Book Review: Cloud Computing: A Practical Introduction to the Legal Issues

April 5, 2011

‘Cloud computing’ has, in recent years, become as ubiquitous a phrase in information technology marketing circles as the phrase ‘quantum’ has in New Age literature; and is sometimes used in contexts of only marginally more plausibility (‘To the Cloud…,’ anyone?). The concept can clearly stir strong reactions – whether Larry Ellison’s early dismissal of it as simply marketing spin or Richard Stallman’s dire warnings about technology lock-in. Critics charge that there is no technology breakthrough, that cloud computing is largely a logical, and hardly earth-shattering, development out of existing concepts such as Application Service Provision (ASP). Yet it is hard to deny that the broadening of the availability of processing/storage elasticity, self-service provisioning and multi-tenancy arrangements appears to be capable of facilitating, not to say compelling, greater innovation and efficiency, from large corporations down to SMEs.

In my experience (notably in the Higher Education sector), when assessing whether adopting cloud services might offer advantages over existing IT provision, services and support, would-be adopters are usually perfectly capable of cutting through the thicket of marketing rhetoric surrounding the technology itself. The devil, as ever, usually lies in assessing the legal issues and risks, and determining whether and how these might influence or undermine a decision to adopt. It is no coincidence that almost every cloud computing themed conference has one or more sessions dedicated to addressing general or specific legal concerns. At such sessions, the majority of questions posed can be condensed into one: ‘Where can I find a source of information about the legal issues that is clear and practically focused, that gives me insight into the key questions I should be asking potential service providers and our legal advisors and that allows me to explain to management and others what the risks in cloud solutions might be, and how they could be addressed?’ Marchini’s Cloud Computing: A Practical Introduction to the Legal Issues is one of the first books to address that question with regard to UK law.

The book begins with a brief overview of the relevant technology, including a helpful discussion of some of the key terminology – eg SaaS, IaaS, PaaS, virtualisation, multi-tenancy etc. Chapter 2 considers which jurisdictions’ laws may apply to a cloud service, why determining this in advance is important for both providers and acquirers of cloud services, and how an English court would determine the answer. Chapter 3 examines the issue of information security: how far acquirers can plausibly conduct due diligence on providers of cloud services, the purpose and value of key security standards such as the ISO/IEC 27000 series, and the role of contractual agreements in protecting the interests of both providers and acquirers.

Chapters 4 to 7 deal with aspects of data protection and cloud computing, including an overview of the law, due diligence in the selection of a cloud provider, handling data transfers outside the EU and data security breach notification. Data privacy has been one of the highest-profile aspects of the law relating to cloud computing, not least because national legal requirements deriving from the EU Data Protection Directive are often so profoundly unsuited to contemporary technology and commercial environments. Key problems in cloud computing arise from a data controller’s inability to pinpoint the precise whereabouts of their data, and from the ease with which data may cross borders. If rigidly interpreted, the law as it stands clearly places obligations upon data controllers which are difficult, if not impossible, to comply with reasonably. Add to this, as Marchini points out, the fact that there is a distinct lack of clarity at present as to whether under EU law a cloud service provider is simply a data processor, or might in certain circumstances be considered a data controller (pp 46-51), and the scene is set for what appears to be an unhelpful complication of an already awkward relationship. In the UK, at least, the book notes that the ICO has taken a more liberal approach than some other European regulators to these issues.

Chapter 8 examines the issue of software licensing in the cloud, including transfer of existing licences, open source licences and the potential role of escrow agreements. Chapter 9 considers another major concern for acquirers of cloud services: how to get their data out of a cloud service in usable form in the event of problems, particularly when that data may be held by a providing party several links down a chain of cloud providers from the one the acquirer has actually contracted with. Chapters 10 and 11 consider Service Definitions and Service Levels, and provide some sage guidance on the need for careful examination and interpretation of cloud providers’ Service Level Agreements, particularly for those not accustomed to lawyerly ways of interpreting words such as ‘availability’ and ‘downtime’. Chapter 12 considers the issue of liability, or perhaps more accurately, the avoidance of liability, for contractual failures. Chapter 13 provides a brief overview of legal issues that may arise for specific sectors: financial services, public sector services and consumer services, demonstrating the need for an acquirer to be conversant with the specific rules applicable to their sector. The final chapter looks ahead to the future of ‘cloud law’, notably the possibility of initiatives to make customer data more portable between cloud service providers, the development of industry codes of practice, and the likelihood of data protection law reform easing some of the problems for cloud computing inherent in the existing framework.

Cloud Computing’s target audience is primarily those who wish to provide or acquire cloud services. It aims to be a practical and accessible introduction to the legal issues for non-lawyers, and for lawyers who are unfamiliar with the technology and its specific issues. As such, the discussion of the technology is relatively light touch, and the discussion of the law not excessively encumbered with the minutiae of statute and case law. From my particular perspective, I would see it as a suitably pitched introduction to the topic for both my Computer Science MSc and Law LLM courses – enough law for the computer scientists and enough technology for the lawyers. Material is explained concisely and with effective use of examples; important issues are highlighted through ‘Practical Tip’ sections in the main text, and via key point bullet-points at the end of each chapter. Overall, I found little to quibble with in the explanation or interpretation. I did find the discussion of coverage of HR data by the US Safe Harbor (p 73) a little unclear, and I wondered what AT&T, amongst others, might make of the assertion on the same page that it was unlikely that many cloud providers would be found amongst telecommunications carriers (Extend your reach with AT&T’s Cloud Services – http://www.business.att.com/enterprise/online_campaign/cloud_computing/). However, these are minor points in a book that has much to recommend it.

Andrew Charlesworth is Reader in IT Law and Director, Centre for IT & Law, University of Bristol