Using cloud type services is not risk-free (legal wise)
Cloud Computing is a cool concept, often used in the IT domain and vertiginously booming. According to a report of HIS Technology from February 2014, it is estimated that until 2017 companies will pay $ 235.1 billion for cloud services – that is three times more than in 2011. Among the giants that share the cloud market there are Amazon, Google, Microsoft, Barracuda Networks, Dropbox, etc. – each one of them with their own cloud “specialty”.
Microsoft Azure @ ITCamp in Cluj, Romania
In May, when I participated as a speaker at IT Camp event (in Cluj, Romania), one of the intensely approached topics was the usage of Microsoft Azure. The experts present at the conference enlarged upon the technical challenges regarding this cloud platform.
But it is worth knowing that, besides the technical challenges, there are also legal ones which cannot be neglected and which can greatly influence the activity of the “players” within the industry. Why is that? Cloud providers constantly face a dilemma: they have to provide solutions as advantageous and as innovating as possible from the technical and commercial point of view, but – at the same time – they have to comply with rules on personal data protection and security. But this balance is sometimes hard to achieve.
Cloud event in Bucharest, Romania
Microsoft Romania saw the necessity of dealing with the issue of personal data in the cloud. On the 4th of June 2014, they organized in Bucharest an event dedicated to cloud computing, inviting also a representative of ANSPDCP (Romanian privacy & data protection watchdog). Some challenges were addressed from the perspective of enterprise services provided by Microsoft (Windows Azure, Dynamics CRM Online and Office 365).
From my clients’ experience I know that there are some controversial aspects and, as I was expecting, the audience raised many questions. At times, the answers given by the representative of ANSPDCP clearly pointed to the fact that the cloud has in practice some “grey zones” which remain to be interpreted on a case-by-case basis by privacy & data protection experts.
Important to note
There are different types of cloud services and models which – in practice – trigger varied consequences, with differentiated legal obligations.
For instance, while Microsoft Dynamics CRM is Software as a Service (SaaS), Microsoft Azure is Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) for Virtual Machines.
Their technical differences lead also to differences from a legal point of view. One of the differences is that in PaaS, in principle, the data is not stored and processed by the cloud provider.
For example, this means that the enterprise clients of Microsoft (which usually, only make the Azure platform available to their own clients) do not collect the personal data provided to them when they create applications or store information in Azure. Consequently, if they do not have access to and do not use the personal data stored by their clients, they should not be obliged to comply with the related legal obligations (such as notification of the competent authority, implementation of certain security provisions and special conditions under which data can be revealed to other people, etc.).
As a final remark,
The usage of cloud services can be an area of quicksand from a legal standpoint. That is why it is necessary to acknowledge the fact that it comes with certain risks. Whether and how such risks can be eliminated or at least minimized differs from case to case, according to the type of cloud service and the client’s power to negotiate.
In the case of those cloud services for which no adhesion contracts are signed (like the enterprise contracts, which – generally – cannot be negotiated), it is always a good idea that both the provider and the client negotiate certain clauses regarding, for instance: the functionality and availability of the services, the place where the data is stored, both parties’ liabilities regarding personal data, intellectual property and liability limitation.