Is the Cloud cloudy?
By Richard Milchior, Partner, Granrut Société d'avocats
Posted: 14th February 2013 10:20
For the last two years, Cloud computing has seen incredible growth. Recent forecasts mention a turnover of around €29 billion, including 1.7 billion in France at present, expected to rise to 5 billion by 2015. Everybody wants to be part of a growing market where the future is.
Hundreds of articles have now been written worldwide to explain how beautiful the Cloud is (mainly by software companies and management or consulting people). Hundreds more have been written by lawyers explaining how dangerous it could be.
In addition, entities such as the European Commission, the various national data privacy authorities and the G29, which groups all the European data protection authorities, have commissioned studies, prepared reports and established or proposed charters or guidelines concerning the use of Cloud computing.
In parallel, a new trend is emerging: national clouds are being organised in several countries with the dual objective of competing with the US giants and of protecting national sovereignty. This article summarises the arguments most often used by those in favour of the Cloud and by those afraid of it, examines the answers proposed to assess their relevance, and tries to propose a new solution.
The companies offering a Cloud service explain:
- That Cloud services are a source of savings since, for instance, you have a storage area which is flexible according to your needs and you pay according to your use.
- You do not have to pay for the licence and install the software that you need, since you will pay according to use and the software will be available remotely.
- A level of reliability which is usually between 99 and 100% is mentioned and sometimes guaranteed.
- The technological knowledge of the provider is also mentioned, and it is true that the biggest providers of cloud services are companies which have been active in the computer field (hardware and software) or in the internet or e-commerce world for several years and sometimes more.
- The newer companies will, on the contrary, explain that they are more agile and have been created specifically to provide this kind of service and are therefore better prepared and equipped to provide it.
The lawyers and the authorities have a different view.
- They explain that, from a technical point of view, you may have data protection issues, especially if the data are transferred to another country.
- They mention that using the services of a US company which will host the data in the US creates the possibility that those data will be examined or transferred to Homeland Security on the basis of the Patriot Act.
- They recall that some big providers have suffered stoppages lasting several hours and that clients were not able to work during those "long periods" of time.
- They mention that clients should check whether a reversibility clause exists, to be sure of being able to recover their information when the agreement ends.
- They point out that some contracts mention that the service can be interrupted with 8 hours' advance warning or even less.
Relief is not really available, since you may have to go to a remote (remote for Europeans and even for Americans) state court located, for instance, in San Antonio, TX, or in an exotic location where you may then have to bear the cost of US litigation. How will you deal with this when your service can be cut off in the next few hours?
The providers of national clouds state that their data remain located inside their national territory, which minimises the risk of loss or theft of data in other countries and can also reduce some costs since the information travels less.
The major advantage put forward is nevertheless protection against economic intelligence (in other words, economic espionage), since some states have been known to spy on companies of foreign countries to help their own companies.
Although national clouds are being promoted, we are nevertheless far away from a European Union Cloud which could be promoted with the assistance and under the umbrella of the European Commission.
A European cloud is as relevant as the launch of the Galileo satellite to maintain European independence in space.
The solution offered by the creation of charters or guidelines.
The solution offered seems to have been prepared by people living outside the real world.
It is advised for instance to request to know where the servers are located or to obtain a right of audit. Those are for instance two solutions mentioned by the ICO (the UK authority for data privacy).
People are also advised to request a reversibility clause to be able to recover their data.
This type of advice is given to everybody.
This advice simply forgets that a single person or an SME will not deal with a real person but will be offered the possibility to click on a contract without any possible discussion.
Very often no address or phone number is available. It is obvious that the big providers do not want to discuss those contracts with everybody but ask you to sign (in fact, to click "accept" on) a template agreement.
The situation may be different for big companies, which may have bargaining power. However, even for them, one can wonder how many have ever tried to find out whether the reversibility mentioned in the agreement works for real and whether one is able to reuse the "reversed" data.
Those who have tried to recover backed-up data, or have lived through a migration from one software product to another when everybody is trying to make things work, understand the problems one may face when the other party is not cooperative, as may happen with a provider that you are leaving.
A very fragile way of protecting the interests of all parties has been opened by the agreement between IBM and a data protection authority allowing clients a right to audit.
If the single client (small or even big) does not have the bargaining power, the intervention of the data privacy authorities or that of the European Commission may lead to behavioural or contractual commitments from the supplier and, as a last resort, a consumer protection regulation protecting the clients of the Cloud to ensure safety, quality and reliability could or should be envisaged. Other improvements are shown by the fact that Amazon has agreed to position some storage centres in Ireland to guarantee the Brittany region that its data will remain in Europe.
The future could be to create, as exists in the data protection field, standard contractual clauses whose implementation in the contract would be recommended and would be enough to safeguard the customer, at least from a legal point of view. The contract should mention that it applies clauses which supersede any contrary provision. If this is not enough, the creation of a minimum regulation, if possible at the EU level, should be envisaged, but all of this should happen quickly, in the next year or two.