European companies using the cloud are potentially contravening data protection laws in the UK and Europe.
An investigation by Future Intelligence into the legal position of data stored in the cloud has found that many companies are running the risk of prosecution.
Legal experts contacted by Fi say that, in its current form, the cloud technology system, worth £14.4bn globally to the technology companies promoting it, puts companies trusting personal data to it in breach of data protection legislation.
“As it stands the cloud doesn’t comply with data protection,” said Susan Hall, partner in the Technology, Trade and Media unit at the Manchester-based national legal practice Cobbetts.
“People go into the cloud for economies of scale and the very factors that lead to those economies of scale are the exact same factors that are likely to lead to the information that they store via the cloud being less well protected and less compliant with the data protection regime.”
Hall is not alone: every legal expert contacted by Fi confirmed that any company trusting its data to the cloud has virtually no protection against potential prosecution, because cloud providers can neither guarantee that their cloud technology complies with existing EU data protection regulations nor offer contracts indemnifying their clients in the event of any data loss.
A spokesman for the UK Information Commissioner’s Office confirmed that there were issues with the cloud.
“The legal experts are quite right. If you have an agreement with a cloud service provider it doesn’t absolve a company of its responsibilities under the Data Protection Act, which requires them to have adequate measures in place to protect the data that they control,” said the spokesman, adding that the European Council’s Article 29 Working Party on data protection is due to report on the issue later this month.
It is a chaotic situation that is jeopardising the development of Europe’s £4bn cloud sector, which the EU views as a key component of Europe’s recovery from economic recession. “The EU sees the cloud as a means to kick-start the EU software industry and to provide cheap access to technology for small businesses,” said Laurent Lachal, who monitors the cloud for the technology analysts Ovum. “There has been a flurry of studies to support Government cloud initiatives. It is seen as a Greenfield area for the development of applications for the internet and social networks.”
According to Lachal, one of the greatest potential benefits of the cloud is as a mechanism to fuel small business and entrepreneurial start-up growth by providing access to computing power and technology currently available only to big companies. According to the lawyers, however, it is precisely those smaller businesses which are most at risk from the legal risks posed by the technology.
The main reason for this is that the cloud works by allowing companies to house their data on computers that are continually moving the location of that data, which can put those companies in breach of data protection legislation and leave them open to fines of up to £500,000 that could rise to 2% of global turnover if new penalties being proposed by the EU are adopted.
The legal warning was underlined in the US on the 29th of June, when massive storms knocked out an Amazon data centre in Ashburn, prompting Congressional representatives to question the US Government’s move to place data in the cloud.
The White House Congressional subcommittee on commerce, manufacturing and trade is studying the risks of such a move and is attempting to schedule a hearing on the matter ahead of the August congressional recess.
“Last week’s powerful thunderstorms, along with the massive disruptions they caused, exposed some of the vulnerabilities of cloud computing,” the panel’s chairman, Rep. Mary Bono Mack (R-Calif.), said in a statement. “But I also believe the problems extend way beyond consumer convenience and customer service. There are some serious privacy issues which we need to look at as well.”
The risks posed by the cloud were stressed earlier in the US by the American National Institute of Science and Technology, which became so concerned about the issue that it wrote a paper trying to provide clarification and warned: “Clouds have the potential to aggregate an unprecedented quantity and variety of customer data in cloud data centres. This potential vulnerability requires a high degree of confidence and transparency that cloud providers can keep customer data isolated and protected.”
A detail confirmed by Professor Fred Cate of Indiana University, a highly respected data protection and legal expert, who advises the US Department of Homeland Security and the Defense Advanced Research Projects Agency.
According to Cate, guaranteeing that copies of data are not left behind in the cloud is incredibly difficult because of the nature of internet technology.
According to Kathryn Wynn, a data protection expert for the international law firm Pinsent Masons, the current situation means that companies using the cloud face the prospect of being legally liable for data that they have little effective control over.
“The problem is that the Data Protection Act does not really command any mechanism to allow organisations to ensure that its cloud arrangements are compliant. At the moment they can end up in a situation where they are technologically compliant but what matters is how secure its data is and they cannot guarantee that.”
The issue for companies wanting to use the cloud is that, under the terms of the Data Protection legislation, they are liable for the data that they have collected and have a duty of care to make sure that they know what is done with it, including being sure that they know it has been destroyed.
A level of detail that cloud computing is hard pushed to be able to deliver as it is only able to offer cheap computing by allowing companies to share computer resources and the technology actually moves data around within computer centres and between computer centres in different parts of the world.
“It is perfectly possible that a backup of a company’s data could be left on a server because of a system failure without the company owning the data knowing, which would still leave that company liable for a copy they did not know about,” said Hall.
A point underlined by Kim Walker, another legal expert, for lawyers Thomas Eggar, which has been conducting research into the issues surrounding the law and technology with Southampton University.
“We’re at a point at the moment where we are asking for industry self-regulation where the cloud providers stress best practice in order to attract business. In reality though the chances of a customer being able to send someone to their cloud provider to be assured that their data is destroyed is remote,” said Walker, a partner in the firm’s technology and media team.
Earlier this month a survey by Varonis, a company specialising in data control, “found that 67% of respondents say that senior management in their organizations either don’t know where all company data resides or are not sure.” “In addition, 74% of organizations reported that they do not have a process for tracking which files have been placed on third party cloud digital collaboration and storage services,” according to a spokesman.
Alarmingly, of those that are allowing cloud-based file synchronisation services, only 9% of the 400 companies surveyed have a process for authorising and reviewing access to cloud servers, with another 23% still developing access policies.
“The remaining 68% either have no plans in place that they are aware of, or live without formal processes for granting and reviewing access. Without control over access, or knowledge of where potentially sensitive organizational data resides, data is virtually ‘up for grabs’,” said the Varonis spokesman.
Not knowing what happens to your data is a massive risk, according to Chris Saunders of Mundays: “it makes sense for you to know where your data is in the cloud because it controls your liability. It becomes very important if your data is being transferred outside of the EU.
“If anything happens the cloud providers will say that they are not liable.”
Even the ICO’s own advice to companies looking to use the cloud, that they should draw up explicit contracts with the cloud service providers, has not offered companies any real protection.
“It really depends on the bargaining position of the customer,” said Pinsent Masons’ Wynn. “If you’re a big global customer you might get some protection but if you are a small business you won’t get much more than the standard terms.”
Standard terms that Cobbetts’ Hall says offer very little protection in the event of a data breach.
“The issue of how easy or not it will be for you to get a payout if things do go wrong is a big one and the answer is – not very. The cloud providers in the main make sure that the company whose data it is will bear the costs for any indirect or consequential losses.
“Usually the terms do this by having a low cap on liability, excluding loss of profits or business and clauses that state that the laws of California apply and that any legal case must be heard in California all of which are barriers to a reasonable payout. It’s very unlikely you would get an agreement that enforces compliance with the data protection act.”
The legal issues surrounding the use of the cloud threaten to stop the use of the technology viewed by many in the US and Europe as a potentially massive new market and the next development of the internet due to its potential to offer massive economies of scale to business by allowing them to share computer resources via the internet.