Cloud Computing Contracts

Tomas Nielsen, Green IT Publication

Relying on the virtualisation of the technological background of businesses, the new trends in the ICT market affect many areas: not only technology and business, but, to an essential degree, also the law. Compared to the past, ICT service users have to cope with the issues of data security and third party copyright protection. They also have to update their existing agreements with modern system suppliers so as to sufficiently protect their own interests and ensure that they will be able to satisfy their conventional and statutory obligations despite the transfer of their intelligence and data to third parties.

New trends also bring new developments in the co-operation model practised between ICT users and suppliers, such as the internationalisation of business relations. Not only do a number of suppliers have their seat outside the Slovak Republic (sometimes even beyond Europe), but they also provide their services from abroad. As a result, the users' data are often placed outside the Slovak Republic.

Although Cloud Computing providers strive to point out that the technology upon which the service is based is losing importance, and that the only remaining issue is the accessibility of the data from the respective virtual cloud, from the point of view of law it still is (and will probably remain so for a long time) significant from which country the services are provided, where the data are stored, etc. This proves essential, for instance, in respect of personal data processing (where the domestic law often governs even data relating to foreign entities and processed by a foreign entity, as long as the data are located in the systems of the given country).

When switching to new methods of using Information and Communication Technologies, it is critical to proceed carefully and not to underestimate any phase of the implementation, specifically the pre-contractual one.

Defining Contract Subject-Matter

Although the notion of "Cloud Computing" is becoming rather well-known, it is not interpreted uniformly. Therefore, the subject of contract, i.e. the rights and obligations of the contracting parties, has to be formulated with precision. The contract should always include an outline of the individual activities and acts of performance the service providers undertake to provide, so that their activity is measurable (traceable). It is not only in the interests of the user to be able to supervise whether or not they are receiving the agreed value for the consideration they pay to the provider. Traceability of the agreed performance is indeed central to the provider as well: it enables them to prove (toward the customer, or toward the court in the case of a dispute) due satisfaction of their obligations, and hence the title to the agreed consideration, where needed. What is more, it assures them that the customer will not request performance the provider has not incorporated into the service price and did not account for at the time of signing the contract.

Trade Secret Protection

The subject of contract also has to specify the nature of the data to be sent to the cloud within Cloud Computing. In case of sensitive data such as know-how, price lists, business processes etc., this is the exclusive responsibility of the management. From this point of view, the law does not impose any obligations on the businesses. Such data usually do not enjoy any protection other than the so-called trade secret of the given business, which is the full responsibility of the business. There are statutory requirements the secret data have to meet in order to enjoy protection. A rather underestimated, albeit crucial, requirement follows from Section 17 of the Commercial Code: trade secret shall mean only such facts that "are to be held confidential pursuant to the will of the businessman and the businessman ensures their confidentiality by reasonable means".

Contracts regulating the transfer of business know-how to a third party should therefore incorporate decisions concerning the protection of intelligence at a level of detail corresponding to the value of such intelligence. In addition, authorised representatives of businesses should not underestimate the selection of the person to be entrusted with business data, and should ensure (specifically by means of a contract) the protection of such data in order to keep their status as a trade secret. Failure to protect the trade secret may mean not "merely" the loss of that status, but also the loss of statutory protection. Where the company incurs damage due to an erroneous wording of the contract and a subsequent abuse of the trade secret of the business, the D&O liability of the authorised representatives of the business for such damages cannot be avoided where this risk might have been reduced or avoided by means of contract.

Personal Data

Where data classified as personal data are to be sent to and stored in remote clouds within Cloud Computing services, it shall be considered whether or not the service provider will process the data, i.e. act in the capacity of a personal data mediator within the meaning of the Personal Data Protection Act. The answer to this question is far from simple, since the act includes in the notion of "processing" a number of acts including but not limited to the "provision of access to personal data" or their "storage". Where the Cloud Computing service provider also acts in the capacity of the mediator of the personal data being processed by their service users, it is necessary that the user signs a written agreement on the processing of personal data with the provider. The requisites are to be provided by law (or the provider is to be commissioned with the processing in writing).

Satisfaction of the statutory requirements is not an issue with standard outsourcing projects between a user - a personal data operator, i.e. the company collecting and processing personal data of, for instance, their employees - and the service provider - a procurer who owns the hardware and programs used for the storage and further processing of the data. Much more problematic, however, is the satisfaction of the statutory requirements in respect of Cloud Computing, where there is yet another group of entities behind the service provider, providing the physical infrastructure to the given cloud. Should, therefore, personal data be the subject of the processing, it is crucial for the user to have a clear overview of who is going to process the data.

Similarly (and again not simple to handle with Cloud Computing), there is the issue of the place where the personal data are going to be processed. According to a number of legal regulations, the local regulation on the protection of personal data applies not only to the data concerning persons who are subjects of the given country or data processed by persons registered in the given country. Where the data are processed in the given country, the regulation often applies simultaneously to two foreign entities.

Co-Operation of Parties

Defining the parties' responsibilities is another important point of Cloud Computing contracts. The related mechanisms ensuring the parties' compliance with their obligations should always reflect the priorities of the individual obligations (a delay of a service provider in submitting a system status report by one week, for instance, is in practice a far less critical default than a failure to comply with the time limit for a disaster recovery where the user's data are completely inaccessible, etc.).

One of the most common tools for securing the delivery is the contractual penalty. The tool, although a simple one, is not always effective. Even though it gives the aggrieved party a simple method of covering the damages (where the penalty is set correctly), it need not solve the most critical problem - restoration of the service - whereby the system or service failure may be fatal to many businesses. This is one of the reasons to negotiate delivery mechanisms rather than penalties, ideally preventative ones (performance checks, etc.).

Unique Issues Associated with IT Contracts

When negotiating Cloud Computing contracts, it is also critical to address other issues more or less implied by law. The respective licences for the use of the computer programs delivered within the project, for instance, shall not be ignored. The contracting parties should negotiate the scope of use, the licence period and its territorial or bulk limits. It shall not be disregarded that Slovak law (in contrast to the majority of other EU jurisdictions) still acknowledges only written licence agreements. The absence of any regulation of licence relations may hence lead to the service user interfering, even unwillingly, with the copyright of third parties.

Another important point is the guarantee provision - guarantees for both legal and factual mistakes, hidden defects or defects that transpire after the co-operation is started. From the point of view of law, the parties are given relative freedom (in contrast to the standard consumer contracts). Nevertheless (or rather therefore), ICT service providers still do not have a clear overview of what defects may be guaranteed and how; thus, such provisions are often vague (with all the risks arising therefrom).

Exit terms should also be incorporated into the contracts, providing a mechanism ensuring the users' access to their data (or their migration to another system) - not only for the case of contract termination by mutual agreement (or upon lapse of time), but also for unfriendly situations, such as withdrawal. Although the termination terms are basically in the interest of the user, providers should not ignore this issue either; on the contrary, they should actively come up with their own solutions. There are several reasons for the provider to propose a solution to such situations. Firstly, customer care is characteristic of a responsible provider with the prospect of a long-term market presence. There is no reason for leaving such a critical issue unaddressed and implementing the project with an outlook of a potential dispute. The said procedure on the part of the provider also has a business aspect - it represents another potential deal (Cloud Computing transfer back to the customer or to a new provider), i.e. a new source of income.

Regardless of the legal aspects of the negotiation of outsourcing contracts, it shall be noted that the basic requirement of a high-quality outsourcing contract and project is openness from the very beginning. A partnership not based on mutual trust has no prospects. Long-term ICT projects should be a real partnership. Therefore, either party should raise any potential issue at their mutual meeting with an attempt to address it.