Kuan Hon - Big Legal Issues Affecting Cloud

Big Legal Issues Affecting Cloud, 23 March 2016, Dr Kuan Hon (@kuan0), Cloudscape 2016


Canter through

• Already law! – contracts from 1 Oct 2015
  o The Insolvency (Protection of Essential Supplies) Order 2015
• Adoption expected 2016, effective in 2 yrs
  o Network & Information Systems Security Directive (NIS Directive)
  o General Data Protection Regulation (GDPR)


If cloud customer goes bust...

• More info http://bit.ly/ITinsolvency
• Cloud provider can’t use contractual right, exercisable upon administration or “voluntary arrangement”, to -
  o Terminate contract - unless eg new charges unpaid >= 28 days
  o Stop supply of service - unless notice to office-holder to terminate without personal guarantee of new charges, & none within 14 days


More points

• Purpose – where rescue / restructuring, ie breathing space only
• Liquidation, bankruptcy - can still exercise contractual right to terminate
• Not just cloud services – supply of
  o Data storage / processing (which must include cloud!), webhosting, computer software / hardware, IT info / advice / assistance...


NIS Directive

• All data, not just “personal data”
• Security obligations + breach / incident notification obligations + penalties for infringement – 2 classes
• Operators of essential services
  o Banks, healthcare, transport, utilities, Internet infrastructure (IXPs, DNS service providers, top level domain name registries)
  o Essential service relying on DSP, incident at provider
• “Digital service providers” (lighter obligations)
  o Incl. ALL cloud providers - IaaS, PaaS, and SaaS
  o (Also search engines, online marketplaces)


NIS Directive implications

• Cloud contracts (operators using cloud for “essential service”)
  o provider notification
• Breach / incident notification to authorities
  o systems & processes
  o preparation / rehearsal – all stakeholders
• Insurance?


GDPR

• New processor (cloud provider) obligations
  o Security, breach notification to customers, international transfers, records, DPO - 2% / €10m
• New processor (cloud provider) liability for compensation if “involved” in processing
  o Choice of who to sue – bigger pockets?
  o Claim back against others at fault iff paid in full
• New detailed, prescriptive requirements regarding contract terms, incl. cloud contracts
  o Audit rights + regulators can demand info / audits
  o “Assist” cloud customer (vs. commodity cloud)


GDPR implications

• Cloud and other processor contracts - change of law / change control clause now!
  o Providers - allocate responsibilities & liabilities, indemnities; costs / pricing
  o Both - new required terms - 2% / €10m
• Cloud-appropriate standard contract terms?
  o CIF, Eurocloud, CSA put forward for approval?
• Approved certifications, codes of conduct
• Breach notification / preparation too!
  o Different authorities than under NIS Directive?
• Insurance?


Killing cloud quickly with DP ?

The GDPR's coming, soon to be law they say
Middle of 20-18 may be the fateful day!
What will this mean for clo-ud? Will cloud be here to sta-ay?
Don't want to be pessimistic, not sure how we'll find a way
Killing cloud quickly with DP, killing cloud quickly, with DP,
tearing up SaaS, PaaS and I-aaS
Killing cloud quickly, with DP…?

Full article www.scl.org/site.aspx?i=ed46375

Photo of Roberta Flack by Roland Godefroy CC BY SA 2.5