Cloud Computing - Legal & Business Issues (Part 1)
Posted 21st April 2011 by Jagvinder Kang, Director
In the previous editions of the Technology Column, we looked at the different types of Cloud computing services and models. Having now provided this backdrop to what Cloud computing entails, we will be looking at certain of the business and legal issues associated with such different models in this and the next instalment.
Legal and Business Considerations
Through the previous Technology Columns, certain of the business and legal constraints with Cloud computing will have started to come to light; for instance, the degree of input and negotiation which is possible in relation to the contractual arrangements will vary between different Cloud models and services, due to the inherent nature of those models and services. This therefore clearly gives rise to important considerations such as:
- the reputation and financial standing of the service provider;
- data protection issues, audit & security;
- service levels, service credits and liability arrangements;
- business continuity and disaster recovery measures; and
- term and termination rights of the respective contract.
Over the course of this and the next Technology Column, we will be considering the above topics in the context of Cloud computing. Before we start though, it is important to set the scene with the typical contractual negotiation constraints in respect of Cloud computing.
Negotiating the Contract
As has been mentioned in the previous Technology Columns, the extent to which a customer will be able to negotiate with a Cloud service provider will vary depending upon the type of Cloud model and service provision which the customer is seeking.
One of the key advantages of certain Cloud computing arrangements is a low-cost solution which can be expanded, contracted or terminated in a flexible manner. This flexibility comes at a price which is not measured in cost terms, but instead in terms of a 'vanilla' solution extending to both the service offering and the associated contract. In essence, this means that the flexibility of the Cloud computing arrangements from a 'use' perspective does not extend to flexibility in terms of undertaking heavy negotiations over the respective contract. This is understandable, as the underlying Cloud computing solution will be quite standardised due to the price point and scale at which it is being offered.
On the other hand, a Private Cloud solution can be tailored in terms of both the service offering and the applicable contract. This, of course, usually comes at a cost premium compared to a Public Cloud solution.
It is therefore important to ensure that the contractual negotiations take this on board. A Cloud service provider will obviously be more resistant to changes to its contract in a Public Cloud arrangement than in a Private Cloud offering. It is therefore not necessarily the Cloud service provider which is being unreasonably resistant to contractual changes; rather, it may be the particular Cloud model which is dictating the contractual stance. This is why it was important to identify the different Cloud arrangements in the previous two Technology Columns, to provide the backdrop to these legal and business implications.
Reputation and Financial Standing of the Cloud Service Provider
The contract can only provide so much protection to a customer and the service provider.
The parties will obviously prefer to ensure that the business model and operational arrangements mitigate risks, rather than having to rely wholly upon the respective contract. The extent to which such mitigation is likely to occur will depend to some degree upon the reputation and trading history of the Cloud service provider. This is therefore an important consideration from a due diligence perspective when identifying an appropriate service provider.
However, where the contract stipulates important arrangements between the parties by way of obligations and liabilities, then from an enforcement perspective it is the financial standing of the service provider which will clearly be key. If it is questionable whether the service provider has a solvent asset base sufficient to meet its liabilities, then the strength of the contract is likely to be a moot point in this regard. Again, this is a point to bear in mind both in the initial due diligence when selecting a service provider and in the ongoing monitoring of that provider.
Data Protection, Audit & Security
The Data Protection implications within Cloud arrangements are obviously important: in addition to the common requirements, Cloud computing relies upon thin client computing, where the servers hosting the data (and, more importantly for the purposes of the Data Protection Act, personal data) can be located in any country, including outside the EEA.
Although all of the Data Protection Principles will be important to the extent that the data involves personal data, there are two in particular which will probably be the focus of the business and security teams within a customer organisation, namely Principles 7 and 8:
- Principle 7: this requires there to be appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Principle 8: this requires personal data not to be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
In addition to the contractual language addressing the Data Protection aspects, it will also be necessary to ensure that appropriate due diligence is undertaken and that information is sought by the customer from the service provider, to check how the requirements of the 7th Principle are going to be satisfied. This should extend not only to physical and technical security measures, but also to the management and operational processes and measures which will be used to safeguard personal data.
With regard to the 8th Principle, comfort as to adequacy in respect of the USA can be obtained if the respective service provider has signed up to the Safe Harbor scheme. This requires the US company to follow the seven Safe Harbor principles and to be subject to the enforcement provisions in the US in this respect, which will usually be those of the Federal Trade Commission or other government or oversight schemes.
In order to investigate whether a company is Safe Harbor registered, details can be sought from websites such as the following: https://safeharbor.export.gov/list.aspx
If the above provisions are not applicable to the company in question (i.e. the data is being processed outside the EEA, either in the USA by a company which is not Safe Harbor registered, or outside the USA), then the usual approach will be to seek appropriate contractual protection (for example, by using the model contractual clauses approved by the European Commission) and to undertake appropriate due diligence.
The Data Protection issues will also give rise to issues relating to audit and security. However, irrespective of whether or not personal data is being processed by a Cloud service provider, audit and security requirements are likely to be important to a customer organisation, especially bearing in mind the importance, value and business criticality of the respective contractual arrangements.
A customer organisation, as part of considering the deployment of its requirements into the Cloud, needs to liaise closely with its compliance officers and security teams to identify which specific regulatory requirements may have a bearing on the Cloud offering, together with any additional rights it may then require from an auditing and security perspective. Looking back at the section above on negotiating the contract, it should be evident that the more 'intrusive' any customer validation requirements are into the service provider's infrastructure, the greater the degree of resistance likely to be experienced from the service provider.
Cloud arrangements do give rise to some of the usual issues associated with technology and outsourcing arrangements, but with some interesting dynamics arising from the Cloud structure, as has been mentioned above and as we will continue to see in the discussion of further key legal and business considerations in the next Technology Column.