Combating the legal data protection risks of iCloud

Apple’s iCloud has attracted a lot of attention, and take-up of business and consumer cloud services continues to rise. Businesses looking to operate a cloud model, either as user or provider, do need to be aware of, and combat, some key legal risks, most of which revolve around security and control of data under data protection laws.

The EU Digital Agenda Commissioner, Neelie Kroes, summed up these risks in her speech on November 25th 2010 at the University of Paris Dauphine, where she said that by “putting our personal data on remote servers, we risk losing control over that data”. So is data protection a brake on the expansion of the cloud model, or are these risks more easily surmountable than people think?

EU data protection laws are essentially built on two fundamental pillars – transparency and control. That is, users must be able to know how their data is used, where it’s held, and by whom, and those holding it need to be able to control its use, location and security to protect users’ rights. A holder of personal data is, under EU data protection laws, legally responsible for the data as a ‘data controller’.

They bear the legal responsibility for how that data is handled, where it is held, and for ensuring transparency is given to users. So a business looking to move its data into the cloud will need to think about whether it needs to inform customers and even staff as to where the data will be held, and by whom, and also whether it needs to obtain “consent” for such steps.

There are also specific data protection rules on exporting data outside the EU. Data held on a cloud server outside the EU, or even made available outside the EU from a cloud server in the EU, will contravene these rules, and the data controller will have to jump through some additional hoops in order to comply.

This can involve lawyers drawing up contracts, signing up for self-regulatory schemes, and putting in place company policies on data security and use. This is one reason why many major cloud providers such as Amazon Web Services have located their data centres in the EU (in that case in Ireland).

There are a number of steps that a business wanting to embrace a cloud model will need to go through, but in most cases none of them is likely to mean it cannot operate such a model – it just needs to ensure it builds sufficient time and resource into its roadmap to identify the issues it needs to address and to address them adequately and in time.

Graham Hann is Head of IT and Telecoms at international law firm Taylor Wessing. Graham advises on all aspects of IT and intellectual property law with a particular emphasis on technology focused commercial transactions including systems/services supply and outsourcings. Graham advises widely on software distribution and licensing and also specialises in advising on Internet related issues as well as privacy and data protection.