Cloud computing: European Guidelines for Lawyers

CCBE guidelines on the use of cloud computing services di Michele Iaselli

Categories: Business Law
Typology: Articles

Cloud computing: European Guidelines for lawyers

CCBE guidelines on the use of cloud computing services

These guidelines are of considerable importance because, in view of the particular development that has characterized cloud computing in recent times and the sensitivity of the legal data processed by Lawyers, they are meant to take stock of the situation regarding the various risks associated with cloud computing.

The document is addressed to the CCBE’s member bars and Law societies and represents a useful reference for Lawyers who wish to make informed decisions when advising on or consider using cloud computing services.

As is known, cloud computing is a system of deployment of resources based on computer "clouds" created and managed by large providers, who can provide storage and processing services to end-users.

For its characteristics, this system represents the solution of the moment for many large and small businesses and professionals, who cyclically need considerable resources and who are not able to bear the high costs.

In fact, the strategic importance of "cloud computing" is that its large-scale diffusion would overcome the current system characterized by a myriad of remote clients, each with a stand-alone workstation or "in-house" server (think of companies and the amount of data that they have to deal with), in favor of a regime of "Software as a Service" (or "Storage as a Service"), consisting of use of software and hard disks delivered by the providers and accessible through the web browser. No more programs to be run or data to be stored on individual PC’s, but large integrated systems, undefined, of servers and processors, from which to draw memory and processing capacity according to your needs.

This system involves the outsourcing of IT services by the end-users to the cloud provider. Therefore, in this way, companies or professionals will cease to manage data and applications, delegating this service in outsourcing, with large savings on the management of IT personnel and physical facilities.

Therefore, it is clear that the Software as a Service model is the foundation of cloud computing. It seeks to define a new concept of software, independent of its physicality of asset and oriented to meet the users' needs.

The need to develop an EU wide strategy on cloud computing has been highlighted in the European Commission Digital Agenda for Europe. The three broad areas to be addressed in this context in order to ensure that Europe maximizes the benefits from cloud computing include:

  • The legal framework: this concerns data protection and privacy, including the international dimension.
  • Technical and commercial fundamentals.
  • The market.

As the guidelines clearly point out, law firms as well as other businesses use cloud computing for many reasons.

The reduction of costs constitutes one consideration. Cloud computing might involve decrease in expenses to purchase servers and software or to hire IT staff to maintain the servers. In addition, since many cloud computing applications include access from anywhere, an easy setup of off-site work can save rent and travelling costs as well as facilitate joint working amongst the offices of multi location law firms.

Furthermore, because the user can access the files stored on the cloud by simply accessing the Internet, such a system might enable lawyers to provide their services in novel and more efficient ways, to the benefit of their clients.

Nevertheless, alongside many significant benefits, cloud computing also brings its own set of risks and challenges for Lawyers, most significantly in relation, first to questions of data protection, second, to professional obligations of confidentiality and, third, to other professional and regulatory obligations incumbent on the lawyer. The Lawyer will also require to be sensitive to purely commercial risks to which he may be exposed, for example by a temporary unavailability of his cloud service causing disruption to his business.

In particular, cloud computing has two major drawbacks:

  • the loss of control of personal data;
  • the concentration of data in the hands of a few individuals.

The first can only be prevented by raising the computer literacy level of the average user, who today more and more often and unknowingly discloses personal data concerning him/her in exchange of conveniences, services and sociality.

To put it simply, typing specific words in search engines is not a neutral transaction. The query, maybe recurrent, reveals our way of being, our tastes, a trend. This information, which eludes our control, serves to put us on file, mainly for the purpose of targeted advertising and marketing.

On the other hand, conscious individual choices cannot overcome the risk of concentration. A lot of data, held by so few, could be the prelude to blackmail, of the restriction of individual freedom as well as the invasive control of peoples' lives. In fact, the loss of data management by the owner who should entrust it to outside companies is clear.

Furthermore, with reference to the legal profession, the guidelines identify specific problems such as issues relating to professional secrecy and data protection, extraterritoriality, deontological or regulatory requirements and to contracts with cloud computing service providers.

In the light of all these concerns, it is imperative that Lawyers, when considering deploying cloud computing in their offices, take necessary steps to ensure that client data is protected, that client confidentiality is maintained and that the concerns identified are adequately addressed.

Therefore, the guidelines try to give helpful advice to professionals in view of the above-mentioned objectives, considering that as a general rule, data protection laws and professional secrecy principles must be regarded as milestones when using cloud computing services.

Lawyers considering using cloud computing services should first make a preliminary examination and think about the type of service model which would suitably fulfil current and future needs of their offices.

Furthermore, before contracting, a Lawyer, as the end user of the cloud service, should verify the experience, reputation, specialization, the registered address and location of the cloud computing service provider. In addition, he should separately consider other factors such as the providers’ solvency, reliability, ownership and capital adequacy, any potential conflicts of interests, the risks of any misuse of the stored information and the exact localization of the storing servers.

Subsequently, the lawyer must carry out a risk analysis in relation to personal data processed and assess the technical, physical and organizational security measures adopted and to be adopted.

When evaluating cloud services, lawyers should make a comparison with their current in-house IT infrastructure. Such evaluation would enable the law firm to decide if switching to a separate cloud service might reduce or increase risks.

Another important assessment for the lawyer is related to the ability to recover data in the event of the failure of the cloud service provider, failure of the law firm or contractual dispute between the provider and Law firm.

These recommendations are, therefore, subject to a number of contractual precautions that Law firms should adopt and which are appropriately synthesized in the guidelines.

An important principle quoted in the document is transparency, under which lawyers should give prior notice to their clients that the firm uses the cloud computing services.

The guidelines conclude with some general considerations where bars and law societies are invited to increase awareness among their members for greater vigilance and to adopt high-level precautions.

(Altalex, 15 January 2013. See the ebook in Italian "Cloud computing" by Ernesto Belisario, Altalex Editore 2011.)

 

 

Share on: Share this article on Facebook Share this article on Linkedin Share this article on Twitter Share this article on GooglePlus