This article is written by Oruj Aashna, a student of Calcutta University. The article talks about the cloud computing model and its legal perspective concerning possible issues to the cloud paradigm.
Over the past several years, remarkable advancements in technology have had a significant impact on law practice. The technology boom does not come for free: the need for legal control has come along with it. Every advancement in technology is coupled with the application of one or more laws that need adjustment to meet current standards. It is no surprise that technology law is evolving rapidly, which has made the boundaries of law surrounding technology more extensive than before.
Some of the technologies that have a tremendous legal impact are artificial intelligence, encryption technology, crypto assets, and drone and space technology. One such development that needs legal intervention and routine regulatory adjustment is "Cloud Computing." This article addresses possible arguments against cloud computing and the regulations governing the cloud computing paradigm.
What is cloud computing?
The United Nation’s National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources which can be supplied with minimal management effort and service provider interaction. Simply put, cloud computing is easy and accessible computing support provisioned by a third party (the cloud service provider) to an end-user or organization, usually via a web browser or web service.
Cloud computing provides greater flexibility to businesses as applications and services can be deployed in less time, allowing companies to shift the burden of maintaining the infrastructure to the cloud service provider. This shift of responsibility enables the organization to concentrate on business-oriented projects rather than infrastructure management.
- For example, suppose a company has a variable requirement for a particular specification, such as RAM, processor, or hard disk, for a specific operation. In that case, it will not have to incur extra cost or time to deploy that infrastructure if it provisions the same from a cloud service provider. Cloud computing therefore enables businesses to reduce cost, and it helps them scale outward and inward rapidly, commensurate with demand.
- Some examples of commonly used cloud services are Dropbox, Gmail, Google spreadsheet, AWS, and FlexiScale.
- Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) are the three main cloud service models. Businesses outsource storage and data to entities with a cloud service model.
This outsourcing could lead to unauthorized access to the data, including access by third parties. This is where the question of legal issues arises.
Issues in cloud computing
One of the most difficult areas today is the cloud. The core of the issue is the nature of the cloud, and the biggest problem that follows is the way personal data is processed in the cloud, with no visibility into what is happening to the data. Given below are some of the issues that can arise while utilizing a cloud computing service.
Data privacy and security
When diving into the benefits of cloud computing, one shouldn’t overlook the security issues that come along with it. The concern arises when we start moving applications and sensitive data into a shared cloud environment. The data transmitted is exposed to data breaches and to unauthorized third-party access. The fluid nature of cloud computing lacks a regulatory framework, and sometimes it isn’t easy to match the privacy standards of various jurisdictions. The cloud service provider here has control over your data, and the consumer has to adhere to the ‘reasonable’ security standards it provides. ‘Reasonable’ could mean any cybersecurity standard, such as ISO/IEC 27001 and 27002, ISO/IEC 15408, and other national and industry-specific standards.
Data stored in the cloud is either encrypted or unencrypted. Data encryption is currently the only method ensured by the cloud service provider to protect data and keep it confidential, which is discussed in the next segment. Even in the unencrypted method, the service provider uses two keys, i.e., public and private. While the public key can make data available to everyone, the private key is meant to protect against non-private access.
Now, the question is whether there is any window that gives the Government or its agencies access. In most cases, it remains possible for the Government to look into the data even if the data is encrypted. There are vulnerabilities built in by the service provider itself, which allow the Government to get into the data for purposes of law enforcement and inspection.
- For instance, AWS, in their Data Privacy FAQ, specifies that they will disclose customer content if they are required to do so to comply with the law or Government’s order. They are using this provision to build the backdoor for government authorities.
In India, Section 69 of the Information Technology Act mandates that a person in charge of computer resources extend all possible support to law enforcement agencies. Such lawful interference extends to any information stored in the computer device, regardless of the attributes of the computer resource.
One of the major issues one could face with cloud services is data loss. Even though the data is not physically stored on a local hard drive, it is stored somewhere in a physical location and can be susceptible to the same failures as a hard drive. Data loss is possible in cloud computing: even though the cloud is structured to keep data protected, it remains exposed to technology failure and human error.
The question is, who is responsible for such loss? The cloud service provider follows the Shared Responsibility Model, which means that the service provider may be responsible for the security “of” the cloud, whereas the consumer will be responsible for what’s stored “in” the cloud. Shared responsibility suggests that the service provider will be responsible for providing data security via its infrastructure. The consumer, on the other hand, is responsible for the data stored there. The cloud service provider is there solely to provide sufficient protection, but the consumer has to handle the service’s configuration. This means that in the event of data loss, the service provider won’t take responsibility for compensating for such loss. Moreover, the end-user or the company’s client will not blame the service provider for their data loss, because they entrusted their data to the company and not to the cloud provider.
In most cases, the cloud computing contracts (SLA) have fixed terms and leave little or no room for negotiation. However, if the cloud service provider is a small service provider, the customer may have a chance to negotiate the terms of the contract. The flexibility of the agreement also depends on the cloud service model the customer is opting for.
Cloud computing service providers may become dependent on third-party vendors to provide their services effectively. This indicates that if the third-party vendor fails to provide their services to cloud computing service providers or if there arises a conflict between the two parties (the vendor and cloud service provider), the consumer may face a potential risk of losing their data.
Note that cloud service providers, in most cases, do not hold themselves responsible for failures in third-party vendor performance. Apart from failure on the vendor’s end, the cloud service provider can terminate the agreement if its relationship with the vendor is affected. This will adversely affect a business whose data is stored in the cloud. Therefore, customers are regularly urged to allocate the potential risk of failure arising from such dependency.
Jurisdiction issues are mostly associated with the location of data and the governing law at that location. Data stored in the cloud is spread across multiple jurisdictions, resulting in multiple jurisdictional claims over the data and conflicts of laws on the same subject matter. Jurisdictions like Russia and the EU have strict data localization laws that allow providers to process their citizens’ data only if they comply completely with those localization laws. Localization of data, or data residency, restricts the storage of data to within the country’s borders. India, on the other hand, provides for extra-territorial jurisdiction. The service provider sets out the terms related to jurisdiction and governing law in its SLAs.
Jurisdiction also comes into question when the cloud service provider subcontracts with other service providers to leverage their services. In such a scenario, it becomes even more challenging to determine the actual jurisdiction of the cloud where the data is stored.
- The foremost comprehensive law for regulating and protecting personal data is the EU’s GDPR. The GDPR places equal liability on data controllers as well as data processors (such as cloud providers, SaaS vendors, payroll service providers). All the organizations providing cloud services have begun to comply with the terms of the GDPR.
- In 2009, the European Union Agency for Cybersecurity came up with a cloud computing Risk Assessment that acknowledged the upcoming security risks of the cloud computing business model. The assessment is accompanied by practical recommendations, widely referred to by E.U. members and outside the E.U.
- The issue of cloud security and privacy has been addressed by the E.U. and the United States collectively. The International Safe Harbor Privacy Principles, formulated by the E.U. and the U.S.A. and now known as the Privacy Shield Framework, allow data transfers only to those entities in the U.S. which comply with E.U. data protection. Even though the Privacy Shield is no longer a valid mechanism (after the advent of GDPR) for data transfer, the data privacy requirements in the Privacy Shield are still very relevant and valid.
- In India, cloud computing has no recognition under any specific regulation. Still, it is regulated indirectly under the Information Technology Act, 2000 (the “Act”) and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rule 2011 (“Rules”).
- Section 43A of the Act and the IT Rules 2011 provide guidelines for bodies corporate that own sensitive data to maintain proper security practices to secure the personal and sensitive data or information of the consumer. The Act and the Rules set out a regulatory framework for creating, collecting, storing, and processing data stored in an electronic device. Cloud computing service providers have to comply with the provisions given in the Rules.
- In addition to the Act and Rules, service providers using cloud computing in the banking and insurance sector are subject to specific restrictions. Cloud service providers in India may also be required to comply with the Information Technology (Intermediaries Guidelines) Rules 2011 prescribed under the Act.
- In 2019, a Personal Data Protection Bill (PDP) was tabled in the Parliament, the first comprehensive Act that ensures privacy and security of data of Indian citizens. The Bill is similar to the EU’s GDPR, which is the most stringent security and privacy law today.
Cloud computing can be used for different purposes by different entities, so data security and protection concerns can differ. The degree of risk associated with cloud computing differs depending on who is accessing it and the confidentiality level of the data. For example, a consumer using a public cloud application has relatively less security concern than a Government agency using a private cloud for internal data sharing. Thus, the security steps practiced also differ. Nevertheless, the risk does not make the cloud paradigm evil.
We cannot ignore the benefits it comes with, such as cost savings, scalability, on-demand service, broad network access, and rapid elasticity. Cloud computing supplies exceptional benefits to its consumers by providing new computing methods. The risk associated with cloud computing is not uncommon and difficult to allocate. There’s always a window to mitigate risk through technology investment and due diligence from the client’s end. Cloud computing is a safe place, provided the consumer and providers follow the security measures for the same.