‘It’s amazing how they can transmit the internet through the clouds, isn’t it? What jurisdiction are they even in?’ I checked that my friend wasn’t in fact referring to Google’s Loon project or Facebook’s solar-powered drones (where these are pertinent questions[[http://www.theatlantic.com/technology/archive/2013/08/can-we-trust-google-with-the-stratosphere/278797/]]) and then offered to lend him this book: Renzo Marchini’s ‘Cloud Computing: A Practical Introduction to the Legal Issues’ (2nd edn.).
My point? This text is much more workaday than stargazing. The first chapter considers whether cloud computing is a ‘paradigm shift’ (groan). It briefly explores the differences between more traditional, less fashionable, terms such as ASP and service bureau, and the ‘cloud’ terms SaaS, PaaS, IaaS. These terms have become hackneyed, of course, and in the real world are rarely evident. Nevertheless, it would be a helpful introduction for the entirely uninitiated, and this chapter sets the tone for a book that is pitched as ‘a useful and easy to read handbook’.
Chapter 2 deals with jurisdictional issues. It’s beyond reasonable to expect a full treatment of this topic in 11 pages; instead the author points to some practical tips and provides some common-sense observations on FISA orders / foreign law enforcement requests. Overall, more sensible advice than even the Article 29 WP has recently managed.[[http://www.scl.org/site.aspx?i=ed42713]]
Chapter 3 covers security breaches. It’s a high level overview of certain most applicable security standards, along with helpful commentary such as: ‘It is important to note that a cloud provider claiming to comply with BS ISO/IEC 27001 is only self-assessing’. I particularly appreciated the section ‘Provider liability for data’: a five paragraph exploration of categories of ‘real world’ damages arising from loss of data by a cloud provider. I can see this section being useful to bring the topic alive for my own clients.
The book then goes on to cover the topic of data protection regulation. Here it goes into more depth. It is perhaps not unreasonable to spend five of the sixteen chapters on this subject, given its gravity, although the chapter on ‘data protection basics’ is perhaps for a different audience than the later section entitled ‘drafting the BCR-Ps’. The chapter on ‘Data protection: the proposed reforms and the cloud’ is forgivably brief at this time, but will need to be beefed-up considerably in any third edition of this book; many of the nuances of the proposed GDPR texts are significant and material.
The latter chapters of the book return to the breezy approach, and deliver some real nuggets. For example: the page on the topic of ‘The viral effect of the cloud – the Affero Licenses’ is short but expertly written, introducing us to the issue of this viral licence, noting the pitfalls as they specifically relate to cloud providers and explaining that extra care needs to be taken cf. usual GPL style licenses. Also noteworthy is the chapter on ‘Access to data on exit’; it should be required reading for all business-folk wanting to use the cloud.
On the other hand, the section on escrow could be improved with a more practical discussion of how to create cloud-based infrastructure which can be used with, or in some cases mitigate the need for, traditional escrow, eg through the use of containerised deployment and/or other best practice DevOps.
Finally, the book introduces certain issues relating to some specific use-cases: financial services, public sector and consumer. The book rounds itself out with a quick look at tax issues relating to the cloud: short but innovative for a text like this.
Overall, I enjoyed this work. It is stated to be suitable for both lawyers and non-lawyers alike. In my own day-to-day, I can see how certain clients might appreciate reading an appropriately highlighted copy of this book. I’d also happily recommend this book to generalist colleagues, trainees and junior IT lawyers asked to advise on the cloud for the first time.
Even for those of us in this Society, many of whom (I expect) will consider themselves reasonably well acquainted with ‘cloud computing’, a new perspective is always helpful. It fulfils its promise of being an easy read and a useful ready-reckoner.
Cloud Computing: A Practical Introduction to the Legal Issues (2nd Ed.) by Renzo Marchini (2015) is published by the British Standards Institute, ISBN 978 0 580 8229 (http://shop.bsigroup.com) RRP £45
Chris James is Senior Legal Counsel (Digital Ventures and Comms Services) for Telefónica.