Steve Ross tells us what issues business want dealt with in the European Commission’s standardised terms and conditions for cloud services, and why.
Cloud computing is at an early stage of its development as a business practice, but increasingly businesses of all sizes are seeing benefits in this alternative to traditional IT outsourcing. Some of the main benefits which customers of cloud computing cite include significant cost reductions, access to better technologies without large infrastructure expenditure, the enhancement of mobile working for its personnel and the ability to work 'greener' by utilising purpose-built data centres.
Despite these numerous benefits, however, and the increasing take-up of cloud services, there is a growing view that the terms and conditions (T&Cs) and ancillary documentation that are utilised by service providers are creating a fragmented market. In short, cloud users are confused, or indeed unaware, as to the standards of services to be provided and their respective rights and obligations.
The Commission has examined this issue, initially in a Produced Opinion (05/2012) on cloud computing, issued on 1 July 2012, followed by the communication 'Unleashing the potential of cloud computing in Europe' in September 2012. One of the outcomes of these Commission initiatives is the proposal that a standardised form of T&Cs for cloud computing services will be produced at an EU level to try to ensure that cloud computing services are utilised to their fullest potential and to put the EU at the leading edge of the market in these services. The stated aim is not to create a one-size-fits-all set of T&Cs, but rather to act as a starting point to which service providers can add (but not contradict), in order to provide certainty for customers of the services as to the core principles and standards which are to apply. As part of the consultation process for the preparation of these standardised T&Cs (expected to be produced at some point in 2013), EU businesses have been encouraged to undertake a thorough risk analysis of their cloud computing services.
Such an analysis highlights a number of key areas in the legal documents applying to cloud computing services in varying manners across the industry at present but which form key aspects for the data management and security of business in the 21st century. Such areas would benefit from a more standardised approach and would, by giving certainty to business, help establish the market for the cloud as a secure and viable option for businesses from the very largest to the smallest SMEs.
Five areas of current concern which would benefit from standardisation under the new Commission regime are:
1. location and security of data;
2. data protection and disclosure;
4. warranties and liabilities; and
5. choice of law.
1. Location and security of data
Given the nature of cloud computing, one of the key concerns for business remains the question of the location and integrity of the data placed on the cloud. This is obviously of great concern to lawyers as well, given the uncertainties that can arise if data is stored or processed in different and potentially unknown jurisdictions. Legal structures such as the EU Data Protection regime also play a direct role in governing the transfer of many types of data beyond Europe. At the same time there are certain jurisdictions that it may be preferable for a business to avoid entirely but which cannot be guaranteed unless the terms and conditions of their cloud computing service provider facilitate this. It should also be noted that cloud users are classified as 'data controllers' for the purposes of the EU Data Protection regime and as such will be responsible for ensuring that the cloud provider they select is in full conformity with the EU regime; failure to do so leaves users open to large fines.
At present, few providers of cloud services deal with this issue directly. Some do provide a regional structure such that a customer can specify a geographical zone within which their data will be held; however others do not touch on this issue at all, or make reference to the EU regime or the US safe harbour procedures which may or may not address the particular concerns of any individual customer. For business, it will be preferable if a standard approach to this were created so that business customers could either specifically select jurisdictions within which their data will be held by a specific provider, expand the regional zone structure across the industry or at least require cloud computing service providers to proactively advise customers of where data will be held and/or be transferred between, and giving the customer the ability to take action should a transfer be proposed through a jurisdiction which is (legally or otherwise) unacceptable to them.
Also on this issue, and given the nature of cloud computing services, arises the question of security of data during transit. This applies both for the transfer of data to and from the cloud service provider and also transfers within the cloud service provider's data centres. At present, a large number of service providers merely state that transfers of customer data will be made unencrypted over their (inherently not secure) networks, although some do refer to encryption or provide details of the underlying storage service provider for the purposes of security. Business would clearly be well served if this situation could be improved, either by having the requirement for all data transfers to be made in encrypted format unless the customer agrees otherwise, and/or provide a minimum security standard (both physical and electronic) which must be adhered to.
2. Data protection, preservation and disclosure
The integrity, preservation and (where required) disclosure of customer data whilst held by the cloud service provider is also of key importance to business. Clearly compliance with legal requirements of national and international data protection regimes is an absolute necessity for all service providers (and this should clearly be dealt with within the EU standard T&Cs). However, at present little responsibility is generally taken by cloud service providers (especially the larger providers) on the issue of integrity and preservation. Almost all service providers include within their terms and conditions statements that the ultimate responsibility for preserving the confidentiality and integrity of customer data lies with the customer, and contain some form of absolute disclaimer of liability in this regard. Even where certain service providers do state that they will use 'best endeavours' or similar terms to preserve customer data they nonetheless tend to include a disclaimer and encourage the customer to take actions to preserve their own information such as using encryption and regular archiving. Such disclaimers seem to ignore the fact that many cloud users (particularly SMEs) will be using the cloud for back-up purposes. This partly indicates that cloud service providers are not paying sufficient attention to the reason that their services are taken up by businesses. Arguably, if service providers do not change their approach across the industry to this issue then a significant amount of business will be lost as a result of the services simply not providing the security that the customers are seeking, and the cost savings involved in utilising a large service provider rather than purchasing one's own security and encryption packages. If this action is not taken, business would benefit greatly from a standardised approach within the proposed EU T&Cs, even if this is an additional cost, so that customers can utilise the cloud service as a back?up facility in the manner they envisage without having to further back?up or encrypt their data.
The approach taken by cloud service providers to the circumstances in which they will disclose customer data and other information to third parties (such as law enforcement agencies) also varies widely, and business would benefit from a more unified approach on this issue. Whilst complying with court orders is clearly a standard approach, many cloud service providers work to a much lower threshold for disclosure, accepting requests as well as enforcement orders from law enforcement agencies or indeed other bodies. Some service providers go as far as stating that they will disclose information where they, acting in 'good faith', believe that it will protect their own interests in doing so, or otherwise at their sole discretion. Clearly, some service providers such as social networks are established very much on the basis that customer information will be shared and disclosed; however this is also clearly not the case in relation to hosting sites (although the line between the two is becoming increasingly blurred as they seek to provide competing services against each other). The conflicting expectations of different types of customers for these sites will need to be taken into account, but a more standardised approach would clearly be of great benefit to business in providing certainty as to the circumstances in which their data can be disclosed without their proactive consent.
Finally, it is also very important for business customers to consider what will be done with their data once their relationship with the cloud service provider comes to an end. This raises two issues: the first relates to the customer's ability to gain access to its data (eg to retrieve it for use elsewhere); the second is whether there is an obligation on the service provider to effectively delete the information after that time. The latter question especially is a practical problem for cloud operations and will need to be addressed to avoid this perception becoming a significant issue in the development of cloud services in the future.
At present, most service providers do state that they will preserve customer data for a period of time after the end of the service contract (although clearly the period of time varies between service providers), however some do state that data will simply be deleted immediately once the relationship ends, or alternatively do not place themselves under an obligation to maintain data but intend in practice to do so at their discretion. The approach of deleting information immediately also carries risks for the cloud service provider (for instance it would be very difficult for them to avoid being in breach of contract or a duty of bailment to preserve the customer's data should a court decide that the termination of the contract was in fact ineffective, and this does not seem to be a long term viable solution to the problem). There is also the issue of cloud users requiring temporary access to their data if the cloud provider withdraws its service, for example where the user has breached the provider's acceptable use policy. Failure to provide the user with limited access to their data following the provider terminating the cloud service would mean that the user would be 'locked out' of their data and that they would not be able to transfer it to another provider. On the other hand, customers will also be aware that as data controllers they are obliged to ensure the effective deletion of data as required under the EU Data Protection regime. Overall, business would benefit greatly from a standardised approach whereby data must be preserved for a period that is appropriate to the contract (although having a fixed period across the industry would not be practical) and that data will in fact be effectively deleted after that time. The deletion of information in particular is something that the industry needs to look at more generally as this remains a long-term concern in respect of all data storage processes and will become of greater concern if the right to data erasure as provided for in the General Data Protection Regulation is adopted.
Most T&Cs of cloud providers deal with the manner in which variation can be made to their contract terms in one of two different ways. Some leave the issue silent, however the majority reserve the right to vary, in most cases simply by posting an updated version of the T&Cs on their web site and stating that the continued use of the service by the customer is deemed acceptance of the new T&Cs. A few do provide for the customer to be able to terminate the contract if they do not wish to accept those terms and conditions. Only in a very few cases are the T&Cs specifically subject to variation by agreement between the parties. Clearly, it is a significant risk to business that the T&Cs applicable to any service they receive, whether it be for cloud computing or otherwise, can be changed solely at the behest of the service provider, especially if there is no specific obligation to notify the business customer of any change. An important benefit in the standardised EU T&Cs would therefore be to specify that terms and conditions can be updated by service providers only by agreement or, at least, to impose an obligation to proactively notify customers of any change and allow them a period (which is sufficient to allow the transfer of the cloud data to another provider) within which the services can be terminated as a result of such variation.
4. Warranties and liabilities
Cloud providers have been keen to cap (and in some cases completely disclaim) their liability for breaches of their T&Cs. At the same time providers have also been keen to restrict any warranties which they have given. With such restrictions, businesses are likely to find themselves without adequate redress if access to their data is lost, either temporarily or permanently, or if data is improperly disclosed or corrupted.
Providers often go to great lengths to exclude any warranties as to minimum service levels, something which the Commission may consider imposing. Without cloud users having confidence that they can obtain both easy and reliable access to their data the uptake of cloud computing is likely to be hindered.
Cloud providers have sought to limit the types of liability for which they can be held liable. Cloud providers are particularly keen to avoid liability for lost profits. Understandably, cloud providers do not wish to assume such a wide and potentially large risk. However, cloud services are often being utilised for business critical data and/or processes and the inability to claim lost profits may deter many from making full use of its potential. The Commission faces a balancing act in securing that customers are protected while at the same time ensuring that the minimum liability cap is not set so high as to deter new cloud providers from entering the market.
Cloud providers are almost universal in their imposition of a maximum liability cap under their T&Cs. Cloud users need to ensure that such a liability cap is suitable to their business and the function for which they are using the cloud. Interestingly, some providers offer a variable liability cap determined by the location of the cloud user. If the Commission are keen to avoid a fragmented single digital market in which the level of liability varies from state to state they may seek to set a minimum level of liability for paid for cloud computing (it would seem unreasonable to subject free cloud providers to the same standards). Some cloud providers have linked the compensation limit to a multiple of the amount spent with the cloud provider while other cloud providers have made compensation available but only in the form of 'service credits' which can be put towards the future fees of the provider. Such a compensation mechanism acts to lock in cloud users who may wish to leave the provider after their breach but in doing so would lose their 'service credit' compensation. The Commission proposals should ensure that any compensation payments are meaningful.
5. Choice of law
A key issue for cloud users to consider is the applicable law clause, which will govern their contract with the cloud provider. Such clauses will also determine the jurisdiction in which any disputes will be heard. An inappropriate applicable law clause can present cloud users with a number of problems, notably that they will be forced to bring any dispute in a foreign jurisdiction (such as in California, as often appears in providers' documentation currently) with which they have no experience and for which they have to locate and use foreign counsel rather than their usual advisers. It is particularly important for SMEs, who do not benefit to the same extent as individuals from consumer protection legislation, to ensure that they have an appropriate applicable law clause. Some cloud providers offer a tailored applicable law clause determined by the user's location but many do not. While cloud providers desire certainty in knowing with which legal regimes they must comply there is obviously a need for customers to be protected. While large corporate cloud users may be able to negotiate appropriate applicable law clauses with the cloud provider it is unlikely that an SME will be able to do the same. The Commission may wish to impose a requirement that the applicable law clause is based on the user's location, or, at the very least require that the jurisdiction chosen is within the EU.
A number of providers are now inserting arbitration clauses within their T&Cs. While such a clause may be appropriate for larger SMEs it may prove off-putting for individual consumers or small businesses who are unfamiliar with this dispute resolution mechanism. The Commission must consider whether arbitration is an acceptable form of dispute resolution in all cases or whether it should only be available to consumers dealing in the course of a business.
Another associated issue with which the Commission should look to deal is the limitation periods imposed by cloud providers within their T&Cs. These limitation periods are often very tight with some providers' terms requiring any disputes to be brought within as little as six months from the cause of action arising. Such a time frame gives cloud users very little time to assemble their claim, especially where they must first locate and instruct foreign counsel. The Commission should consider imposing a minimum limitation period for bringing a claim, which in any case should not be shorter than one year.
There are many areas where the T&Cs for cloud services could be improved from a customer's standpoint, including those set out above, and the next steps of the EC's consultation on this project will be awaited with interest both within and outside the industry.
Steve Ross is an Associate in the Business Services Group at Hill Dickinson LLP, London: firstname.lastname@example.org