Law

Information and Communication Technology

Cloud Computing and its Legal Issues
 Role Name Affiliation
Principal Investigator Prof. (Dr.) Ranbir Vice Chancellor,
Singh National Law
University, Delhi
Co-Principal Prof. (Dr.) G.S. Registrar, National
Investigator Bajpai Law University Delhi
Paper Coordinator Dr. Aparajita Bhatt Assistant Professor,
National Law
University Delhi
Content Writer/Author Ms. Reeta Sony National Law
University
Content Reviewer Prof. V.C. Professor, NALSAR
Vivekanandan University, Hyderabad

Items Description of Module

Subject Name Law
Paper Name Information and Communication Technology
Module Name/Title Cloud Computing and its Legal Issues
Module Id XXIII
Objectives  Concept of cloud computing
 Legal issues pertaining to cloud computing
 Regulatory framework of India, EU and USA

Prerequisites Basic knowledge of the information technology

Key words Cloud Computing, Cloud Services, Limitations, Legal
Issues,Regulation.

Learning Outcome: The reader shall be able to understand the concept of cloud
computing and various issues relating to cloud computing.
1. Introduction

With rapid development on Information and Communication Technology (ICT), the

network and storage capacities have exponentially increased, and pervasively made
available anywhere at any time. This has resulted in ICT technologies transforming to
online mode using a central computer for a self-service model in a large scale. It is
evident that the computing-as-utility business model is becoming prevalent in the
electronic world and various economic sectors are adopting it. Over the last few years,
IT (Information Technology) service which is known as ‘Cloud Computing’ (CC) is
used by individuals, consumers, private and government organizations. 1 Cloud
computing is not new for computer users.Many of them around the world are using
the cloud service through the internet without their knowledge, for e.g. Gmail,
Dropbox and Yahoo mail services.

The basic concept behind cloud computing is the availability of hardware and
software services over the internet any time. Presently, cloud computing is a wide
spread phenomenon which is used for various purposes; from maintenance of
individual e-mail accounts to latest applications used on smart phones to that of
managing social networking.. It also provides users with a convenient on-demand
access to a shared pool of computing power and resources. On the data storage and
processing functions in the internet -cloud computing is fast, cheap, flexible and
works on pay as you use model2, similar to that of electricity consumption billing. In
spite of several benefits, cloud computing services gives rise to various legal issues
relating to data security and privacy protection. Service providers are often faced
with the challenges of reliability and compliance of governmental regulations. Many
service providers are unprepared and ill equipped to handle potential regulatory
violations and data breaches.

1
BSA Global Cloud Computing Score Card: A clear path to progress.,2013.Chapter 1.
2
The NIST Definition of Cloud Computing, September 2011.NIST defines cloud computing as paradigm shift and
revolutionary change in the era of cloud computing.
In a traditional IT environment, the users are connected to the internal infrastructure
of the company.They store the data in the company’s data warehouse. The data
processing and storage will be under their control. Whereas in cloud computing, as it
is an internet based computing, the users will connect to the cloud directly and the
data processing and storage will take place on the web, outside the
companies’infrastructure. The data will be stored in data centre or on servers which
are geographically distributed. Although this shift in computational paradigms creates
great opportunities for industry and for end-users, it also raises a new set of
challenging problems.A contract between the service provider and the user is the only
means of addressing the issues raised out of cloud computing services. However,
most cloud computing service contracts come with a standard clause. It is very
important to note that, the technical implementation of cloud computing
models/services directly raises the legal issues of data protection accountability and
transparency,3 the reasons are:

 The ownership of the data center infrastructure may be different from the owner of
the servers located within the data center.
 Ownership of the software, application, and hardware installed on the infrastructure
may be belonging to different vendors.
 Owner of the Hardware, software infrastructure does not necessarily manage the
cloud service to the users; its infrastructure can be managed by other third party
service providers.
 Multi - tenancy system4.
 Data centers may be located in different geographical locations.
 Different geographical locations have different governing laws for data protection.

To the end user, it appears as a single cloud computing service. If the customer opts
for any kind of service models or deployment model of the cloud computing, it could
be a combination of third party services and infrastructure owned by different
ownerswhichmay be spread in different geographical locations. Such situations lead

3
W.KuanHon, Christopher Millard, Ian Walden, “Who is Responsible for 'Personal Data' in Cloud computing? The
Cloud of Unknowing, Part 2”, International Data Privacy Law (2012) 2 (1): 3-18
Queen Mary School of Law Legal Studies Research Paper No.
77/2011,http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1794130, Accessed on January 2014.
4
Multi tenancy refers to running multiple users application on single server. It is cost effective but lack of operational
understanding and human error can create serious security problem.
to legal complications relating to jurisdiction and applicable laws, conflict of law,
privacy and personal data protection, contractual issues, challenges of digital
investigation and e- discovery etc.

This study concentrates on addressing the legal and regulatory issues of public cloud
service model. Such models being common in ITES raising concerns of data security
and privacy policies. 5 This module provides an overview of the different deployment
and service models of cloud computing. It also will deal the limitations of cloud
computing in terms of its limitations of technical issues, commercial benefits and
legal aspects.

1.2 Definitions
Cloud Computing: ‘Cloud Computing’ refers to internet based computing that
allows organizations to access a pool of network of computing resources that are
owned and maintained by a third party via the internet.6

Cloud Computer User: A customer or user may be an individual, business,

government agency or any other entity.7

Cloud Service Provider: The organization that offers the cloud computing service. A
cloud provider may be an individual, a corporation or other business, a non-
government agency or any other entity.

Third Party: A cloud service provider is one type of third party, which maintains
information about or on behalf of another entity.

Data Centre: Adata centre is a collection of servers and services where user
applicationsare stored. It could be a large room full of servers. On the other

5
Lisa Angelo, “Exploring the Legal issues of high altitude: The Law in the Cloud”, 20 current Int’l Trade,
L,J< 39 2011-2012.
6 Mrs. Gowri Menon, Regulatory Issues in Cloud Computing -An Indian Perspective, Journal of Engineering,
Computers & Applied Sciences Volume 2, No.7, July 2013.
7
Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum,
USA, 2009.
 hand, there maybe virtual servers, running half a dozen of virtual servers
through one physical server.8

Server: Cloud computing is a combination of servers, data storage and remote

computing services. Cloud computing does not always use servers in the same
physical location, and, often, servers are geographically dispersed. This provides
greater flexibility, availability and security. A cloud provider can easily expand and if
something goes wrong with one site, service access can still be provided through
another site.9

2. Cloudcomputing over view

2.1 What is cloud in terms of Information Technology?

The symbol of cloud refers to a remote location in the Information Communication
Technology (ICT) sector. In essence the term “Cloud” refers to “internet” or
“network”. Internet is just a medium to deliver the cloud services to the end
customers.

2.2 What is Cloud computing?

Cloud computing refers to remote computing, where the different services such as
applications, software, server, storage and infrastructure delivery to cloud user’s
computer through internet. It is just like electricity consumption.Users have to pay
according to the consumption of computational power. Cloud computing is
considered as the fifth generation of technology after mainframe, personal computer,
client server computing and the web.

2.3 Working definition of cloud computing

8
Paul Stryer, “Understanding Data Centers and Cloud Computing”, http://viewer.media.bitpipe.com/
1078177630_947/1267474882_422/WP_DC_DataCenterCloudComputing1.pdf Accessed on August 2013.
9
Paul Stryer, “Understanding of data centers and Cloud Computing”
http://viezwer.media.bitpipe.com/1078177630_947/1267474882_422/WP_DC_DataCenterCloudComputing1.pdf
Aceesed on August 2013.
For the purposes of this study, we adopt a definition of cloud computing proposed by
the US National Institute for Standards and Technology (NIST), 10 which is widely
used in the cloud computing community.
“Cloud computing is a model for enabling convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction.” This means the
cloud user can access the cloud computing service over the network or internet
without any hardware, software or technical effort to create the internal
infrastructure on premise and even do not have to understand or manage the
underlying cloud computing infrastructure. The cloud users have to pay
according to their utility of computing power.

2.4 How the cloud works

Figure 1 shows the NIST visual model for cloud computing. NIST describes a number
of essential cloud computing characteristics, which includes
 on-demand self-service,
 broad network access,
 resource pooling,
 rapid elasticity and
 measured service.

NIST defines four deployment models:

 public,
 private,
 community and
 hybrid.

NIST also defines three service models: software as a service (SaaS), platform as a
service (PaaS), and Infrastructure as a service(IaaS).

Broad Network Access Rapid Elasticity

Essential
10 Characteristic
On-demand
NIST(National Self service
Institute of standards and Technology),US Department of Commerce,Special Publication 800-
Measured Service
145.2011. Access s

Resource Pooling

Service
SAAS PAAS IAAS
 Fig 1. NIIST Model for Cloud Computing

2.4.1 Service Models

There are three types of service models in cloud computing, it depends on the kind of
service the end user is using.

2.4.1.1 Software as a Service (SaaS): This is the third and last layer of service in
cloud computing service model, it provides software application as a service
to the cloud customers. The customer can not have any control or managing
capacity over it. Examples of SaaS applications are web-based email, office
suite including a word processor, a spreadsheet and a presentation program,
Customer Relationship Management (CRM), enterprise resource planning,
and human resource management platforms, media and storage services, and
social applications

2.4.1.2 Platform as a Service (PaaS): This is the second layer of the service model
which provides applications, development and deployment tools as a service
to the cloud user. It allows customers to have some control over the
application they deploy on the Cloud.Examples of PaaS are operating
systems,database management systems, storage, network access, hosting and
tools for design and develop services.
 2.4.1.3 Infrastructure as a Service (IaaS):Thisis the first and foundation layer of
cloud computing, the service provider manages customer’s virtualisation,
servers, networking and storage etc.But they allow customers to have control
over the operating system, storage and applications.Examples of IaaS
providers currently on the market are Open Stack, Cloud Stack, Amazon
AWS, Microsoft Azure,Go Grid, Open Nebula, Nimbula.

The reality is that in the above said service models, the customer does not manage the
under lying infrastructure of the cloud computing.That means they do not knowwhere
their data resides and under which jurisdiction it is processed.
2.4.2 Deployment Model
There are four types of deployment models in cloud computing. The classification is
based on how the cloud is accessed and where the cloud is located.

2.4.2.1 Private Cloud: The private cloud may exist on the premise or off the premise
and it may be managed by an organisation andthe cloud infrastructure is dedicated to
single organisationin which only specific users can operate.

2.4.2.2 Public Cloud: The public cloud exists off the premises and is owned by third
party service providers. The cloud infrastructure is made available to the general
public or to large industrial groups.

2.4.2.3 Community Cloud: The cloud may exist on the premise or off the premise
and it is managed by third party service providers. The cloud Infrastructure is made
available to several organisations whichsharesimilar needs like security, location and
compliance considerations. This model can greatly help organizations saving costs by
cooperatively work together with other organizations sharing common requirements.

2.4.2.4 Hybrid Cloud: Hybrid cloud combines several clouds and traditional IT
models to create a customized cloud. A hybrid cloud can be any combination of using
a public cloud, private cloud, community cloud or dedicated in-house servers or
servers hosted at a service provider. This model presents opportunities for enterprises
to spread workloads across each of these different environments. For instance,
sensitive data can be hosted on premises on a private cloud and tasks that are less of a
concern off premises on a public cloud.
However, when using a private cloud, customers can negotiate a particular risk within
the terms and conditions of their contracts.The other models of cloud computing offer
customers or users, less negotiation powers leaving the customer to bear the legal risk
which rises during the service.

3. Benefits and limitations of cloud computing:

Cloud computing provides lot of benefits toSmall and Medium Enterprises
(SMEs).Large scale industries are sceptic to adopt cloud computing in their
businesses because of its technical and legal limitations.Business entities prefer
relying on their own infrastructure fordata storage and other computational needs.
Therefore we can say that there is delay in market adoption of cloud computing.The
other significant technical and legal limitation of cloud computing is thescalability of
computer recourses by demands as shown in figure 2.

Figure 2: Benefits and limitations of cloud computing

4. Wheredoes the cloud exist?

 It is very important to know whichcloud computing models and services adopted, to
understand the legal issue of cloud computing. Cloud computing services may havea
data centre somewhere in the world, or even multiple data centres scattered around
the world.11The cloud user can access the service from anywhere, anytime through the
medium of internet and the data will be stored in any datacentres of thecloud
serviceprovider. The cloud service provider can have his own servers or data centres
or he can use third party service to provide the secure service to cloud customers. The
end user will access the service without the knowledge of the underlying
infrastructure of cloud computing. Primarily, to construct the data centre the service
providers look in to suitable physical location, highbandwidth internet connection,
affordable energy and human resources and finally law and policies of the
jurisdiction12 or it can be located somewhere in the sea or in the air which is out of
any geographical jurisdiction e.g. Google navy data centreis located in the middle of
the sea,13pirate bays flying drone data centre is located in the air.

Data
Data Center Data
Center Center
Data
Center

Data
CloudServi Data Center
Internet ceprovide Center
r Data
Center
Data
Center

Clients

Figure3.Elements of cloud computing and geographical distribution of data centres.

As shown in Figure 3, data centres are located in different parts of the world, with
user data and applicationsstored across the globe. The client is remotely connected to

11
NIST(National Institute of standards and Technology),US Department of Commerce,Special Publication 800-
145.2011
12
PoulT.Jaeger, Jimmy Lin, Justin M.Grimes and Shannon N.Simmons,”where is the Cloud? Geography,
Economics, Environment and Jurisdiction of Cloud Computing” Journal of the Internet, Volume 14,
number 5, May 2009.
13
Steven R. Swanson, Google set sails: Ocean based server forms and Inter National Law,” Connecticut Law
Review, Volume 43, number 3, February 2011.
a data centre through the internet, his data travelling across different political borders.
The multiplicity of jurisdictions used in cloud computing raises legal issues
concerning data protection as a consequence of the distributed nature of cloud
computing.

5. Legal Issues of Cloud Computing

5.1 Personal data protection and privacy

One of the most challenging issues which rose from cloud computing is privacy to
protect the personal data. There are many factors of cloud which leads to the privacy
issue. Jurisdiction is one of the foremost important issues which affects privacy and
personal data protection in the cloud computing. Within cloud there are no borders. In
such an environment, data can be broken up and stored in multiple data centres across
multiple jurisdictions.This scenario completely challenges the criminal jurisdiction of
the local courts to determine where the data is; and which law to apply? 14Security
becomes the second most important issue. The personal data will be processed and
stored outside the infrastructure. It is stored in data warehouses.Hence, it is vulnerable
to hackers and data breaches resulting in lost, destroyed or improperly disseminated
data. It is the primary responsibility of the cloud provider to reassure the reasonable
and appropriate security measures to safeguard the data of consumer and individuals.
The other significant responsibility isthe fair information security practices and
international data transfer. It is the primary responsibility of the cloud provider to
comply with fair information security practices and have the ability to fulfil the legal
requirements which is mentioned in their privacy notice. The data which is collected
by the user or consumer should be used for the purposes for which it was collected
and the onward transfer or other third party use of the data must occur only when
authorized by law, as provided for in the terms of the privacy notice or according to
customer preference.15If they fail to manage this, they cannot maintain the trust and
confidence of the user or consumer.

14
C.IanKyer and Gabriel M.Stern, “where in the world is my Data? Jurisdiction and issues with the Cloud
computing.www.facken.com.
15
“Privacy and security law report” by Reproduced with permission from Privacy & Security Law Report, 8 PVLR 10,
03/09/2009 http://www.bna.com).
5.2 Trans- boarder data storagejurisdiction and conflict of law
The concept of cloud computing is globalized, and within the cloud there are no
borders but laws have their own territorial and jurisdictional limit.In cloud computing
the service the providers’ collect, use, store, process and duplicate (for disaster
management) the user’sdata in multiple places.And cloud computing is part of
internet ecosystem therefore the data travels around the globe through the internet.It is
very difficult to locate the jurisdiction of the data.Even ifit is located, it is very
difficult to find out: to whom the data belongs? Who processed the data? Who is
responsible for the lossif some incident occurs in the cloud? It is no longer clear
which jurisdiction can be claimed for data protectionor which law to apply; national
law or the law of any other country, international law or conventions.This nature of
cloud computing demands proper legal arrangement for data protection for global
application.

5.3 Contracts and Service Level Agreements (SLA)

In cloud computing the cloud users can discuss their needs in Service Level
Agreement (SLA) and then enter into a contract.SLAs are designed to provide clear
understanding about the duties and responsibilities and quality of the service between
the cloud service providers and cloud customers.It is just an agreement to commit to
the level of service and it can be negotiated in case of non-compliance to the agreed
terms and conditions16. A contract under cloud computing is a legal binding between
two or more parties. It is a legal interpretation of terms and conditions.All civil and
criminal liabilities can be negotiated there. 17However, the reality is that under cloud
computing services all most all the contracts are done online.They are usually “click
through” contracts, it is in the standard format and non-negotiable. Only big players in
the market can negotiate; the small and medium scale customer does not have that
privilege.

5.4 Data accessed by the third parties

16
Dimostheri S Kyriazis, “Cloud Computing Agreement. June 2013.
17
JISC Legal information, “user guide: Cloud Computing contracts, SLAs and terms and conditions of use” August
2013.
In cloud computing service, the data is processed outside the organisation in virtual
environment and in remote physical location. The data is under the risk of third party
access, attack and miss use. There are three types of third party access and attacks in
cloud computing.18

5.4.1 Access and attacks by outsider:

It is most classical issue in the terms of cyber security. This attack is not connected to
cloud customers or cloud providers.It is a forcible attack from the outsiders with
different methods of attacks; phishing (by false pretence they seek the information
through emails or online), distribution of denial of service attack( creating
unavailability of services), viruses , bonnets, spoofing, password hacking etc.

5.4.2 Access and attacks by insider:

It is done by someone who is legitimate to access the cloud service system; it may be
the third party subcontractor of cloud service provider or an employee of cloud user
or any other business partners.

5.4.3 Access and attacks by investigating authorities or compulsory disclosures to

the government.
The cloud data can be disclosed in three ways.First one is inadvertent disclosure of
data which any organisation discloses un-intentionally for e.g. due to security threat
or hacking.The second one is voluntary disclosure, where the organisation discloses
the data intentionally, for e.g., payroll data for accounting department, salary details
for income tax auditors. The final one is compulsory disclosure of the data, where the
government mandates and imposes certain legal obligations on organisations, for e.g.
disclosure of data for the sake of national security threat. In USA, under Patriot Act,
the service provider should disclose the data to the investigating agencies or under a
subpoena. In this scenario, it is mandatory that the cloud provider has to disclose the
data.

5.5 E-discovery and digital investigation

18
Ninja Marnar, “T Clouds”, Cloud Computing Legal Analysis”,7th framework programme.
According ENISIA, 19 E-discovery and digital investigation rises many challenging
issues under cloud computing. Themulti-jurisdictional nature,lack of transparent data
processing and storage system, presence of sub-contractor’s service makes the cyber
forensics investigator to violate the rules and regulation of any nation un-knowingly.
Collection of evidence is a biggest challenge in the cloud environment because of lack
of international collaboration in e-discovery and digital investigation.

6. Regulatory frameworks
6.1 EU and USA
Many countries around the world are coming upwith data protection laws to regulate
the E-transitions of any Information Technology development (includes internet,
Cloud computing etc..) and many of these laws “are based on a combination of the
OECD Guidelines and the EU (European Union) Directive or the APEC Privacy
20
Principles”. When the OECD guidelines were first adopted, the internet had not
emerged yet.Data was in physical formand people used to exchange data through
physical mediums. At a November 2004 meeting in Santiago, Chile, Ministers from
APEC (Asia-Pacific Economic Cooperation) economies adopted the APEC Privacy
Framework. The APEC privacy framework follows OECD principles, but the
framework suggests that “privacy legislation should be primarily aimed atpreventing
harm to individuals from the wrongful collection and misuse of their
information”. 21 Later, Data Protection Directives 95/46/EC, known as EU Data
Protection Directives 1995, set out to protect the right to privacy of individuals and to
facilitate the free flow of personal data between EU member states. The EU
Directives prohibit the transfer of personal data to other countries; however, the
Article 29 Data Protection Working Party, a European working group on data
protection, has included “adequate protections” in their European privacy rules. 22On
the other hand, the USA does not have dedicated personal data protection or privacy
legislation in place. Instead, the United States has sector-specific laws: Gramm-

19
ENISA , 2009.
20CSA 2012 (Cloud Security Alliance’s opinion on Cloud computing and Privacy regulation).
21Greenleaf, Graham. 2006.“Global data privacy in a networked world.” University of New South Wales, 30 March
2006.
22Schellekens, B.J.A. 2013.“The European data protection reform in the light of Cloud Computing.”Tilburg, January
2013.
Leach-Bliley (applicable to financial institutions), HIPAA (applicable to health care
providers and others dealing with health information and related entities), COPPA
23
(applicable to online data of children under and the USA Patriot Act (may be
applicable to foreign companies that work with cloud providers that allow data to
reside in or flow through the US). The Computer Fraud and Abuse Act, etc. and the
government allow American states to have their own individual legislation; however,
the US has made privacy legislation for the private sector distinct from public sector
privacy legislation.24In spite of all these EU and US has an international Safe Harbour
frame work to permit the transfer of personal data from EU to USA to meet the
requirement of “adequate protection” principle of EU directives25.
6.2 India
India is neither a member of the OECD nor of APEC, and it has not signed the
Budapest Convention on Cybercrime; however, it is the largest member in the Asian
26
Association for Research Cooperation (SAARC). The Indian Information
Technology Act (IT Act) 2000 creates regulatory environment for Information
Technology and E-commerce. The main laws regulating data privacy are the
Information Technology (Amendment) Act 2008 (IT Act 2008) and Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Information) Rules 2011 (IT Privacy Rules 2011).
The concept of privacy was introduced in the IT Act 2008 through Section 43-A
(compensation for failure to protect data) and Section 72-A (punishment for
disclosure of information in breach of lawful contract). In 2011, the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Information) Rules Act was introduced. It extends the scope of section 43A of the IT
Act and regulates the collection, disclosure and transfer of sensitive personal data.
The IT Privacy Rules 2011 requires corporate entities, which collect, process and
storing personal data, including sensitive personal information, to comply with certain
procedures. It distinguishes “personal information” and “sensitive personal

23Simmons, Jean. “Data Protection and Privacy in the United States and Europe.”IASSIST Quarterly.
24
Greenleaf, Graham. 2011. “Promises and illusions of data protection in Indian law.”International Data Privacy Law.
Vol. 1, No.1
25Jenna Gerber, Head out of the Cloud: what the United state may learn from the European Union’s treatment of
data in the Cloud.23 Ind. Intel and comp, L, Rev,245,2013.
26
Greenleaf, Graham. 2011. “Promises and illusions of data protection in Indian law.”International Data Privacy
Law.Vol.1, No.1
information” as defined below. According to IT Privacy Rules 2011, enacted under
section 87(2) of the IT Act, which defines “sensitive personal data or information”,
the following information is included:

 Passwords
 Financial information, such as bank account, credit or debit card, or other
Payment instrument details
 Information regarding physical, physiological and mental health
 Sexual orientation
 Medical records and history
 Biometric information (technologies that measure and analyses human body
characteristics, such as “fingerprints”, “eye retinas and irises”, “voice patterns”,
“facial patterns”, “hand measurements” and “DNA” for authentication purposes)

Any details listed above if provided to the body corporate responsible for providing a
service or for processing or storing data will be the responsibility of such entity to
maintain the privacy and security under a lawful contract. However, any information
that is freely available in the public domain is not considered as sensitive personal
data or information and is exempt from the above definitions, as set out by the 2005
Right to Information Act or any other law in force. The Indian Data Protection Bill of
2006 is still pending in Parliament and recently the Shah Committee27has submitted
its recommendation to frame privacy laws. As per the India Law, organisation
whichoriginally owns the data will remain as the owner of the data stored in the cloud
but this should be mentioned in the contract, otherwise no other Indian law governs
the ownership of the cloud data.28

7. Conclusion
Cloud computing is a new technological development, which is transforming business
delivery system of individual consumers, business entities and government sectors
with its several IT delivery mechanism and cost effective methods. The benefits of

27
A committee headed by J. A. P. Shah commissioned a 92-page report dealing comprehensively with privacy laws
in the jurisdiction in 2012.
28
Cloud Computing Risks /Challenges-Legal and Tax issues- My Cloud, your Cloud, Whose Cloud? March
2013.www.nishithadesai.com.Accessed on June 2014.
cloud computing have led to many stakeholders to move their data andinfrastructure
into the virtual world. Yet the rules and regulations to regulate such virtual assets
have not evloved to protect the same.,

The very basic nature of the internet and new features of cloud computing, such as the
geographical distribution of data, the lack of physical access to the server and the
absence of transparency in data processing and third party access to the data, raise
new legal challenges in understanding how to apply the law in relation to data
protection cyber security in the multi-jurisdictional environment. The data transfer
through multiple technologies in the global level, raising the question of existence of
the regulations for the global application. Present cloud technology requires
cooperation in international level to provide a legal framework for cloud provider and
cloud customer perspective and a world organisation to regulate internet based future
technology.The technology is growing with its pros and cons but we need to think
about its regulation, which needs a comprehensive techno-legal and technology
neutral law and policies in national and international level.

List of Figures
Fig1-NIIST Model for Cloud Computing.
Fig2-Figure 2: Benefits and limitations of cloud computing
Fig3- Elements of cloud computing and geographical distribution of data centres