Thames Valley Group Meeting Report: Cloud Computing Contracts

February 20, 2011

Wednesday 16th February saw the second event of the Thames Valley branch of the SCL, welcoming around 60 people to Reading’s Town Hall for an evening’s discussion on cloud computing contracts. The session was led by Professor Christopher Millard, who presented a fascinating overview of the work which he and his colleagues at Queen Mary, University of London, have undertaken, reviewing around 30 contracts relating to ‘cloud computing’ services. (We were particularly fortunate to hear Christopher speak, as he had suffered an unpleasant altercation with a glass door the night before – we wish him a speedy recovery.)

Christopher commenced by discussing the definition of ‘cloud computing’, a phrase which has, perhaps, adopted a quality more akin to buzzword than term of art. The definition used – ‘scalable resources on demand via the Internet’ – is, as one might expect, technology and platform agnostic, but is somewhat wider than many might have anticipated, bringing within the scope of the research project not only those services which are well-known as cloud computing products (for example, Amazon Web Services), but also the likes of Apple (included by virtue of its ‘MobileMe’ offering) and Facebook, through its ‘app platform’ functionality. By adopting a wide definition, encompassing not only the element of storage site uncertainty, but also that which may have been considered previously to be merely scalable hosting services, the data set available for analysis is enlarged, facilitating discussion and comparison of the contractual terms, and the legal and business risks and uncertainties, across a more expansive base of services. 

Having established the scope of the study, Christopher discussed the pyramidal nature of cloud services, ranging from bare infrastructure provision through SaaS to virtual machine environments, and the inevitable balancing act between in-house and outsourced IT services provision, neatly identifying different rationales – and thus different requirements – for companies considering the use of cloud services. The point to note from this discussion was that, whilst the various services might all fall within the wide definition of ‘cloud computing’, one standardised approach to contracting for cloud services is unlikely to offer the best protection for one’s clients – instead, one would ideally adopt an approach of identifying each client’s key risks and opportunities, tailoring the agreement to fit. 

Cloud agreements, however, are rarely negotiable, with most providers requiring a would-be subscriber to adopt their standard form agreement, although, as always, a deal of sufficient value or strategic import might tempt a service provider towards a more tailored agreement. In this way, a cloud provider attempts to secure contracts with a large number of customers without the need for individual negotiations, theoretically enabling a lower price to be offered; the main body of the lecture was focussed on these standard form agreements – often embodying a number of related acronym-entitled documents, including Terms of Service (ToS), Service Level Agreements (SLAs), Acceptable Use Policies (AUPs) and, hopefully, a Privacy Policy (PP) – and the terms which lie therein. 

The major themes arising from the analysis were those of control over data storage (of particular interest for those advising companies in regulated sectors), liability for data loss or service disruption/discontinuation, rights to disclose to third parties (law enforcement and otherwise), and determination of the identity of the party actually providing the services, given the often multi-layered approach. The first paper resulting from the research, ‘Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services’ (available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374 and summarised in the February/March issue of Computers & Law), contains details of these clauses and others, examining them in context and, in some cases, questioning whether they would be enforceable as a matter of law.

The lecture provoked a good discussion, touching in particular on issues of data processing, and whether the controller/processor/subject trichotomy remains a valid model in a cloud environment (where different participants play different roles), as well as discussion of certification / kite-marking of cloud providers to make it easier to determine whether a particular service would fit a customer’s needs. 

Neil Brown is a solicitor and a geek, and is fascinated by the overlap of law, technology and society. He works at Vodafone and is a member of the SCL Thames Valley Group committee.