Potential data jurisdiction problems for cloud service users
By Gigi Cheah and Jeremy Tan, Norton Rose 06-Jun-2012
In a cloud services arrangement, the customer and cloud service provider are often located in different jurisdictions, with the customer having very little visibility as to where the customer's data will be located. This inherent feature of cloud services arrangements gives rise to jurisdictional issues which may not be immediately apparent to customers entering into cloud services contracts. In this article, we look at these jurisdictional issues from both a data protection and a regulatory perspective.
Where the cloud services arrangement involves some processing of personal data, which will almost always be the case, the cloud service provider will need to meet the requirements of the customer's local data protection laws, if any. The principles of data protection laws which seem to cause the most tension with cloud services would be distinctions between data controllers and data processors, security obligations and restrictions on data transfers.
Data controllers versus data processors
Data protection laws in general apply to data controllers (the person who determines the purpose and the manner in which any personal data is to be processed) and not to data processors (the person who processes data on behalf of the data controller), who only have to comply with security obligations. Cloud service providers have little or no control over the nature of the data processed on their servers or through the use of their services. That being the case, they are naturally reluctant to accept, and will not accept, liability for data quality, for complying with individual rights, or for obtaining individual consent to the processing of personal data.
Cloud service providers will argue that they are merely processors and that the customer is the data controller, and they will often include language in their service contracts to this effect. The position adopted by cloud service providers shifts the entire risk and burden of data protection compliance onto the customer. This can be unfair and impractical for the customer, who may have little or no control over matters such as the security of the personal data or data transfers.
Most data protection laws also require that "appropriate technical and organizational measures" are taken to protect personal data. Therefore, when engaging a cloud service provider, the customer must select a provider who can offer appropriate guarantees of security, ensure that the security arrangements are evidenced in a written contract, and take reasonable measures to ensure compliance.
As it is the customer that will ultimately be liable under any data protection law for breaches of security caused by the data processor, customers are increasingly requiring audit rights to be included in cloud services contracts. There has been strong pushback from cloud service providers in this regard, as many of them use shared infrastructure for different customers, and audit access may in itself compromise confidentiality and security. Many cloud service providers also find multiple audit requests from customers disruptive to their business operations.
Lastly, it is also important to note that there are data protection laws, such as the European Data Protection Directive, that prohibit the transfer of personal data to countries that do not offer adequate protection. This may be difficult for the customer to comply with, as the customer often has no visibility as to the country or countries to which their data may be transferred by the cloud service provider for storage and processing.