Contracting for a cloud computing deal?

Cloud computing is on the mind of many CIO’s these days. Its also on the mind of lawyers. Lawyers know contracting for cloud services can be difficult given the potential risks associated with these services. For regulated entities like Canadian financial institutions, a material public cloud transaction also poses serious OSFI compliance challenges. The standard form contracts of many cloud providers also contributes to the difficulties. For a survey of these terms, see Simon Bradshaw et al Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services.

Many cloud providers will negotiate changes to their standard terms. Their flexibility depends, in part, on the size and importance of the transaction. According to a recent EU study by W Kwon Hon et al of Queen Mary School of Law Negotiating Cloud Contracts – Looking at Clouds from Both Sides Now, the outcome of a negotiation is “dependent on the size of the organization and the influence it can exert.” Even in these circumstances, however, there are significant divergences between the needs of organizations and the standard practices of cloud providers. PWC identified some of the gaps from a survey of cloud providers in Germany in its paper Cloud Computing: Navigating the Cloud. Not surprisingly, according to the Queen Mary study some of the major issues are

1.  exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery;
2.  service levels, including availability;
3.  security and privacy, particularly regulatory issues under the EU Data  Protection Directive (‘DPD’);
4.  lock-in and exit, including term, termination rights and return of data on exit;
5.  providers’ ability to change service features unilaterally and
6.  intellectual property rights (‘IPRs’).

The security and privacy challenges are generally at the forefront of the issues that have to be resolved. The US National Institute of Standards and Technology (NIST) recently published Guidelines on Security and Privacy in Public Cloud Computing to help organisations work through these issues. It is a must read for lawyers doing cloud computing deals.

The International Working Group on Data Protection in Telecommunication also recently published a Working Paper on Cloud-Computing – Privacy and data protection issues that canvasses data protection issues from an EU perspective. The Canadian Office of the Privacy Commissioner also released a Report on the 2010 OPC’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing which described some of the privacy issues implicated in cloud computing.

Governments around the world are also now helping make contracting for cloud transactions easier by publishing standards and best contracting practice guidelines. For example, in February the Australian Government published a Practice Guide called Negotiating the cloud – legal issues in cloud computing agreements. The National Standards Authority of Ireland in partnership with the Irish Internet Association (IIA), also just launched a new standard, entitled, “SWiFT 10: Adopting the Cloud – decision support for cloud computing“.

If you are thinking about doing a public, community, or hybrid cloud deal, you may want to keep NIST’s warning in mind:

Reaching agreement on the terms of service of a negotiated service agreement for public cloud services can be a complicated process fraught with technical and legal issues. If a negotiated service agreement is used, a legal advisor should be involved from the onset to address complicated legal issues that are likely to arise during negotiations.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

Privacy injunctions in the age of the Internet and social media: PJS v News Group NewspapersPrivacy injunctions in the age of the Internet and social media: PJS v News Group Newspapers



You’re a celebrity and had a threesome. Your partner wasn’t one of them. You want the affair to remain private. You go to a court in England where your family resides and get an interim injunction. It prevents the English press from publishing the tawdry details to protect your privacy and ...

OPC consultation on artificial intelligence: my submission to the consultationOPC consultation on artificial intelligence: my submission to the consultation



Here is my submission to the OPC consultation. ______________________________________________ Thank you for the opportunity to provide input into the OPC’s consultation on artificial intelligence (AI) as it relates specifically to the Personal Information Protection and Electronic Documents Act (PIPEDA). By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. ...

OPC consultation on trans-border data flows: my submission to the consultationOPC consultation on trans-border data flows: my submission to the consultation



Dear M. Therrien: Thank you for the opportunity to provide input into the consultation on whether consent is or should be required for transborder data flows for processing. Introduction By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. I have significant experience in outsourcings of all ...

%d bloggers like this: