Supplier consolidation and commercial casualties are factors of any emerging market, and can result in sudden cessation of a service or the unexpected withdrawal of a software product. The nascent cloud services sector looks to be no different, with names like Coghead, Upline and The Linkup having come and gone.

The consequences of losing access to a business-critical application can become magnified when the application and end-user data are stored in the cloud. Who owns the data? Where is the data stored? What are the rights of data repatriation?

In terms of data protection and obligations to data security and privacy regulations, the cloud customer is regarded as the owner of the data in the eyes of the law, almost irrespective of where the data is held. If a cloud service supplier evaporates, legally the customer should be able to retrieve data, conceivably through the receiver. However, it is possible an administrator would initially want to retain as much customer data as possible, in the hope that the business could be sold as a going concern, with a roster of paying customers.

In order to comply with data protection law and to recover data, the supplier's location generally needs to be known. The contract with the supplier can then provide for the processing of data in compliance with the law and include indemnities against loss of data, and the right to retrieve the data.

Suppliers such as Amazon are starting to offer location-specific services for enterprise data storage purposes, but public cloud service providers will not want to have to guarantee exactly where customer data will be held. That said, responsible professional providers will comply with prevailing legislation. For example, they will operate under Safe Harbor rules in the US or commit to comply with the Model Contract Clauses published by the European Commission.

These issues are easier to address in a "private cloud", where there is a more dedicated service. In this case, the suppliers are more likely to be prepared to commit to keeping data in a specific location and to provide contractually for it to be recovered in the event of bankruptcy or service failure.

Perhaps the greatest legal challenge is the potential application of the laws of different jurisdictions. Even if a service is supplied to a customer in Country Y, if the cloud data is sitting on a data centre server in Country X then Country X's laws could apply. So you could be subject to different jurisdictional rules over data protection and ownership.  

Another challenge is recovering the application. In a traditional software licence, escrow arrangements are utilised - source code is deposited with an independent agent, on condition that it will be released if the supplier goes bankrupt or fails to provide support. This may be a solution for risk in the public cloud, although without the associated expertise to run and develop software, access to source code may not help very much. Perhaps the answer will be to move to another service provider with a similar service.

Cloud computing will also take a different approach to the ownership of software specially written for a particular customer. Traditionally the customer could expect to negotiate the transfer of ownership in such software. However it is highly unlikely a public cloud supplier will agree to this as it will see the benefit of such software as adding to its generic offering.

These risks need to be appreciated and provided for, but they can be managed. In the end, prevention is better than cure. Some obvious safeguards are: check contract terms carefully, run credit checks on the provider, make extra backups of cloud data, be vigilant about the supplier's financial stability, and have a potential second source for the service in mind.

Clive Davies is a senior counsel with Fujitsu in the UK, advising on major service contracts. He is the chair of the Society for Computers and the Law and is an editor of legal journal Communications Law.

Further reading: Driving cloud adoption through a business-centric approach to security