CSA Legal Information Center Arrow to Content

Introduction to the Legal Information Center

Confusion about legal issues is one of the biggest issues facing both cloud providers and cloud customers. Laws regarding government access to data vary in respective countries. Laws governing privacy protections for citizens and cross-border export of data also differ according to jurisdiction. There is also a great deal of hype and misinformation around specific laws, such as the Patriot Act in the United States.

The CSA Legal Information Center is an expert-led community resource for global legal issues impacting cloud computing. Our mission is to provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by technology trends and may require modification.

Legal Information Center Sponsor

Ask a Legal Expert

Have a question about a thorny legal issue related to cloud? Just ask! The CSA Legal Information Center is staffed by legal experts ready to help you. We will endeavor to answer as many questions as we can, please send your question to [email protected]. Please be aware that the experts will provide general answers based upon the questions received, and may be missing important context. We are not providing legal advice in any matter, please remember to consult your own attorneys ;)

Questions

Q. What is a good strategy for moving my data into the Cloud?

A: My first reaction is to ask you whether you have conducted proper due diligence to evaluate your data, and determine those that can / cannot be moved to the cloud. Cloud is not appropriate for *any* type of the data unless some specific measures are taken. Some data are more valuable or more sensitive than others. They may require more protection, or you may not be allowed to move them to the cloud because of legal or other types of restrictions. For example, your company may be bound by a contract – such as a non-disclosure agreement or a services agreement - that prohibits your company from doing certain things, or that requires the customer’s prior approval before doing certain things. You or your customer may be subject to stringent rules. For example, the Rules of Ethics that apply to lawyers require lawyers to ensure the confidentiality and availability of files that they hold on behalf of their clients or that pertain to the client’s case. These and other rules regarding competence and accountability may prevent lawyers from using cloud for certain purposes. Thus, the strategy should start first by evaluating your data, your operations and your needs, and determine the restrictions that are attached to each category of data, i.e. the contracts, rules, laws, regulations as well as the technical and operational requirements regarding these data. As a rule of thumb, it is generally more prudent to start with less sensitive data, and data that are not regulated.

Q. What is happening with the European Union with the new Data Protection Regulation?

A: The European Union is considering a significant overhaul of its laws regarding the protection of personal data, which would be based on one single document, the EU Data Protection Regulation, and would move away from the current regime where there are 27 different national data protection laws. The Regulation is still in the formation stage. Think of it as a bill. A first draft of this “bill” was published in January 2012. Since that time, there has been a considerable amount of lobbying to suggest changes to, or removal of, certain provisions. At this point, it is unlikely that a final draft will be approved and effective before the end of 2013. Once the Regulation is finally adopted, it will become effective and enforceable two years later. In the meantime, companies should start evaluating what the changes that the new EU Data Protection Regulation would bring, and the extent to which the company would be able to meet these new requirements. For example, the new Regulation would grant individuals a “right to portability”, which would require companies to provide customers with a copy of their data when the customer moves to a different service.

Q. Which law applies to data held in a cloud?

A: This is an excellent question but one that is very difficult to answer because countries around the world do not respond in the same manner and it is difficult to predict what a particular court will rule. In a recent, highly publicized case against Facebook in Germany, the court ruled that Facebook was subject only to the law of the country in which it has its headquarter. The case had to do with a requirement on the sign-up page of the German version of Facebook. A privacy organization had filed a lawsuit against Facebook to require Facebook to make certain changes. Facebook European headquarters are located in Ireland. The German court ruled that German law did not apply because Facebook is registered as a company in Ireland, and not in Germany, thus Irish law should apply. While Facebook has operations in Germany, the court found that the Facebook German subsidiary is only an ad sales and marketing organization that is not concerned by the specific lawsuit. There is a similar case pending in France against Twitter with similar issues, and it will be interesting to find out what the French court of appeals will rule. The globalization of services has created havoc in the way court determine jurisdiction and applicable laws. Today, it is very difficult to predict which way a court will rule.

Q. As a user of cloud services, I read a lot about the ability for governments to gain access to my information and the information of my customers. In reality, how often does this happen?

A: It is impossible to give a definitive answer about the prevalence of government access to data stored by cloud providers. Some provider requests, such as those related to national security, may be required to be confidential. However, a very useful resource is the small but growing trend towards transparency reports. Google has the most extensive transparency report, which provides statistics on the number of requests for user data as well as data removal requests, broken down by country. We think this is good information and we hope to see all cloud service providers follow this trend. We also encourage you to read the CLIC whitepaper related to this topic, "What Rules Regulate Government Access To Data Held By US Cloud Service Providers"

Q. Should I be concerned that my cloud service provider does not have custom E-Discovery services?

A: It definitely warrants further investigation on your part before you need it. In most cases, your cloud service provider should at a minimum have documented capabilities for responding to requests for data related to litigation. Ideally a customer and provider should have an understanding of mutual E-Discovery obligations within the Service Level Agreement. According to the CSA Cloud Data Governance survey, 59% of cloud service providers have a capability to locate and search all of a customer's data.

Legal Information Center Sponsor

Videos

RSA 2014 – Trust in the Cloud: How Leading Companies Build Trust

RSA 2014 – Trust in the Cloud: How Leading Companies Build Trust

Event sponsored by SpringCM

Release Date: April 01, 2014

RSA 2014 – Trust in the Cloud: Evaluating Data Handling Practices

RSA 2014 – Trust in the Cloud: Evaluating Data Handling Practices

Event sponsored by SpringCM

Release Date: April 01, 2014

RSA 2014 – Trust in the Cloud: Legal Background – Francoise Gilbert

RSA 2014 – Trust in the Cloud: Legal Background – Francoise Gilbert

Event sponsored by SpringCM

Release Date: April 01, 2014

RSA 2014 – Trust in the Cloud: Introduction – David Cullinane

RSA 2014 – Trust in the Cloud: Introduction – David Cullinane

Event sponsored by SpringCM

Release Date: April 01, 2014

Legal Information Center Sponsor

Legal Information Center Sponsored Resources

Planning for E-Discovery in the Cloud

Planning for E-Discovery in the Cloud

Release Date: May 21, 2013

Cloud Computing: What Damages in Case of Outages

Cloud Computing: What Damages in Case of Outages

Service interruptions are inevitable regardless of whether the cloud service provider is a small company or a large company. When a cloud service goes down, users lose access to their data; they may also be deprived from the processing capabilities that are provided as part of the cloud offering.

Release Date: May 21, 2013

Article 29 Working Party Cloud Computing Opinion: A Blow to Safe Harbor

The Article 29 Data Protection Working Party—which includes representatives of the data protection authorities of each of the European Union member states—recently issued an opinion on cloud computing that could impact U.S. cloud providers.

Release Date: February 22, 2013
Verson: 1.0

What Rules Apply to Government Access to Data Held by US Cloud Service Providers

What rules regulate government access to data held by US cloud service providers.

Release Date: February 22, 2013
Verson: 1.0

CSA Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery

This domain highlights some of the legal aspects raised by cloud computing. It provides general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery under Western litigation.

Release Date: November 14, 2011

Offsite Resources Version Release Date URL
US Dept of Commerce Clarifications regarding US-EU Safe Harbor Framework and Cloud Computing N/A N/A Link (pdf)
Article 29 Working Party Opinion on Cloud Computing WP 196 N/A 07/01/2012 Link (pdf)
United Kingdom ICO Guidance on the use of cloud computing 1.1 10/02/2012 Link
Ethics Opinion regarding use of cloud by attorneys - Massachussetts Bar N/A N/A Link
Ethics Opinion regarding use of cloud by attorneys: New York State Bar N/A N/A Link
Microsoft Law Enforcement Requests Report N/A N/A Link
Google Law Enforcement Transparency Report N/A N/A Link
PCI Data Security Standard (PCI DSS) Cloud Computing Guidelines 2.0 2013 Download
US Department of State/Department of Justice: Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States 1.0 2012 Download
European Parliament: Directorate General for Internal Policies: Fighting cyber crime and protecting privacy in the cloud 1.0 2012 Download
Proposed EU directive concerning measures to ensure a high common level of network and information security across the Union 1.0 2013 Download

Legal Information Center Sponsor

Legal Information Center News

February 21, 2013

Executive Briefing: US and Foreign Laws Regulating Government Access to Cloud Data on Feb 28, 2013

The Cloud Security Alliance and Box.com are hosting a “by invitation only” executive briefing in San Francisco for users and vendors of cloud services, focusing on Government Access to Data Held in the Cloud, which will take place on Thursday February 28, 2013 from 8am to 11am at the Sir Francis Drake Hotel, Franciscan Room,…

Legal Information Center Sponsor

Page Dividing Line