The term “cloud computing” is often used to describe a broad range of remote access computing services, many of which have been around for a number of years.
The term “cloud computing” is often used to describe a broad range of remote access computing services, many of which have been around for a number of years. However, these days a cloud computing environment is generally one in which users have access to applications and data storage services on demand and delivered over an external network, on a user-pays basis. Providers also draw a distinction between public and private clouds, but the focus of this article will be on public cloud services.
The term “legal risks” in this context refers to issues that may expose a cloud provider or user to legal liability, issues which arise from an applicable legal system, and issues which can and should be addressed from a legal perspective in order to create an effective and trustworthy cloud services relationship. The UAE does not have a comprehensive set of laws, regulations and/or official standards specifically for the provision of cloud computing services, and general laws apply. In the absence of a prescriptive legislative framework, however, providers and users must come together in a relationship of trust in order to facilitate the use of a financially advantageous service relationship.
In terms of risk management, users of cloud services are often placing in the hands of third parties responsibility for direct control of critical data and applications. If there is an outage or a security breach, the cloud user could be exposed to claims from its own customers, a failure in business continuity, and potentially reputation damage, even though the cloud provider or a third party telecommunication service provider was responsible for the default. Many SME’s will investigate cloud services and be presented with a service contract which offers the cloud services “as is”, without the cloud provider assuming any risk, and with an exclusion of the cloud provider’s liability to the extent permitted by applicable law. Whether or not a cloud provider and cloud user negotiate a services contact will depend on the parties and the value of the contract. However, even if SME’s must accept stand terms without negotiation they should conduct serious due diligence and contingency planning to mitigate exposure to legal risks.
The claims which a cloud user may bring against a provider when things go wrong, outside the scope of contractual rights, are limited and may not prove to be effective – particularly if the cloud provider is located offshore. For instance, claims for compensation under the UAE Civil Code (number 5 of 1985) will require the cloud user to prove the value of the loss claimed, and this might be difficult. The UAE Federal Law number 2 of 2006 concerning Cyber Crimes focuses on the criminal actions of the hacker, but does not provide a framework which specifically addresses the claims which a cloud user may have against a faulty cloud provider. Other than the law applicable in the DIFC, there is no single data protection / privacy law in the UAE, and the range of laws which speak about the protection of secrets (for instance the Penal Code) do not provide a detailed legislative framework that might protect cloud users from the mishandling of personal and sensitive information. The UAE does not have an information security law as such. However, there can be information security policies which are of vital importance to individual organizations and government departments. For instance, the Abu Dhabi System and Information Centre has developed and implemented an information security policy under Federal Law number 1 of 2006 concerning Electronic Transactions and Commerce with which Abu Dhabi government entities must comply. Ironically, this places added pressure on Abu Dhabi government entities who wish to outsource applications and data storage to a cloud provider, as it is the government entities who nonetheless remain subject to the obligation to be compliant with the ADSIC information security policy.
In the space available it is not possible consider all of the legal / contractual issues arising, and the following points are a summary of some key issues: