Legal perspectives for evaluating Cloud service providers
After identifying the services and data to be migrated into the Cloud, and
the possible service providers, the question is which provider is the best
choice.
As the first selection criterion from the legal perspective, one needs to
ascertain which service provider fulfils any industry‐specific requirements to
which the customer is subject. Depending on individual circumstances, the
Cloud service provider may need to fulfil these requirements by possessing
corresponding permissions or certifications, or it may suffice for specific
facts to exist, for example, the ability to store all data domestically.
Additionally, one must not ignore the fact that authorities from third parties
are, in some cases, entitled to access user data. It is important to discover
whether the provider is directly or indirectly subject to this duty to disclose.
If so, does the migration of sensitive business data to the Cloud turn out to
be permissible or does one expose this data to inspection by a foreign
authority? It is impossible to assess the risk without a full set of tangible
facts.
One important decision‐influencing factor is the detailed wording of the
contract. As Cloud service providers typically have pre‐worded standard
contracts, the customer has the option, although this may involve signing a
non‐disclosure agreement, to inspect and compare the contracts, thus
discovering which service provider is the most favourable from a legal point
of view. Negotiation is always a possibility; as a large customer with a
smaller service provider, the chances of successfully negotiating changes to
the contract are more favourable than those of a small customer with a
large provider, even if the latter's standard contract is closer to what one is
looking for.
Many of the factors that decide which service provider to choose are of a
technical rather than a legal nature, for example, the compatibility of the
Cloud service provider's IT infrastructures with those of the customer, and
the impact this has on migration costs. However, these factors are also
reflected in legal considerations, for example, the ability to assure a specific
minimum level of availability and data security, or the ease or difficulty of a
provider change due to the use of a proprietary or standardised IT infrastructure.
A decision‐making aid in selecting a service provider is given by audits and
certifications, for example, by methods such as the ISO 27000 series or SSAE 16,
or certifications developed specifically for auditing Cloud computing
services, such as EuroCloud Star Audit. In any case, certifications of this kind