In the second instalment of a three-part series on cloud computing legal concerns, we will be looking at the critical issue of retaining ownership and rights over data which you upload to a cloud computing service.
Data which you may create or store using a cloud service will almost certainly be information which you have either created and own, or which you have a licence to use. Depending on its contents, it may also be subject to the laws of your jurisdiction (e.g. personal information collected in Australia will be subject to the Privacy Act 1988 (Cth)). This raises two concerns: one of data ownership, and one of data sovereignty.
In the past, cloud service providers attempted to claim ownership of data uploaded to their services. Today, it is far more likely that you retain any ownership rights to the data. However, tied up in the general provision of services is often a “licence” granted to the cloud service provider over the data which you upload or create using the service.
Obviously, you should ensure that any cloud agreement does not assign any rights to the data uploaded to the service which are inconsistent with the obligations you have in respect of such data or the rights you may exercise over such data, particularly where the data may include sensitive commercial information, personal information or intellectual property.
Data sovereignty is the concept that law applies to data on the basis of where that data is located. In theory, this appears straightforward. In practice, there are major and real issues which companies are facing today.
The most common way an organisation may be caught out by a data sovereignty issue is a catch-22 where two jurisdictions claim that their law applies over data, with the organisation unable to comply with the laws of one jurisdiction without being in breach of the laws of the other. Microsoft recently encountered this problem in relation to emails between non-US residents stored exclusively in one of its data centres in Ireland. The United States government claimed that it was entitled to access these emails due to Microsoft’s US presence, while the Irish government relied on European Union provisions guaranteeing privacy of personal information from disclosure to external parties. These obligations are obviously in conflict with each other, leaving Microsoft in an undesirable position (Microsoft ultimately took a strong position in line with the European Union laws).
Closer to home, an example would be the handling of personal information under the Privacy Act. Personal information stored offshore must be dealt with in compliance with the Act. This causes obvious issues as many jurisdictions may not have the same level of protection for the privacy of personal information, particularly with respect to a government’s ability to obtain such information.
Questions to consider
- What rights does the service provider claim over uploaded data? Do these rights conflict with any other rights granted to any other person?
- Where is the data physically stored? How many countries must the data travel through in transmission between your location and the data server? Are the laws of these countries compliant with the laws of Australia in relation to data access?
The final instalment of this series, titled ‘Cloud Computing Legal Primer Pt 3: Do you have an umbrella ready in case it starts raining?’, will be published here next week.