Flying Into the Cloud: Chart Your Course Very Carefully

This post was written prior to our January 2017 merger, under our previous firm name, Aikins, MacAulay & Thorvaldson LLP.

The computer world always seems to develop creative and descriptive labels for new service offerings. “Cloud computing” is a recent service offering to emerge and be so labelled.

Think of a cloud as something that, while not solid, can’t be seen into or through. This is a useful way to approach “computing in the cloud.”

The consulting firm Gartner, Inc. defines cloud computing as “a style of computing where scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies.”

In practical terms, cloud computing is a business model whereby a customer:

  • contracts with a third party to store the customer’s data on the third party’s computer system, which could be located anywhere;
  • uses a computer or other device to access that data through the Internet only when it needs to do so, but from virtually anywhere so long as there is Internet connectivity;
  • reduces (potentially significantly) IT costs, since there is no longer a need to own a computer system to store and process its data and typically the third party is paid a fee that is based on how often the customer accesses the third party’s system; and
  • relies on the third party to protect its data, wherever it may be.

From a lawyer’s perspective, this is outsourcing on steroids.

While there is no doubt that the proponents of cloud computing are able to argue the benefits of the “significant reduction in IT-related costs” and “access anywhere” attributes, these benefits are typically accompanied by a number of significant risks for customers, including:

  • The cloud computing business model is predicated on cost reduction for customers. In order to offer very affordable pay-as-you-go fees to its customers, a cloud computing service provider needs to minimize its own costs. This means that there is an incentive to 1) locate its computer systems in low-cost jurisdictions (typically not here in Canada!), 2) offer the service using standard form, non-negotiable contracts, and 3) include in these contracts provisions that limit its liability as much as possible. Bottom line – these are not customer-friendly contracts!
  • Most private sector organizations carrying on business in Manitoba, including those in the construction industry, have privacy obligations under Canada’s Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA. These obligations include being “responsible for personal information in [your] possession or custody, including information that has been transferred to a third party for processing”, and using “contractual or other means to provide a comparable level of protection while the information is being processed by a third party.” While some cloud computing agreements include provisions that refer to protection of personal information, others don’t. More importantly, even those that do also include other provisions that limit the service provider’s liability in the event of a privacy breach to a very low amount. Finally, legislation to amend PIPEDA is currently before Parliament. Among other things, this legislation will impose an obligation on organizations to advise the Federal Privacy Commissioner and individuals of a privacy breach in certain circumstances.
  • Some regulated industries entitle the regulator to conduct periodic audits of the data holdings of organizations in that industry. Such an audit can only be conducted if access is provided to the computer system where the data is being stored. Such access is typically never contemplated by a cloud computing agreement.

Given these risks, organizations can’t just focus on cost reduction when considering whether or not to engage in cloud computing.

Quite to the contrary, it is recommended that cloud computing only be considered by an organization if it has been properly advised as to the risks associated with the cloud computing agreement. In addition, unless the agreement provides appropriate protection (which may be very difficult to negotiate, given the cloud computing business model), it is also recommended that cloud computing never be utilized where the information proposed to be put into the cloud is highly sensitive.

This article was originally published in Upword magazine, Q1, 2012 issue.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.

David Carrick is a partner and head of the Technology Law practice at Aikins, MacAulay & Thorvaldson LLP.