There is no shortage of hype about cloud services, both positive and negative, but it is often difficult for potential customers to do an objective cost/benefit analysis. In addition to promising productivity and business process benefits, cloud computing can be very attractive as a way to cut both capital and operating expenditure rapidly.
There may, however, be unanticipated costs and risks in a move to online hosting of key data and applications. Perhaps surprisingly, and despite widespread concerns regarding security and privacy, there is little comparative information available regarding cloud contract terms and conditions and the associated legal risks of entrusting data to cloud providers.
A recent analysis of 31 cloud computing contracts from 27 different providers has at last shed light on industry practices and highlighted key issues for both suppliers and customers.
The survey formed part of the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary, University of London. Funded by a grant from Microsoft, but academically independent, this ongoing project is examining a range of legal and regulatory issues associated with cloud computing.
Most cloud contracts, whether for infrastructure, platform or software as a service, can be set up in minutes via an online sign-up process. Compare this to a conventional IT outsourcing, which is typically negotiated and subject to commercial and legal scrutiny.
The simplicity and apparent lack of formality of cloud procurement can lull customers, whether consumers, corporate or public sector organisations, into treating cloud contracting as just another ‘click-through’ exercise to which very little attention is paid.
In fact, some of these standard-form agreements for cloud services contain clauses disclaiming responsibility for keeping the customer’s data confidential, secure or even intact.
Other clauses reserve the right to terminate accounts for a variety of reasons including apparent lack of use of the service or simply because the provider has decided to discontinue the service. This may be critical for long-term backup or disaster recovery arrangements. Also common are clauses purporting to exclude, or at least limit drastically, liability for loss or corruption of data.
The more draconian provisions in cloud contracts may not stand up in court, for example where EU consumer protection laws apply. Achieving redress for data losses or privacy breaches may still, however, be difficult in practice, especially where the cloud service provider is thousands of miles away. Indeed, most of the contracts surveyed specify that they are subject to the laws of the place where the service provider is based, often a US state, and that disputes must be heard in the provider’s local courts.
So what can users, especially businesses and public sector customers, do to manage cloud-related risks? For a start, they should read the contract, including any terms of service, terms and conditions, service level agreement and policies relating to privacy and acceptable use.
Questions should also be asked about service delivery and reliability, especially where the service provider is dependent on unrelated infrastructure providers. Although it may seem remote at the start, an exit from the cloud deal should be anticipated and care should be taken to ensure data portability (including metadata).
It is early days in the cloud market and the forecast is uncertain. Contracts may evolve rapidly in response to competitive positioning, customer demands and interventions by regulators and courts.
Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services is available for free download here:
Posted by Christopher Millard, Professor of Privacy and Information Law, Queen Mary, University of London and Senior Research Fellow, Oxford Internet Institute