Cloud computing is becoming more popular because it offers an efficient and cost-effective storage solution. But who owns data in the cloud? As a general rule, the answer to this question lies in the agreement between the user and cloud service provider. Reviewing and understanding the agreement before signing it is, therefore, a vital step in order to protect your data in the cloud. This article will explain what cloud computing is, as well as the steps you should take in the event of data loss or breach.

What is Cloud Computing?

Cloud computing means accessing software online over a network rather than using software stored locally on your computer. There are different types of clouds. You can have private clouds, which can run on a server either onsite or offsite.

Another option is a community cloud. This is where a number of organisations with similar regulatory requirements share servers and, thus, a cloud.

Alternatively, there is the public cloud. This is where many people and businesses use one set of cloud servers. It is, therefore, a cheaper option because users share the cost. However, the public cloud has a number of risks: 

  • the security of your data may be compromised;
  • your data may be stored offshore in a number of countries; or
  • the agreement between you and the provider may be less open to negotiation (especially if you are an individual).

Popular examples of cloud service providers are Google, Amazon Web Services and Microsoft Office 365.

The Importance of the Agreement

Generally, whoever creates the data owns the data. However, it is likely that the agreement between you and the cloud service provider gives the provider the right to access and use your data. To adequately protect your data, you should ensure that the cloud service provider is bound by obligations to keep the data confidential.

Therefore, when you are signing up to use a third-party cloud service provider, you need to consider:

  • your obligations to protect your own customers’ data;
  • who else you want to protect your data from;
  • what you want to be able to do with your data; and
  • whether the agreement with the provider meets these requirements.

If you are not happy with the agreement, it is crucial to negotiate more favourable terms or consider looking elsewhere for a provider that can meet your needs. It is important to agree to terms that best protect your data in the cloud. 

Rights to Access Your Data

Ideally, service providers will only have access to your data to the extent required to meet their service obligations. However, they may have the right to use your data to create new data sets, which they can then analyse for their marketing purposes. After de-identifying the personal information in the data, service providers may also have the right to sell your data.

It is important to remember that you may also have an obligation to your customers to protect their data. When considering this, make sure you are familiar with your privacy policy and your agreement with the service provider. This is where you are likely to have made data security assurances to your customers and it is essential you follow through on these promises.

Warranties of Data Security

Read over the agreement to check what kinds of warranties the cloud service provider is making. They may be promising a percentage of uptime, for example, which means you should be able to access your data this percentage of the time. But what about the security of your data? Are there any warranties of security?

To limit their liability, service providers will usually try to avoid making any warranties that your data is safe from alteration, loss or breach. However, it is in your best interests to see a warranty here, so you can hold the provider accountable. At a minimum, you want the agreement to stipulate that you will be notified if a breach or loss does occur.

Disclosing Your Data

In your own privacy policy, you have hopefully set out how cloud service providers can use your personal information, including during storage on a third-party cloud. Similarly, service providers may set out in their agreements how they intend to disclose or use data. It is usually best if their disclosure of your data to further third parties is limited.

Even with a limitation, there are always exceptions. Specifically, the service provider may need to disclose your data in the event of a government request or a subpoena by the court. It is also important to keep in mind that the legal obligation to disclose may vary from country to country. If your cloud provider is storing your data on a European server, for example, they will need to comply with EU obligations to disclose.

Your Rights to Access Your Data

Even though it is your data, you should maximise your own access rights in your agreement with the cloud service provider. This is because the service provider has some physical control over your data while it is stored with them.

Therefore, you need clear terms and conditions which set out your right to access. This can include a warranty of uptime and the right to receive a copy of your data in a portable format. For example, does this only happen on request or at specific points throughout the term of the agreement? Does this right still stand after you terminate? If so, for how long? You should also see a promise to destroy your data within a specified period after termination.

Data Breaches

You may be required to notify any customers affected by a data loss or breach. This obligation arises if:

  • you are an APP entity under the Privacy Act;
  • the data breach is considered likely to result in serious harm to the customer affected; and
  • you were not able to undertake remedial action to prevent the likely risk of serious harm.

In this instance, it will be a notifiable data breach, and you will need to notify those affected and the Office of the Australian Information Commissioner.

To avoid finding yourself in this situation, it is best to take preventative steps. These could include using a reputable cloud provider and looking for warranties in the agreement. If you are unsure or are storing sensitive or highly regulated data, consider using a private cloud and backing it up, potentially even offline.

Key Takeaways

Ultimately, you own your data. However, when you are using a cloud service provider, they may have control over the data stored with them. Therefore, it is important to protect your data in the cloud by reviewing and negotiating your agreement with the provider.

Vital clauses to look for are data security warranties, limitations on disclosure and clear terms setting out your rights to access the data. If you need assistance reviewing and negotiating your agreement with a cloud service provider, get in touch with one of LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson