Posted by David Naylor | 25 Jun 2009
Cloud computing may be the latest buzzword in IT, but it pays to know where your data is drifting
Cloud computing creates a new compliance headache for organisations. Cloud-based services are, by their very nature, highly distributed and accessible from multiple locations, often by multiple users and sometimes by multiple third-party service providers. The data of many customers may sit on the same servers, and may be hosted, cached or backed up dynamically, on the basis of usage patterns, so a given record can move between data centres and jurisdictions without the customer being told.
As Google's chief privacy counsel, Peter Fleischer, recently put it: "It's very hard to answer the apparently simple question: 'Where's my data?'. You can't pinpoint the location of clouds, but you can still talk to them."
Unfortunately, the world's legal systems are based on territorial boundaries and data protection laws still require businesses to know where their data is. There is no single data protection booklet for the global, cloud-based service provider or user.
For many CIOs, enterprise information security is difficult enough. The data protection compliance burden that comes with cloud computing is an extra challenge their employers will also expect them to manage.
Sam Johnston, a strategic consultant in cloud computing, warned in his blog on CircleID: "A well configured cloud computing architecture is a hacker's worst nightmare. Conversely, a poorly configured cloud computing architecture is a hacker's best dream."
Companies must bear in mind that most jurisdictions with data protection laws impose stringent obligations on them to ensure the security of information. This is a core requirement of the EU Data Protection Directive, which demands that personal data be kept secure from unauthorised or unlawful processing and from accidental loss, destruction or damage. Failure to do so may lead to regulatory sanction, and to civil and criminal liability.
As a result, when a business gives a cloud-based service provider access to its data, the law requires the business to ensure that the provider offers adequate security for that data, too. The data controller must ensure that appropriate security commitments are agreed, in a binding contract, with the service provider; outsourcing the processing does not outsource the responsibility.
If you are an organisation's data controller and you have not ensured compliance on your own part and on that of the service provider, you could be held liable for any security breach or data protection lapse caused by the cloud service. This is especially true in heavily regulated industries, such as financial services, where million-pound fines have already been handed out.
Many companies already have IT outsourcing relationships that involve sending data offshore. So, for some, the compliance burden won't change hugely. But for others, particularly those who have not taken steps to plan for compliance, it may be more of a challenge.
In conclusion, if the benefits of cloud computing are to be enjoyed by all, users need more than a nebulous idea of where their data will be held, how it will be used and how they intend to comply with their data protection obligations. Businesses with compliance "built in" will win through.
David Naylor is a partner in the Technology Law Group at Field Fisher Waterhouse LLP and heads the firm's new media practice.
Illustration: Raymond Beisinger