For the United Arab Emirates, the main type of risk associated with cloud technology is legal risk, meaning issues that could expose a provider or user to legal liabilities in the country in which they operate. While the UAE doesn’t really have an extensive set of laws, policies, and standards that pertain to the provision of cloud computing services, it has general laws that can be applied in their stead. But this absence of a prescriptive legislative framework means that providers and users must work together in a relationship of trust in order to bring forth a financially advantageous service relationship.
When it comes to management of risks, cloud users are usually dependent on third parties, as they have no direct control over crucial data and applications. However, this is not always a bad thing and is never an indication of a flawed system, as third parties are driven to provide the best security: failing on this responsibility could expose them to lawsuits from customers, failure of business continuity, and damaged reputation. This can happen even if the fault lies with the user. This is why many cloud providers try to present service contracts that offer the cloud services “as is”, with the provider not assuming any risk and with the provider’s liability excluded to the utmost extent permitted by applicable law. This doesn’t mean that SMEs must readily accept these SLAs without even trying to negotiate the terms that they deem unfair.
Problems with the UAE’s Laws
When things go wrong, a cloud user may bring claims against a provider. However, they tend to be limited outside the scope of contractual rights and might not be effective in cases where the cloud service provider is located overseas. For instance, under the UAE Civil Code (number 5 of 1985), claims for compensation will require the cloud user to prove the value of loss claimed, which may be difficult.
The UAE Federal Law number 2 of 2006 concerning Cyber Crimes, on the other hand, focuses on the criminal actions of the hacker, but does not provide a framework that addresses the claims a cloud user may have against a faulty cloud provider. The UAE is severely lacking in data protection and privacy laws that address the protection of secrets.
However, information security policies do exist and are very important for organizations and government agencies. The Abu Dhabi System and Information Centre (ADSIC), for example, has already developed and implemented an information security policy under Federal Law number 1 of 2006 concerning Electronic Transactions and Commerce, with which Abu Dhabi government entities must comply. Ironically, this places added pressure on the Abu Dhabi government entities that want to outsource data storage and applications to a provider, as they are the ones who are obligated to be compliant with the ADSIC’s information security policy.
There are several key points that are considered relevant to all of the legal/contractual issues arising from cloud computing in the UAE, such as:
Cloud users need to keep in mind the effects of various UAE laws pertaining to the privacy of secrets on the transfer and storage of data to the cloud provider, as well as the migration of data across different jurisdictions as part of the provision of the cloud service. Furthermore, they also need to consider the impact of various laws that pertain to data transfer and use on the different locations where the data is bound to end up.
Record Retention Obligations
Under Federal Law number 18 of 1993 Commercial Transactions Law, organizations in the UAE have clear record retention obligations. Under said law, as well as the Electronic Commerce and Transactions law, many records can be kept in electronic form. But when data storage obligations are outsourced to a third party, as is the case with cloud environments, the company in the UAE must ensure that there are sufficient protection mechanisms to avoid any failure to comply with the UAE’s local record retention policies.
Under the cloud arrangement, the cloud user will generate data in the ordinary course of business, which is stored in the cloud. The main consideration is that the cloud provider will also be generating data in relation to the cloud user, which means the cloud user’s ownership rights over all data which it creates and which is created on its behalf by the cloud provider must be outlined in the SLAs.
The cloud user will maintain their own data security and access management policies internally, but they must also determine how to ensure that the same security measures are reflected in the data hosting service offered by the cloud provider.
Cloud computing environments are bound to experience slowdowns and downtimes, and while most providers promise reasonable uptime guarantees such as 99.95% excluding maintenance downtime, the cloud user must still have failsafes in case the cloud provider fails to meet their promise.
Planning for the possible termination of cloud services relationship
Cloud users must avoid a situation in which the applications and data storage mechanisms that a cloud service provider gives them lock the users into the provider’s services, and must ensure that a transition to a different provider is possible without incurring too much loss in time with regard to restructuring.
Cloud users, whether they are individuals or organizations, must be thoroughly diligent in researching the capabilities and reputation of the provider they are considering, particularly with regard to the privacy and security levels offered by the third-party company. It is therefore in the best interests of both users and providers to have all the pertinent information available and for the parties to act reasonably during contractual negotiations in order to foster a healthy relationship with each other.