Making Cloud SLAs readily usable in the EU private sector

Negotiating cloud contracts – from both sides now

 
Key concerns impeding the mainstream adoption of the cloud and new challenges on the horizon
Cloud computing services are generally offered on cloud providers’ standard terms. ‘Off the shelf’ cloud services are easy and quick to procure, just by clicking through and (in the case of paid services) providing credit card details. This has contributed to the growth of shadow IT use, where IT, procurement and other departments may not know the extent to which employees of the organisation are using cloud services, including for confidential and personal data.
 
The Cloud Legal Project [1] at the Centre for Commercial Law Studies, Queen Mary University of London [2] conducted ground-breaking research on cloud contracts, surveying some 30 sets of standard cloud contract terms in 2010, and analysing the negotiation of cloud contracts through anonymised interviews with cloud market players in 2012.
 
With providers’ standard terms, the key specific risks identified by the research related to wide liability exclusions and disclaimers, sub-contracting by providers (e.g. SaaS built on IaaS or PaaS), the provider’s ability to change or discontinue the service at any time, and recovery of data after termination. It was questionable whether some of these terms were legally enforceable, particularly against consumers or under laws regarding unfair standard terms.
 
Users may seek changes to providers’ standard terms for several reasons. Terms tend to favour providers, unsurprisingly – although not always, e.g. the terms of providers with a legacy of enterprise rather than individual consumer customers. There are commercial reasons, notably SLAs and risk allocation. And the user needs to remain compliant with the laws and regulations affecting it when using cloud, in particular data protection laws regulating the processing of personal data, and financial services regulation.
 
Whether users can negotiate successfully depends as always on the user’s bargaining position. Even huge corporates have had difficulty persuading large providers to agree to any changes. Our research found that users in the best position to secure changes tended to be financial institutions and government/public sector users. Most of these contracts are confidential but some have been published. The provider’s position is also relevant – smaller providers, unsurprisingly, were more willing to negotiate. Integrators can play a significant role too, sitting in the middle and contracting with both user and provider. Some integrators have proved willing to accept liability desired by the user but rejected by the provider, but of course this leaves the integrator exposed to the risk mismatch.
 
In our negotiated contracts research, the top 6 points most negotiated (which sometimes proved to be ‘deal breakers’) were exclusion/limitation of liability, SLAs, security/privacy, lock-in and exit, providers’ rights to modify the service unilaterally, and intellectual property rights. Liability was far ahead of the others. There are, of course, several key tensions here. ‘Guaranteed’ liability and security may be possible, but will cost money, and seems at odds with the model of cheap or free public cloud. The biggest providers may end up the winners as they are the most likely to be able to control the entire supply chain, from datacentres to any IaaS/PaaS layers, and therefore be able to offer the guarantees sought particularly by users in regulated sectors.
 
There is still some way to go in improving user awareness and educating users about the risks of using cloud computing and ways to mitigate those risks, whether technical or legal. More guidance and pre-contract risk assessment checklists for users would assist, and users should be encouraged to implement backups and encryption whenever possible and appropriate. User demand may push, and indeed shows signs of having pushed, providers to make their terms more customer-friendly for market competitiveness reasons.
 
As for laws and regulation, it needs to be borne in mind that imposing direct liabilities on all cloud providers alike, without regard to whether they can or do access and use or disclose intelligible data, may drive prices up and discourage infrastructure providers in particular from offering their services to EU customers. The market seems too varied to prescribe standard terms for cloud contracts; consumer protection laws do exist, and can and have been used. Certifications, codes of conduct and seals seem promising, but the devil will lie in the details of such schemes, and incentives will be needed to persuade providers to invest in obtaining certifications etc., such as liability reductions or defences for those who have complied with such certifications. We may see the emergence of a 3-tier cloud, with free or cheap cloud services, more expensive services certified as ‘fit for personal data’, and even more expensive, highly-secure cloud services e.g. for financial services.
 
Links and References
Most of the above issues, and more including a case study of the UK public sector G-Cloud programme and its contract terms, are discussed in depth in chapters 3 to 5 of Cloud Computing Law (ed. Christopher Millard), OUP 2013, http://ukcatalogue.oup.com/product/9780199671687.do; Kindle edition, http://www.amazon.co.uk/Cloud-Computing-Law-Christopher-Millard-ebook/dp/B00GLO2OGW
See also http://www.kuan0.com/publications.html, for Kuan’s other publications and, for explaining cloud computing to the uninitiated, 12 C(haracteristic)s of Cloud Computing: a Culinary Confection, http://www.scl.org/site.aspx?i=ed26082 and 9 D(ifference)s of Cloud Computing, http://blog.kuan0.com/.
 
This paper comes from Kuan Hon, Centre for Commercial Law Studies, Queen Mary University of London and was submitted at Cloudscape VI, 24-25 February 2014.