Cloud computing involves handing over your data to a third party. This is called outsourcing and, as with any outsourcing arrangement, it comes with legal implications.
When outsourcing IT you no longer have control over your IT infrastructure and data, but you are still responsible for it. You have to check and understand your supplier contracts to ensure compliance with data protection and privacy laws, such as GDPR (General Data Protection Regulation).
Cloud providers are by and large US corporations. The laws that they have to comply with, regarding data and privacy, are based on US laws. You have to comply with EU/UK law.
Under US law, there is no right to privacy for your data in the cloud as it is deemed public. This is contrary to EU law where privacy is a human right. This means that having personal data in the Cloud may not be legal under GDPR.
US Cloud providers say they are committed to being GDPR compliant, but being committed does not mean they are in fact compliant. And achieving and maintaining compliance is difficult as it is the US government that makes the laws. The current US administration is focused on ‘America First’ so data privacy is seen as a barrier to tracking down terrorists and criminals.
Even where US companies have opened up EU data centres there are problems as the US government sees these as US subsidiaries.
Microsoft admitted as far back as 2011 that
‘We can hand over Office 365 data without your permission’
Unless US Cloud providers can protect the privacy of data in the UK and Europe in law, they are dead. And they are battling with their own government.
Even if you ignore the legalities of holding data in the cloud there are other issues too:
Contracts
US cloud vendors provide non-negotiable contracts that they can re-write at any time – you have no control or influence. Your data is in their hands wholly on their terms. Any legal dispute will mean a trip to the US for you to undertake legal action.
Data Ownership
Legally data doesn’t exist. You have no rights to your data. You surrender your data to cloud providers. If your data is lost you have no legal protection whatsoever. You must have a local physical backup at all times. Not an easy thing if you have gigabytes of data off-site somewhere.
If you fall foul of terms of use, or your payment fails, then you may find access to your data and email is blocked. Your data can be held to ransom.
Business Continuity
If you fall out with your Cloud provider, how will you move away from them and keep your IT running?
Cloud providers can increase prices and services can be withdrawn as they deem fit. If you find yourself in a situation where things aren’t working out then how do you exit and keep your business going?
An on-premises server with your data and email under your control is a big step towards keeping your data private.