TSM - The Usage of Cloud Type Services is not Voided of Legal Risks

Claudia Jelea - Avocat & Consilier in domeniul marcilor

Cloud Computing is a cool concept, often employed in the IT domain and vertiginously booming. According to a report of HIS Technology from February 2014, it is estimated that until 2017, companies will pay 235.1 billion $ for cloud services - that is three times more than in 2011. Among the giants that share the cloud market there are Amazon, Google, Microsoft, Barracuda Networks, Dropbox, etc. - each one of them with their own cloud "specialization".

In the month of May, when I took part in Cluj to the IT Camp event, one of the intensely approached topics was the usage of Microsoft Azure. The present experts enlarged upon the technical challenges regarding this cloud platform.

But it is worth knowing that, besides the technical challenges, there are also the legal ones, which cannot be neglected and which can greatly influence the activity of the "players" from the industry. The reason? The cloud providers constantly face a dilemma: they have to provide solutions as advantageous and as innovating as possible from the technical and commercial point of view, but, at the same time, they have to comply with the rules regarding data protection and security (those regarding physical persons). But this balance is sometimes hard to achieve. Microsoft Romania saw the necessity of dealing with the issue of personal data in the cloud. On the 4th of June, they organized in Bucharest an event dedicated to cloud computing, inviting also a representative of ANSPDCP (The Competent Authority in the Domain of Personal Data). Some challenges were approached from the perspective of enterprise services provided by Microsoft (Windows Azure, Dynamics CRM Online and Office 365).

From my clients" experience I know that there are some controversial problems and, as I was expecting, there were many questions. To some of them, the answers given by the representative of authorities clearly pointed to the fact that in the vision of authorities, the cloud has in practice some "grey zones" which remain to be interpreted from case to case by the experts.

Important to remember

There are different types of cloud services and models which trigger in practice varied consequences, with differentiated legal obligations.

For instance, while Microsoft Dynamics CRM is Software as a Service (SaaS), Microsoft Azure is Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) for Virtual Machines.

Their technical differences lead also to differences from the legal point of view. One of the differences is that in PaaS, on principle, the data is not kept and processed by the cloud provider. This means that, for example, the enterprise client of Microsoft (which usually, only makes the Azure platform available for its own clients) does not collect personal data provided when they create applications or store information in Azure. Consequently, if it does not have access and does not use the personal data stored by its clients, it shouldn"t be held under legal obligations regarding the notification of the competent authority, the implementation of some security provisions, the special conditions under which data can be revealed to other people, etc.

In the end

Many times, the usage of cloud services can be an area of quicksand from the legal point of view. That is why it is necessary to acknowledge the fact that it implies certain risks. Whether and how they can be eliminated or at least minimized differs from case to case, according to the type of cloud service and the client"s power of negotiation.

In the case of those cloud services for which no adhesion contracts are signed (like the enterprise contracts, which, generally, cannot be negotiated), it is advisable that the provider and the client negotiate some clauses regarding, for instance: the functionality and availability of the services, the place of data storing, both parties" liabilities regarding personal data, intellectual property and liability limitation.