The European Commission is consulting widely on cloud computing. In brief, for newcomers to the topic, cloud computing is the storage of data on servers outside your personal ownership.
There are mega-providers out there who will store your data for a fee which is cheaper than having your own server. The problem is that you don’t know where the data is stored, maybe in the EU, maybe anywhere else in the world, and under what conditions.
The Commission gives some reasons as to why it is interested in the topic, principally economic: 'One study has predicted a Compound Annual Growth Rate of 19.5% in Cloud Computing. According to Gartner, the industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8bn.' Europe wants a piece of the action.
But serious questions arise, and in particular for lawyers. The consultation is not aimed at lawyers, but at the whole spectrum of individual and corporate activity. One of the difficult questions is to know whether special provisions need to be built in, either at Commission level or at the level of the professional organisation, to ensure that lawyers’ ethics, and especially the lawyer’s duty to keep client information confidential, are protected.
So what are the problems? Here is a list of some of them (with thanks mostly to the American Bar Association Commission on Ethics 20/20):
- cloud computing providers might be subject to local rules obliging them to hand over European lawyers' data on a cloud service to (non-EU) national authorities;
- there might be unauthorised access to confidential client information by a provider’s employees (or sub-contractors) or by outside parties (for example, hackers) via the internet;
- information might be stored on servers in countries with fewer legal protections for electronically stored information;
- a provider might fail to back up data adequately;
- there might be unclear policies regarding ownership of stored data;
- the provider’s procedures for responding to (or when appropriate, resisting) government requests for access to information might be non-existent or inadequate;
- there might not be policies for notifying customers of security breaches;
- there might be insufficient data encryption; and
- lawyers need to consider the extent to which they must obtain client consent before using cloud computing services to store or transmit a client’s confidential information.
At the launch earlier in the summer of Microsoft’s Office 365, the following question was put to the managing director of Microsoft UK: 'Can Microsoft guarantee that EU-stored data, held in EU-based data centres, will not leave the European Economic Area under any circumstances - even under a request by the Patriot Act?' And the answer? 'Microsoft cannot provide those guarantees. Neither can any other company.' As Microsoft is a US-based company, so the thinking goes, it has to comply with local laws (those of the US, as well as of any other location where one of its subsidiary companies is based). 'Customers would be informed wherever possible', but no guarantee could be given: they would be informed only if a gagging order, injunction or US National Security Letter permits it.
So, what sensible relationship can there be between lawyers and cloud computing? What does the SRA’s new code of conduct have to say about it? Nothing specific, since it is principle- and outcome-based, but there is this: 'IB(4.3) you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected.' Can you outsource to Microsoft in the circumstances above? Can you outsource to any company based in the US? Can you use cloud computing at all? The CCBE will shortly be considering its response to the consultation.