Cloud Computing - climate change for legal contracts? - 1st July 2010
Posted by Joe Haugh on Mon, Jul 05, 2010 @ 11:51 AM
With the increasing use of cloud computing (see article here), businesses are asking what legal implications they face in adopting this medium in relation to data security and protection. With all the talk (and questions) about Cloud Computing, EuroCloud Ireland in conjunction with the Irish Computer Society organised the above seminar to discuss the legal aspects of Cloud Computing.
The interest level was demonstrated by over 170 people from a variety of business sectors and the public sector attending two morning seminars or viewing via a live web stream. Philip Nolan, partner at Mason Hayes+Curran and board member of EuroCloud Ireland, was the main speaker, and in his talk he emphasised a number of points:
- He pointed out that as the cloud was developing, most participants were primarily concerned about the one-sided contracts offered by cloud providers and the data protection difficulties arising when personal data is put into the cloud. However, Nolan stressed that these issues were largely the result of the uncertainty accompanying the shift to a new platform and could be addressed through an understanding of the underlying legal issues and by putting proper contracts in place.
- Nolan drew attention to the recent LA-Google cloud computing contract, under which the City of Los Angeles is moving away from desktop software and local storage into the cloud. The terms of this contract, which include an unlimited right to damages for data breach, were very favourable to the city, Philip pointed out.
- Nolan also pointed out that the data protection issues surrounding the cloud had evolved considerably in recent months. The Article 29 Working Party, the EU’s data protection advisory group, was acutely aware of the complications posed by uploading data into the cloud. The Irish Data Protection Commissioner was also in the process of implementing a mandatory notification regime for data breach, a development that could provide additional reassurance for users of the cloud, while increasing costs for providers of cloud services.
In the follow-up Q&A, a lot of conversation centered around the Safe Harbour legislation of the USA and how the European Union deals with it. It was noted that if a company is in compliance with this legislation, then the European Union recognises that company as being compliant with the European directives on data protection.
Some of the panel members noted that due diligence is always required to ensure that a company is fully compliant with the Act and not just paying lip service. There have been a number of reviews by European and Australian regulatory bodies which found that a percentage of companies, while claiming compliance with the Safe Harbour principles, were not in actual compliance.
There was a lot of discussion on the use of third-party service providers by cloud service providers. The advice was that when companies are dealing with cloud service providers, they should also determine if any third parties are being engaged by the cloud service provider to manage certain aspects of the cloud service (e.g. data backup or database administration services). If third parties are being used, then the responsibilities of the cloud service provider in managing these third parties should be raised in the SLA talks and explicitly put into the contract.
EuroCloud Ireland would like to thank Michael Martin of Irish Software Innovation Network and Microsoft Ireland for their support of this seminar.