This week, a note of caution regarding an unusual trend in some cloud engagements. In several recent transactions, I have seen provisions that put the customer on notice that the provider has one or more offshore affiliates who may assist in performing the agreement. This, in and of itself, is not unusual. What is unusual is that in these transactions, the provider has taken the position that (i) it cannot tell which of its affiliates will be involved, (ii) it cannot provide a definitive list of the relevant jurisdictions involved, and (iii) even though use of the affiliates is for the convenience of the provider, compliance with all applicable laws, including local laws in the relevant jurisdictions, with regard to cross-border transfers of the personal data is the responsibility of the customer.
It is this last item that causes the most concern. The customer has no control over where its data will be sent, how often it will be moved, or, even, the specific jurisdictions involved. Yet, the customer is somehow to assume the obligation of ensuring compliance with the myriad of potentially applicable privacy and other consumer protection laws everywhere in the world, including, apparently, adjusting its privacy policy and obtaining consents from consumers to comply with those laws. I suggest that is a tall, if not impossible, order to fulfill and one no customer should be forced to assume.
In one of the transactions, the vendor was asked if the customer could encrypt its data so as to minimize the security and compliance issues presented by this type of undefined offshoring. The relevant vendor said that the customer could encrypt its data, but in at least some jurisdictions (e.g., China), the customer would have to supply the decryption key – rendering the protection sought illusory.
The foregoing points up the need for customers to push back and push back hard on unrealistic and unreasonable provisions in cloud agreements and for vendors to take a reality check on what they are requiring from their “valued” customers in their contracts.