Photo Credits: Tobias Fischer (Unsplash)
Aishwerya Kansal is an IPilogue Writer, IP Innovation Clinic Fellow, LL.M Graduate (2020) at Osgoode Professional Development, and IP Law Clerk at Bereskin & Parr LLP.
OVERVIEW OF CLOUD COMPUTING
Cloud Computing has become an important technology in promoting global businesses during the pandemic. The technology has helped facilitate remote work. One of its most significant benefits is lowering the costs to store, retrieve, and maintain the security of data. However, cloud storage and data services raise several legal issues for cloud computing providers and users. There are multiple Cloud Service Providers (CSP) such as Amazon, Google, Verizon, Sales Force, and Microsoft, giving customers several options to choose from. Distributed data, stored in multiple locations, have shown to be cost effective, reliable, scalable, and fault-tolerant. However, consumers may be unaware of the technology’s enormous potential and the need for it to be regulated on a global scale in order to avoid complications arising out of the cross-border exchange of data. In order to prevent complications, consumers should be widely aware of recent advancements in cloud technology’s potentials and the evolving regulatory landscape.
Could computing is a form of software technology which provides information services on a virtual platform without the need for extensive infrastructure and dedicated access points. Common forms of cloud computing include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). SaaS is a software application over the internet which allows users access rather than allowing storage and local use. Any application that is run through the cloud service falls under this category. Dropbox is a form of SaaS, whereas Microsoft windows, a computing platform, is a form of PaaS used for running or developing applications.
Cloud computing’s rapid growth leaves limited time for identifying and implementing the regulatory frameworks necessary to protect users’ privacy and data security. Efforts to build a unified regulatory framework have already begun. Enthusiasm about building a unified framework has created common ground among nations about information privacy regulation.[1] For example, the European Union rolled out a comprehensive proposal addressing general data protection regulations (Draft Data Protection Regulation).[2] Similarly, the United States Federal Trade Commission introduced its bill aimed at data privacy for consumers in addition to providing a detailed report in 2012 titled “Protecting Consumer Privacy in an Era of Rapid Change" ("FTC Report 2012"). Despite efforts to protect users’ cloud data, some legal issues remain unresolved.
LEGAL ISSUES IN CLOUD COMPUTING
Cloud computing involves collaborative efforts from different parties in providing services. Therefore, it is challenging to ensure compliance with a regulatory framework if one were to be put in place. A few of the underlying issues involve vendor performance, service levels, data privacy, security contract termination, and transition issues. In order to attempt to resolve these issues, the law needs to address the following items : (1) cross border concerns regarding storage and transfer of cloud data, (2) data ownership issues, and (3) control and access to cloud data.
From the user’s perspective, a major issue is the location of the data storage and the data transit which depends on factors like contractual obligations as well as the service and deployment model between the CSP and users. Under some circumstances, CSPs have chosen to confine the routing of information to certain locations. In cloud technology, data’s exact location cannot be easily established. The law is particularly ambiguous with respect to jurisdictional issues concerning cloud information. Therefore, it is crucial that users take the issue of data storage locations and transit routes into account before moving their data to cloud. Though data should be owned by the user who uploads it to the cloud, the service level agreements (SLA) and CSP contract should explicitly state possession, custody, and control including the ownership and access to the information stored in the cloud. Users’ dependency on cloud computing services, along with an increased difficulty in controlling, accessing, and owning data, will grow in the absence of laws regulating cloud computing services. Service providers and other contracting parties should have bargaining power when deciphering standards of agreement clauses.
The federal government in PIPEDA has laid down fairness restrictions on businesses when they engage in collecting, using, and disclosing personal information. Canadians mostly use cloud-based services provided by the United States and other countries. It is implied that private sector privacy legislation does not prohibit entities from using a foreign service provider. The Federal Commissioner has asked that any entity in Canada that outsources its information or its processing to third party countries should inform its customers of this practice and provide information about the foreign country’s laws on data privacy. In Canada, the courts first adjudicated on cloud computing settings in a class action lawsuit against Facebook. Cloud computing services are not limited to external online storage used by social media and email services. Many other internet services involve cloud computing. The court in the class action against Facebook had to decide whether the social media company was reasonably notifying its users of principles governing their privacy policy and whether they were mentioned in advertisements on the platform.
CONCLUSION
Cloud has provided new options for storage and transmission of data. It has also introduced a whole new gamut of risks. Simplification of the laws is essential in promoting widespread adoption of cloud technology. The need for simplifications was concurred by the World Economic Forum. A standardized approach to the privacy and security of data with respect to cloud services would benefit the consumers and service providers in any disputes that may arise. Once adequate regulation for cloud computing is in place and rights and liabilities of users and service providers are well laid out, the industry could go on to create highspeed virtual freeways to keep the world connected. Effective regulations would address rights and liabilities, while having flexibility to incorporate future developments in the field.
[1] Nancy J King & VT Raja, "What do They Really Know about Me in the Cloud: A Comparative Law Perspective on Protecting Privacy and Security of Sensitive Consumer Data" (2013) 50:2 Am Bus LJ 413
[2] Commission Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 1, COM (2012) 11 final (Jan. 25, 2012) [hereinafter Draft Data Protection Regulation], available at http://ec.europa.eu/justice/data-protection/ document/review2012/com_20121 len.pdf.