Cloud computing – the legal considerations

Lawrence Jones

Tuesday 24 November 2015

Hosting, processing and storing data remotely raises some specific legal issues for UK business. We explore just what you need to know to stay safe in the cloud.

Free from the shackles of fixed data storage, the cloud is powering an IT revolution across the world. But, in the post-Snowden world, staying on top of security is more important than ever.

It comes as no surprise that leading technology research firm Gartner has been forecasting that worldwide security spending is set to grow, with “roughly 10% of overall IT security enterprise product capabilities” being delivered in the cloud in 2015. But is it enough?

UK-based businesses are facing an increasing array of national and international legislation they need to abide by. We look at what UK businesses need to know to stay protected.

Data protection in the UK comes under the responsibility of the Information Commissioner’s Office (ICO). This governmental body is responsible for protecting consumer data, with the 1998 Data Protection Act (DPA) being its defining piece of legislation. The rise of cloud computing has created new challenges for data managers; a situation recognised by the ICO who have since published guidance on the issue – essential reading for anyone investing in a cloud computing solution.

According to Thomas Owen, Security Manager at UK hosting firm Memset, there are two specific parts of the DPA that IT managers need to consider: Principle 7, which says you must have appropriate security; and Principle 8, which controls transfers of data abroad. Both are potential headaches.

“It is your responsibility to ensure you have the right security precautions in place to prevent unauthorised access and accidental loss or damage to your data,” Owen explains. “You need to do due diligence to ensure your cloud provider has the right security in place.”

As well as having robust security in place, as data crosses borders, the legal requirements also change. The data must adhere to the privacy and data protection rules of the country in which it is stored. The content of information is important too, with some types of information potentially falling foul of copyright issues or content restrictions.

As a UK-based business your choice is limited, with the DPA’s eighth principle explicitly stating that: “Personal data shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Many cloud services are provided by US firms. As part of the Safe Harbor agreement, EU organisations have been able to share information with US providers, a situation which worked well until things came to a grinding halt earlier this year when the European Court of Justice decided that a user’s Facebook data was insufficiently protected.

The flow of data – and money – is going to be impossible to stop. Following the judgement, the European Commission and US authorities have committed to working together to find a solution, but it’s not yet clear when this will come about, nor indeed what the impact of such talks will be.

What is likely, however, is that businesses will need to adhere to a whole host of new rules.

This isn’t a theoretical risk – it’s live; and any organisation that stores information in the States needs to take action.

Matthew Rippon, Director at Particular Legal, a specialist IT legal firm, explains what this means: “Every business that depends on Safe Harbor to export data to companies operating servers in the USA for processing is now in breach of the DPA.”

The good news is that it’s simple to fix – with some specialist help. “There are standard clauses approved by the European Commission for the purpose of ensuring that data processors beyond the EU adhere to EU data protection standards. Businesses just need to form data processing agreements with their US-based suppliers based on those terms,” Rippon explains.

Sounding a word of caution, Rippon notes that there are potentially many thousands of businesses currently out there that are in breach of the DPA.

In the post-Snowden world, it’s increasingly important to stay on top of the location and security of your data, particularly given the rising number and profile of cybercrimes. So-called ‘e-discovery investigations’ can legally require businesses to produce electronically stored information (ESI).

Organisations have an obligation to maintain and produce data, regardless of where it is stored. It’s complicated, however, with businesses only able to share information deemed legally acceptable by the host nation where that information is stored. If, for instance, a UK business used servers in France, it could only share the information that the French legal system allowed, not the UK legal system.

This can, in some cases, complicate matters and cause problems for the business owner who has received the request. Recent legal developments, particularly within the EU, are aiming to bring clarity and consistency to data, including access and privacy.

Changing dynamic

Like everything in the tech world, the situation is changing rapidly and decisions need to be made with the future in mind. The UK’s DPA is soon to be replaced by the European General Data Protection Regulation, creating a whole new set of rules to play by.

Owen explains what this means: “The intention behind the GDPR is to refine some of the inadequacies and ambiguities of the DPA and its EU parent Data Protection Directive 95/46/EC, but it will also bring greatly increased penalties for non-compliance.”

The new regulation will replace all existing legislation across Europe and adherence isn’t optional. “Cloud purchasing decisions made at the moment should be cognisant of impending regulatory changes,” Owen adds.

So what can be done? Owen has some advice as to what to look out for when identifying a provider: “Look at security accreditations such as ISO27001 and PCI-DSS; the location of the data centre where your data will be held; and the general intelligence and maturity of their processes and technology stack.”

Given the data security issues and concerns, Owen is keen to point out that for many businesses choosing a UK provider could be the safest option. “A cloud service where the data is guaranteed to be held only within the UK is a much simpler and less risky option in terms of compliance,” he continues.

With circumstances evolving so rapidly, it’s very clear that businesses should look to ensure that their data storage policies and systems are in step with any prevailing legal requirements.


