Based primarily on in-depth interviews with global and UK cloud providers, cloud users and other market players, the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary, University of London, has produced a paper on the extent to which cloud users have succeeded in seeking changes to cloud providers’ standard contract terms to better meet users’ risk profiles and compliance obligations.
Government and financial institutions seemed best able to negotiate changes, and in some cases could even require deals to be on their own standard terms rather than those of the provider, but generally many users have had difficulty in securing modifications to providers’ standard terms. The paper discusses changes agreed, or compromise solutions.
The terms that generated most negotiation were found to be those relating to:
- provider liability, especially disclaimers excluding or limiting liability
- Service Level Agreements
- privacy/security, in particular data protection laws and audit rights
- termination rights and exit, including data extraction and deletion
- providers’ rights to make unilateral amendments to service features
- intellectual property rights.
The paper also discusses other legal risk issues, such as how some organisations’ employees are bypassing internal procurement procedures when signing up for cloud services, and ways in which some users have dealt with the refusal of providers to amend certain terms, eg arranging their own backups to internal servers or other cloud providers. Intermediaries such as systems integrators and solutions providers seem to be playing an increasing role; in some cases, they are offering better terms, such as on liability, than users could obtain if they contracted directly with the ultimate provider.
There are signs of market development. It is suggested that changes to providers’ standard terms are likely to filter down from large deals where users have negotiated amendments, and filter up from regulatory action affecting the consumer market.
The paper suggests a multiplicity of approaches are emerging, rather than a de facto ‘cloud’ model, with market participants developing a range of cloud services with different contractual terms, priced at different levels, and embracing standards and certifications that aid legal certainty and compliance, particularly for SME users.
For the full account (43 pp in pdf), see Negotiating Cloud Contracts – Looking at Clouds from Both Sides Now by Kuan Hon, Christopher Millard and Ian Walden.
Conor Ward, Partner at Hogan Lovells International LLP and chair of the Cloud Industry Legal Forum (CILF), has warmly welcomed the research and reminds end-users to carefully consider the legal implications of the cloud proposition:
‘This is the first in-depth study in to cloud computing contracts, shedding some valuable light on this still maturing branch of IT. The legal issues relating to the use of the cloud are well established and indeed have been so for some time, but currently this wealth of understanding and experience is overlooked.
To date the relative immaturity of the market has resulted in contracts being used which were not particularly well suited to the services being provided but the study anticipates that contracting models will mature as a combined result of pressure from regulatory bodies and experience from negotiations on the larger deals.
Cloud computing is not going to be suitable for every circumstance and potential customers would, as this study demonstrates, be well advised to undertake a detailed risk analysis before committing new applications to the cloud. A properly thought through contract will help mitigate the majority of risks associated with cloud computing services. However, there are few things that it is important to note. CSPs, like all external suppliers, will not act as insurers of a customer’s business. Remedies under a contract may form part of, but should not be considered to be an entire, risk mitigation strategy.’
Legal concerns can generally be addressed by technical and legal means and whilst this may mean that the supplier may not have total flexibility on where it can process and store data, in the majority of cases the supplier is subject to restrictions imposed by its technical infrastructure in any event and with full transparency and suitable contractual terms, data protection as an issue will disappear.
Ensuring an adequate level of service will of course be important but data losses or the temporary loss of Internet connectivity could have dramatic consequences to a business. Agreed service levels with limited service credits will generally not provide an adequate remedy and where the loss of service is due to a force majeure event, the supplier may have no liability at all. A careful review of the contract and SLAs should highlight the extent to which the customer has any meaningful remedy if the service levels are not met and should enable the customer to take measures to minimise losses or disruption in the event that a disaster does occur.’