Universities are considering working with cloud products. Data protection and small print are giving them pause for thought.
The devil is in the detail, and where the cloud is concerned that detail is data protection. This is often seen as the biggest stumbling block in cloud computing. Specifically, anyone who moves personal data into the cloud remains responsible for compliance with the Data Protection Act. The following requirements in particular must be borne in mind:
Appropriate technical and organisational measures must be in place to protect personal data against unauthorised access and loss, even when data processing is outsourced to third parties. This means that anyone wanting to use the cloud has to find out about the guarantees offered by the cloud provider in terms of data security.
In principle, the Act permits data processing by third parties, but it imposes two restrictions. Firstly, the outsourcing partner may process the data only in the ways the client itself would be allowed to. Secondly, there must be no additional confidentiality obligations that prohibit outsourcing. The client remains responsible for the security of the data being processed.
Commercial providers of cloud solutions in particular often have data centres spread across the globe. Clients' data are sent back and forth between them. The Data Protection Act prohibits the disclosure of personal data abroad under certain circumstances, namely when the privacy of those concerned would be "seriously endangered". According to the Act, this is especially the case in the absence of legislation that guarantees adequate protection in the destination country. The Federal Data Protection and Information Commissioner keeps lists of destination countries that are regarded as safe and those that are regarded as unsafe. The United States is only regarded as safe subject to certain conditions (see last paragraph), whereas the European Union countries generally have sufficient legislation in place. Large parts of Asia, Central and South America are regarded as unsafe. When it comes to a legally compliant choice of cloud provider, it is thus essential to know where the client data will be stored.
In short, the requirements of data protection law must be borne in mind when choosing a cloud provider. In other words, the standard contracts offered by commercial providers must be studied very carefully with regard to the following:
The small print defines the scope of the services provided. What promises are made? What guarantees does the provider offer, for example, in terms of availability? Attention must also be paid to the following aspects:
Contracts often include broadly worded disclaimers. These are legally permissible to some extent in most cases, but they can prove to be disadvantageous for the client when problems arise.
Provisions on the applicable law and place of jurisdiction are of no importance to the client as long as there are no problems with the contract. When difficulties arise, however, they can determine whether or not legal claims are pursued. If the place of jurisdiction is in the US or Australia, it will often be too complicated and too costly for a Swiss client to assert any claim. If the applicable law and place of jurisdiction are Swiss, on the other hand, the legal hurdle for the client is much lower.
What are the provisions on termination? Do they cover returning the data or transferring them to another cloud provider? Does the provider offer any assistance in such cases? Does the provider undertake to delete the client's data after termination of the contract? In conclusion, a critical eye needs to be cast over the terms and conditions. It may be better to store different types of data in different places. By taking this approach, it is possible to implement cloud solutions that comply with Swiss law.