Cloud Computing and the Law: Still Shrouded in Uncertainty?

February 10, 2010

About the only issue that is clear about cloud computing and the law is that it is here and it is about to become an enormous market. But as the 60 plus delegates to the SCL’s stimulating seminar on the legal issues of Cloud Computing drifted away, their thoughts on how to manage this change were probably drifting haphazardly back and forth like the snow skittering round the offices of  Slaughter and May. Operability, data security, data protection, service levels agreements and the role of national governments will all need to be assimilated by legal advisers but, unfortunately though understandably, as yet no-one seems quite sure how. 

Tim Cowen, a barrister turned consultant working on the Open Computing Alliance (not to mention Visiting Professor at the City of London Law School), opened the discussion by tackling  the fundamental question: what is cloud computing? He traced its origins to the creation of huge server farms by Google, Amazon, IBM and Microsoft (apparently their farm in Ireland is the size of 22 cricket pitches). The ability to share traffic and resources between their different servers created excess capacity that is now rented out as server space and to host software for third parties. The credit crunch has accelerated this demand, with organisations seeking ways to cut costs and also update existing capabilities. As Tim noted, the rental model of cloud computing means that it is not  capital expenditure, leaving badly dented balance sheets intact. Given this fertile ground, the growth in the value of the market for cloud computing services is forecast to be exponential: a market worth virtually zero at present is expected to grow to $800 billion by 2013. In the UK, the prediction is for a market size of £44bn in ten years. 

Having got the audience interested, Tim set out some of the challenges and questions that legal advisers will need to tackle as their clients clamber on to the bandwagon. Some of the issues concern contractual liabilities and service levels. For example, at a basic level, who is responsible for the speed of data transfer, the supplier or the user? After all, once the data has left the farm, how will the users’ own data infrastructure cope? Drafting contracts is also problematic in this new world as parties grope towards common acceptance of scope and terminology. For this reason, Tim displayed a risk register, developed by the OCA, identifying 40 potential areas of risk that need to be mitigated. Codes of practice are also being developed to provide a better framework for service levels. He did sound a note of caution though. The apparent cost savings of moving to cloud computing may be reduced or even halted by legacy and interoperability issues. That bit of essential software developed in-house, sitting on an IBM mainframe, may not be available on the cloud solution for technical reasons or because the ownership rights may not be clearly defined. This, in Tim’s view, is one of the biggest issues that is not being talked about enough at present and due diligence will be crucial. 

Data security and data protection was the other big topic touched on by Tim but tackled in more concrete terms by the evening’s second speaker, Ulrike Weinbrenner, EMEA general counsel for “software as a service” company, salesforce. Tim had already countered objections that data security in cloud computing is compromised by recalling that the recent well-publicised data loss stories are all due to laptops, usb keys and the like going astray. This weakness just does not arise in the cloud computing environment as the data is held in a server farm. Ulrike took this point further: asked whether financial services firms should be wary of taking up the salesforce software because of data security risks, she straightforwardly replied that the banks are not doing such a great job at the moment given that the German Chancellor, Angela Merkel, is currently buying personal banking data of suspected tax evaders that has been lifted from Swiss banks. She also described salesforce initiatives designed to build trust and confidence in their security. For example, they allow companies audit rights so that the user’s appointed experts can test and verify the procedures in place. After all, she went on, without such robust systems their business would disappear.   

More problematic, in her view, are the issues of data protection. Differences in national policies prevent salesforce from offering their services in some territories as the data cannot be exported to their servers in the US. In this light, initiatives to develop international codes of practice were to be welcomed. The nature of cloud computing also gives rise to potential ambiguity as to where the data is stored, given that it could be spread over a network in different territories, and who is the data controller for data protection purposes. While Tim thought that this issue was still to be resolved, Ulrike was clear that in the salesforce model the user is the data controller. 

Perhaps Ulrike’s most controversial point was left till last; she concluded her talk by stating that service level agreements will die out. In the ensuing discussion Rob Samroy of Slaughter and May, who chaired the meeting, thought that SLAs were a means of mitigating risks so will still be on the agenda. Tim Cowen took a longer view – the crucial factor being whether cloud computing evolves to a more monopolistic market so that suppliers are able to ape the utility companies; he rightly pointed out the difficulties in suing one of them for loss of service. 

This event was just a taster of the legal issues bubbling up from the cloud computing world. Many more questions were raised on the night without being definitively answered so expect to see   further debate in the very near future. 

David Chaplin is an SCL member and a director of Bath Publishing, the online law publishers: