Cloud Computing: infrastructure features and legal profiles.


The European Network and Information Security Agency (ENISA) defines Cloud Computing as the infrastructure that a Provider makes available to the user to enable him/her to access resources, spaces, software or development environments accessible through remote servers owned by third parties.

In terms of volume, the Cloud Computing market is growing significantly every year. In Italy alone, estimated cloud computing sales for 2020 exceed 2.5 billion euros.

The success of Cloud technology is due to the flexibility of a system that does not require complex configurations and substantially simplifies the management and use of company resources without requiring major economic investments.

Types of Cloud Computing

There are 3 different types of Cloud structures:  

  • Infrastructure as a Service (IaaS): this is the hardware infrastructure that is the basis of every Cloud system. The Provider supplies the user with hardware that the user does not have to manage. An example of IaaS is the storage space made available by the Provider.

  • Platform as a Service (PaaS): these are conceived as "bridge" platforms between an IaaS structure and a SaaS structure, in which the Provider makes the platform available but it is up to the user to install and implement the software. This type of Cloud is normally aimed at developers, who use the PaaS to exploit specific automation features and avoid having to write ad hoc code.

  • Software as a Service (SaaS): this is the most widely used Cloud structure and offers a service that is easily accessible even to non-professionals. The end user, in fact, does not need any technical expertise and can use the services provided by the Provider through any device. A Provider offering SaaS via the web supplies users with a series of application services that can be used directly by end customers.

Examples of SaaS are systems that allow spreadsheets to be used via the web, or applications that add e-commerce forms to websites that were not originally designed for them.

Cloud Computing Models

  • Private Cloud Computing: this is a Cloud structure that the Provider creates to meet the specific needs of individual customers and that is intended for their exclusive use. Large companies sometimes opt for a private Cloud model in order to maintain greater control over the data they move to the Cloud: in an internal Cloud, in fact, the stored data remains within organizational structures over which the user has full and exclusive control. By adopting this system, personal and sensitive data is processed directly within the organization itself. In the Private Cloud model it is possible to negotiate the contract that governs the relationship between the company using the service and the Provider.

  • Hybrid Cloud Computing: this is the model often used by public administrations and represents a middle way between Private Cloud Computing and Public Cloud Computing. Using a hybrid Cloud model allows the user to delegate to a public Cloud system the services or applications that involve the processing of non-sensitive data, while certain processes involving sensitive data and requiring enhanced security measures remain managed solely within the organization.

  • Public Cloud Computing: this is the infrastructure owned by the Cloud Provider whose use is not dedicated to a single user but to a multiplicity of indeterminate users. In Public Cloud Computing there is no possibility of negotiating the terms and conditions of use, because the service is offered "as is". In fact, the user gains access to the service by adhering to a standardized contract prepared unilaterally by the Provider.

Cloud Contracts as atypical agreements

Cloud contracts have no contractual structure of their own, but they can be defined using two different typical negotiating schemes: the service contract and the license agreement.

  • Service contract: the contractor's obligation is to provide a service for a specific consideration. If a SaaS system is taken into account, it is easy to see that its main characteristic is precisely that it makes an IT structure external to the private or corporate IT structure accessible and allows the user to use software services managed by third parties. It therefore seems simple to trace a contract with a SaaS Provider to the case provided for by Art. 1665 of the Italian Civil Code (c.c.).

  • License Agreement: this is a legal instrument that allows the use of a product (software) and establishes the manner of use of the product itself by imposing constraints and limits on the user.

Since Cloud contracts share characteristics of both the license agreement and the service contract, it did not seem appropriate to opt drastically for one or the other solution; it seems more appropriate to configure the Cloud contract as an atypical contract. In addition to the general conditions of service, Cloud contracts require some specific documentation, such as the Service Level Agreement and the Service Level Objective.

The Service Level Agreement (SLA) is a specific document that contains the reference parameters for the provision of the Cloud Provider's service and for monitoring the level of quality of the service actually provided.

The Service Level Objective (SLO), on the other hand, is the document in which the parameters for measuring the Provider's performance are agreed, in order to limit disputes between the two parties on the quality and quantity of the service provided.

Cloud Provider and GDPR: how to choose a Cloud Provider

The European Data Protection Regulation (2016/679) provides that, where processing is to be carried out on behalf of the data controller, the controller must only use processors offering sufficient guarantees to implement all appropriate technical and organisational measures which meet the requirements of the Regulation and ensure the protection of the data subject's rights.

It would therefore be good practice for the data controller, before signing the contract with the Cloud Provider, to verify that the latter adheres to a code of conduct as referred to in Article 40 GDPR, or to another certification mechanism.

Adherence to a code of conduct can in fact be assessed as a guarantee of the Provider's sufficient reliability. For example, CISPE (Cloud Infrastructure Services Providers in Europe) is a coalition of more than 20 Cloud Infrastructure Providers operating in the territory of the Member States, and its code of conduct ensures compliance with the GDPR and with best security practices in data processing.

In addition to adhering to a code of conduct, before signing a contract with the Cloud Provider, it is important to ensure that the Cloud Provider guarantees:

  • Data portability, i.e. the transfer of data from one Provider to another in case of need (e.g. in the event that the Provider inserts a unilateral change for the worse in the service conditions in the T&C and the customer wants to withdraw from the contract).

  • The adoption of data encryption tools, or the pseudonymisation of the data.

  • The storage and processing of data within the EU, as it is always preferable to rely on Providers that process data within the European Union or in countries for which an adequacy decision has been made.