Cloud service users face confusing legal landscape

Lawyers say companies should study the data protection laws in all the countries where their cloud provider operates

Cloud computing has great benefits for businesses but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week.

"We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout," said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.

Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.

One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data. "It's a can of worms," said Andy James, a lawyer with Osborne Clarke.

A company using a cloud service could have users all over the world and those users' information could be shifted to facilities around the globe. "So there are four possible legal locations for the information at any moment," James said. Laws applicable to the location of the company's headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.

Unfortunately, he said, different jurisdictions have made different choices on which of those locations to base their cloud rules on.

In the U.S., businesses must be aware of federal and state laws. On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children's Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.

In addition, 45 states have laws covering how companies must secure customer data. "Although many state statutes are similar, there are enough outliers that you need to think about them," said Reingold. For instance, some states define personally identifiable information as including a mother's maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver's licence number. Others call out specific technologies that companies must use to secure data.

A new Massachusetts law that went into effect earlier this year covers any company that owns or licenses personal information about a Massachusetts resident. "Is there a cloud provider out there who doesn't essentially do that?" Reingold wondered. "I guarantee virtually all of our clients have to think about that."

But things can get even more complicated when data is stored in various international locations.

"The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower," said Francoise Gilbert, a lawyer with IT Law Group.

But that movement of data around the world can create a challenging legal environment for companies using cloud services.

She splits the world into three categories. Countries within the European Union follow a privacy regime that applies to any kind of personal data. The U.S. and a few others, including Chile and South Africa, write laws based on the type of data, such as health or financial records. The final group has no protection laws for personal data.

Some companies may initially think it's a good strategy to find a provider with data centers in countries that have no data protection laws. "Don't shout victory," Gilbert advised. "The problem is that often these countries tend to have regimes where the government has more rights than maybe we're used to."

India, a hotbed for outsourced services, is a good example. The country recently changed its technology act, and observers had hoped that it would add language to protect data but instead it gave the government more rights, Gilbert said. "It gives the government the right to come in and ask for information on your servers without a warrant," she said.

Europe and a few countries that have adopted a similar model, including Tunisia, Morocco and Uruguay, have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country. Those rules tend to cover a wider set of data than companies in the U.S. might expect, Gilbert said.

"Every time I have a new client they say, 'It's OK, we don't handle personal information,' and I say, 'Oh yeah?'" she said. In the U.S., companies that don't handle financial or health information or have any business with children often think they're in the clear. "The rest of the world tends to think of anything you have attached to your person as private. So the fact that someone has travel plans is personal, the names of your spouse and children is personal information," she said.

"In every type of business you are going to be collecting personal information, so don't think privacy is not for you," she said.

Beyond personal information, some countries like those in the EU make considerations for what they call sensitive data, which may include a person's religious affiliation, membership in a trade union or sexual preference. In the U.S., companies may collect some of that information to look for diversity in their workforce. But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data. "If you have a payroll system in a country that has a concept of sensitive information, you have a problem," she said.

Many of the speakers at the seminar expressed hope that governments around the world might do a better job of making it easier for businesses to use cloud computing services. But for now, they haven't done a great job. "The legal system has been far, far outpaced by technology," said Reingold.


Nancy Gohring

IDG News Service