Are you considering a shift to the cloud for your organisation’s IT services? You’re not alone. Kiwi businesses are increasingly moving their operations or data to the cloud, with a Horizon Research survey of 200 local IT managers in 2014 confirming that over two-thirds of businesses use cloud services.
You don’t need to be a weather forecaster to predict the benefits that come from moving into the cloud, including greater flexibility and accessibility, and improved collaboration. Consider also the potential financial benefits from adopting cloud services: lower power costs, reduced capital expenditure, and less hardware redundancy with greater scalability.
But, there can also be stormy skies when moving to the cloud. Whether your business is a multi-national with divisions across the globe, or a local player keen to leverage technology services not available in-house, legal issues with the cloud include obligations in New Zealand and overseas, licensing issues, and data protection, access and transfer concerns.
This article outlines data protection, access, and transfer issues that must be considered when navigating your way into the cloud. These issues arise in several forms.
Data security and protection
Data security is a topical issue, with recent large-scale data breaches, including Ashley Madison, which was revealed in July 2015, and the United States Internal Revenue Service, which occurred during February to May 2015.
In the former case, a group of hackers stole and then leaked over 25 gigabytes of company data, including user details such as real names, home addresses, search history, and credit card transaction records. In the latter, personal information concerning hundreds of thousands of people (334,000 accounts according to the IRS) were unlawfully accessed by hackers using the IRS’s online tax system.
While both those cases featured unauthorised access to data, data loss and data corruption are also risks under the data security and protection umbrella.
While preventing unauthorised access is important, to achieve the benefits sought from cloud adoption (and to mitigate risks) it is also essential that your business has reliable access to its information and applications at all times. This access provides important protections such as ensuring business continuity if the cloud service provider becomes insolvent. It can also help to keep your options open so that your business is not “captured” by a particular vendor who holds your critical data, which could prevent you from migrating again.
While the term “ownership” is sometimes used in relation to data, this is something of a misnomer as property rights do not apply to data as such. (Database rights can protect compilations of data in some jurisdictions). Instead data “ownership” is primarily concerned with data control: who has (and who hasn’t) the right and ability to do what with which data.
A related topic to data control is data transfer. Transfer of data across national borders is heavily regulated internationally. For example, in the EU the general principle is that personal data must not be transferred to countries outside the EU that do not offer an “adequate level of protection”. In December 2012 the European Commission declared that New Zealand’s laws provide a standard of data protection that is adequate for the purposes of EU law.
There are exceptions to the general principle, which formerly included compliance with the “safe harbour” framework concerning the transfer of data from EU to the US. However, in October 2015 the European Court of Justice determined that the EU/US safe harbour framework is invalid. The reason? The US Government’s ready access to personal data. Just recently, on 2 February 2016, the European Commission announced that a new framework, the “EU-US Privacy Shield”, has been agreed to better protect EU citizens’ personal information transferred to US companies. Under this framework, US companies wishing to import personal data from Europe will be required to process personal information in accordance with strict obligations and will be subject enforceable redress mechanisms if an individual raises a complaint.
Closer to home, New Zealand’s Privacy Act enables the Privacy Commissioner to issue a “transfer prohibition notice” to prevent New Zealand being used as a gateway for personal information to be transferred to a country without appropriate safeguards. To date no such notices have been issued.
How can you protect your business’s interests?
It’s understandable that with so many complex legal issues at play, a move into the cloud is daunting. There are several measures you can take to better protect your business interests from some of the legal risks, including:
- Appropriate contractual arrangements:
a. adequate service levels; and
b. effective remedies for non-performance;
- Backup/alternative infrastructure;
- Due diligence of service provider to establish proven track record;
- Business continuity arrangements;
- Unconditional access to data and restrictions on access by unauthorised persons; and
- Having clear terms regarding data transfer.
Peter Fernando is a senior associate of Kensington Swan. He practises information technology and commercial contract law.