Cloud computing: contracting and compliance issues for in-house counsel

By Dr. Severin Löffler and Shahab Ahmed, Microsoft Corporation, Munich and Redmond


Many organizations across the globe are adopting cloud-based services to reduce information technology (IT) costs and to meet rapidly growing business demands. Organizations now have to think about purchasing IT as a service instead of making the traditional hardware and software purchase decisions. This fundamental paradigm shift is not only placing new demands on procurement professionals, it is also presenting new challenges for in-house counsel. Many in-house counsel have negotiated IT outsourcing agreements for decades, but they are relatively new to cloud contracts. Cloud services contracts differ from traditional IT outsourcing agreements because a cloud service is designed as a multitenant service in which computing and operating resources are shared across potentially millions of customers, which makes scale and consistency essential to the viability of the cloud business model.

Essential characteristics of cloud computing

The key aspect of the cloud’s technical architecture is the “multitenant” nature of the platform. The functional and technical aspects of the cloud are designed to serve a large customer base from the same platform, limiting the opportunities for customization but making scale and consistency critical factors for controlling operating expenses. The cloud business model is often dependent on receiving relatively small sums of revenue from a very large base of customers. Cloud economics also depends on the ability of cloud service providers to operate large, interconnected, efficient and strategically placed data centers. The location of these data centers depends on many factors, such as geographic proximity to customers, operational cost structures, legal and regulatory environments and political and safety concerns. In a typical IT outsourcing arrangement, a customer outsources all or parts of its IT functions to an IT outsourcing provider. An outsourcing customer exercises a great deal of control over the operations of outsourcing arrangements since each contract is designed for an individual customer with specific needs in mind. The customized nature of the deal provides flexibility to accommodate unique functional and operational requirements as the costs are directly passed back to the individual customer. The technology architecture of the outsourcing platform is also customized; it may include handing over existing IT systems and personnel to the outsourcer for ongoing operations.

Contract negotiations for cloud services

In-house counsel often engage in tough and adversarial contract negotiations with IT service providers. A sound understanding of the cloud business model and the interests of each party helps to reduce friction in the process. IT outsourcing contract negotiations may seem to provide a greater level of flexibility due to the unique nature of each deal. In-house counsel can sometimes become frustrated when the cloud-services-contracting process does not appear to offer the same level of freedom. The reason behind the different approach is not usually the unwillingness of the cloud vendor to negotiate; instead, it is the turnkey nature of the cloud services, which leaves less room for customizing the highly standardized contractual terms. In fact, in-house counsel should be vigilant when a cloud vendor agrees to terms which run counter to its business model and operations strategy. Some of the most typical negotiation topics are:

_ Defined terms

It is important to understand the key operative definitions since they relate directly to the operations of cloud services. For example, a contract may define the term “financial data,” and describe the handling of financial data by the cloud provider. The defined terms in the contract often do and should reflect how the back-end systems are designed and operated. Changing a definition may mean modifying the system design and operations, which can be very disruptive and cost prohibitive. Instead of focusing on changing defined terms, in-house counsel should work to understand the definitions in order to assess whether the cloud service fits their business needs.

_ Data location requirements

Data location has become a hotly debated topic in the industry, with privacy advocates and regulators raising concerns about the risks of moving data to new jurisdictions. Cloud economics demands scale, which means most customers are served from geographically dispersed data centers. It also means that unless the customer happens to be operating in the jurisdiction where the data center is located, the customer will probably be served from a remote data center. Even if the customer is located in the same jurisdiction as the data center, customer data are probably transferred to other locations for backup and disaster recovery, redundancy and support. Instead of spending their energy negotiating a specific data center location, potential customers should ask for transparency about where the main data sets are stored and about the associated data flows (backup copies, replicas and support access), so that they can verify that their needs are being addressed.

_ European Union data transfer requirements

The European Union has specific rules governing the transfer of personal data outside the European Economic Area. Many reputable cloud vendors have achieved certification under the U.S.-EU Safe Harbor Framework to transfer data to the United States under EU rules. However, as a consequence of the NSA/PRISM developments, the European Parliament and many privacy regulators have called for more robust mechanisms and controls as well as a suspension of data transfers. In order to comply with privacy laws, cloud vendors may offer the EU’s standard contractual clauses. These clauses, which are published by the European Commission, are a robust and legally valid way to transfer personal data outside of the EEA. In-house counsel should request to incorporate the standard contractual clauses into the contract framework and push for clarity on legal mechanisms that are being used by cloud vendors to transfer data outside Europe to ensure compliance with EU rules.

_ Data privacy and security requirements

The privacy and security of personal data have become a top area of concern in the cloud computing industry due to legitimate concerns about how customer data may be mined (for example, to provide targeted advertising). In-house counsel should demand a detailed data processing agreement from cloud vendors to ensure that privacy, security and confidentiality terms are properly addressed and meet the needs of the customer. In-house counsel need to confirm that the use of customer data is limited to providing the cloud services to the customer. For example, the cloud vendor should not be able to mine or use the data for other purposes, such as supporting consumer services like advertising.

_ Examination and audit rights

In a typical outsourcing arrangement, the customer may exert control by negotiating examination or audit rights to assure appropriate documentation and compliant operations. It is very difficult for a cloud vendor to provide such rights, since the cloud vendor could not possibly have millions of customers examining its data centers. Direct customer audits would not only be cost prohibitive, they would also be extremely disruptive to operations, potentially putting at risk the data and operations of other customers whose data are processed at the same location. Cloud vendors that serve enterprise customers have recognized this challenge and provide the summary results of independent third-party audits and certifications, such as ISO 27001, as a way to meet customers' needs. Potential customers should ask for independent verification by reputable third-party auditors instead of focusing on direct audit rights.

_ Data portability

Cloud services can hold key customer data, and in case of termination of the agreement, it is important that customers are able to take their data back. While there will be costs associated with such a switchover, customers should negotiate terms that allow data migration as needed. In-house counsel should secure written commitments that the cloud vendor does not acquire any ownership rights to customer data.

It is important to understand the differences between cloud services and traditional IT outsourcing models in order to provide counsel and to negotiate successful deals. Cloud vendors with experience serving enterprise customers understand the complex needs of commercial customers and can design appropriate technologies, processes and contractual safeguards to meet such needs.

severinl@microsoft.com

shahaba@microsoft.com
