A new domain for lawyers: Cloud computing, a French perspective
Everyone has heard about the new paradise that is being offered to minimize the cost of the information system: cloud computing.
This is an oxymoron, however: salesmen and advertisers present this solution as a bright and clear one, yet it is sold under the word cloud, whose adjective, cloudy, implies that you are by definition in an unclear and perhaps even foggy situation, as will be demonstrated below.
In a nutshell, cloud computing is the extension of manpower outsourcing in the information technology field.
There exist several options in order to modify the way one manages their hardware and software. In some cases, one may continue to have their private server and software located outside of the company. In others, the servers are consolidated outside of the company and the data is stored and safeguarded in a remote location.
As a result, one consequence of the cloud is that instead of buying new software licenses and new servers which may be temporarily too big, one will only pay for the software actually used, obtain updates without any additional costs and only pay for the data storage space actually used.
From the perspective of seeing cloud computing as a dream come true, one does not need to consider buying new equipment, one can save valuable office space, one pays as they consume, someone else is responsible for the maintenance and one always benefits from the latest software updates.
To be practical, one must consider the fact that, as in every activity, some people or SMEs are not in a position to negotiate a contract with a cloud provider or a big entity, even when they need to negotiate in order to be secured.
As usual, lawyers are not always involved in the process of IT transfers from inside to outside of the company. In addition to checking the technical capability of one’s cloud provider, one should also mention a few of the issues which exist and which should be considered, since the devil lies in the details.
1) Who is responsible for the treatment of the data?
It can be either the client or the cloud provider. This is especially important if the data is going to be sent and stored outside of the EU.
Concerning France, the data is subject to the data protection law under the implementation of the EU data protection directive.
According to article 3 of this law, the party responsible for the treatment of the data remains the client and not the cloud provider. This means that the client must make sure that the data protection formalities are respected, especially if personal data is to be sent outside of the EU.
If the transfer is made to a country which does not grant sufficient protection, the transfer is subject to the authorization of the party concerned. This is obviously a nightmare, as it requires both obtaining consent from each party and tracking the authorizations.
Concerning transfers with the US, the client must check if the cloud provider has joined the Safe Harbor Principles and whether or not it has renewed its participation.
As a partial relief for this concern, the EU Commission took the cloud computing issue into consideration when it enacted its template clauses for data transfer on February 5th, 2010, in order to explain how to handle data transfers outside of the EU.
2) Will data confidentiality be respected, and will it be possible to recover one's data at the end of a contractual relationship?
Following the data protection issue, the next classical question deals with the confidentiality of the data and its reversibility.
A clause concerning the confidentiality of data should exist in every contract, and its wording and value should be checked. This is even more important when certain types of data, such as health data, are concerned. However, the fact is that this does not exist in every contract.
This type of confidentiality must be provided by ensuring that all the necessary technical protections are being used, through either an agreement or a contract, by the party working for the cloud provider.
Nevertheless, one should keep in mind that if the data is stored in the US, some data providers have clearly stated that even if the data is foreign owned, they will obey the requests from Homeland Security and disclose any data stored in the US.
Otherwise, to ensure reversibility of data, software and hardware at the end of the contract, it is wise to be informed about how the data stored in the cloud will be copied, in order to be able to claim a right to audit the center and to require a reversibility plan from the beginning. Even better would be to try to enforce it through a simulation, since one can otherwise face challenging issues at the end when trying to recover and reuse one's data.
3) Applicable Law and Venue
This question, as in every contract, is rarely taken into serious consideration.
However, in case of a breach of contract or interruption of service, a French entity will not have the time and the money to sue a provider located in the US.
The examination of several agreements from a few US cloud providers shows that state law of any one of the US states, with the exclusion of any private international rule of law, is applied within a venue of the state court, as for instance, in San Antonio, TX.
Without questioning the quality or fairness of such jurisdiction, the acceptance of such a venue means purely and simply that a French person, a European private person or an SME will never sue their provider, since they will be able to spend neither the time nor the money on pursuing a lawsuit.
The implementation of mediation, perhaps through an online system such as the one already in use for domain names, would be a way to render this more equitable.
This is even more important when one takes the time to read the various agreements offered by the cloud providers which can easily be found on the Internet.
One can find contracts where the provider can unilaterally modify the agreement and there are others where the provider obtains a free worldwide non-exclusive license authorizing it to use any data it is storing for the client.
Another peculiarity to be considered is, in some contracts, the provider’s ability to terminate them within a 24h warning period and, in some cases of emergency, even within an 8h warning period.
Furthermore, it is common practice for a client who is looking for, or has already found, a lower-priced cloud service on the Internet not to conduct the due diligence necessary to negotiate a more favorable contract, and often not even to scroll down to read the very long contract it is asked to read on its computer screen.
This practice can even be true for big companies: directors of important organizations sometimes explain, in front of public audiences, that they often choose a cloud provider without conducting any due diligence before ceding their data to it, which can sometimes create major turmoil for the company.
In a nutshell:
If you consider the safety of your personal or company data important, if the quality and continuity of a service is vital or at least important, and last but not least, if you do not want to risk being criminally liable for violation of data privacy rules, you should take serious caution and have your technical staff involve in-house or external lawyers before entering into the enchanting world of cloud computing.
Richard Milchior has been a partner of the firm since 1 April 2005. His fields of work are intellectual property, EC law, domestic competition law and pharmacy law.
He began his career in 1979 with the firm “Lafarge Flécheux Ghestin”, then with the firm “Raoul Castelain” from 1981 to 1982. He was then partner with “Robert Collin & Associés”, from 1983 to 1995. He became of counsel with “Nauta Dutilh” until 1999. In 2000, he was a partner in the firm “Milchior Smilevitch”. He works in French and in English.
After graduating from the Paris IEP (“Sciences Po”) in 1977, Richard Milchior turned towards law, with an honours degree in Private Law (Paris X Nanterre) in 1978, which he completed with an honours degree in Economic Science (Paris X Nanterre) in 1979. He was admitted to the bar in 1979, then obtained a postgraduate degree (DEA) in General Private Law (Paris II) and a postgraduate degree (DEA) in Criminal Law (Paris II) in 1981. In 1982, he obtained his Ph.D. on “Copyright and the Common Market”, then, in 1983, he graduated as Master of Comparative Jurisprudence (New York University). He graduated in mediation in 2008 from the University of South Florida (Tampa). Richard can be contacted on +33 1 53 43 1515 or by email at firstname.lastname@example.org