Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreWe are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.
Read the full editionDavid Yates
June 2011
The term “cloud computing” is often used to describe a broad range of remote access computing services, many of which have been around for a number of years. However, these days a cloud computing environment is generally one in which users have access to applications and data storage services on demand and delivered over an external network, on a user-pays basis. Providers also draw a distinction between public and private clouds, but the focus of this article will be on public cloud services.
The term “legal risks” in this context refers to issues that may expose a cloud provider or user to legal liability, issues which arise from an applicable legal system, and issues which can and should be addressed from a legal perspective in order to create an effective and trustworthy cloud services relationship. The UAE does not have a comprehensive set of laws, regulations and/or official standards specifically for the provision of cloud computing services, and general laws apply. In the absence of a prescriptive legislative framework, however, providers and users must come together in a relationship of trust in order to facilitate the use of a financially advantageous service relationship.
In terms of risk management, users of cloud services are often placing in the hands of third parties responsibility for direct control of critical data and applications. If there is an outage or a security breach, the cloud user could be exposed to claims from its own customers, a failure in business continuity, and potentially reputation damage, even though the cloud provider or a third party telecommunication service provider was responsible for the default. Many SME’s will investigate cloud services and be presented with a service contract which offers the cloud services “as is”, without the cloud provider assuming any risk, and with an exclusion of the cloud provider’s liability to the extent permitted by applicable law. Whether or not a cloud provider and cloud user negotiate a services contact will depend on the parties and the value of the contract. However, even if SME’s must accept stand terms without negotiation they should conduct serious due diligence and contingency planning to mitigate exposure to legal risks.
The claims which a cloud user may bring against a provider when things go wrong, outside the scope of contractual rights, are limited and may not prove to be effective – particularly if the cloud provider is located offshore. For instance, claims for compensation under the UAE Civil Code (number 5 of 1985) will require the cloud user to prove the value of the loss claimed, and this might be difficult. The UAE Federal Law number 2 of 2006 concerning Cyber Crimes focuses on the criminal actions of the hacker, but does not provide a framework which specifically addresses the claims which a cloud user may have against a faulty cloud provider. Other than the law applicable in the DIFC, there is no single data protection / privacy law in the UAE, and the range of laws which speak about the protection of secrets (for instance the Penal Code) do not provide a detailed legislative framework that might protect cloud users from the mishandling of personal and sensitive information. The UAE does not have an information security law as such. However, there can be information security policies which are of vital importance to individual organizations and government departments. For instance, the Abu Dhabi System and Information Centre has developed and implemented an information security policy under Federal Law number 1 of 2006 concerning Electronic Transactions and Commerce with which Abu Dhabi government entities must comply. Ironically, this places added pressure on Abu Dhabi government entities who wish to outsource applications and data storage to a cloud provider, as it is the government entities who nonetheless remain subject to the obligation to be compliant with the ADSIC information security policy.
In the space available it is not possible consider all of the legal / contractual issues arising, and the following points are a summary of some key issues:
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.