The dematerialization of data has taken on particular significance with the development of cloud computing. This solution provides simplified, cost-effective access to certain services without the need to purchase hardware: data is stored on outsourced servers and can be accessed at any time via secure Internet access.
The implementation of cloud computing solutions raises numerous technical issues for IT Departments (localization, certification, service level guarantees, etc.). Legal issues must not be overlooked, in order to prevent the consequences of any damage and determine responsibilities.
As in the case of Internet law, cloud computing has experienced rapid growth, necessitating a determination of the law applicable to this new practice, with a view to protecting its users while providing a legal framework for its use.
When a company outsources its data to a service provider, it retains the status of data controller within the meaning of the French Data Protection Act. It will therefore be liable for the consequences of fraudulent use or loss of its data, even though it no longer has control over this data, which is, by definition, outsourced.
Particular attention should be paid to liability limitation clauses, which are valid insofar as they do not deprive the essential obligation of the contract of all substance.
Service contracts incorporating cloud computing should include mechanisms for limiting access and providing enhanced security for sensitive data. In addition, to ensure that data can be retrieved at any time, it is strongly recommended that a reversibility clause be included, and that its content and application details be specified.
At the heart of companies’ concerns lies the issue of confidentiality, a notion that varies according to the nature of the data stored and the desired level of protection.
In addition to controlling access conditions, confidentiality protection is closely linked to the location of data storage, which is often difficult to know with any certainty. If the contract sets no restrictions when it is signed, storage servers can be hosted anywhere. Outside the European Union, and without specific company agreements or Safe Harbour agreements, an adequate level of data protection cannot be guaranteed. It is therefore advisable to include a specific clause in the contract with the service provider, requiring data to be stored in a country offering an adequate level of protection in line with EU regulations.
At the end of last year, the specialist press reported on the average quality of cloud contracts offered by certain providers, particularly foreign ones. It is in the interests of both providers and customers to have a quality contract. The commercial development of a service also depends on its contractual environment…