not be liable if he can prove that he was diligent in protecting the customer's data.
Nevertheless, proving this may be cumbersome. The same applies to the client if
he wants to prove that the supplier did not implement in his systems the best (or
at least adequate) security measures. The standard of care required of the debtor,
i.e. the Grid/Cloud provider, depends on the applicable national legislation, and of
course it can be difficult to assess what 'care of a reasonable person' or 'reasonable
care and skills' mean in practice. The relevant legal sources are, for instance, Art.
1147 of the French civil code, Art. 1176 of the Italian civil code and § 276(1) of the
German civil code.
Secondly, the security obligations of the provider shall not be without sanction.
It is pointless for the customer if the supplier who commits himself to keeping the
data and content secure is not liable for failing to do so. The relevant clause in the
SLA (or other contract) therefore should balance the risks between the parties and
should state specifically that the provider is liable for not guaranteeing the protection
of the customer's data and content, and that he is not liable whenever security measures
can more efficiently be adopted by the client himself. This means, in practice, that
the customer shall be obliged to use encryption technology to protect his data and
content, to routinely archive it, etc. At the same time, the provider shall not be liable
for the security risks at the level of the transmission of the data, e.g. on the Internet,
if such transmission (or a portion of it) is not under his control.
Similar considerations apply to the relationship between the customer (in our
example, SaaSforyou) and his clients. The SLA (or other contract) should balance
risks and liabilities between the parties and should clearly state that the processing
of the client's data is carried out using a Grid or Cloud infrastructure that may be owned
and managed by a third party or parties. Regarding security issues, keeping the end
user fully informed is surely the best strategy.
7.3.4 Privacy
Together with security issues, privacy has to be assessed as part of the contractual
relationship between the Grid/Cloud provider and the customer. First of all,
according to the applicable European sources [22], privacy should be a concern of
the parties only if some personal data are processed. Pursuant to Art. 2(a) of the
Data Protection Directive, personal data “shall mean any information relating to
an identified or identifiable natural person ('data subject'); an identifiable person
is one who can be identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity”. In other words, phone numbers,

[22] Namely Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal data and
on the free movement of such data (Data Protection Directive) [OJ L 281, 23/11/1995,
p. 31-50] and Directive 2002/58/EC of the European Parliament and of the Council of
12 July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (Directive on privacy and electronic communications)
[OJ L 201, 31/7/2002, p. 37-47].