“Cloud Computing”, “Private Cloud Computing”, “Hybrid Cloud Computing”

At the risk of oversimplifying this model, cloud computing is basically an outsourcing arrangement with a backbone of software as a service (SaaS) – or vice versa – accessed through the Internet. There are some really basic considerations that everyone should address before considering any of these types of arrangements that are not unique to “the cloud”.

As a purchaser of these services you should make certain that your contracting arrangement protects your data/content from both a technological security perspective and from an ownership perspective. In a SaaS/cloud computing service model you will not have a lasting license to the software and may not know where your data is stored. At a minimum you should ensure that your data/content is properly backed up, in a format that can be transferred to another service or brought “in-house”. You cannot abdicate responsibility for doing the due diligence to ensure that the cloud computing model will fulfill your current and future business needs and regulatory requirements.

From a service provider perspective, you need to ensure that if you do not actually own the hardware of the cloud that you have an unrestricted ability to access them wherever they are located, and if necessary shut down other parties’ access to the content and retrieve all copies on very short notice. You need to make certain that from a technological security perspective that your software and your customers’ data/content are properly protected. You may not actually own the equipment and / or the software providing the services, but you need to be able to exercise control to the greatest extent possible.

Those are some basic guidelines to consider when using or providing these types of services.

Now for the key legal issue raised by SaaS/outsourcing/cloud computing: unless the hardware, software and back up of data are guaranteed to be located in and limited to specific countr(ies)/legal jurisdiction(s), then neither the customer nor the service provider can fully assess what laws may be applicable to them.

The protections afforded personal information, proprietary information (e.g. intellectual property rights) and confidential business information vary between jurisdictions. Moreover the interpretation of laws will vary within a jurisdiction depending upon the political agenda of the then current government.

Countries have different libel and slander laws. What might not be considered to be libel in one jurisdiction could be considered libelous in another jurisdiction. The responsibilities and liabilities associated with defamatory matters is also not uniform between countries; in some jurisdictions, intermediaries (such as ISPs, social networking services etc.) have more onerous responsibilities to assess and deal with defamation that is being disseminated utilizing their systems.

Prohibited activities, and restrictions on activities, vary from jurisdiction to jurisdiction. For example if you sign up for a cloud service that streams advertising as part of its standard business, will the advertising comply with the laws where you are providing the services?

Because cloud computing is an evolution of SaaS and outsourcing, many aspects of the legal concerns it raises are “déjà vu all over again” (Yogi Berra). That doesn’t mean that they have been properly addressed by legislators and / or the courts; so in contracting for the services, the parties will need to make sure that they deal with them to their satisfaction.