Davis Wright Tremaine hosted its fourth conference on the legal, regulatory, and commercial landscapes surrounding these rapidly emerging fields. What are the big lessons for your business?

Cloud computing and big data have grown into essential services for businesses in nearly every economic sector, according to the attendees at DWT’s Cloud & Big Data Conference on April 21. Held in the middle of “Cloud Central” at DWT’s Seattle office, and well-attended by innovative business leaders, legal experts, venture capitalists, and technologists, the conference served as an intense, one-day exploration of cutting edge legal, business, and technology issues for cloud and big data companies and their clients. Here were some of the key takeaways based on what panelists and participants shared

1. Contracting in the Cloud: know your needs when seeking cloud services.

Cloud computing has become a “mission critical” level service for most businesses, and the rise of private, third-party cloud service providers has made it an easily accessible resource for companies. Indeed, private cloud service providers have become  important partners for many companies, extending computing services to those who are looking to control costs or who simply don’t have the ability or need to build their own cloud service. But just as someone wanting to fly across the country needs to know if they just need a seat on the plane or a whole chattered jet before arranging a trip, companies need to know their cloud service needs before seeking to contract with a provider. These needs are shaped by a variety of factors, such as the company’s data at issue, the applicable regulatory environment, and the company’s risk tolerance. Additionally, a company’s resource needs may ultimately make it more economical to build its own cloud network than to use a third-party cloud service provider.

2. Contracting in the Cloud: know your provider’s limits on service customization.

Companies looking to contract with a third-party cloud service provider should know upfront the nature of the services offered, and conduct due diligence on the provider’s data storage, access, and security practices. But companies should understand that issues of scalability and service delivery generally prevent third-party cloud providers from being able to provide highly customized services on a per client basis. Because the popular cloud service model is premised on supplying comparable services to multiple clients around the clock, such a provider is unlikely to be willing to draft highly particularized service contracts for each individual client. Such a provider may be unwilling, for example, to contractually agree to give a particular company preferential treatment when faced with computing capacity limitations, if that benefit to one would impact its service to the provider’s other clients. This lack of customization is not necessarily problematic: since greater service customization generally increases costs, standardized services and contract terms allow cloud service providers to deliver their service at a lower cost to their clients. It also ensures that a cloud provider’s other clients generally will not be able to negotiate terms into their respective contracts that are favorable to them but detrimental to your company’s use of the provider’s service (and vice versa).

3. Contracting in the Cloud: know where there is room to negotiate and educate

While cloud providers may have difficulty contracting for customized service with each client, there are other areas where providers and their clients can and likely should negotiate in order to set expectations under the contract. For instance, parties should negotiate during the contracting phase how the client would regain exclusive control over its data if either party chooses to terminate the relationship, in order to avoid any unnecessary delay in the client’s ability to access its information. Additionally, a cloud provider and should use the contracting process to educate its clients regarding access to data and service continuity issues – for example, a provider should inform potential clients on what the provider will do for clients in service disruption situations to get its clients back online as quickly as possible.

4. Promise of "Internet of Things" and big data to solve enterprise-level problems

The Internet of Things (IoT) and big data are becoming resources geared towards solving enterprise-level problems for companies – for example, tracking fuel costs, maintenance, and availability of a fleet of vehicles can allow shipping companies and others in the transportation industry to take measures to minimize costs (e.g. revise delivery routes). Despite these benefits, companies need to be aware that the use of IoT and the advantages that come from the wealth of data that may open them up to unforeseen liability, such as data breaches, as well as disclosure issues. As IoT grows to encompass more devices and practices, for instance, businesses using IoT devices in more consumer-focused industries such as retail may need to disclose their data collection and disclosure practices to their consumers and seek consumer consent under certain circumstances.  The lack of screens on these connected devices may make these disclosures, or the timing of the disclosures, more difficult.  This can often be addressed through packaging and/or a device registration process. If your company is considering using IoT and big data to improve its business operations, take the time to review just what data it would need to collect, how such data would be utilized, and whether such practices are permitted by your company’s privacy policies. Also consider consulting with experienced counsel on how to secure data and mitigate potential liabilities.

5. Compliance issues slow highly regulated industries’ embrace of cloud and big data

Cloud computing and big data open businesses up to technical capabilities that most would not have the capacity to build and manage on their own. But for companies in the financial sector, healthcare, and other highly regulated industries, stringent data security regulations and fear of running afoul of their regulators has slowed the acceptance of these innovative resources. While the technology is rapidly developing to allow businesses to store lots of data cheaply and securely in the cloud, the feeling is that the regulations for the entities in these highly regulated spaces are taking longer to evolve. Consequently, adoption of cloud computing and big data has been longer and been more labor intensive in these sectors than in others, as cloud and big data have been treated as new widgets that must fit within current regulations.

6. Who reports a breach in the cloud?

Data owners should understand that transferring data to the cloud does not relieve them of the obligation to report a data breach when it occurs. Under the majority of state data breach notification laws, an entity that stores or manages data on behalf of another is only obliged to report the incident to the data owner; the data owner, on the other hand, is still responsible for reporting the breach to its consumers and regulators according to the applicable breach notification laws. As part of its initial due diligence, a prospective client of a cloud provider should inquire about the provider’s data security practices, whether those practices meet legal requirements and industry standards, as well as how the provider responds to data security incidents.  The contract should require the cloud provider to give notice of a breach (and potentially even a suspected breach) to the data owner, and consumer notification obligations should be addressed.  A data owner should also understand what rights they have to participate in a forensic investigation, as the data owner will be held responsible by regulators, who will be asking detailed questions about what happened and the resulting investigation.

7. Use Model Contracts and BCRs while waiting for the Privacy Shield

The European Commission announced the new EU-U.S. Privacy Shield on February 2 to replace the invalidated Safe Harbor Framework, but U.S.-based businesses still need to rely on Commission-approved Model Contracts (also known as “standard contractual clauses”) and Binding Corporate Rules (BCRs) to transfer personal data from the European Union to the United States as European regulators work out their concerns with the new data transfer regime. Though it praised the Privacy Shield’s improvements over Safe Harbor, the EU’s Article 29 Working Party (WP29) – the privacy advisory body made up of the EU’s 28 data protection authorities (DPAs) – has expressed strong concerns about several aspects of the Privacy Shield and urged the Commission to make further changes to protect EU citizens’ personal data before formally adopting the new framework. Since then, both the European Parliament and the European Data Protection Supervisor have echoed the WP29’s concerns and asked the EU and the U.S. to return to the negotiating table to strengthen the Privacy Shield. And should the Privacy Shield be approved, changes to EU data protection laws over the next two years – most significantly the adoption of the General Data Protection Regulation (GDPR) – will mean that the further review of the Privacy Shield will likely be necessary. In the meantime, the WP29 has advised companies that Model Contracts and BCRs remain valid bases for trans-Atlantic data transfers (at least for now), and that any transfers under the old Safe Harbor are not in compliance with EU law.

8. Public and private sector engagement remains critical to future developments

The U.S. military played an important role in creating the precursor to the modern Internet, but the private sector has taken an increasingly leading role in spurring technological innovation in the digital age, including in the development of cloud computing and big data analytics. Indeed, it’s telling just how advanced the private sector’s capabilities are in this space that the CIA turned to a major private sector cloud services provider to build a secure cloud environment for the intelligence agency, rather than attempting to build one in-house. Because of the outsized role that the private sector has as the leader in digital innovation, private enterprise should routinely engage with lawmakers and government agencies and keep regulators informed of what is happening in this space.  As one participant said, if you don’t engage with governments, you will get agencies or lawmakers that will try to do things that either are not good or even possible.