This article was first published in The Cookie Jar, the monthly e-newsletter produced by the Bristows IT Team.

First of all, what is cloud computing? At its simplest, it is an arrangement whereby IT resources are provided as a service via the Internet, typically on demand and often without reference to geography or specific local infrastructure. Popular awareness of "the cloud" has grown recently with the launch of high profile offerings such as Amazon Web Services, Apple's MobileMe, and the growing popularity of the various services provided by Google, including Gmail and GoogleApps. However, many mainstream outsourcing and offshoring arrangements have for a long time been delivered in a way that depends on cloud computing concepts and infrastructure.

So, is cloud computing mature and safe? Yes and no. It all depends what you mean by cloud computing, and what you mean by mature and safe! Richard Stallman, founder of the Free Software Foundation, caused a stir at the end of September 2008 when he told a journalist that he regarded the use of cloud computing resources to be "worse than stupidity". This is almost certainly an over-simplification! Some so-called cloud services are tried and tested remote IT services of various kinds. In particular, there are various mature 'Software as a Service' (SaaS) and hosted storage and backup offerings. Such services may be delivered by long-established major players, may generate substantial revenue streams and may be subject to robust Services Level Agreements (SLAs). At the other end of the spectrum, however, there is a plethora of services provided by startups, and often at no cost to the end-user, at least for an entry-level product. In terms of maturity and stability, many cloud services are launched, and are subsequently rolled-out on a substantial scale, while still at a relatively early stage of development. Some may indeed remain in development for an extended period.

From a legal point of view an obvious place to start in assessing risk is to look at who is likely to be responsible for losses that might occur "in the cloud". Many providers of Internet email, backup, disaster recovery and other hosted cloud services include extremely broad exclusion and / or limitation of liability provisions in their terms of business. It may be argued that it is reasonable for cloud service providers to adopt an aggressive position, especially given the nascent state of the market, and the fact that many services are provided without charge, at least at the entry level. However, businesses should be aware of the implications of, for example, using a cloud service for storage of confidential or privileged information in circumstances where data may be highly exposed. Moreover, in many jurisdictions in Europe at least, there are limits to the extent to which a party can unilaterally assume an extreme position contractually, especially when dealing with consumers.

Complex regulatory issues may also arise in relation to cloud computing. An example of the importance of data location and the far-reaching consequences of network architecture decisions can be seen in the recent case involving the SWIFT payments cooperative. Following rulings from EU data protection regulators that various large scale transfers of payment messages from Europe to the US and disclosures that SWIFT had made to the US authorities post 9/11 were unlawful, SWIFT announced that it is building a new global operating centre in Switzerland. Applying the lessons of the SWIFT case to cloud computing, a particular vendor of cloud services may present its "location-independent" service as a customer benefit. It may, however, be very important for a particular customer, especially in a regulated industry such as financial services, to establish where exactly on the planet that customer's data will be housed physically by the service provider and any sub-contractors who may hold copies of part or all of the data.

The storage of data on servers in another jurisdiction can also create a risk of disclosure through the discovery process connected with litigation. Discovery rules vary by jurisdiction and the United States, for example, permits broad US-style discovery in aid of non-US proceedings where information is physically stored in the US. Again, while a cloud services vendor may not wish to be restricted in terms of geographical scope, it may be prudent for a particular customer to enquire as to the location of specific servers that will be used to store that customer's data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.