
With IT moving so rapidly, it’s not only the user community that can struggle to keep pace – apparently the law is having trouble too.
With judges and regulators left puzzling over the establishment response to each new development, iQ talks to Nigel Miller, Commerce & Technology Partner at technology law specialists Fox Williams LLP, about the legal issues surrounding just three – Cloud Computing, behavioural advertising, and user-generated litigation.
LEGALITY CLOUDS THE ISSUE
From out of the blue, one might say, the last year or so has seen the technology and wider business press dominated by discussion on Cloud Computing – IT services delivered, in various guises, on demand, via the Internet – a good deal of it positive.
Certainly there is an increasingly compelling business case for cloud-based IT delivery – much of which has been discussed here in the pages of iQ. But according to Nigel Miller, Commerce & Technology Partner at City legal firm Fox Williams LLP, in common with several other areas of technology provision, the Cloud is by no means a straightforward proposition from a legal standpoint.
“(With Cloud Computing) your data – which may include the personal details of your clients and customers – is transferred to and held by a third party, and this raises some crucial issues under UK and EU data protection laws.”
There is now an almost continuous news flow about data security breaches in both the public and private sectors, he says, and various authorities and regulatory bodies are toughening their stances in response. “The powers of the Information Commissioner (the UK data protection watchdog), for instance, are being increased to include the power to impose substantial fines. And the FSA (Financial Services Authority) has also flexed its muscles several times, most recently fining HSBC more than £3 million for data security lapses in relation to its customer details.”
“These may not be substantial fines relative to the size of the organisation, but perhaps more important is the negative impact that such breaches (and the attendant publicity) can have on customer confidence and goodwill.”
While few businesses may realise it, he explains, under data protection law, firms using Cloud service providers (SPs) retain ultimate responsibility for the security of the data itself.
“You are expected to ensure that the SP delivers ‘sufficient guarantees in respect of technical and organisational security measures’. Accordingly, in order to comply, you must put in place contractual terms that require the SP to comply with obligations equivalent to those imposed by data protection legislation.”
“The standard T&Cs (Terms & Conditions) of many Cloud providers – most particularly those based outside the UK or EU – don’t generally comply with these requirements.” Technically, so far as the Cloud is concerned, it doesn’t matter where data is located; it can reside in a datacentre anywhere in the world, which may in turn be mirrored to another centre in another location for increased performance and backup. This again can throw up some complex legal issues.
“UK and EU data protection laws – devised before the cloud was conceived – remain pre-occupied with the location of personal information. With certain limited exceptions, businesses are prohibited from transferring personal information outside the European Economic Area (EEA) unless it conforms to certain strict preconditions wherein adequate legal safeguards for the data’s security are put in place.”
THE ANSWER?