What’s it about?
Since the early days of the human genome project biotechnology has been pumping out vast amounts of data, and collating that data, and more importantly understanding it, has become a hugely resource intensive process requiring many life science companies to invest significant expenditure on IT infrastructure. However, in the last couple of years so called cloud computing has come to offer (or so the hype suggests) a cost-effective alternative, permitting the user to rent high-performance computing capability on an on-demand basis and port large scale or complex processing to the cloud. Are there any legal issues which might prevent the cloud from being the new future of areas such as bioinformatics?
The US National Institute of Standards and Technology defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud computing tends to come in three main flavours:
- “Software as a service” (SaaS): users access applications hosted by the provider, and the related data is also stored on the provider’s servers. General use apps such as e-mail are obvious examples.
- “Platform as a service” (PaaS): an operating system on which users can install their own applications. Where the related data are stored is dependent on how the relevant application is configured. Such a service can be used for example in connection with in-house application development.
- “Infrastructure as a service” (IaaS): a “logical hardware” infrastructure onto which users install an operating system, their own applications and, if they so choose, their own data. This can be useful in connection with quickly adding or subtracting server capacity as required, and also can form part of a disaster recovery procedure.
What are the legal issues for life science companies?
There are a number of legal issues connected with the use of cloud computing that can impact on life science companies in particularly significant ways.
Handing over vital assets into the control of third parties: since data is the lifeblood of any R&D or clinical developments, the life science customer must be certain with whom it is dealing in a cloud computing deal. It may be that the immediate service provider is not providing the whole service, but is relying on one or more subcontractors in the background to provide rack space, connectivity or other elements. The assets by their nature are extremely mobile and could in principle be stored anywhere in the world, well beyond the control of the customer or the immediate service provider if things go wrong. In addition, the financial stability of the provider and its subcontractors will be an issue.
Data security: although in principle the processing and storage by third-party providers of confidential data brings with it security issues, the fact is that most professional service providers probably adopt more effective security procedures than do most small and mid-sized biopharma companies. That said, most in the industry are proceeding cautiously with the adoption of cloud computing; when Pfizer adopted a cloud-based solution from Amazon it opted for a Virtual Private Cloud, with Pfizer extending its firewall and other security controls to this part of the cloud. However, not all companies will be able to afford such a bespoke solution.
Data protection: rightly or wrongly, the European Union has a bee in its bonnet about personal data protection, and in particular has adopted stringent regulations regarding the transfer of personal data outside the EU to countries regarded as having less satisfactory personal data legislation. In addition, European data protection law identifies health information as “sensitive” personal data putting extra obligations on the data controller. Any data used by a biopharma company that relates to identifiable human beings and their state of health will fall into this category.
Local laws: a customer based in the UK may wish to insist on its cloud computing services contract being governed by English law, and the laws of many countries around the world (particularly in the Western world) will usually respect that choice. However, even in Western countries there are certain local laws which will “trump” the chosen governing law of the contract in some circumstances, requiring a service provider to disclose the data it holds to government authorities. The Patriot Act in the US is the best known example; taken together with the compliance obligations imposed by the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, it might make non-US-based customers think twice before having their confidential data stored or processed in the US. In the UK the Regulation of Investigatory Powers Act permits government authorities to access data in certain circumstances, something which again might make non-UK-based customers nervous.
International enforcement of contractual terms: a cloud computing services contract may be governed by, say, English law and jurisdiction may be given to the English courts, but that does not mean any judgement will be enforceable where the data actually is. If a customer’s data has found its way to a country such as Iran there is likely to be little the customer can do in enforcing its confidentiality and the return of its data.
Limitation of liability: with cloud computing in its infancy, many of the major players providing these services are in a position to do so on their own terms, and often the customer gets very little opportunity to negotiate the contract effectively. As a result, the provider will often seek to limit its liability considerably, often using contract terms commonly found in software licenses and offering no more than the return of the service fee if things go wrong. If mission-critical data has been handed over and lost by a provider such provisions will do little to remedy the damage caused to the customer.
Transition arrangements: even if things go well with the service provider, the agreement will end at some time with the customer wishing either to port the data back in-house or to a new service provider. This will not be easy if the current provider has been using non-standard software or application programming interfaces.
How can the legal issues be dealt with effectively?
In the light of the number of legal issues which arise in this area, some (including a Council of Europe discussion paper on cloud computing and its implications earlier this year) have questioned whether the use of cloud computing services should be banned in some circumstances, including their use with health related matters. The argument goes that such information is so sensitive that it cannot be reconciled with the use of cloud computing and the risk of disclosure that goes with it.
Perhaps that goes a little too far – legal issues tend to have legal solutions, and many of them can be dealt with in a well drawn contract. European data protection law requires, in practice, the adoption by the relevant parties of reasonably standard legal provisions dealing with how personal data is to be processed and stored. The obligations must be identified and written into the contract, but as a process this is relatively straightforward. In addition, a practical approach is to ensure that no data leaves the European Union without being encrypted in a way that the service provider based outside the European Union cannot decrypt. The point of this is that the provider then holds material from which it cannot identify any individual, which substantially reduces the data protection exposure of the arrangement; the customer remains the data controller, so the approach only works if the encryption keys (and any table linking pseudonyms back to real identities) are generated and kept in-house and never handed to the provider. Encryption that the provider performs, or keys that the provider stores, do not achieve this.
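To make the “encrypt before it leaves, keys stay in-house” approach concrete, the following is an added illustration written for this page, not code from the original article or from any provider. It assumes two keys held by the customer (one for data, one for pseudonymising identifiers), uses AES-256-GCM for the payload and HMAC-SHA256 for the subject identifier, and works on a constructed sample record; what the provider would receive is the `Envelope` only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed sample: a subject identifier plus health data,
// i.e. "sensitive" personal data in European terms.
type Record struct {
	SubjectID string
	Payload   []byte
}

// Envelope is all that leaves the customer's estate: a pseudonymous token,
// a nonce and ciphertext. Nothing in it identifies the subject without the keys.
type Envelope struct {
	Token      string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit key. In a real deployment the keys would be
// generated and held by the customer's own KMS/HSM inside the EU (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pseudonymise derives a stable token from the subject ID with an HMAC under a
// customer-held key. A plain hash would not do: identifier formats are guessable,
// so an unkeyed hash can be reversed with a dictionary of plausible IDs.
func Pseudonymise(idKey []byte, subjectID string) string {
	mac := hmac.New(sha256.New, idKey)
	mac.Write([]byte(subjectID))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal encrypts the payload under the data key and binds the token as
// additional authenticated data, so a ciphertext cannot later be re-attached
// to a different subject's token without detection.
func Seal(dataKey, idKey []byte, rec Record) (Envelope, error) {
	aead, err := newAEAD(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	token := Pseudonymise(idKey, rec.SubjectID)
	ct := aead.Seal(nil, nonce, rec.Payload, []byte(token))
	return Envelope{Token: token, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is run back inside the customer's estate. It fails if the key is wrong
// or if either the ciphertext or the token has been altered.
func Open(dataKey []byte, env Envelope) ([]byte, error) {
	aead, err := newAEAD(dataKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Token))
}

func main() {
	dataKey, _ := NewKey()
	idKey, _ := NewKey()
	// Constructed sample record, not real patient data.
	rec := Record{SubjectID: "NHS-1234567890", Payload: []byte(`{"hba1c":7.1,"dx":"T2DM"}`)}
	env, _ := Seal(dataKey, idKey, rec)
	fmt.Printf("provider sees token=%s... ct=%x...\n", env.Token[:16], env.Ciphertext[:8])
	forged := env
	forged.Token = Pseudonymise(idKey, "NHS-0000000000") // try to re-link to another subject
	_, err := Open(dataKey, forged)
	fmt.Println("re-linked envelope opens:", err == nil)
	pt, _ := Open(dataKey, env)
	fmt.Println("customer recovers:", string(pt))
}
```

The design choice worth noting is where the keys live: both `dataKey` and `idKey` are created and used only on the customer's side, so a provider (or anyone compelling the provider) holds ciphertext and tokens and nothing more. Binding the token into the GCM authenticated data means the provider cannot quietly shuffle records between subjects either. Key rotation, backup of the keys themselves and the linkage table from token to real identifier are all the customer's problem, and they must stay inside the EU for the approach to deliver what the text describes.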
Provisions relating to data security, in which jurisdictions data may, or may not, be held and possibly detailed transitional arrangements can all be written into the contract. Clear governing law and jurisdictional statements can also be included. However, not all of the solutions are contractual; business commonsense also needs to be adopted. Key assets should not be kept with just one provider; backups should be kept, either by the customer itself or ideally another third party. These arrangements are common in software escrow agreements.
Whilst cloud computing is still something of a new kid on the block, efforts are starting to be made to establish what is “good practice” in the industry. In 2009 the Cloud Industry Forum was established in the UK in order to create a Code of Practice that provides transparency of cloud services so that consumers can have clarity and confidence in their choice of provider. The Code is due for public launch in October 2010, and having been involved in the consultation phase I have to say that much of the draft Code amounts to “motherhood and apple pie” without there being any significant penalties on cloud service providers who breach the Code. However, it is probably better to have a weak Code than none at all, and once in place it will be something that cloud service contracts can make reference to in the context of service levels.
Conclusions
The main issues are not new. Outsourcing in one form or another has been with us for many years and the principle is clear: outsource anything and your protection is only as good as the words in your contract and your ability to enforce them (requiring you having the money to pay the lawyers and ensuring you’re working in a jurisdiction where the courts will quickly and effectively uphold your rights). That means in practice that you must never put yourself in a position where the failure of an outsourced service will cripple the business so fundamentally that it will not survive long enough to successfully sue the provider! Great care needs to be taken with regard to what is outsourced as well as to whom.
As a result it is vital that would-be customers of cloud-based services have a detailed understanding of how their own IT systems operate now and how they will need to operate in the future. Whilst the input here of IT professionals is important, these are ultimately key business decisions which should be made at board level.
Cloud computing generally, and for the life sciences industries in particular, is still at an early stage but is projected to grow enormously over the next 3 to 5 years in line with the increasing complexity of DNA sequencing and other computationally intensive applications. The adoption of cloud-based solutions will be an important step for many bioscience companies to remain competitive, but it will be a step that needs to be taken with considerable care.
© Taveners
August 2010