Mythbusting: There are no good legal reasons to avoid Cloud Services

Cloud computing services are here. Find out how your organisation can take the necessary steps to benefit from these services, comply with legal requirements and, most importantly, stay ahead of the curve.

By Rob Bratby, Managing Partner, and Matthew Hunter, Principal Associate, Olswang Asia LLP


Cloud computing services are already widely used today, but their usage is forecast to rapidly increase over the medium term. Cloud computing services offer big benefits to users, but some organisations have been slow to take advantage. Sometimes, this is because organisations believe that there are legal restrictions in place on their use of cloud. By and large, this belief is a myth. This article describes the steps organisations could take in order to benefit from cloud computing services and yet stay in compliance with legal requirements.


Cloud computing services are a new delivery model for IT services. In short, instead of buying and maintaining (expensive) computer servers, cloud computing services allow organisations to store and access their data on servers owned and operated by third party cloud service providers (CSPs) over the Internet. At its simplest, it’s the difference between buying and renting computing power. There are material cost benefits, because the customer pays for the service as an operating expense without significant capital expenditure. The services are also more flexible and very quickly scalable. They can offer other technology and security advantages.


Individuals, start-ups, SMEs, large organisations and multinationals across industry sectors are using cloud computing services today. The public sector, too, is benefiting. However, only a fraction of the world’s data is currently held in the cloud, and the world is going to produce and use a lot more data in the future; the Internet of Things will produce infinite amounts of more data, and every organisation will eventually be able to use big data tools.


There can be organisational and technical challenges when migrating to cloud computing services; rarely would legal and regulatory requirements pose problems, although these are often cited as reasons against the adoption of cloud services.


We think that there are the three basic steps that organisations should follow in order to benefit from cloud computing services while complying with legal requirements.


Step 1: Understand what kinds of data you want to share with the CSP


Data tends to fit into some or all of the following categories:

(i) confidential data: eg business secrets, strategy information, competitive advantage data and marketing data

(ii) personal data: eg data about identifiable individuals like your staff, customers, clients and users

(iii) regulated data: eg data about patients, data about customers of financial services institutions and state secret information


Step 2: Understand what legal requirements apply to you and to the kinds of data you want to share with the CSP


If your data is confidential, the legal challenges are straightforward. You need to make sure that the CSP keeps your data confidential.


If your data is personal, then you need to make sure that your use of cloud computing services complies with the privacy laws in your jurisdiction. Typically, this means that you should ensure that the CSP keeps your data secure, will not use it for other purposes except as directed by you, and will return the personal data to you and delete any copies at the end of the arrangement.


The final category is the trickiest. It’s impossible to capture in this article all of the regulatory requirements that may apply to regulated data or to a regulated industry, as they vary by industry and geography. However, the requirements tend to cover the following kinds of questions. Have you carried out due diligence on your proposed CSP? Are you able to review, monitor and control the proposed arrangements? Are there appropriate audit rights? Will the CSP keep your data secure and is the CSP certified according to international standards? Are the CSP’s services reliable? Is the CSP transparent about the location of your data? Does the CSP promise not to use your data for other purposes? Can the CSP segregate your data? Does the CSP take responsibility for its subcontractors? Will the CSP return and delete your data at the end of the arrangement?


However, it is a myth to say that these types of data cannot be kept in the cloud. Provided that you find the right cloud services provider and follow the right procurement process, you should be able to use cloud services.


Step 3: Find a CSP that will help you meet these legal requirements


You need to ensure that you find the right CSP, one that can demonstrate to you (and sometimes your regulators) that it will meet these requirements.


ISO/IEC 27018 is a new international standard applicable to public CSPs that process personal data for their customers. You should check whether your CSP commits to it; if it does, it will help you to meet privacy law requirements when using the cloud computing services.


CSPs should be able to show a successful track record and demonstrate to you that they understand your legal requirements. They should be able to explain to you how their legal obligations in their contracts meet these requirements, and they should be willing to work with your regulators. Finally, they should be able to show you that they are audited and certified against these requirements.




Cloud computing services offer financial and operational benefits to organisations.


Provided an organisation follows the right process and chooses the right cloud service provider, there is no good legal or regulatory reason why they should not use cloud services.


- END -