G-Cloud v1: Cloud Legal Project’s Analysis

April 22, 2012

G-Cloud v1, the UK government’s pilot of a six-month framework for public sector use of cloud computing, was launched in October 2011, culminating in February 2012 in the CloudStore, an online catalogue of accepted cloud services. CloudStore is itself cloud-based, hosted on Windows Azure PaaS. G-Cloud v2 is expected to be announced soon.

The Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary, University of London, has produced a paper describing and analysing G-Cloud v1, including the procurement process, purchasing (call-off) process and contractual structures. It uses G-Cloud as a case study to illustrate the key issues arising on cloud contracts and discusses some lessons learned, particularly regarding contractual and public procurement issues.

G-Cloud v1 took the unusual approach of applying suppliers’ own contract terms, such as SLAs, payment terms and intellectual property rights, except where conflicting with specified mandatory ‘overlay’ terms. The initial draft documentation omitted liability provisions, which would have meant that suppliers’ liability provisions (eg total liability exclusions) would have governed. However, the government inserted liability provisions in December 2011, and expanded them further before signing. (The final version of the framework agreement has not been published yet by the government, but the liability provisions are reproduced on the CLP website.) The CLP’s study shows that the documentation’s wording also permits suppliers to change their terms during the period of the framework, which was perhaps not the intended outcome.

For public procurement law purposes, the addition of liability (and other substantive) provisions, and the ability of suppliers to change their terms, meant there could be material or even substantial amendments to the contract terms, raising questions as to the validity of the procurement process.

Security is an area often considered problematic in cloud. The paper outlines the government’s ‘business impact level’ approach to classifying information systems and assets. Security accreditation of services accepted onto the G-Cloud framework is ongoing, but meanwhile customers may use unaccredited services for IL0 (impact level 0) purposes. Detailed information assurance guidance was not available to registered suppliers until December 2011, shortly before the tender submission deadline (which again has public procurement law implications), and still has not been made public.

The CLP paper also shows that G-Cloud v1 also brought out questions regarding the role and treatment of sub-providers in cloud, which are still unclear and may not be sufficiently taken into account in contracts, as discussed in the paper. For example, a SaaS provider may itself build or ‘layer’ its services on the services of an IaaS or PaaS provider, but may have little control over the IaaS/PaaS provider. Is the latter a ‘sub-contractor’? Can the SaaS provider persuade the latter to sign a compliance certificate for its G-Cloud tender? How are layered services accredited? Rights to audit cloud services, including layered services, are also debated in the paper.

Various data protection law issues loomed large, illustrating how data protection laws (eg on security requirements) do not cater well for cloud computing arrangements, especially where there are multiple layers and the roles of the various participants do not fit easily into the regulated categories of ‘data controller’ and / or ‘data processor’.

Data extraction and data deletion are also discussed.

UK G-Cloud v1 and the Impact on Cloud Contracts, by Kuan Hon, Prof Christopher Millard and Prof Ian Walden.