Saturday, June 18, 2011

Regulatory Compliance for Cloud Computing

Cloud computing services raise important legal and regulatory issues for both the providers and the users of those services. One of the key issues is effective compliance. Cloud service providers and users must comply with all of the legal and regulatory requirements imposed by the jurisdictions (nations, states/provinces, localities) in which the data managed by the cloud are stored.

For example, if an organization uses cloud services configured so that its data are actually stored on computers in a jurisdiction other than its own, the organization must recognize that its data will be subject to the laws and regulations of that other jurisdiction. The organization must make sure that it and its cloud service provider comply with those requirements. To the extent that the organization also faces legal obligations in its home jurisdiction regarding the data (e.g., requirements to protect the data or to be able to produce it to government authorities in its home jurisdiction on short notice), the organization must also comply with those requirements.

Thus, use of cloud computing services can subject the user to legal compliance obligations in multiple jurisdictions, depending on the operational configuration of the cloud. Users of cloud services should therefore insist on contractual provisions in their agreements with cloud service providers that ensure the operators comply with requirements imposed by all relevant jurisdictions and that provide for indemnification of the user in the event of compliance failures on the part of the service provider.
