With the explosive growth of innovations in the Information Technology industry, legal provisions are currently lagging behind and desperately looking for ways to cope with the never-seen-before advancements. Cloud computing, being one such recent advancement, has raised a number of legal issues including privacy and data security, contracting issues, issues relating to the location of the data, and business considerations.
The abovementioned issues are the primary ones faced by almost all the nations across the globe. However, when it comes to the Indian scenario, a number of additional complicated issues are faced by India owing to lack of awareness and lack of resources. With the ‘Digital India’ initiative in the news, it is obvious that more and more individuals and organisations will be using online services and infrastructure via the Cloud in the near future; and it is, therefore, necessary to analyse our position thereon and discuss whether our legal system is ready for such a revolutionary change.
The legal issues that frequently arise in the cloud are wide-ranging. However, attempting a broad generalisation, mainly four types of issues arise therein:
- Privacy of data and data security
- Issues relating to contractual relation between the cloud service provider and the customer
- Complex jurisdictional issues, or issues relating to the location of the data and the set of laws applicable
- Commercial as well as business considerations
At the outset, it should be clarified that although cloud computing gives the customer access to computing, networking and storage resources just like traditional outsourcing services and Application Service Providers (ASPs), it has a legal nature quite different from these two owing to its distinctive features like ‘on-demand access’ and ‘unit-based pricing’ (pay-per-use).
Privacy and data security issues:
Seemingly, the main privacy/data security issue relating to the cloud is ‘data breach’. A data breach may, in the generic sense, be defined as the loss of unencrypted electronically stored personal information (Buyya, Broberg, & Goscinski, 2015). A data breach can cause loss to both the provider and the customer in numerous ways: identity theft and the chance of debit/credit card fraud for the customer, and financial harm, loss of customers, loss of reputation, potential lawsuits et cetera for the provider.
American law requires data breach notification to be issued to affected persons in the event of a data breach. Almost all the states in the United States now require notification of affected persons upon the occurrence of a data breach.
Turning to the Indian scenario, most providers attempt to lessen their risk liability in the event of a data breach. However, as more sensitive information enters the cloud with every passing day, businesses and corporations have started negotiating contracts so as to insert terms that expand the contractual obligations of the providers.
A problem arises when the data is subject to more than one jurisdiction, and the jurisdictions have different laws regarding data privacy. For example, the European Union Data Privacy Directive clearly states that ‘Data cannot leave the EU unless it goes to a country that ensures an “adequate level of protection”.’ Although such a statement makes the EU provisions easily enforceable, it restricts the movement of data, thereby reducing data efficiency.
Clearly, licensing agreements are fundamentally different from Service agreements. Cloud essentially, in all its permutations (IaaS, PaaS, SaaS), is a service, and therefore is governed by a Service agreement instead of a Licensing agreement.
However, the main issue regarding Cloud Service agreements is the ‘contract of adhesion’. Owing to the limited expansion of Cloud Services in India, most of the time the ‘Click-wrap agreement’ model is used, making the contract a contract of adhesion. It leaves little or no scope for negotiation on the part of the user/customer.
With the expansion of Cloud computing, the negotiating power of large corporations will gradually cause Cloud contracts to become standard and negotiated ones. However, at an individual level, this is still a distant destination.
Legal provisions clearly cannot force the cloud providers to have a negotiating session with each and every customer. However, legal provisions may be made to ensure that the liability and risk responsibility clauses follow a standard pattern which compensates the user for the lack of negotiation during the formation of the contract.
Jurisdiction is the authority of a court to judge acts committed in a certain territory. Determining jurisdiction in legal issues relating to Cloud services becomes difficult and critical because of features of the Cloud like ‘Virtualization’ and ‘Multi-tenancy’.
While virtualization requires less hardware and consumes less power, thereby ensuring computing efficiency, it also makes it difficult for the cloud user or the cloud provider to know what information is housed on which machines at any given time.
Multi-tenancy refers to the ability of a cloud provider to deliver services to many individuals or organisations from a single shared piece of software. The risk is that the data of one user may well be accessed in an unauthorised manner by another user, since the data of various users is only virtually separated and not physically. It also makes it difficult to back up and restore data.
The cloud enables a great deal of flexibility in data location, which ensures maximum efficiency in data usage and accessibility. However, it creates a number of legal issues as well. It makes it quite possible that the same data is stored in multiple locations at a given time. If those locations are subject to different jurisdictions and different legal systems, there may be conflicting legal provisions regarding the data in the different locations. This gives rise to most of the jurisdictional issues in Cloud computing.
Also, laws relating to confidentiality and Government access to data differ across nations. While the Indian laws manage to strike a balance between national security and individual privacy, most nations do not prefer a balance and have adopted a biased view on this. The problem of conflict of laws arises in such cases.
Commercial and Business Considerations:
Other commercial and business considerations, like the urge to minimize risk, maintain data integrity, and ensure the accessibility and availability of data, as well as Service Level Agreements, have also significantly shaped the present as well as the future of Cloud Computing in India. They also create a number of foreseeable as well as unforeseeable issues that need to be addressed by dedicated legislation.
It is an accepted truth that Law always lags behind technical innovations, and the complexities of Cloud innovations and related Cloud Services like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) will force the law and legislation to catch up in order to have an effective legal system that provides legal remedies to prevent and redress the resultant harms.
Raising awareness, ensuring universal access to information, and mobilising resources are complementary solutions that’ll never go wrong for the Indian scenario in order to add to the effectiveness of the legal system.
Note: This post first appeared here.
ABOUT THE AUTHOR
‘Passionate!’ That’s the only word he uses to describe himself. Questioning assumptions. Challenging hypocrisies. Making the planet a better place to live in. Can be found at www.anshumansahoo.com.