SCL Event Report: Foundations of IT Law Programme – Module 6: Cloud Computing

September 16, 2014

This SCL event, the sixth in the series ‘Foundations of IT Law’, was hosted by Hunton & Williams and focused on the cloud.  Bridget Treacy chaired the event and began by challenging participants to consider what is genuinely new, and what is not new, in a cloud context.  She introduced the speakers: Dr Sam De Silva of Penningtons Manches LLP, who discussed the cloud from the customer’s perspective; Samantha Hardaway, Associate General Counsel for EMEA Cloud Legal at Oracle, who discussed the cloud from the vendor’s perspective; and Wim Nauwelaerts, a partner in Hunton & Williams’ Brussels office, who discussed the data protection issues that are raised in a cloud context.

Dr Sam De Silva focused on the differences between the cloud and traditional IT outsourcing.  Sam began by highlighting the diverse range of cloud offerings available and how they may be categorised.  The defining characteristics of the cloud are that it is on demand and elastic, and that customers pay only for the computing resources that are actually used.

Sam then explained the key differences between the cloud and traditional IT outsourcing.  Typically, cloud offerings are standardised and there is little scope for customisation beyond configuration of basic parameters.  Cloud vendors are usually not obliged to provide updates or improvements to software.  As cloud offerings tend to be standardised, there tends to be less opportunity to negotiate contractual terms.  However, cloud vendors are often more flexible around the length of contract.  Traditional outsourcing arrangements are typically for a term of five years or more, whereas cloud offerings are usually shorter, with some vendors offering as little as 30 days’ notice.

Sam went on to explain that the cloud requires a different negotiating approach to traditional outsourcing.  Cloud vendors are unlikely to agree to a number of clauses that would be found in traditional outsourcing contracts, for example, audit rights and benchmarking.  Consequently, customers should focus on risk evaluation and selecting a provider that meets the business’ needs, rather than seeking to negotiate particular contractual provisions. 

Samantha Hardaway talked about the cloud from the vendor’s perspective.  She began by explaining the main drivers for the adoption of cloud technology: globalisation, the need to increase productivity and cut costs, and the recent explosion of big data.  Samantha then explained that cloud terms are often not found in a single document, as they are with traditional outsourcing agreements.  For example, SLAs, change management and other key provisions are likely to be found in separate documents, increasingly online.  A contract that appears to be two pages long may, in fact, amount to 50 or 60 pages once hyperlinked documents are included.

Samantha provided an overview of key contractual provisions that are likely to be relevant. Cloud providers will not grant IP rights in cloud software to customers.  Providers may also request IP rights over certain customer data stored on the cloud.  This is typically in respect of aggregated customer data only, which the provider may wish to analyse to improve the service offering.  Samantha explained that cloud agreements are usually for a fixed term, typically around three years, and are subject to auto renewal.  Due to the nature of the cloud, providers will often, particularly for simpler services, allow the customer to terminate for convenience.  In many cases, however, customers will incur early termination costs. 

Providers usually require the right to suspend the provision of services.  Firstly, services may be suspended for non-payment by the customer, but other suspension rights are also common, for example if customer data stored in the cloud is found to be illegal or to infringe third-party IP rights, or where suspension is necessary due to a risk to the service, for example due to an attack by hackers.  A waiver of indirect or consequential damages, together with a cap on damages calculated as a ratio of fees paid, is typical.   

Wim Nauwelaerts discussed European data protection law and its implications for the cloud.  Wim began by explaining the complicating factors relevant to the cloud.  Firstly, there is often a contractual imbalance between the customer and the provider, allowing cloud providers to dictate terms to the customer.  Secondly, due to the nature of the cloud, it is often difficult or impossible to determine the physical location of data stored in the cloud.   

European data protection law is likely to apply if either the customer or the vendor is established in an EEA jurisdiction.  Even where this is not the case, EU data protection law may still apply if the vendor makes use of equipment located in an EEA country for processing data.    

Wim explained that it is often difficult to comply with the main data protection principles in a cloud context, for example, to ensure that data are adequate, relevant and not excessive, and that cloud customers know of all subcontractors that participate in the cloud service and all locations in which data may be stored or processed.  The key data protection obligations lie with the customer, who may have too little bargaining power to insist on contractual changes.  Further, personal data transferred outside the EEA must meet the EU adequacy requirement.  Some cloud providers may be Safe Harbor certified.  While the Safe Harbor remains an approved legal basis for data transfers from the EU to the US, its long-term future has been called into question by the Article 29 Working Party.  Standard contractual clauses may also be used, but may be difficult to implement or unsuitable, for example, where an EU-based service provider makes use of non-EU sub-processors.

Finally, Wim discussed the proposed EU general data protection regulation.  In particular, the regulation is likely to impose obligations upon cloud providers that currently apply only to customers.  It is as yet unclear how this will impact the cloud industry, but in any event cloud providers are likely to face increased compliance hurdles.  

James Henderson is an associate in the Privacy and CyberSecurity Team at Hunton & Williams.