The cloud conundrum: who actually owns your data?

Are you keeping an eye on the storage of your information?

Think about your online activity over the last week. Chances are you sent a few emails via Gmail, moved some new family photos to an online storage service, perhaps creates some new posts for your blog, and updated your Pinterest, Facebook or Twitter accounts.

Add to this the fact that your online data could be stored in several different countries, and it becomes impossible to state that you own all the data you have created.

Dino Wilkinson, a partner with international legal practice Norton Rose Fulbright told TechRadar: "Under English law, there are no property rights in data as such – although this has not necessarily prevented individuals and businesses from treating data as property.

"Markets exist for buying or selling data and individuals regularly disclose their personal data in exchange for goods and services. However, the value in these cases is created through the right to sell or use the data in a certain way rather than a legal right of ownership.

Exercising your rights

"In the cloud context, the contract between service provider and customer must address this issue by defining the extent of the service provider's right to process and store data on behalf of the customer. The customer will often be under an obligation to impose restrictions on the service provider in relation to how they use the data due to legal and regulatory obligations imposed on the customer itself."

Dino continued: "For example, data protection laws give rights to individuals (or data subjects) in relation to the processing of their personal data; an organisation that collects such personal data may have legal obligations to process it in a certain way including limits on how it (and any third party contractors) use, disclose, hold and transfer that data.

"The collecting organisation (or data controller) will have to ensure that any cloud services provider it wants to use for the processing of that data will do so in a legally compliant way and in accordance with the data controller's policy. Typically, the issue is not one of data ownership but rather accountability to the data subjects."

When it comes to your data, looking closely at the terms and conditions of the online services you are using is of paramount importance. At present, the relevant parts of the terms and conditions of leading hosted service providers are as follows:

Amazon Web Services

'Your Applications, Data and Content. Other than the rights and interests expressly set forth in this Agreement, and excluding Amazon Properties and works derived from Amazon Properties you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.'


'It is important that you can access your Google data when you want it, where you want it - whether is it to import it into another service or just create your own copy for your archives.'

Microsoft Office 365

'You own your data and retain all rights, title, and interest in the data you store with Office 365. You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.'

Benefits of the hybrid model

And for businesses that are increasingly using cloud-based services to reduce costs and improve efficiency, creating a hybrid approach where the cloud and on-site servers are used can be effective. This offers a level of protection and more clarity of data ownership, as this information is not stored in the cloud. This approach is ideal if your business is in a regulated industry such as financial services, which have strict regulations about data storage.

One important aspect of data ownership is often called 'emergent data'. Many of the cloud service providers include in their terms and conditions the right to manipulate the data they are storing to create new data sets. Google is a good case here, as it often uses the data it is storing to generate its own metadata often for marketing purposes.