Cloud versus Outsourcing: identical legal risks?

Recently I spoke at the Heliview Cloud Forum Spring Edition on the risks of “Do-it-yourself Cloud procurements”. Ordering Cloud services is now so simple that anyone from your organisation can pick up the phone and hook the business up to the Cloud in a matter of minutes. Of course that can have major legal consequences.

During the Q&A, the moderator asked whether my comments weren’t just as applicable to any outsourcing. ‘There’s nothing new here’, he claimed. (The Cloud Forum was supposed to promote the Cloud. Perhaps he thought I was spoiling the party!)

That indeed raises the question of whether Cloud is just another form of outsourcing. It is not. There is much overlap, but there are important differences: differences which could play an important role in your business planning.

Perhaps the biggest difference is how easy it is to get into the cloud. Minutes instead of months of contract negotiations with a “normal” outsourcing provider. So easy that you might be tempted not to read the fine print of what you’re asked to sign up to.

And there’s the rub. Unlike your typical outsourcing contract, many Cloud providers will not accept any responsibility for security or privacy. In the Google Apps terms, for instance, you agree to give Google a “perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, …, modify, …, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services”. Can you imagine a “normal” (reputable) outsourcing provider demanding that from its customer?

But there are more differences. You might not be able to know where your enterprise’s (personal) data are physically being stored. This could cause your enterprise to violate (Dutch, European) privacy laws; you might not have the right to perform audits required by your regulator(s); you may have a more difficult time moving your data from one supplier to another; and you may find yourself agreeing to dispute resolution taking place in far-off America.

Thus while there are a number of similarities (the biggest being that you hand over physical control of your data to a third party), there are also a number of differences. Unless you are aware of these differences and know how to address them, you may be walking your enterprise into a field of landmines.
