Whilst the risk profile of using cloud services across the EU will likely change once the SLA guidelines and the EU Data Protection Regulation are adopted fully, businesses with exposure to litigation and regulatory investigations should be aware of the types of risks that are inherent when using cloud services.  In particular, the varying requirements under the laws of different European jurisdictions in relation to the retention, search for and disclosure or production of documents in the event of domestic or foreign litigation and varying data protection/privacy laws, can all lead to complications in the context of cloud storage solutions.

While typically more of an issue in common law jurisdictions (such as England, where parties to litigation are under a duty to retain and then disclose relevant documents in their control), cloud storage of documents may mean that document disclosure issues can also arise in civil law jurisdictions where obligations to produce documents are typically far more limited.  Particular issues arise in this context in relation to cloud document storage because of the attendant uncertainties concerning the physical location of cloud data.  As explained above, cloud storage is usually provided by a third party and located remotely from the business, often in another jurisdiction, in multiple jurisdictions, or even in changing locations.  In practice, therefore, a company’s data is often divided and stored in different countries and may become subject to the laws of the jurisdiction in which it is stored (e.g. where the CSP’s servers are located).

This can become problematic because of the varying laws, even across European jurisdictions, in relation to the collection of documents for foreign proceedings.  For example, while the search for and collection of data in the control of a party may be mandated by one law, the law of another European jurisdiction can prohibit the search for or disclosure of documents located in that jurisdiction for use in foreign proceedings.  The English court considered this issue (although not in the context of cloud services) as recently as last year in the cases of Secretary of State for Health and others v Servier Laboratories Ltd and others and National Grid Electricity Transmission plc v ABB Ltd and others, effectively deciding that documents stored in France must be disclosed notwithstanding that French law gave rise to a risk of prosecution for doing so.  Businesses may therefore end up in a position where the use of cloud storage solutions and the requirement to collect documents in the event of litigation exposes them to potential breaches of local laws even where they may not have been aware that their documents were located in the relevant jurisdiction.

Another key risk arising from cloud services in the context of disputes is the possibility of applications for third party disclosure being made directly against CSPs to compel them to provide documents within their control.  This is highly undesirable both for CSPs and customers and leads to the risk of conflicts between the CSP’s contractual obligations to customers and legal requirements imposed by, for example, a court order mandating disclosure.

Businesses should also be aware that the cross border nature of cloud storage could lead to the possibility of governments, law enforcement agencies or regulatory bodies in jurisdictions where data is stored being able to access their documents for the purposes of investigations or surveillance.  Generally speaking in these circumstances (unless the request can be challenged because it does not comply with applicable laws), the CSP will have little option other than to give access to its customer’s documents.  While it has always been the case that governments generally have rights under national laws to access privately held data in circumstances where national security or serious crime is an issue, cloud users should be particularly aware that the multi-jurisdictional features of cloud storage mean that documents may be susceptible to access by different governments across the world.

The particular legal issues that arise in the context of cloud computing can be mitigated by businesses keen to use it because of the significant commercial advantages that it provides.  Ideally, cloud customers should undertake due diligence into their CSPs at the outset to determine which jurisdictions documents are likely to be stored in and therefore which national laws will be at play.  It is also good practice to engage with CSPs about their procedures for dealing with disclosure requests from third parties (whether courts or government/regulatory bodies) in order to gauge the CSP’s awareness of the issues and their processes for considering and responding to such requests.

It is also important for customers to select CSPs who can easily facilitate the preservation of documents in the event of litigation or investigations by implementing the immediate suspension of auto-deletion procedures (thereby preventing possible adverse inferences in the event of the loss of data) and who offer sophisticated search tools that can provide benefits in any litigation or investigation.

The use and reach of all three varieties of cloud computing is expanding, and although undoubtedly a positive development for businesses across Europe, its limitations and risks should not be overlooked. Businesses should be cautious when deciding whether to utilise the technology, the CSP they choose, and the extent to which cloud storage is implemented, particularly in light of the difficulties that could arise in the context of document retention, litigation and investigations. This is particularly relevant as a result of the differing nature of technology and privacy laws across the EU, and whilst steps are now being taken to increase certainty and cooperation between and across states, different interpretations and approaches to disclosure and document retention will continue to cause difficulties for businesses. However, as long as businesses (especially those operating cross border) are aware of the issues and have open communication with CSPs, the actual and potential benefits of using cloud computing technology appear to far outweigh the risks.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
