Buying Services via the Cloud: Ten Legal Pitfalls
Although many Cloud Service Providers consider themselves as much more than a mere outsource provider, from the Customers perspective it is important to realise that, in essence, they are providing an outsource service, albeit one delivered via the internet. A Customer could, at least in theory, have chosen to do “in-house” what it is that the Cloud Service Provider is doing for him.
A Cloud Service is an outsourcing arrangement where one or more elements used in providing the service is hosted on the internet. One easy example of a cloud service which we all use is the provision of e-mail. The e-mails are stored “somewhere on the internet” before the user downloads them to the user’s computer. Depending upon how the user has configured the service, the e-mails will then be retained by the e-mail service provider or else deleted.
One of the most popular forms of Cloud Service Provision is where the bulk of the software is hosted remotely. This known as “Software as a Service” or “SaaS”. In a Saas model, some small part of the software may be downloaded onto the user’s machine. Depending upon the model, the data may be stored on the user’s machine or remotely by the Cloud Service Provider. The Customer will access that software and data remotely via the internet.
Generally the Cloud Service Provider will host software and data remotely and allow the Customer to access that software and data remotely: often via internet enabled applications. As with all forms of “outsourcing” the Customer has several risks associated with these circumstances. In this paper we identify and discuss ten such risks of a “legal” nature: Annual fee renewal; Termination; Limitations of liability; Change of Customer; Force Majeure; Change Control; Continuity; Inclusive costs; Foreign Suppliers; Data Protection.
This paper does not discuss whether and how the Customer will be able to negotiate changes to the terms on which the Cloud Service Provider is prepared to offer the Cloud Service. Many Cloud Service Providers will offer their services only on a “take it or leave it” basis. In other cases, the Customer may have insufficient bargaining power to insist on changes. At least the Customer will then be aware of what risks it is accepting in entering into the proffered contract.
Annual fee renewal
Some Cloud Service Provider models provide that the licence subsists only on a year by year basis. Many offer a licence on an even shorter, monthly basis. Often, the licence fee for the second and future years (or months) is not set out. Neither is it given (or capped) by some sort of formula: such as the Retail Prices Index or a labour index. Instead the licensor is free to set the charge for a future year entirely within its discretion. This will clearly present a substantive risk to the Customer: it will have no certainty as to the amount of its payment in future. The same issue may also arise in respect of future payments of maintenance or the like: where relevant, the Customer should have some sort of certainty of the price of maintenance or support throughout the lifetime of the contact.
The agreement will come to an end at some time. It is important to consider termination carefully at the outset, since often the Customer may have little or no bargaining power at the time of termination. At that point the Customer may be heavily dependent on the Cloud Service Provider. How long will it take for the Customer to find another Cloud Service Provider? Will the Customer have easy access to its data in order to transfer the data from one Cloud Service Provider to another? Provisions must be built into the contract with the Cloud Service Provider to deal adequately with these issues. Many Cloud Service contracts provide no guarantee of continuity for the Customer and no or little provision for the data to be delivered in a timely manner to the Customer in the format in which the Customer may need the data.
Limitations of liability
Limitation of liability is a complex legal subject. The Cloud Service Provider will not wish to have unlimited liability since its potential loss, in the case of a failure in its services, may well exceed the value of the contract. Conversely, the Customer may be relying on the Cloud Service Provider to run a critical part, of its business Resolving that dichotomy can require the negotiation and skill of an experienced lawyer. Ultimately, what can be successfully excluded in law often depends upon a “reasonableness” test. Some loss, for instance personal injury arising from the negligence of a party, can never be excluded or limited. Many Cloud Service Providers, particularly large United States providers purport to exclude virtually all liability.
Change of Customer
The software used in the service is invariably licensed. In most cases the software will be licensed by the Cloud Service Provider to the Customer. It is important to be aware of what fees the Cloud Service Provider will charge where there is a change in the user. This may occur, for example where the Customer subsequently is bought or merges with another company. The Customer will not wish this to be an unreasonable amount. Some Cloud Service contracts allow the Cloud Service Provider to terminate the contract in such circumstances. The easiest way to avoid an unpalatable result in such circumstances is to ensure that the original licence deals properly with such a change.
Force majeure is a French term which has found its way into many commercial contracts. It is usually used in conjunction with a definition, which provides that a party can avoid its contractual obligations for reasons beyond that party’s control : such as fire, earthquake or shortages of supplies. The Cloud Service Provider will naturally provide generous provisions in its favour. Do not be fooled! The major obligations to be performed are placed on the Cloud Service Provider. Therefore it is the Cloud Service Provider who will be able to take advantage of this clause – not the Customer! At the least, the force majeure clause should provide that the person taking advantage of the clause gives timely notice to the other party and continues to use its reasonable endeavors to minimize the effect of the event of force majeure.
The services to be provided by the Cloud Service Provider are unlikely to remain static. The Customer will need to know that the prices to be charged by the Cloud Service Provider for additional services will not be unreasonably high. The original contract might specify certain extra services and a charge for them. However, the contract will also need to deal with other unforeseen additional services by providing some mechanism for quotation.
Ultimately, there are only three ways of determining the additional charge for the additional service : the Cloud Service Provider will set the price; the Customer will set the price; an independent expert will set the price. Ideally, a contract would be worded to allow the price for an additional service to be set by an independent neutral party, acting as an expert. It is most unlikely that a Customer will have enough bargaining power to insist on this. While the first option, where the Cloud Service Provider sets the price “acting reasonably” may be seen as an acceptable compromise, in practice even achieving this is likely to be difficult.
How financially secure is the Cloud Service Provider? The livelihood of the Customer may depend upon the continuity of the services being provided by the Cloud Service Provider. Default of the Cloud Service Provider can therefore have serious repercussions. There is not much point in the Cloud Service Provider being penalized for non performance, if the reality is that the non performance may arise out of the questionable financial viability of the Cloud Service Provider. It is better not to undertake the deal with that Cloud Service Provider than end up with having to change Cloud Service Provider because the original Cloud Service Provider has gone out of business. Even if there were no direct monetary loss, the cost of setting up a replacement deal in terms of time and energy should be enough to dissuade a Customer from doing a deal with someone without a track record.
Are costs inclusive of all extras? It is worthwhile checking precisely what is and is not excluded. It has been known for a Cloud Service Provider to have a cost structure which included a charge for each page printed – a charge which can quickly mount up. Likewise telephones (whether a dedicated line or not), server rental and media storage costs may all be charged for at an extra rate. So long as these costs are known about in advance when you go into the contract, then at least there will be no surprises.
A Cloud Service Provider need not be based in a high cost country such as the United Kingdom. Many Cloud Service Providers operate out of low cost countries. While Iceland is popular because of its relatively low electricity costs, so are countries in the Far East. However, there are clearly additional risks when using a foreign Cloud Service Provider, for example: lack of immediate control; standards of professionalism; use of English as a first language. It is important to balance the price gain that can be achieved by using a foreign Cloud Service Provider against these additional risks.
A Cloud Service Provider will be using and indeed, to a certain extent, controlling the Customers data. This means that both the Cloud Service Provider and the Customer will need to register and comply with the Data Protection Legislation in so far as that data is personal data. A full discussion of the data protection legislation is outside the scope of this article. In practice, many Cloud Service Providers are United States companies who operate outside the European Economic Area and to whom compliance with data protection legislation is an anathema.