The legal risks of cloud services
by Andrea Moriggi
Cloud computing is a skyrocketing business. It has become crucial for companies to reduce costs, improve network and storage security, and offer a wide range of services with relatively limited resources. It is no secret that large corporations such as Microsoft and Amazon have completely redefined their business around this highly profitable technology. However, all this does not come for free, and the legal implications of this technology are delicate, numerous and often hidden in complexity.
The first part of this article will focus on describing the characteristics of this technology and the concept of optimal resource allocation. In the second part there will be an overview of the most relevant issues around cloud computing and its three service layers.
Optimal IT Resource management in cloud computing
«A strategy is nothing but good intentions unless it’s effectively implemented».
Prof. Clayton M. Christensen – Harvard Business School
Cloud computing has been defined as the «model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources». Although definitions of cloud computing are commonly contested, most authors agree that the three following characteristics always apply to cloud computing technologies:
- Elasticity: defined as the ability to «scale rapidly outward and inward commensurate with demand».
- Multitenancy: which allows the service to be available – through virtualization and resource pooling – over a wide set of devices.
- Economics: through which consumers use the service on-demand, and for the time strictly needed.
In this context, what has come to be referred to as the “optimal resource allocation” or “optimal IT resource management” of this technology is the fact that it allows the user to buy only the service that he actually needs, without requiring costly investments in infrastructure that would in any case become outdated shortly afterwards. Moreover, in the ideal “optimally managed” scenario, the cloud provider bears all the costs of set-up, maintenance, updates, security, management and also – most importantly – all the energy costs necessary to run the infrastructure, while the client is only charged a small fraction of them under a pay-per-use or charge-per-use criterion. In the following section, the three service models that allow this optimal allocation will be explained, along with the legal issues that they naturally carry with them.
Service layering in cloud computing and its issues.
«Every kid coming out of Harvard, every kid coming out of school now thinks he can be the next Mark Zuckerberg, and with these new technologies like cloud computing, he actually has a shot.»
Marc Andreessen – Netscape founder
Cloud companies usually provide one or more service layers to their clients; these services can contain both a physical as well as an abstraction layer. The physical layer is the hardware necessary to support the cloud services (such as servers, wires, physical infrastructures and storage capacity), while the abstraction layer is the algorithm (software) which allows the interaction between the physical components.
The three models described below are used to define the different types of services that usually go under the general name of “Cloud” computing. These are:
- Infrastructure as a Service (IaaS): this model provides servers (either physical or virtual), cloud-based storage as well as applications that the administrator will use to set up its service. This layer has been defined also as the “pay-as-you-go service”.
- Software as a Service (SaaS): means «the capability provided to the consumer […] to use the provider’s applications running on a cloud infrastructure». In this model «the applications are accessible from various client devices» through a client interface managed by the cloud provider. This service has also been defined as the «cloud-based foundation for software on demand» or the «consumer-use layer», since services are provided seamlessly to the end-users.
- Platform as a Service (PaaS): it is a platform within which developers can build and deliver their applications.
The concept of “service layering” that applies to the various cloud services could, in fact, be understood either as the single layer of infrastructure/software/platform provided, or as the combination of more than one of the services (for instance, frequently, IaaS and SaaS or PaaS and SaaS).
In view of this, saying that the legislation in which cloud computing operates is complex is probably an understatement. This is due both to the different jurisdictions in which it inevitably operates and to the fact that some regulatory requirements may vary from country to country. The possible legal issues that arise with this technology are, indeed, related to almost every technical profile that characterizes it: from data privacy and data security to data property, copyright and IPRs, freedom of information, contractual issues (civil liability for stolen or lost data as well as service interruption), and even the VAT treatment of such services. However, the impression is that businesses are underestimating the legal risks related to this technology, while they prefer to focus their attention on business risks, which are typically short-term issues threatening profits and margins. According to the IDC Enterprise Panel, in fact, the challenges and risks that are preventing businesses from adopting cloud computing are (in order of importance) security issues, performance, availability, difficulty of integrating and customizing with in-house IT, and concern about increasing costs. All of them are far from being legal issues; they are rather business-driven concerns.
Returning to the initial question, what are the legal issues that arise from cloud computing and its multiple-layer structure? Starting with data privacy, one of the first issues that we should bear in mind when thinking about cloud computing is the applicability of the European General Data Protection Regulation (GDPR). In fact, if the data processed by the cloud provider is “personal data” and relates to EU citizens, the provider needs to comply with the new EU privacy regulation, even if its servers or its headquarters are located abroad, which is the case for most cloud providers (Amazon, Alphabet, Microsoft, IBM – all the largest providers are, indeed, located in the United States). Commentators believe that «data encrypted and secured to recognized standards should not be considered ‘personal data’ in the hands of those without access to the decryption key» since they offer nothing else than “utility infrastructure services”. If we accept the validity of this theory, all the European privacy implications, such as data anonymization, sharding or fragmentation of data, and encryption, will not apply to cloud providers that don’t have access to decryption keys. Adopting this view could definitely bring an advantage to large companies, particularly to those that offer services such as IaaS or PaaS. For SaaS services, however, excluding the applicability of the GDPR without sufficient grounds could turn into a delicate and possibly dangerous decision – not only because of the possible fines, which go up to €20 million or 4% of the worldwide annual revenue (whichever is higher), but also because of the damage to the reputation of the company. Moreover, it is proven that the larger the company, the more likely it is to comply with the highest level of privacy required by law anyway, without difficulty.
Customers are becoming more and more aware of privacy risks and are taking such concerns very seriously; on the other hand, companies do not want to be seen as “law avoiders” or bad actors, and tend to accommodate this higher level of compliance, also as a differentiation strategy from smaller competitors (who usually can’t afford it). Moreover, this choice is driven by the fact that companies know very well that the provider’s client can hold personal data relating to its customers on the cloud, and therefore the client will be likely to require a higher privacy standard and guarantees before entering into any negotiation.
As for data property, if it is true that the «essence of cloud computing is that a customer entrusts its own digital information, together with that of third parties, to the cloud computing service provider» (particularly true in the case of IaaS and PaaS, where the cloud provider is nothing more than a “utility infrastructure service”), then what happens to the ownership rights related to it? And does the cloud generate a new kind of information property right? The information that the cloud provider receives and stores is beyond any doubt owned by the client, because it is generated outside the cloud. No one would think that putting data in the cloud could change its ownership status, which is – among others – protected under copyright law. When it comes to information generated inside the cloud, however, the situation changes. The most controversial case, for instance, arises in data mining, where the cloud generates or finds new content. In these events it is not certain who owns such content, and if contract law does not provide a clear answer, we find ourselves in a legal grey area open to interpretation and speculation. It is undisputed that contract law does not usually cover all the aspects of a contract, and in cases like this – where such a circumstance is not specified – the uncertainty might lead the parties to litigate over the ownership of the mined data.
Litigation, indeed, is another complex issue that might arise. The correct application of the law to any pathological event that involves the contract (for instance, any breach) is certainly a matter of civil law, which, however, lends itself to strategic choices as to the forum or the alternative dispute resolution mechanism. This is made even more complex by geographical issues, since cloud services usually involve extra-territorial entities; this would make any form of transnational litigation prohibitively costly, with the consequent likelihood that the client is somehow forced to withdraw his claims. The parties need to consider carefully whether to accept a clause with a foreign jurisdiction for their cloud contracts (provided that they have any sort of negotiating power), since claims and disputes are anything but infrequent in the cloud industry.
Another legal risk is related to the costs that the company might suffer as a consequence of a data breach within the cloud. In fact, the company would have to declare the breach not only to the supervisory authority, but also to the data subject. This poses a threat to its reputation and exposes the company to the civil liability that might arise because of the breach. In similar cases, for instance in scenarios of loss of data, the company might suffer financial damage due to the compensation that it would have to provide to the customer, both for the actual loss and for the loss of profits as a consequence of the breach. The same applies to service interruption and a myriad of other examples concerning customers’ data. Imagining all this in a more delicate environment, for instance in relation to services such as healthcare, public safety or the military, makes it easy to see how this could impact a broader spectrum of subjects, and therefore leaves a gigantic question mark over how citizens can expect some protection ensuring that these services are always working. Even if public law is unfortunately of little use in giving answers, the hope is that regulators will find a way to ensure that these services are not only protected by civil law but, since they are becoming essential to society, are also granted some sort of public-law safeguard.
Concluding with privacy-related issues, it is worth mentioning the principle that no data can be transferred outside the European Union without an adequate level of protection, according to article 45 of the GDPR. In the case of the US, the cloud provider needs to be indicated in the “Privacy shield list” available on the official website of the International Trade Administration of the U.S. Department of Commerce. Otherwise, as a general rule, the company can only store data in European data centers.
Another – and last – delicate point is related to the liability of the cloud provider for illegal content uploaded by its clients. In the EU, Directive 2000/31/EC (E-Commerce directive) protects cloud providers with an exemption from liability in case the cloud provider only engages in the activity of caching data (thus, when it does not modify or have actual knowledge of and control over the information). However, this is not the case in many other countries, where – especially in common law jurisdictions – the law might not be clear enough and a reversal from the highest courts is always around the corner.
«Big Law will finally start to go big in the cloud.»
Dennis Garcia – Associate General Counsel, Microsoft Inc.
Cloud minimizes the costs of transforming a concept from the ideal to the reality stage, making the implementation of software easier than ever before. What is technically easy, however, could bring serious legal complications, and in the same way that the cloud environment is made up of different layers of services (Software, Platform and Infrastructure as a service), it is also made up of several layers of risk which include every conceivable area of the law.
Despite cloud computing having been around for quite a long time, legislators around the world – with few exceptions – haven’t really made an effort to adapt regulations to fully reflect the complexity of this increasingly important technology. Let’s think about information ownership, for instance. On the one hand, it might be good for companies to be able to navigate the vacuum left by worldwide regulators comfortably, and at a fast pace. If it is undoubtedly positive that cloud providers move and adapt nimbly among the thorny issues that this technology naturally brings with it, on the other hand there is always the spectre of the danger that leaving such open margins may lead to abuses that will eventually go in the opposite direction to innovation. In this sense, we have noticed that companies are more worried about the short-term business implications than about legal issues. In the words of Max Weber, «the rationalization and systematization of the law in general and … the increasing calculability of the functioning of the legal process in particular, constituted one of the most important conditions for the existence of … capitalistic enterprise, which cannot do without legal security». If this assumption is true – as I believe – then we would need more legal certainty to keep innovating and let society benefit from new technologies.
 Through Amazon Web Services
 M. Valsania, Microsoft, ricavi oltre i 100 miliardi grazie al cloud, Il Sole 24 Ore, 20 July 2018, available at: http://www.ilsole24ore.com/art/finanza-e-mercati/2018-07-20/microsoft-bilancio-alto-grazie-cloud-ricavi-oltre-100-miliardi-072229.shtml?uuid=AED0rkPF
 The Cloud segment of Microsoft Inc.
 Compared to the same trimester in 2017
 T. Mell – P. Grance, The NIST Definition of Cloud Computing, US Department of Commerce, 2012
 B. Halpert, Auditing Cloud Computing: A Security and Privacy Guide, John Wiley & Sons, 2011, p. 2
 See supra note n. 5
 See supra note n. 6
 See P. Kumar – R. Kumar, Optimal resource allocation approach in cloud computing environment, 2016 2nd International Conference on Next Generation Computing Technologies (NGCT), Dehradun, 2016, pp. 112-117
 The concept of pay-per-use and pay-per-charge is mentioned in T. Mell – P. Grance, The NIST Definition of Cloud Computing, see supra note n. 5
 See supra note n. 5
 As pointed out by Hon, Millard, Walden, «These services may be viewed as a spectrum, from low-level functionality (IaaS) to high-level functionality (SaaS), with PaaS in the middle» in The Problem of ‘Personal Data’ in Cloud Computing. What Information is Regulated?, Queen Mary University of London, School of Law Legal Studies Research Paper, 2011
 Jamsa, Cloud computing, Jones & Bartlett Publishers, 2012, p. 6
 Defining IaaS, PaaS and SaaS, IBM, 2018, available at: https://www.ibm.com/cloud/learn/iaas-paas-saas
 See supra note n. 5
 See supra note n. 5
 Jamsa, Cloud computing, cit., p. 8
 K. Selden, Rethinking the Cloud: Legal Aspects of Cloud Solutions, University of Colorado, Technical Services Law Librarian, 2013, p. 34
 See supra notes n. 13 and n. 14
 See A.S.Y. Cheung – R.H. Weber, Privacy and legal issues in cloud computing, Cheltenham and Northampton, MA, Elgar Law technology and society, 2015
 IDC Survey, 2008. As reported in T. Dillon – C. Wu – E. Chang, Cloud Computing: Issues and Challenges, IEEE International Conference on Advanced Networking and Applications, 2010, p. 1
 According to customer’s answers.
 Regulation 2016/679/UE
 Under article 4 of the GDPR, processing means «any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction».
 Pursuant to article 4 of the GDPR, personal data means «any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person».
 K. Hon – C. Millard – I. Walden, The Problem of ‘Personal Data’ in Cloud Computing. What Information is Regulated?, Queen Mary University of London, School of Law Legal Studies Research Paper, 2011, p. 8
 See supra note n. 26
 Above the level required by law
 C. Reed, Information “Ownership” in the Cloud, Queen Mary University of London, Legal Studies Research Paper, 2010, p. 2
 See supra note n. 26
 Supra note (C.Reed), p. 6
 Forum shopping does not necessarily have to be seen with a negative connotation. As pointed out by P. Paschalidis, Freedom of Establishment and Private International Law for Corporations, OUP Oxford, 2012, par. 25, «Bad forum shopping is a choice of jurisdiction of an available forum, which is not a natural forum, with the sole purpose and knowledge that the opponent is most likely to lose there».
 Pursuant to article 33 of the GDPR, «In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons».
 Article 34 of GDPR: «When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay».
 According to article 45 of GDPR «A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation». On this matter, see also the Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and the free movement of such data n. 12555/15, available at: http://data.consilium.europa.eu/doc/document/ST-12555-2015-INIT/en/pdf
 A full list of companies is available at: https://www.privacyshield.gov/list
 P. Van Eecke, Cloud Computing Legal issues, DLA Piper, 2014
 According to article 13 of the E-commerce directive, «[…] Member States shall ensure that the service provider is not liable for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request, on condition that:
(a) the provider does not modify the information;
(b) the provider complies with conditions on access to the information;
(c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;
(d) the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and
(e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement […]».
 Quoted in D.M. Trubek, Max Weber on Law and the Rise of Capitalism, Yale Law School Legal Scholarship Depository, 1972