Cloud Computing Law (Second Edition)
In a recent article, Gartner predicted that end-user spending on public cloud services would grow 21.7 per cent between 2021 and 2022 to reach $482 billion (‘Gartner Says Four Trends Are Shaping the Future of Public Cloud’, Gartner Newsroom, 2 August 2021, <https://www.gartner.com/en/newsroom/press-releases/2021-08-02-gartner-says-four-trends-are-shaping-the-future-of-public-cloud>, accessed 28 November 2021). Gartner predicted that by 2026, it would exceed 45 per cent of all enterprise IT spending, up from less than 17 per cent in 2021 (ibid.).
Does the rapid expansion of global cloud adoption warrant a 648-page book on cloud computing law? Probably not. Rather, it has been the increasing sophistication of cloud technologies and services giving rise to novel and complex issues, which makes the second edition of Cloud Computing Law a valuable tome for the bookshelf of lawyers whose work involves cloud or data protection.
Chapters 1 and 2 are an overview of cloud technologies, services, and offerings; and control, security, and risk in the cloud. They are more technical in nature, discussing matters like virtualisation, cloud computing storage models, and resource management. But have no fear – the authors have generally managed to explain the technical and abstract concepts in simpler English. I suggest reading these chapters as they provide a foundation to understanding various legal issues surrounding the cloud.
Chapter 3 is about contracts for cloud services. In it, the authors review general terms relating to cloud contracts such as forum selection, dispute resolution, duration, termination, retention deletion, and variation. As the authors had conducted surveys of standard Terms of Service (ToS) in 2010, 2013, 2015, and 2019, they were able to provide information on market trends over the last decade. They concluded that the ToS they surveyed, of 40 services offered by 32 providers, had remained fairly stable. Areas which had not changed much included liability caps, termination and variation clauses, and data retention post-termination. Areas where pronounced shifts had occurred were localisation, choice of law and forum, and having different terms for consumers and businesses. Unfortunately for lawyers and laypersons, the authors described ToS surveyed as still being lengthy, consisting of various documents and sub-documents (which could link to further sub-documents) incorporated by reference. Déjà vu – I recall having had to review over 10 long ToS documents for a procurement of less than SGD15k in value.
Chapter 4 discusses the negotiation of cloud contracts. The authors advise that care needs to be taken in reviewing the basis upon which cloud providers agree to retain data in a particular jurisdiction. This is because: (a) it may not apply to all the provider’s services; (b) many providers only guarantee that the data will be stored at rest in a particular location (which could mean that the data could transit other jurisdictions); and (c) the fact that data is stored in a particular jurisdiction does not mean that law enforcement agencies will not be able to require the provider to hand over customer data, or intercept data in transit. One thing in-house lawyers may be glad to hear is the authors’ observation that cloud providers have been willing to amend their ToS to help their customers meet regulatory requirements. The terms are also refined through discussions with regulators. However, once some providers had decided that their terms complied with the regulatory requirements, they would refuse to amend the ToS any further.
In chapters 5 and 6, the authors bravely discuss information ownership, ownership rights, data sharing and data trusts, and digital assets in the cloud. They observe that English law does not recognise property rights in customer data, while the US courts have been more open to recognising property rights in digital assets. They suggest caution when it comes to expanding property rights to cover digital assets, as it could have significant unforeseen consequences such as a clash with other rights relating to information such as copyright, data protection, privacy, and duties of confidence. In addition, rights and remedies based on property in rivalrous tangible items might not be a good fit for digital information, which is non-rivalrous in nature i.e., it can be possessed by many persons at one time, and such simultaneous possession does not diminish the ability of any one possessor to use the information.
Chapter 7 talks about consumer protection in the cloud, with many references to EU and English law – the book was, after all, published in the UK.
Chapters 8 to 11 are where the action is for data protection, privacy, and cybersecurity lawyers. Chapter 8 examines the rights and remedies that cloud users may enjoy under the GDPR. Chapter 9 examines the roles and responsibilities of controllers and processors in the context of cloud computing. Chapter 10 looks at the GDPR’s application to international data transfers in clouds. Chapter 11 examines the EU regulatory framework for cybersecurity, and its implications for cloud services.
Chapter 12 is about the public sector data and procurement law in the context of the cloud. Chapter 13 talks about access by law enforcement agencies (LEAs) to customer data in the cloud. This chapter provides a good overview of the international instruments and well-known laws under which law enforcement can seek access to data in the cloud (and stored overseas), and spends a couple of pages on related privacy issues, as well as forensic and evidentiary matters. The authors comment that while instruments such as the Cybercrime Convention and the US Clarifying Lawful Overseas Use of Data (CLOUD) Act can be viewed as eroding traditional sovereign rights, they also recognise an extra-territorial extension of criminal jurisdiction, which may strengthen sovereignty in a transnational cloud environment.
Chapter 14 touches on competition issues such as the application of EU Competition Law to cloud computing, interoperability, and user portability. The book takes just a slight technical turn in Chapter 15, where it talks about cloud standards, including data protection and security standards. It also flags some considerations when drafting or reviewing service level agreements (SLAs), and discusses the means by which standards can be given legal effect e.g., contract, certification. Chapter 16 focuses on the tax treatment of cloud computing transactions, an issue which is probably more germane to cloud providers than customers.
If I could make a wishlist of what I would like to see in the next edition (and hopefully it will be sooner than 8 years!), it would be: (a) an examination of types and popularity of insurance to manage cloud risks; (b) a review of the SLA landscape including the negotiability of service levels and remedies for breach of them; (c) a survey of cloud providers’ policies regarding access requests received from LEAs, and the feasibility of negotiating a contractual obligation (if not already present) on cloud providers to notify the target of such requests before acceding to them; and (d) that the surveys on ToS be done closer to the date of publication of the book.
But overall, Cloud Computing Law is the most comprehensive book I have come across on cloud law, well worth its price. Some law books are an exercise in ego filled with bombastic language, whereas this book uses plain English and is generally concise. Truly an enjoyable read!
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of the author’s employer.