Cloud Computing is the new buzzword for businesses. While it is not an entirely new concept, its application to businesses in new and unique modes along with the scale of adoption of new techniques have made it a fairly current subject. Consider your regular email and social networking sites; these are all examples of cloud computing in their simplest manner. However, today we see a proliferation of new tools of cloud computing that have made businesses turn around and take notice of the immense advantages that cloud computing has to offer. A range of operations can now be performed on the cloud without the need for capital investments in purchasing, setting up, operating, and managing systems within the business.

Cloud computing covers a gamut of services and can broadly be categorized as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) modes. All of these services require storage of information, at times of a sensitive nature, in the ‘cloud’. Businesses have readily embraced these modes of services. As a consequence, an immense quantum of business in innumerable industries and various business operations, from the day-to-day mundane tasks to collaboration and operative tasks, are being performed ‘in the cloud’. In such a scenario, it is imperative that the legal implications of using cloud computing services be understood by a business and that steps be taken to overcome the challenges and mitigate the risks presented by it.

The legal issues arising out of cloud computing can be broadly categorized as operational, legislative or regulatory, security, third party contractual limitations, risk allocation or mitigation, and those relating to jurisdiction.

Operational legal issues concern legal issues that arise from the use of cloud computing services on a day-to-day basis and include concerns such as access to information of the business and manner of storage of the said information. It is imperative that such issues be addressed prior to availing services of a service provider and be adequately dealt with in the contractual negotiations. Also, included in operational issues are those of upgrade and vendor lock-in. This would imply that the business must consider as to whether, while performing its operations, it would be able to upgrade to newer operating procedures and systems and who, and to what extent, shall be responsible for the process.

Another operational concern that a business must consider is data portability. Would it be possible, in the event of discontinuation of relationship between the vendor and the business or in case of technical, financial or other difficulties, for the business to access its information through other applications or service providers? It is essential for businesses to consider such a scenario, since there have been several instances of data being lost due to technical hitches or due to the vendor closing up shop. Such contingencies, if provided for and dealt with in the contract between the parties can go a long way in eliminating risks and also allocating liability in case of loss.

Legislative and regulatory issues are another aspect of cloud computing that present an area of considerable ambiguity. Cloud computing as such is an unregulated field with a patchwork of legislation and regulation in limited jurisdictions. The problem presented by this is that data concerning individuals of a certain jurisdiction may warrant certain standards that may not be necessary at the jurisdiction where the data is being stored or processed or accessed. For example, any data that relates to nationals of the European Union must comply with certain basic guidelines on data protection as provided for under the European Union’s Data Protection Directive. However, such considerations are not essential for data stored in India and neither is the service provider bound by such regulation.

The question that arises here is how does one ensure compliance with the myriad legislative and regulatory frameworks? A form of ‘hybrid system’ is required to be formulated and implemented wherein the regulatory requirements of all jurisdictions are taken into account and this can be the best evaluation and implemented at the stage of contractual negotiations.

Security is probably the biggest concern for any business. When operational data is stored online on an outsourced server that is accessible in a controlled manner or otherwise, to multiple users, there is bound to be anxiety among data owners of its safety and protection from manipulation. For Intellectual Property owners, the anxiety is greater with respect to the protection of valuable data and trade secrets. In addition, legislative and regulatory policies in some cases require certain types of data to be protected with certain prescribed standards. In such cases, regardless of the location of the server or the service provider, it is essential that the business ensures that these guidelines are met. However, every user must ensure that their service provider is reliable and would ensure safety of the data. Here the rule of ‘Caveat Emptor’ would prevail.

Another question that arises is related to the ownership of the intellectual property in the information. The manner of storing information and databases themselves are copyright protected in most jurisdictions. The challenge that cloud computing presents is that the data is stored on the service provider’s system and the owner of the material cannot exercise more control over it than to merely access and manipulate and process the data.

In certain situations, there exists no doubt, such as a cloud computing service provider owns the infrastructure and any applications being run on it, while the user owns the content, data, and results obtained from using those applications. However, in cases where results are obtained by converging software or by multiple users working on segments of a work, the questions of ownership of IP in the work may become worrisome. While no straitjacketed rule may be prescribed and it depends on each case, it is important that every business must first obtain clarity on these issues before data is made available to the vendor.

Risk allocations and mitigation is an important consideration that can mean the difference between advantageous use of the cloud computing model or disadvantageous. Certain questions of risk allocation, such as liability in case of breach of security by a third party, may present difficulties for the business. The question of who would be liable in such a case, despite adequate safety measures by the vendor, is a question that remains unanswered and depends upon the law in various countries. It is also essential, for both the business and the service provider, to ensure that adequate safety measures are taken by it and to be transparent about them. This can go a long way to establish the liability of the vendor at the time of a trial or discovery process. Contractual negotiations also play a vital part in determining liability of the parties for inter-parte faults and resultant losses.

Another question that may be troublesome for intellectual property owners is related to jurisdiction. Any data stored in a cloud, by its very definition, is on the Internet and accessible at any location in any part of the world. However, the proprietor of the information is at one location and so is the server of the service provider. Questions of jurisdiction are bound to arise in such a scenario. Here too, the myriad rules of various jurisdictions have to be taken into account. The parties can, through contract, determine the governing law and jurisdictions. However, in certain cases, even this agreement may not be able to oust the jurisdiction of multiple courts, especially when legislation in this respect specifically provides for jurisdiction.

Contractual negotiations with a cloud computing service provider are of immense importance in protecting data and intellectual property over the cloud. These issues must be clarified, with professional assistance if necessary, as the first step towards establishing a relationship with the vendor. How much liability a vendor accepts for the data and its protection shall be a question of vital importance in case of breach in the data or service.

However, it must also be stated that while cloud computing does in fact present challenges to the business world, the advantages that it provides are many. The issues concerning intellectual property that arise and the risks that emerge for intellectual property owners, while being serious, are no more greater or challenging than those posed by use of the Internet even prior to cloud computing.

The author is Partner, Lall Lahiri & Salhotra