Although many Cloud Service Providers consider themselves much more than a mere outsourcing provider, from the Customer’s perspective it is important to realise that, in essence, they are providing an outsourced service, albeit one delivered via the internet. A Customer could, at least in theory, have chosen to do “in-house” what the Cloud Service Provider is doing for it.
A Cloud Service is an outsourcing arrangement where one or more of the elements used in providing the service are hosted on the internet. One easy example of a cloud service which we all use is the provision of e-mail. The e-mails are stored “somewhere on the internet” before the user downloads them to the user’s computer. Depending upon how the user has configured the service, the e-mails will then either be retained by the e-mail service provider or deleted.
One of the most popular forms of Cloud Service Provision is where the bulk of the software is hosted remotely. This is known as “Software as a Service” or “SaaS”. In a SaaS model, some small part of the software may be downloaded onto the user’s machine. Depending upon the model, the data may be stored on the user’s machine or remotely by the Cloud Service Provider. The Customer will access that software and data remotely via the internet.
Generally the Cloud Service Provider will host software and data remotely and allow the Customer to access that software and data remotely, often via internet-enabled applications. As with all forms of “outsourcing”, the Customer faces several risks in these circumstances. In this paper we identify and discuss ten such risks of a “legal” nature: Annual fee renewal; Termination; Limitations of liability; Change of Customer; Force Majeure; Change Control; Continuity; Inclusive costs; Foreign Suppliers; Data Protection.
This paper does not discuss whether and how the Customer will be able to negotiate changes to the terms on which the Cloud Service Provider is prepared to offer the Cloud Service. Many Cloud Service Providers will offer their services only on a “take it or leave it” basis. In other cases, the Customer may have insufficient bargaining power to insist on changes. At the least, the Customer will then be aware of what risks it is accepting in entering into the proffered contract.
Annual fee renewal
Some Cloud Service Provider models provide that the licence subsists only on a year-by-year basis. Many offer a licence on an even shorter, monthly basis. Often, the licence fee for the second and future years (or months) is not set out. Neither is it given (or capped) by some sort of formula, such as the Retail Prices Index or a labour index. Instead the licensor is free to set the charge for a future year entirely within its discretion. This clearly presents a substantive risk to the Customer: it will have no certainty as to the amount of its payments in future. The same issue may also arise in respect of future payments for maintenance or the like: where relevant, the Customer should have some sort of certainty as to the price of maintenance or support throughout the lifetime of the contract.
Termination
The agreement will come to an end at some time. It is important to consider termination carefully at the outset, since the Customer may often have little or no bargaining power at the time of termination. At that point the Customer may be heavily dependent on the Cloud Service Provider. How long will it take for the Customer to find another Cloud Service Provider? Will the Customer have easy access to its data in order to transfer the data from one Cloud Service Provider to another? Provisions must be built into the contract with the Cloud Service Provider to deal adequately with these issues. Many Cloud Service contracts provide no guarantee of continuity for the Customer and little or no provision for the data to be delivered in a timely manner to the Customer in the format in which the Customer may need the data.
Limitations of liability
Limitation of liability is a complex legal subject. The Cloud Service Provider will not wish to have unlimited liability since its potential loss, in the case of a failure in its services, may well exceed the value of the contract. Conversely, the Customer may be relying on the Cloud Service Provider to run a critical part of its business. Resolving that dichotomy can require the negotiation and skill of an experienced lawyer. Ultimately, what can be successfully excluded in law often depends upon a “reasonableness” test. Some loss, for instance personal injury arising from the negligence of a party, can never be excluded or limited. Many Cloud Service Providers, particularly large United States providers, purport to exclude virtually all liability.
Change of Customer
The software used in the service is invariably licensed. In most cases the software will be licensed by the Cloud Service Provider to the Customer. It is important to be aware of what fees the Cloud Service Provider will charge where there is a change in the user. This may occur, for example, where the Customer is subsequently bought by or merges with another company. The Customer will not wish this to be an unreasonable amount. Some Cloud Service contracts allow the Cloud Service Provider to terminate the contract in such circumstances. The easiest way to avoid an unpalatable result in such circumstances is to ensure that the original licence deals properly with such a change.
Force Majeure
Force majeure is a French term which has found its way into many commercial contracts. It is usually used in conjunction with a definition which provides that a party can avoid its contractual obligations for reasons beyond that party’s control, such as fire, earthquake or shortages of supplies. The Cloud Service Provider will naturally provide generous provisions in its favour. Do not be fooled! The major obligations to be performed are placed on the Cloud Service Provider. Therefore it is the Cloud Service Provider who will be able to take advantage of this clause, not the Customer! At the least, the force majeure clause should provide that the party taking advantage of the clause gives timely notice to the other party and continues to use its reasonable endeavours to minimise the effect of the event of force majeure.
Change Control
The services to be provided by the Cloud Service Provider are unlikely to remain static. The Customer will need to know that the prices to be charged by the Cloud Service Provider for additional services will not be unreasonably high. The original contract might specify certain extra services and a charge for them. However, the contract will also need to deal with other, unforeseen additional services by providing some mechanism for quotation.
Ultimately, there are only three ways of determining the additional charge for an additional service: the Cloud Service Provider sets the price; the Customer sets the price; or an independent expert sets the price. Ideally, a contract would be worded to allow the price for an additional service to be set by an independent neutral party, acting as an expert. It is most unlikely that a Customer will have enough bargaining power to insist on this. While the first option, where the Cloud Service Provider sets the price “acting reasonably”, may be seen as an acceptable compromise, in practice even achieving this is likely to be difficult.
Continuity
How financially secure is the Cloud Service Provider? The livelihood of the Customer may depend upon the continuity of the services being provided by the Cloud Service Provider. Default by the Cloud Service Provider can therefore have serious repercussions. There is not much point in the Cloud Service Provider being penalised for non-performance if the reality is that the non-performance may arise out of the questionable financial viability of the Cloud Service Provider. It is better not to undertake the deal with that Cloud Service Provider than to end up having to change Cloud Service Provider because the original Cloud Service Provider has gone out of business. Even if there were no direct monetary loss, the cost of setting up a replacement deal in terms of time and energy should be enough to dissuade a Customer from doing a deal with someone without a track record.
Inclusive costs
Are costs inclusive of all extras? It is worthwhile checking precisely what is and is not excluded. It has been known for a Cloud Service Provider to have a cost structure which included a charge for each page printed, a charge which can quickly mount up. Likewise telephones (whether a dedicated line or not), server rental and media storage costs may all be charged for at an extra rate. So long as these costs are known about in advance when you go into the contract, then at least there will be no surprises.
Foreign Suppliers
A Cloud Service Provider need not be based in a high-cost country such as the United Kingdom. Many Cloud Service Providers operate out of low-cost countries. While Iceland is popular because of its relatively low electricity costs, so are countries in the Far East. However, there are clearly additional risks when using a foreign Cloud Service Provider, for example: lack of immediate control; standards of professionalism; use of English as a first language. It is important to balance the price gain that can be achieved by using a foreign Cloud Service Provider against these additional risks.
Data Protection
A Cloud Service Provider will be using and indeed, to a certain extent, controlling the Customer’s data. This means that both the Cloud Service Provider and the Customer will need to register and comply with the Data Protection Legislation in so far as that data is personal data. A full discussion of the data protection legislation is outside the scope of this article. In practice, many Cloud Service Providers are United States companies who operate outside the European Economic Area and to whom compliance with data protection legislation is anathema.
Recently leaked information gives details of a European proposal for a new data protection law (see the Financial Times of Monday 12 December 2011). The European Commission has been debating such a law for at least 12 months and indeed sought submissions on possible changes over that period (see, for example, http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm). If the leaks are to be believed, the new law will require EU countries to adopt stringent new data protection measures. If breached, these will allow companies to be fined up to 5% of annual turnover. This is in stark contrast to the present theoretical maximum fine of £500,000 (see http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#monetarypenalties).
The United Kingdom Information Commissioner’s Office (ICO) has had this power to fine companies only since 6 April 2010. However, the ICO has used this power sparingly. Indeed, in the first 20 months the ICO has fined only two businesses. Excluding one nominal fine, the only fine imposed on a commercial company was on A4E Limited, a company acting primarily as a supplier of services to the public sector. All the remaining seven fines were of local authorities.
History shows that, at least in the United Kingdom, the ICO has no appetite to take on companies bigger than it is. Take, for example, the case of Google collecting Wi-Fi data unlawfully in preparation for its Street View service a few years ago.
The UK Information Commissioner took no effective action against Google, unlike his counterparts in Germany, Italy, Switzerland, Canada and the Czech Republic (see, for example, http://www.bbc.co.uk/news/technology-11684952). In more recent times, the UK Information Commissioner has similarly failed to take action against Sony in respect of the PlayStation hacking incident or against Facebook for the tagging of facial features (see, for example, http://www.dailymail.co.uk/news/article-1260334/Facebook-tagging-launch-breach-privacy-EU-court-battle-looms-social-network.html).
This week has seen David Cameron throw down a gauntlet to the European Union to protect the London-based banking industry. The European Commission is proposing a radical change to the United Kingdom’s softly-softly approach to policing the data protection legislation, by proposing that a new European bureaucracy would enforce the new legislation. It remains to be seen whether the British government will continue the stance it took last week in opposing this type of legislation. If it fails to do so, British industry, and British banks in particular, will face a very significant increase in the risks associated with data loss.
The one silver lining in the cloud of the new proposals is the way in which they propose to tackle the Cloud Computing industry. Previously this industry, based as it is to a large extent outside the European Union, has been able to ignore European data protection rules. The European Commission is proposing to extend enforcement of the new European Union rules to all foreign companies operating in the European Union. This would mark a significant change. No longer would companies such as Facebook be able to hide behind a foreign veil. Instead, the new EU rules would allow their EU subsidiaries to be fined.
However, a company can only be fined if the proposed European data-policing authority knows that the company has breached data protection rules. Therefore the European Commission is proposing to require companies to report data protection breaches. This is consistent with EU Commissioner Viviane Reding’s remarks in a speech on 29 November 2011, when she said: “Our proposal will introduce a general obligation for data controllers to notify data breaches. In concrete terms, that means notifying data protection authorities and the individuals concerned when a data breach is discovered.” (See http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/data-protection-social-media_en.pdf.) What is not yet known is whether all breaches must be reported or, more likely, only those over a certain threshold of importance.
A proposal that has been debated for a while is a “right to be forgotten”. A provision to achieve this will also be included in the new legislation. This will require Facebook and other social media networks to change their sites significantly to improve the ease with which individuals can require their data to be removed. All of this is consistent with Ms Reding’s view that “The protection of personal data is a fundamental right”.
In 2001 Electronic Data Systems (“EDS”) agreed to supply a Customer Management System to British Sky Broadcasting (“BSkyB”). It didn’t work. BSkyB therefore sued EDS. BSkyB (successfully, as it transpired) claimed that EDS salesmen had made negligent and fraudulent representations during the course of the negotiations. Although many claims were made by EDS, the main one that succeeded was in respect of a fraudulent misrepresentation that EDS had the ability to perform the project within the timescales stated by EDS. In law, a misrepresentation occurs when a salesman makes a false statement that persuades a party to enter into a contract. The statement needs to be one of fact, as opposed to opinion, but may be made verbally or in writing.
- Some 500,000 documents were reviewed by the lawyers.
- The court hearing involved some 70 witnesses and lasted for about a year of real time (109 days in court).
- The case started in summer 2002, and the judgment was given in January 2010; however, it was nearly 18 months after the trial ended before the judge was able to give his decision.
- The judgment is 468 pages long!