Legal Issues in Web 2.0 and Cloud Computing
December 1, 2010 Leave a comment
On 24th November I attended a training course organised by UKeIG on the legal issues related to Web 2.0 and cloud computing and presented by Charles Oppenheim. This was a useful reminder that while these technologies present the same legal challenges as other forms of on-line publication, such as including articles in institutional repositories, they also add their own specific complications.
I feel that many of the potential legal issues that are most acute in Web 2.0 applications are centered around IPR and stem from two areas – that the content is often user generated and that it is frequently multimedia.
The user generated nature of Web 2.0 content can raise multiple problems for the host/administrator of the application. There are issues around copyright both from the point of view of managing rights around genuinely user developed content and of ensuring that the copyright of others is not breached when content is added to the application. For the former case content may be collaboratively generated and amended over time resulting in situations where the rights cannot be clearly separated and therefore are shared amongst multiple authors. In this situation any re-use or distribution of the work may require the permission of all rights holders. If the application does not accurately track who has made contributions to a piece of work it may be very difficult even to know who the rights holders are.
Also recommended is avoiding, or at least thoroughly checking, ‘high risk’ items such as images, video and music. Copyright holders in these areas are often very active at protecting their rights. Multimedia content also brings other risks. These include a need to be aware of any potential ‘background’ items that may be in breach of copyright and a respect for performers rights.
An issue that is most prevalent with multimedia and which still seems to be unclear in law is whether embedding content may be in breach of copyright. In one sense embedding content is explicitly not copying – the content is still hosted and controlled at the source – but an embedded video for instance is still forming part of the document in which it is included. It may be that a legal test case is required to provide clarification on this issue.
The primary concerns relating to cloud computing and cloud storage arise from the lack of control over the geographical location of the data when it is being stored and worked upon. Different countries and regions have different laws, and one of the fundamental features of the cloud is that data and processing are moved to where resources may be best utilised. This can mean, for example, that some data resides in the United States for one part of the day until there is a peak period in North America, when the data is moved to Asia where resources are not in such great demand, and so on.
This free movement of data and processing has a particular implication for users in the United Kingdom, and Europe more widely, where we have stricter data protection laws than many other parts of the world, including the united states. The UK Data Protection Act explicitly prohibits the export of data to a country that does not have adequate data protection laws. This includes data moving from cloud servers in the UK to the United States, or other countries where the data protection laws are not deemed to be similar to our own. If the data contains information that is defined as sensitive then this could be considered a very serious breach of the act.
Charles Oppenheim suggested that customers should specify to the cloud provider that the data should remain in specific geographic locations but also conceded that this is not high on the agenda of the cloud providers at the moment. The business model of cloud computing is to make best use of under-utilised resources wherever they are and so there is little appetite for moves that restrict this approach. Indeed, in some situations providers share resources, so the data may be held, temporarily, by a company with which the client has no agreement whatsoever.
However, some cloud providers do offer the use of ‘safe harbours’. These are data centres that may be located in other countries but where UK/European levels of data protection are upheld. This may meet the requirements of many users but it was pointed out that if the data centre is in the United States then two laws override the safe harbour provision, the PATRIOT act and the Homeland Security Act. Both of these laws could require the cloud provider to allow the US government access to the data held in the safe harbour. If your cloud provider is a US based company, would you trust them to place UK Data Protection legislation above these acts?
Image credit: The National Archives UK