Tuesday, 7 February 2012
The contracts that most cloud services offer are in general non-negotiable. It’s a case of take it or leave it. Only very large or prestigious organisations will have the necessary influence to require a cloud supplier to accept amendments to its standard terms and conditions. However, many of the standard contracts are extremely one-sided in favour of the cloud supplier. If an individual or small organisation doesn’t like the terms offered, it has to make a decision whether to risk accepting the standard contract, try another cloud supplier, or give up on cloud services altogether.
Very few cloud service contracts offer guarantees of good service (e.g., 100% uptime), and those that offer refunds for poor service availability typically offer such refunds in terms of money off a future renewal of the subscription rather than a refund of the existing subscription. So if the cloud service client is so annoyed by poor availability that it decides not to renew, or to cancel its current contract, it will get no refund. Some contracts give the service supplier the right to close the service at little or no notice. Presumably it would only do this if the service was unprofitable or if the cloud service supplier itself was in serious financial difficulty, but the danger is that the client who depends on the service for its day-to-day business activities may suddenly be left in great difficulty. Many cloud service suppliers include a clause by which they exclude all liability for any problems that arise in the service, whether or not they were caused by the service supplier’s incompetence or recklessness. It is really disappointing that cloud service suppliers include such clauses, which indicate an immaturity of, and lack of confidence in, the cloud service supply industry.
Almost by definition, data stored in the cloud will move from country to country, each with its own laws. In addition, the cloud service supplier may well be based in a different country to that of its clients. Even if there is no personal data present, three countries’ laws (the home base of the service supplier, the home base of the client and the country where the cloud happens to be residing at any given time) may apply to any actions taken with the data or any legal cases arising from the contract. If there is personal data present, things are even more complicated and legally treacherous. Furthermore, the data might well be backed up or replicated in multiple countries.
One particular area of concern is the US PATRIOT Act. This allows US authorities to compel, amongst others, cloud service providers to disclose information about their customers and/or the data stored or used by those customers, and to do so without those customers knowing that such information has been requested. Because of its wide-ranging powers, this Act has led some governments (e.g., Canada and the Netherlands) to ban organisations under their control from passing any data to US-based organisations, and has allegedly led to Amazon delaying the launch of its new Kindle Fire within the EU because of the incompatibility of the PATRIOT Act with EU data protection legislation. The PATRIOT Act is not alone, of course; there are similar pieces of legislation in other countries where cloud data might be held, but they are generally not as far-reaching or as well known as the PATRIOT Act.
Data protection and security of data are not the only legal issues that can arise. Questions might arise regarding who is responsible if the data offered by a client is somehow amended or released, resulting in an illegality such as defamation or breaking national security laws. It is not clear which country’s laws might apply in such cases. Whilst it is unrealistic to expect the cloud service supplier to monitor everything on its servers (and indeed, this could be problematic from a privacy point of view), it is reasonable to expect it to respond to complaints received regarding alleged defamatory comments. The contract or a Service Level Agreement between the client and the cloud service supplier will probably include warranties and instructions relating to alleged defamatory statements or other potentially illegal materials stored on the cloud’s servers. Software licences, copyright licences and database rights licences are also, somewhat surprisingly, potentially problematic. If a client has permission to use a particular piece of software or a database “on site”, does that include “in the cloud”?
I suggest below questions that should be asked of any cloud service supplier before signing its contract:
- Who (both within and outside the service supplier) will be able to see my information?
- Who owns and controls your infrastructure? Is this outsourced to any third party?
- In what countries might our data be held?
- Can I see a copy of your reliability/availability/downtime reports (if any)?
- What service levels are guaranteed (e.g., availability, time taken to resolve a problem), and what compensation do you offer if you fail to fulfil them? (Resist the practice of discounts on future subscriptions and, where possible, insist on receiving financial compensation there and then.)
- Have you ever had security breaches in the past? (If “yes”, ask for more details.)
- What assurances can you give that data protection standards will be maintained even if the data we supply is stored in a country with weak or no data protection laws, or where government inspection powers are very wide-ranging?
- How easy would it be to migrate my data to a competitor service once this contract ends? Can you guarantee that it will be in a usable format?
- What are the names of your employees responsible for handling our data?
- What security policies, technology and systems do you employ? What national or international standards do they comply with?
- Do I get any rights of refusal before you make changes to the service that affect my data? (Alternatively, can we cancel early and get money back if we cancel early because of unwanted service changes?)
- Will you use my organisation’s name, or the type of data given to you, in any of your advertising? (If need be, require that the cloud supplier has to ask for permission each time.)
- What special measures will you take regarding data we tag as confidential?
- Could we have a free trial with some non-sensitive data before committing ourselves?
- Are you willing to include clauses in the contract relating to ensuring there is no unauthorised loss or destruction of data?
- Will you guarantee to inform us if you become aware of any data security breach that affects or involves our data?
- Finally, and most important, is your contract negotiable?
The cloud offers many potential benefits. But one should enter into a cloud contract being aware of both the benefits and the risks and should make an informed risk assessment before committing to a cloud service.
I rest my case, m’lud.

To hear more from Professor Charles Oppenheim, visit the UKeiG site for information regarding a one-day seminar planned for later this year: The future of copyright in the digital age and what it means for you, with Emily Goodhand and Professor Charles Oppenheim.
Posted by Sally Peat at 09:58