Cloud service users face confusing legal landscape

Lawyers say companies should study the data protection laws in all the countries where their cloud provider operates

Cloud computing has great benefits for businesses but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week.

"We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout," said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.

Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.

One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data. "It's a can of worms," said Andy James, a lawyer with Osborne Clarke.

A company using a cloud service could have users all over the world and those users' information could be shifted to facilities around the globe. "So there are four possible legal locations for the information at any moment," James said. Laws applicable to the location of the company's headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.

Unfortunately, he said, different jurisdictions have made different choices on which of those locations to base their cloud rules on.

In the U.S., businesses must be aware of federal and state laws. On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children's Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.

In addition, 45 states have laws covering how companies must secure customer data. "Although many state statutes are similar, there are enough outliers that you need to think about them," said Reingold. For instance, some states define personally identifiable information as including a mother's maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver's licence number. Others call out specific technologies that companies must use to secure data.

A new Massachusetts law that went into effect earlier this year covers any company that owns or licenses personal information about a Massachusetts resident. "Is there a cloud provider out there who doesn't essentially do that?" Reingold wondered. "I guarantee virtually all of our clients have to think about that."

But things can get even more complicated when data is stored in various international locations.

"The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower," said Francoise Gilbert, a lawyer with IT Law Group.

But that movement of data around the world can create a challenging legal environment for companies using cloud services.

She splits the world into three categories. Countries within the European Union follow a privacy regime that applies to any kind of personal data. The U.S. and a few others, including Chile and South Africa, write laws based on the type of data, such as health or financial records. The final group has no protection laws for personal data.

Some companies may initially think it's a good strategy to find a provider with data centers in countries that have no data protection laws. "Don't shout victory," Gilbert advised. "The problem is that often these countries tend to have regimes where the government has more rights than maybe we're used to."

India, a hotbed for outsourced services, is a good example. The country recently changed its technology act, and observers had hoped that it would add language to protect data but instead it gave the government more rights, Gilbert said. "It gives the government the right to come in and ask for information on your servers without a warrant," she said.

Europe and a few countries that have adopted a similar model, including Tunisia, Morocco and Uruguay, have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country. Those rules tend to cover a wider set of data than companies in the U.S. might expect, Gilbert said.

"Every time I have a new client they say, 'It's OK, we don't handle personal information,' and I say, 'Oh yeah?'" she said. In the U.S., companies that don't handle financial or health information or have any business with children often think they're in the clear. "The rest of the world tends to think of anything you have attached to your person as private. So the fact that someone has travel plans is personal, the names of your spouse and children is personal information," she said.

"In every type of business you are going to be collecting personal information, so don't think privacy is not for you," she said.

Beyond personal information, some countries like those in the EU make considerations for what they call sensitive data, which may include a person's religious affiliation, membership in a trade union or sexual preference. In the U.S., companies may collect some of that information to look for diversity in their workforce. But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data. "If you have a payroll system in a country that has a concept of sensitive information, you have a problem," she said.

Many of the speakers at the seminar expressed hope that governments around the world might do a better job of making it easier for businesses to use cloud computing services. But for now, they haven't done a great job. "The legal system has been far, far outpaced by technology," said Reingold.


Nancy Gohring

IDG News Service