Cloud computing has been making headlines for some time now and is being hailed as a way to cut IT costs. As cloud computing contracts are quicker and easier to enter into than IT outsourcing projects, it has become a popular option.
However, as Professor Christopher Millard of The Cloud Legal Project at the Centre for Commercial Law Studies points out, “the ease and convenience with which cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service suppliers.”
Cloud computing, or internet-based computing, allows users to access software applications and infrastructure as a service through the internet and to store data and software on a supplier’s servers in another location.
Because users can enter into cloud contracts simply by entering credit card details and clicking to accept terms and conditions, they often pay far less attention to the terms they are agreeing to than they would in a typical IT outsourcing project.
We highlight some issues to consider before agreeing to a supplier’s standard terms and conditions.
Do you know who you’re dealing with?
Part of the beauty of cloud computing is that it is multi-jurisdictional. However, this also brings its own set of problems. It is important to carry out due diligence on the supplier before entering into an agreement to establish where it is based. This will affect its ability to legally offer the services and the law governing the agreement.
For example, in certain jurisdictions, suppliers of cloud services will require a licence. In China, certain cloud-based services will require the supplier to have a Type 1 Value Added Telecom Business Licence. Proper investigation of the supplier will be needed to determine where the supplier is based and whether it has the requisite licences to carry on business.
When transferring data to a supplier of cloud computing, the requirements of the Data Protection Act 1998 should be borne in mind.
Transfers of data to other jurisdictions are heavily regulated. This can conflict with the advantages of cloud services’ location independence, as you may inadvertently be agreeing to the transfer of data to other jurisdictions if you are not aware of where the supplier’s servers are located.
Users should ensure that the terms and conditions specifically address the locations in which customer data will be held and allow the user to place restrictions on data transfer and storage, for example, only within the EU region. If the terms and conditions do not address this point, it should be specifically raised and addressed, otherwise you may be liable for breaching the Data Protection Act.
CIA Triad of Data Security
Users should check the provisions relating to the supplier’s confidentiality, integrity and availability obligations: the CIA Triad of Data Security.
Breach of these obligations by the supplier can result in the user breaching its Data Protection obligations, confidential information being leaked or indirect or consequential losses arising from the lack of availability of services.
Many suppliers place responsibility for confidentiality and integrity of the data on the user, recommending that users encrypt data and routinely archive content.
Although data that is only to be stored by the supplier may remain in an encrypted state, any data that must be processed will need to be decrypted by the supplier. In this situation, the supplier must have some responsibility for security.
If a user is paying for cloud services in order to back up its data, it may well wonder why it is paying for these services and then being expected to back up the data as well.
Research comparing 30 cloud computing contracts from 27 different suppliers by The Cloud Legal Project at the Centre for Commercial Law Studies showed that a common feature of the contracts was the all-embracing drafting style used for exclusion clauses.
Some of the contracts included such extensive exclusion clauses that it was difficult for the researchers to see how the contract, at face value, could allow a dissatisfied customer any redress.
For example, suppliers commonly exclude liability for any unauthorised access to, use, corruption, deletion, destruction or loss of any data or content.
Similarly, the suppliers commonly excluded liability for any indirect or consequential loss or damage. Where it was not possible to exclude liability, it was often capped to the amount paid by a user over a set period (typically a month). As most of the losses suffered by a user from a service failure are likely to be indirect, this will, in effect, leave the user without a remedy. Similarly, the cap is likely to be very low in comparison to the loss suffered.
Users need to look out for such exclusions and challenge them where necessary.
Is the Remedy Offered Sufficient?
Commonly, suppliers do not offer refunds as a remedy, only service credits against future use. If a user has experienced a serious problem, such as an outage or loss of data, it may not wish to continue with the supplier. Therefore, service credits will be of no use.
It is worth checking whether refunds will be offered and if so, in what circumstances, or whether the only remedy is service credits.
Before entering into any agreement, the user should check the governing law and jurisdiction for the agreement because, if a dispute arises, it may face bringing an action in a different jurisdiction from that in which it is based. This will generally be costly and also involve laws with which the user may not be familiar.
Although it may be possible to argue that such a provision is void against a consumer, the user must be realistic about the likelihood of enforcing any remedy or obtaining any damages from a supplier based in another continent.