Our examination of common legal concerns in cloud transactions most recently focused on specific contractual issues to resolve before finalizing a cloud provider relationship. Continuing this look at common legal concerns in cloud transactions, we turn our attention to the broad range of government regulations of data that may constrain or alter the relationship between a company and its service providers.
When considering cloud service providers, companies often face special regulatory challenges due to the related loss of direct control over data and infrastructure, and the multijurisdictional nature of many cloud computing offerings.
It’s helpful to understand that the service provider often determines the physical location of data at rest and the route of transmission. Compounding this dynamic is the fact that data may be transferred through and stored in two or more geographic locations, serially or in parallel, subject to two or more sets of laws and regulations. The effect? Users of cloud services can easily face challenges related to jurisdictionally-based data requirements.
The sheer volume of regulation regarding protection of personally identifiable information can be daunting. In the U.S. alone, personal data storage and transmittal may be regulated under numerous federal statutes, as well as under any applicable Federal Trade Commission rules and regulations and/or state laws and regulations.
A company dealing with the regulation of its stored data must successfully manage the multi-jurisdictional location and flow of that data in the cloud. Moreover, companies must also manage the loss of direct control over the placement of data storage and the transmission of data. Even if a vendor allows purchasers to dictate the geographic locations of cloud services, this “local instance” feature may not guarantee that this data will never be stored or transmitted outside the requested geographic area. Nor does it guarantee whether, conversely, the “local instance” concept is mainly a functional innovation for solving geography-based technical problems.
A company seeking to outsource data storage to the cloud should carefully consider its responsibilities to comply with the various regulations governing its outsourced data in any jurisdiction in which that data rests or may rest. The company should also factor those considerations into its choice of a cloud provider, its creation of an outsourcing plan with that provider, its contract negotiation, and its ongoing management of the mutual relationship.