Cloud Computing climate change for legal contracts ?

EuroCloud Ireland & Irish Computer SocietyJuly 1st 2010

Philip Nolan/ Jeanne KellyPartners, Mason Hayes+Curran

Overview

• Well documented problems• Changing Cloud = Changing Rules• Competitive Contracts• Data Protection• On the horizon?

Cloud Law 1.0

• A new technology = new legal challenges• Challenges now well known:– No contract between provider and end user– As-is clauses– Data protection obligations– Multiple jurisdictions

• But the cloud keeps evolving

World Economic Forum: Exploring the Future of Cloud Computing

– Established benefits (scalability, elasticity, cost) only represent the tip of the iceberg.

– Second wave of cloud computing benefits on the horizon:• Increased ease of collaboration • Levelling the playing field between big and small firms• Emerging economies likely to leapfrog to higher levels

of development

New Applications for the Cloud

• Moving rapidly beyond ‘traditional’ cloud uses– IaaS– Storage– SaaS

• E.g. GS1 Ireland– DataSync.ie– Tracking Medication

Cloud Law 2.0

• Shift in the attitude towards legal issues• Not merely an obstacle, but a commercial

opportunity– Providers starting to compete on terms – Real choice

• Regulators specifically considering the cloud

LA-Google SaaS Contract

• Approved October 2009• City of Los Angeles shifting to Google Apps for

email, word processing etc… • Even police records• Key government organisation making the shift

to the cloud• Reason for the decision?

LA-Google SaaS (2)

• PC World April 8 2010– “Google moved early to make this a contest over

which company offers the best contract terms and legal protections in cloud environment”

• Contractual terms operated a source of competitive advantage

So what did Google agree to?

• City can cancel at will• Extensive right to audit the data• Google cannot release or view data without

prior approval• Penalties for loss of service• Unlimited Liability for security and data breach

Terms are a differentiator

• LA an exception?• Less negotiating power• But real competition and choice• Not just doom and gloom.

Example 1: Microsoft Azure

• Generous use of Service Credits • Provision of limited warranty• Implement reasonable security measures

Example 2: Google Apps Premier

• Google will protect users’ confidential information to the same standard it protects its own

• No liability cap for breaches of confidentiality• Compliance with SLA – Warranty

Example 3: Hosting 365

• Service will be provided with due skill and care• Will comply in all material respects with SLA• Fixed term contract

Key idea

• Vendors can and do compete on terms of service offered – legal aspects are a source of competitive advantage

• Not all terms are made the same, purchasers have a real choice.

Data Protection

• Four big developments– Opinion 1/2010– New Model Contracts– Data Breach Notification– Schleswig-Holstein DPA opinion

• Operate within existing framework

Opinion 1/2010

• Article 29 Working Group• Refined core distinction between “processors”

and “controllers”• Processors retain discretion as to most

suitable technological and organisational means

New Model Contracts

• Exporting data out of EEA is tricky• Approved Contract Terms• Now allow for sub-processing

Draft Security Breach Code

• Very common in US• Must inform DPC unless:– Data inaccessible due to security measures– < 100 individuals, who have been informed

directly and not financial or sensitive personal data

• No materiality threshold• Detailed report required » possible expense

Schleswig-Holstein DPA Opinion

• 18 June 2010• SAS 70 Type II Certificates ≠ legal compliance• Data protection law is a separate matter

On the Horizon

• European Commission, Opportunities For Cloud Computing Beyond 2010

• Cloud Governance key– Standards for Clouds: Open Source or Proprietary?– Cloud mobility: Avoiding Lock in

Cloud Computing climate change for legal contracts ?

EuroCloud Ireland & Irish Computer SocietyJuly 1st 2010

Philip Nolan/ Jeanne KellyPartners, Mason Hayes+Curran