SCL Meeting Report: ‘A review of contractual frameworks, issues and risks in Cloud Computing’

June 13, 2013

This seminar was chaired by me and featured two extremely distinguished (and complementary) speakers explaining how contracts can help manage the risks and opportunities presented by Cloud Computing. The first speaker was Professor Ian Walden, an academic as well as a solicitor. Of particular interest is that, over the last few years, Ian has been part of the Cloud Legal Project at Queen Mary (where he is Professor of Information and Communications Law), which has published a series of leading research papers on cloud. Ian also works in private practice at Baker & McKenzie. The second speaker was Conor Ward, a respected practitioner and partner from Hogan Lovells. Conor is heavily involved in the Cloud Industry Forum and chairs its Legal Forum.

Ian set the scene by describing the current state of play in relation to the cloud market and dealing with some of the issues which underpin cloud contracts. There is a lack of knowledge as to who actually holds data. Such well-known services as iCloud and DropBox, for example, as well as many European cloud service providers (CSPs), all use Amazon infrastructure. More worryingly, much of the contractual protection being negotiated between customer and CSP is not mirrored back-to-back in the sub-contract; the contracting CSP is often simply ‘taking the risk’. Ian reminded us that there is much ‘Fear, Uncertainty and Doubt’ (FUD) surrounding cloud discussions. Some of the FUD has disappeared over time; in particular, the myth that CSPs grabbed ownership of the customer data (this used to be a concern, but a study of cloud contracts shows that the concern was, and certainly now is, misplaced).

There are still valid concerns, though, in relation to the issue of law enforcement agency (LEA) access to cloud data; a timely discussion in the light of the PRISM revelations dominating the news. It should not be forgotten, though, that all modern democratic states grant their LEAs legal powers to access data in the hands of CSPs. Drawing on the Cloud Legal Project's work (including its surveys as to standard contract terms), Ian then summarised the treatment of security and data issues in cloud contracts. Most cloud contracts allow the CSP, as an exception to its confidentiality obligations, to respond to LEA requests for data. Interestingly, RackSpace takes the stance that the customer has so much control over its own data that RackSpace itself never has sufficient ‘possession, custody or control’ to be compelled to provide data to LEAs.

Conor spoke about the current state of the market in relation to cloud contracts. He also drew on surveys – those of the Cloud Industry Forum. These threw up some surprising statistics. Even in fairly large organisations (over 200 employees), for example, 40% of contracts with CSPs were not negotiated; not much different from the 35% figure for organisations of fewer than 20 people. Worryingly, many cloud contracts still provide for the cloud service provider to have no responsibility for data loss.

Conor then talked us through the ‘Guide to Best Practice’ on contracting published by the Cloud Industry Forum.  This useful guidance, aimed at the supplier side but with a view to satisfying customer concerns to facilitate sales, covers a whole range of important areas, including: choice of law (perhaps CSPs should consider local law of the customer if they want to win business), data control (transparency would be good, as would local data centres), service availability, liability and termination.

More guidance as to contracting practice is given by the Article 29 Working Party in its Opinion on Cloud Computing (WP 196 of 1 July 2012). In this, apart from dealing with the data protection issues a customer putting personal data into the cloud must consider, the Working Party set out its recommendations for cloud contracts. Conor took us through these, covering issues (some of which are arguably outside the Working Party’s data protection remit) such as SLAs, remedies, security, location of data, and so on. The critical point, never to be overlooked, was that a cloud contract must have some confidentiality obligation; unfortunately, not all do.

Might model contracts be introduced? There are two possible initiatives here. First, as Ian reminded us, the European Commission, in its September 2012 communication (‘Unleashing the Potential of Cloud Computing in Europe’), considers that the terms offered by CSPs are ‘insufficiently specific and balanced’. A solution, believes the Commission, is model contracts – which it has promised by the end of 2013. Separately, the Legal Forum of the Cloud Industry Forum (primarily Conor) is working on a possible model contract for adoption through the UK CSP community. Conor candidly admitted that the benefit of model contracts was not so much likely to be take-up by CSPs (it is unlikely that this will happen; cloud is not a ‘one size fits all’ industry). Rather, it will help smaller customer companies (perhaps only with non-specialist legal help) contract with CSPs by operating as a ‘check-list’ for those new to cloud contracting.

Renzo Marchini is with the London office of Dechert advising on the full range of technology and data protection matters. He advises both cloud providers and customers. His book, Cloud Computing: A Practical Introduction to the Legal Issues, was published by BSI in November 2010. Renzo is on the editorial board of World Data Protection Report and is a founder member of the Cloud Industry Legal Forum. Prior to qualifying as a solicitor he worked for a number of years as a software consultant engaged in designing, programming and testing complex software applications.