A study conducted by the Centre for Commercial Law Studies (CCLS) at Queen Mary University of London, predicts the evolution of a multiplicity of contracting models to be used by suppliers/service providers for cloud computing services. The report raises concerns that end-users often overlook unfair terms as they are not afforded the opportunity to negotiate (e.g. through the use of click thru licences) and they fail to assess risk properly (if at all) when adopting low cost cloud services.
Conor Ward, Partner at Hogan Lovells International LLP and chair of the Cloud Industry Legal Forum (CILF), has warmly welcomed the research and reminds end-users to carefully consider the legal implications of the cloud proposition:
“This is the first in-depth study in to cloud computing contracts, shedding some valuable light on this still maturing branch of IT. The legal issues relating to the use of the cloud are well established and indeed have been so for some time, but currently this wealth of understanding and experience is overlooked.
“To date the relative immaturity of the market has resulted in contracts being used which were not particularly well suited to the services being provided but the study anticipates that contracting models will mature as a combined result of pressure from regulatory bodies and experience from negotiations on the larger deals.
“Cloud computing is not going to be suitable for every circumstance and potential customers would, as this study demonstrates, be well advised to undertake a detailed risk analysis before committing new applications to the cloud. A properly thought through contract will help mitigate the majority of risks associated with cloud computing services. However, there are few things that it is important to note. CSPs, like all external suppliers, will not act as insurers of a customer's business. Remedies under a contract may form part of, but should not be considered to be an entire, risk mitigation strategy.”
The university’s study identified common clauses in a wide range of both off-the-shelf, and negotiated cloud contracts that raise cause for concern, these include attempts by suppliers not to take liability for failures, service level agreements that do not match the needs of the business, incompatibility with EU data protection rules, and the right of suppliers to change service features without notice.
Ward continued: “Legal concerns can generally be addressed by technical and legal means and whilst this may mean that the supplier may not have total flexibility on where it can process and store data, in the majority of cases the supplier is subject to restrictions imposed by its technical infrastructure in any event and with full transparency and suitable contractual terms, data protection as an issue will disappear.
“Ensuring an adequate level of service will of course be important but data losses or the temporary loss of Internet connectivity could have dramatic consequences to a business. Agreed service levels with limited service credits will generally not provide an adequate remedy and where the loss of service is due to a force majeure event, the supplier may have no liability at all. A careful review of the contract and SLAs should highlight the extent to which the customer has any meaningful remedy if the service levels are not met and should enable the customer to take measures to minimise losses or disruption in the event that a disaster does occur,” he concluded.