Cloud computing is on the mind of many CIOs these days. It's also on the mind of lawyers. Lawyers know contracting for cloud services can be difficult given the potential risks associated with these services. For regulated entities like Canadian financial institutions, a material public cloud transaction also poses serious OSFI compliance challenges. The standard form contracts of many cloud providers also contribute to the difficulties. For a survey of these terms, see Simon Bradshaw et al., Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services.
Many cloud providers will negotiate changes to their standard terms. Their flexibility depends, in part, on the size and importance of the transaction. According to a recent EU study by W Kuan Hon et al. of Queen Mary School of Law, Negotiating Cloud Contracts – Looking at Clouds from Both Sides Now, the outcome of a negotiation is “dependent on the size of the organization and the influence it can exert.” Even in these circumstances, however, there are significant divergences between the needs of organizations and the standard practices of cloud providers. PwC identified some of the gaps from a survey of cloud providers in Germany in its paper Cloud Computing: Navigating the Cloud. Not surprisingly, according to the Queen Mary study, some of the major issues are:
1. exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery;
2. service levels, including availability;
3. security and privacy, particularly regulatory issues under the EU Data Protection Directive (‘DPD’);
4. lock-in and exit, including term, termination rights and return of data on exit;
5. providers’ ability to change service features unilaterally; and
6. intellectual property rights (‘IPRs’).
The security and privacy challenges are generally at the forefront of the issues that have to be resolved. The US National Institute of Standards and Technology (NIST) recently published Guidelines on Security and Privacy in Public Cloud Computing to help organisations work through these issues. It is a must-read for lawyers doing cloud computing deals.
The International Working Group on Data Protection in Telecommunication also recently published a Working Paper on Cloud-Computing – Privacy and data protection issues that canvasses data protection issues from an EU perspective. The Canadian Office of the Privacy Commissioner also released a Report on the 2010 OPC’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing which described some of the privacy issues implicated in cloud computing.
Governments around the world are also now helping make contracting for cloud transactions easier by publishing standards and best contracting practice guidelines. For example, in February the Australian Government published a Practice Guide called Negotiating the cloud – legal issues in cloud computing agreements. The National Standards Authority of Ireland, in partnership with the Irish Internet Association (IIA), also just launched a new standard entitled “SWiFT 10: Adopting the Cloud – decision support for cloud computing”.
If you are thinking about doing a public, community, or hybrid cloud deal, you may want to keep NIST’s warning in mind:
Reaching agreement on the terms of service of a negotiated service agreement for public cloud services can be a complicated process fraught with technical and legal issues. If a negotiated service agreement is used, a legal advisor should be involved from the onset to address complicated legal issues that are likely to arise during negotiations.