Cloud Computing

Apple will announce iCloud, its cloud computing service, at its annual developers conference in San Francisco next week.

Cloud Computing is one of the most recent growth areas of IT and it is anticipated that it will continue to grow to reach revenues in the region of $150 billion in the next two years.

The key advantage is clearly efficiency. It is thought that most organisations rarely use more than 15% of the computing power which is available on their desk top computers. This could, mean that by using the “Cloud” would allow a business to pay just for that 15% whilst at the same time, having access to, almost unlimited resources for when they are needed.

This is all clearly positive stuff, however the “Cloud” raises questions about reliability and risk. Whilst as an individual you may be prepared to put personal information about yourself on the web, businesses should think very carefully about the implications of passing over control of certain critical functions. At the very least, if you are going to enter into a “Cloud” type arrangement, new agreements with your IT provider will be required which are inevitably going to be more complex than the traditional service level agreements.

There is inevitably a risk that “Cloud” deals may not be as flexible as you would like. As a business, you need to be sure that where you put data in the “Cloud” that you can retrieve that data as quickly as possible. Businesses should be asking the Cloud provider how they can guarantee confidentiality, accessibility and how they intend to maintain the integrity of the data. What industry of accreditations do they hold? Do they have a proven tack record?

There is then also the spiky issue relating to data protection as you will no longer be certain where your data is stored, a serious question when it comes to considering compliance with Data Protection law.

The eighth data protection principle in the Data Protection Act of 1998 states that data controllers (the companies using the “Cloud” service) are not allowed to transfer personal data outside of the European Economic Area countries, unless the country to which the data is being transferred “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

So how can a data controller use Cloud Computing whilst ensuring that they are complying with the Act? The first option is to obtain the relevant person’s consent before sending their data into the “Cloud”. Another option would be to anonymise all the data which would mean that it is not personal data, however, this is not always feasible. Neither of these seem ideal.

The third option would be to agree a contract with the Cloud provider which would include a set of model clauses which have been approved by the European Commission. These model clauses, however, are complex and it is anticipated that if the business engaging the Cloud provider is a small organisation then the provider would just refuse to agree to them. As it stands, most Cloud providers are reluctant to agree to the stringent Data Protection Clauses and the contracts offered by are offered very much on a “take it or leave it” basis.

There is a move to try and tackle this by the establishment of the Common Assurance Metric (“CAM”), an initiative to produce quantifiable standards that will enable Cloud providers to demonstrate that they have attained a particular standard. CAM was launched on Monday 7^th February and is supported by key industry players such as Microsoft. What it would mean for businesses contemplating entering into a “Cloud” arrangement is that rather than having to go through an in-depth investigation into each potential provider, the business would be able to see the CAM rating which is held by that provider. However, whilst CAM does have the potential to offer a certain level of reassurance, it will not resolve the problem of compliance with the Data Protection Act. It may be that a change in Data Protection Legislation is required and this does seem to have been acknowledged by the Information Commissioner. However, it must be recognised that legislation is always behind technology and cannot be implemented over night.

It is, therefore, an issue of risk and judgment that each business will have to take on board before moving to the “Cloud”. It is inevitable as time goes on that the level of services offered by the “Cloud” will increase, the costs will go down and generally businesses will find themselves getting more comfortable with the practice. In the meantime, it is hoped that regulators and legislators alike working with groups such as CAM will catch up with technology and work out what is considered to be good practice on the Cloud.

Written by Michelle Craven, a Director in the Nelsons' Commerce and Technology group. To find out more about our Commerce and Technology group, click here.

Printable Version

Blogs

Share this on LinkedIn

Subscribe to the Nelsons Law RSS service and get all the news as it is added. Simply copy the address from the box below into your RSS reader software:

Nelsons Solicitors Limited is a limited liability company registered in England and Wales Registration Number 07219010. A list of Directors is available for inspection at its Registered Office: Pennine House, 8 Stanford Street, Nottingham NG1 7BQ. Authorised and regulated by the Solicitors Regulation Authority. Authorised and Regulated by the Financial Services Authority.

VAT No: 385 184 329

Trading as Nelsons and nelsonslaw. Also located in Derby Tel: 01332 372372 and Leicester Tel: 0116 222 6666. Copyright © Nelsons Solicitors Limited.
Terms of Use | Privacy Policy | Accessibility | Sitemap

Legal Services Nottingham | Legal Services Derby | Legal Services Leicester

[smaller]

Change text size

[larger]