Nowadays almost everyone uses cloud services in their daily lives. They are cost-effective, flexible and scalable, and they allow for specialization. The term cloud computing has been around since the late 1990s. It is defined by the National Institute of Standards and Technology (NIST) as:
A model for enabling convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Key Concepts of Cloud Computing
It’s important to understand how cloud computing works, because the technical details can have legal consequences. In the past, when computers were typically not connected to any other computer, software was installed and run on the local machine. Even later, when software could be downloaded from the Internet, it still ran on local devices. Cloud computing changes this model entirely.
Today you don’t need to download software at all: instead of running on your local machine, the software runs on the provider’s servers, and any data you create is saved there too. This is a fundamental change in control, since the hardware and software we rely on are now managed by third-party service providers.
Migrating from legacy IT systems to cloud services may also give rise to cultural, legal and regulatory concerns, and there are potential drawbacks to using cloud services:
- Issues relating to trust, control and security.
- Concerns over lock-in, meaning dependence on a particular provider that makes it hard to leave.
- Limited scope to customize those services, which are offered on a one-to-many basis.
With cloud computing, the data is not stored on local devices, but on the provider’s cloud servers. And the data blocks that make up a single file need not all be stored on the same server. Instead, fragments of the file could be stored on different servers. This data fragmentation (also called sharding) means it can be very difficult to say exactly where a file stored in the cloud is.
Data location can have legal implications. Many countries have laws that govern where certain types of data can be stored, for instance laws that restrict the transfer of data about individuals to other countries where their information might not be adequately protected.
There are three main types of cloud services:

| Service type | Provider | Customer |
|---|---|---|
| IaaS (e.g. AWS EC2) | Manages the hardware and the hypervisor software that creates virtual machines | Controls the virtual machines and uses them for any purpose |
| PaaS (e.g. Google App Engine) | Manages the hardware and the application platform | Designs, builds and deploys software applications |
| SaaS (e.g. Microsoft Office 365) | Manages the hardware and runs the software applications | Accesses the software via the Internet and controls only how the applications are used |
Different service types entail different levels of customer control, which are important from a legal perspective. IaaS customers can do more to secure data by themselves, while SaaS customers may need to rely more heavily on contractual assurances from the cloud provider.
Cloud deployment models are different ways of delivering cloud services to customers. This matters from a legal perspective since different deployment models can have an impact on contractual responsibilities, compliance obligations, and cybersecurity risk.
| Deployment model | Description |
|---|---|
| Public cloud | Multiple customers (tenants) share access to the same underlying hardware. |
| Private cloud | Infrastructure is operated for the benefit of a particular customer; often regarded as more secure and offering more scope for customization. On-premises: located at the customer’s premises. Off-premises: located at a remote location, such as the provider’s datacenter. |
| Hybrid cloud | Involves a combination of different deployment models. |
| Multi-cloud | A single customer uses cloud services from different providers, which makes cloud use more complicated. |
Cloud layering refers to one cloud service being built on top of another cloud service. In practice, a large number of SaaS providers and their customers rely on a handful of underlying IaaS providers for their physical infrastructure. This means that those IaaS providers are key to the functioning and security of the overall system. This matters from a legal perspective.
CIA refers to the three key objectives in the security of a computer system. For a system to be secure, it should meet all three:

| Objective | Meaning |
|---|---|
| Confidentiality | Data stored on a computer system can only be seen by authorized users. Confidentiality is compromised when the data can instead be accessed by unauthorized outsiders; this is also called a data leak or breach. |
| Integrity | Data stored on a computer system can only be changed by authorized users. |
| Availability | Data and services are accessible to authorized users when they need them. |
In computer science:
- A vulnerability is any property of a system that creates the potential for a breach of the CIA objectives.
- A threat refers to a set of circumstances that could lead to a vulnerability being exploited.
- A risk exists whenever a threat matches a vulnerability. Once a risk has been identified, the next step is to assess the level of risk it presents, which depends on:
  - how likely the risk is to materialize, and
  - what the impact would be if it does.
Various laws require companies to conduct security risk assessments and put risk-appropriate measures in place. However,
- who can in practice control resources and manage security measures, and
- who has legal responsibility for security
are two different matters. For example, consider a customer using SaaS services from a provider:
| Customer | Provider |
|---|---|
| May be under a legal obligation to put appropriate security measures in place for its data. | Has practical control over the resources and manages many aspects of security. |
The customer needs to make sure that the provider puts in place the required level of security and this can be addressed in the contract between customer and provider. Cloud layering can complicate matters further, raising questions as to who’s responsible for security breaches in a layered cloud arrangement.
Basics of Cloud Contracts
A contract is a promise or set of promises which the law will enforce and it’s an agreement giving rise to obligations which are enforced or recognized by law. The parties to a contract are legally bound to perform their duties under the contract, and if they don’t, they will usually be in breach of contract. Then the other party is typically entitled to a legal remedy such as compensation for damages.
In most of continental Europe, an offer by one party and an acceptance by the other are all that is required to form a contract. Under the common law, as developed in England, not all informal agreements are contracts; there are further requirements for contract formation:
- Offer from one party
- Acceptance from the other party
- Consideration: both parties to the contract must offer something of value.
- Intention: to create legally binding promises.
Cloud contracts are usually formed by the clickwrap method: users accept the provider’s standard terms, typically by clicking an ‘I agree’ button during the sign-up process. The resulting contract consists of a set of often lengthy documents, usually including:
- Terms of service
- Data processing addendum
- Service level agreement
- Acceptable use policy
- Law enforcement guidelines
Consumers, small to medium-sized businesses, and indeed, many larger organizations are presented with the provider’s terms on a take-it-or-leave-it basis. Yet from a provider’s perspective, standard contracts make a lot of sense:
- A uniform service available
- To a wide range of customers on a one-to-many basis
- The service is priced as a commodity product
- Efficient process for everyone
- Give both parties legal certainty.
It’s not necessary for the customer to read all of the terms. What’s required is that the provider gave the customer sufficient notice of the terms before the contract was concluded; as long as the customer has had the opportunity to view the terms, they will normally be bound. On the other hand, the provider’s freedom to dictate terms is limited in two important ways:
- Under consumer protection law, most unfair standard terms will not be binding on consumers.
- Under the Unfair Contract Terms Act, certain terms in standard contracts between businesses are subject to a reasonableness test.
Cloud contracts often have international elements, so which law applies? The answer is determined by an area of law called private international law, also referred to as the conflict of laws, which determines which law applies to international cases. In the European Union and the UK this area has been harmonized through the Rome I Regulation, under which parties are free to choose which law governs the contract.
Almost all cloud contracts contain a choice of law clause. In its absence, private international law applies different default rules depending on the circumstances of the case; for example, a contract for cloud services is generally governed by the law of the country where the service provider resides.
So, you may find that your cloud contract is in fact governed by a foreign law,
- Either because of a choice of law clause in the contract,
- Or because the provider is based abroad.
The law contains an exception for consumers (natural persons acting outside their trade or profession), who cannot be deprived of mandatory protections under their local law.
Many of the largest cloud providers are headquartered in the United States, but in Europe many of them name a European subsidiary as the contracting party for European customers. Which courts have jurisdiction to hear contractual disputes is also determined by private international law, under which parties are generally free to choose the courts that will hear disputes under the contract. This reflects the parties’ freedom of contract.
Arbitration tribunals offer an alternative venue for resolving disputes without going to court. Instead of judges, an independent arbitrator, or a panel of arbitrators, will decide the case.
Breach of Contract
When one party fails to fulfill its promise, that usually means they are in breach of contract. To determine whether there has been a breach, we need to ask three questions:
- What are the parties’ duties under the contract?
  - Express terms: written into the contract. Many cloud contracts do not spell out the provider’s duties expressly.
  - Implied terms: not expressly stated but nonetheless part of the contract. They are implied by the courts or by statute, and any implied term must be consistent with the express terms. Many business-to-business cloud contracts disclaim all implied warranties, which can make it difficult to determine what exactly the provider’s contractual duties are.
- What have the parties actually done?
- Does that performance match their duties under the contract?
The law typically responds to such a breach by providing the other party with a remedy. Under English law there are two main remedies for breach of contract; the other party might:
- Be able to terminate the contract without performing their own remaining duties.
- Be entitled to damages to compensate for losses caused by the breach. A party is only liable for indirect losses if, at the time the contract was made, it should reasonably have foreseen that such losses would probably result from the breach.
Cloud providers typically have broad exclusions of liability, which means that customers might not be entitled to damages even where the provider breaches the contract. Their only remedy might be to terminate the contract, or to apply for service credits for downtime under an SLA.
In a Service Level Agreement (SLA), a provider commits to delivering a certain level of service availability, measured against defined criteria, and offers a set rate of compensation (usually service credits) if the actual service falls below that level.
Termination clauses determine when a party can end a contract. Cloud contracts are typically of indefinite duration. Cloud customers can usually terminate for any reason and at any time, on written notice and on paying any outstanding fees. Providers’ termination rights differ:
- Many providers reserve the right to terminate services at their sole discretion and for any reason.
- Other providers reserve the right to terminate based on specific listed grounds, such as a customer’s breach of the contract.
Negotiation of Cloud Contracts
Cloud providers offer their services on a one-to-many basis. If you are a consumer or a small to medium-sized enterprise, the provider usually will not negotiate the contract terms:
- If the customer is satisfied with the terms, they can click through and start using the service often straight away, without any human interaction with the cloud provider’s staff.
- If the customer is unhappy with the service, they can typically terminate the contract at any time.
For larger customers, cloud providers may be more willing to enter into contract negotiations. Various factors influence whether a provider is willing to negotiate:
- Predicted spend on that deal
- Annual revenue / IT budget of your company
- Strategic advantage
Cloud providers will typically take their standard contract terms, which typically favor the providers’ interests, as the starting point in any negotiation. And they’re generally inclined to accept only minor amendments. As with any commercial negotiation, the outcome will depend to a large extent on the parties’ relative bargaining power.
In 2019, a Baker McKenzie survey reported that the top five terms most likely to be negotiated included:
- Data breach response and liability
- Limitation of liability
- Data ownership and use rights
- Data security and redundancy
In 2016 an Eversheds survey found that around a third of cloud customers had walked away from a cloud deal at the negotiation stage.
The two most cited reasons were:
- Concerns over data location
- Concerns over security breach reporting
Outsourcing vs Cloud
Traditional outsourcing differs from cloud services in at least four important respects:

| Traditional outsourcing | Cloud services |
|---|---|
| A customer moves existing in-house IT resources out to a service provider. | A provider builds a service first, and a customer then buys that service in. |
| The provider typically provides a service tailored to a specific customer’s needs. | The provider offers a single uniform service to all its customers. |
| The outsourcing supplier actively manages a process for the customer. | The customer manages the service itself, on a self-service basis. |
| Providers typically know a lot about the customer’s business. | Providers often have little or no idea what their services are being used for. |
These distinctions mean that there are key differences between cloud contracts and outsourcing contracts:
- A cloud customer enters into a contract to buy a service which the cloud provider has already developed independently. Cloud contracts are much more generic in terms of their features, and scope.
- Providers will rarely modify their service or contract terms to meet specific customer needs.
- Because cloud services are self-service, a provider typically offers tools for customers to use to manage the service.
- Not knowing how customers use the service makes it hard for providers to predict potential losses, which also helps explain why cloud providers try to exclude liability.
Software Licensing vs Cloud
Software is protected by copyright. Simply put, this means the right holder has the exclusive right to permit others to copy the software; that permission is referred to as a software license.

| Traditional software licensing | Cloud (SaaS) |
|---|---|
| The right holder gives the customer a license to install and run the software on the customer’s own devices. | Access to the software is provided as a service, delivered via the SaaS provider’s or another cloud provider’s infrastructure. |

Cloud contracts therefore differ from traditional software licenses. Because customers do not install or run the software application themselves, they may not need a software license at all.
Providers’ standard terms typically exclude liability for damages in broad terms. As a result, customers are often not entitled to any damages when things go wrong; they bear those costs themselves and may at most be entitled to service credits for downtime under the provider’s service level agreement (SLA). Customers who want to preserve the option of claiming damages need to negotiate amendments to the standard terms before signing the contract.
Customers can try to negotiate with providers in two ways:
- Ask providers to accept liability for certain categories of losses.
- Ask providers to increase the provider’s liability cap.
If the provider is unwilling to accept more liability, then it’s worth considering alternative options.
Cloud providers generally take a one size fits all approach to their standard security measures. To provide assurance, many providers obtain security certifications to show that their measures are actually effective. In addition, providers typically make tools available that customers can use themselves to enhance security on a self-service basis.
However, customers still might have both commercial and regulatory concerns about security:
- Internal – commercially sensitive data is being stored securely
- External – legal obligations to ensure that appropriate and proportionate security measures are in place
There are at least three things that customers can try to negotiate in relation to security:
- Penetration testing – hiring an expert to try to breach the provider’s security, with the provider’s permission.
- Breach notification – ask providers to agree to specific notification obligations if the provider becomes aware of a security incident.
- Breach liability – ask providers to accept more liability when it comes to security breaches.
An audit can provide assurance as to the provider’s level of security. An audit right refers to the right to inspect the way in which the provider operates its service. For instance, entering the provider’s physical premises and inspecting its devices, systems, networks, and data.
Clearly, such audits can be quite intrusive. Unsurprisingly, cloud providers are generally not keen on customer audit rights. Instead, many providers choose to subject themselves to regular audits by independent experts and then make these audit reports available to customers on request.
In 2019, the European Banking Authority, or EBA, published its new guidelines on outsourcing, which apply to banks’ use of cloud computing. Under these guidelines, the relevant cloud contract must include the unrestricted right to inspect and audit the service provider, both for the bank and the regulator. By 2020, providers appear to have accepted that customers in the financial services sector need to have audit rights to comply with these regulations.
Simply put, data location is about where a customer’s data will be stored. Concerns about data location are often driven by the need to comply with data protection laws.
Governments, regulators, and cloud providers do not always use terminology about data location or data residency consistently:
- It usually refers to a legal obligation to store data in a particular place, which may or may not also restrict storing the same data elsewhere.
- It is sometimes used to refer to the laws that apply to particular data, regardless of the data’s actual geographic location.
Customers need to know where their data will be stored so that they can comply with rules on international data transfers. Conversely, just because data are stored in one country does not mean that country’s authorities will necessarily be able to read them: strong encryption, with the keys held by the customer outside the provider’s reach, can prevent forced access to the data in an intelligible form.
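The following Go program is an added example, not code from the course or from these notes, showing what that last point looks like in practice. The customer encrypts each object with AES-256-GCM under a key it generates and keeps itself, and the provider’s object store (simulated here by an in-memory map) only ever holds ciphertext, so whoever operates or can compel the store cannot read the data. GCM’s authentication tag also covers the integrity objective of CIA: a modified blob, a wrong key, or a blob copied under a different object name fails to decrypt. The ProviderStore type, the object names and the sample record are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ProviderStore stands in for the cloud provider's object storage. It only
// ever receives and returns opaque bytes and never sees a key.
type ProviderStore struct{ objects map[string][]byte }

func NewProviderStore() *ProviderStore {
	return &ProviderStore{objects: make(map[string][]byte)}
}

func (s *ProviderStore) Put(name string, blob []byte) {
	s.objects[name] = append([]byte(nil), blob...)
}

// Get returns a copy, as a real store would hand back a fresh download.
func (s *ProviderStore) Get(name string) ([]byte, bool) {
	blob, ok := s.objects[name]
	if !ok {
		return nil, false
	}
	return append([]byte(nil), blob...), true
}

// NewDataKey generates a random 256-bit AES key on the customer side.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM before upload. The object name is
// bound as additional authenticated data, so a blob copied under another
// name will not decrypt. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per object: reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob produced by Seal. Any change to the stored bytes, a
// wrong key, or a different object name makes authentication fail.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

// ProviderCanRead reports whether the stored blob exposes the plaintext to
// whoever operates (or can compel) the store.
func ProviderCanRead(store *ProviderStore, name string, plaintext []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	store := NewProviderStore()
	record := []byte("sales volume, product A, Q3: 1200 units") // constructed sample
	blob, err := Seal(key, "reports/q3.csv", record)
	if err != nil {
		panic(err)
	}
	store.Put("reports/q3.csv", blob)
	fmt.Println("provider can read plaintext:", ProviderCanRead(store, "reports/q3.csv", record))
	stored, _ := store.Get("reports/q3.csv")
	stored[len(stored)-1] ^= 0x01 // simulate a tampered or corrupted object
	_, err = Open(key, "reports/q3.csv", stored)
	fmt.Println("tampered object rejected:", err != nil)
}
```

The protection only holds for as long as the key stays with the customer: a key escrowed with the same provider, or stored in the same jurisdiction, can be compelled just like the data, so the contract and the architecture both have to say where the keys live.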
Over time, major cloud providers have been willing to make changes to help customers comply with regulatory requirements. Cloud providers have also developed compliance tools such as data location services and specific security features.
There are actually limits to cloud providers’ flexibility when it comes to accommodating customers’ regulatory needs. Once providers have settled on additional terms or tools to help customers with compliance, they will typically not be open to further negotiation.
Information is non-rivalrous, which means that many people can use it at once without reducing how others can make use of the same information. This is very different from physical property, which is rivalrous. Ownership is both a social and a legal construct; it is a feeling as well as a fact. English law does not recognize information on its own as property; it requires something more. Social expectations that one must own information in order to protect it do not help solve the legal problem.
Because digital information is so easy to copy, copies are routinely reproduced and stored by multiple players, each of whom may have a different level of control over information in the cloud:
- Internet users or individual cloud customers
  - In the case of free cloud services, individuals are in fact paying for the service by providing their information. Their emotional sense of ownership over that information may not correspond to who has legal or practical control over the relevant copies.
- Cloud providers
  - Cloud providers manage the information that customers upload, which includes storing copies on the underlying servers.
  - Where that information is protected by an IP right such as copyright, the provider needs a licence from the user or customer, which is usually included in the standard terms of service.
- Sub-providers
  - These sub-providers operate the servers on which the customer’s information is stored.
  - For instance, Apple iCloud relies on sub-providers AWS and Google Cloud.
- Third parties
  - Any other party not directly involved as a customer, provider or sub-provider, who might use or collect the digital information.
Legal ownership consists of a collection of legal rights over an item of property, such as:
- The right to exclusive possession, i.e. exclude others or reclaim possession.
- The right to dispose, including transfer of ownership, right to use, right to take it as a security, etc.
Intellectual property (IP) includes copyright, patents, database rights, trade marks, designs, and trade secrets. IP is not about protecting information itself; rather, it protects some other aspect of the protected thing. For example, a patent confers the right to prevent others from making or using the invention. Although the patent describes the invention using information, that information is not itself protected by the right.
Most IP rights give the owner exclusive control over, and the exclusive right to exploit, the protected subject matter for a limited time. Once those rights expire, the public can exploit the previously protected subject matter. IP monopolies are not information monopolies; IP rights are deliberately limited in scope to prevent the monopolization of information.
Creativity and innovation come from being able to access, use, and build on others’ information. Unlike information, intangible IP can be owned, but that involves a trade-off:
- Too much protection: if authors and inventors were prevented from accessing earlier IP, they might be unable to access and build on useful information.
- Too little protection: if authors and inventors were not adequately protected when making and sharing their work, society would suffer, as such works would more likely be kept secret.
Copyright and trade secrets can be used to control information in the cloud.

| Copyright | Trade secrets |
|---|---|
| Protects subject matter expressed as an original work; it must be an expression of the author’s own intellectual creation. It does not protect the information itself or the idea underlying the work. For example, you are free to use the ideas and legal arguments contained in a book, but you cannot copy the text of the book, since that would infringe the author’s copyright. | Unlike classic IP rights, trade secrets directly concern information. They chiefly serve to keep information with commercial value secret or confidential. |
Copyright is a property right which prevents others from doing restricted acts reserved for the copyright owner. It can and does subsist in works that are digital in form. A copyright work is more than a collection of information. To achieve protection, it must be an expression of the author’s own intellectual creation.
Under EU law, this is broken down into two conditions which must be satisfied:
First, the subject matter must be original in the sense that it is the author’s own intellectual creation. Subject matter can be original if it reflects the personality of its author as an expression of his free and creative choices.
Second, copyright protection only extends to the elements that are the expression of such creation.
… when the realisation of a subject matter has been dictated by technical considerations, rules, or other constraints which have left no room for creative freedom, that subject matter cannot be regarded as possessing the originality required …
English law follows the EU approach. English case law confirms that the issue is whether the person in question exercised expressive and creative choices in producing the work; the more restricted the choices, the less likely it is that the product is the intellectual creation of the person who produced it.
An example is the graphical user interface of a computer program. Where the expression of its components is dictated by their technical function, the author cannot express creativity in an original manner, and those components are not protected. The appearance of the icons might still be original graphic works protected by copyright.
A substantial proportion of the information which business customers upload to or generate by using the cloud service is unlikely to qualify for copyright protection. For example, a database that records sales volumes for a product would be unlikely to qualify as a copyright work.
Entrepreneurial works can be distinguished from original works since they’re not subject to the same originality requirement. The scope of protection for entrepreneurial works is limited to protect the investment and can only be infringed if someone copies that work. The scope of original copyright works is broader than this in order to protect the expression of the author’s own intellectual creation.
In sum, entrepreneurial work protects the owner’s financial investment, rather than their creativity per se.
Like ownership, there is an important distinction between:
- information which someone wishes to keep confidential, and
- information which the law treats as sufficiently confidential to provide a legal remedy in the case of disclosure.
Trade secrets can be used to protect information, provided three criteria are satisfied:
- The information must be secret
- It must have commercial value because it is secret
- It must have been subject to reasonable steps in the circumstances by the person lawfully in control of the information to keep it secret.
An example of information, which is not a trade secret, but it’s still confidential might be the reason why an employee was dismissed.
The Right to Control
Control over digital information can clash with psychological and emotional claims to ownership. Feelings of emotional ownership over information are not the same as legal ownership or control. There are two main types of control: legal and practical.
Legal control. Legal rights that can be used to control certain forms of information arise from:
1. The law of trade secrets
2. The law of intellectual property
3. Legal instruments such as contracts. The Terms of Service is the primary mechanism for apportioning control between cloud providers and customers.
4. An individual exercising their legal rights to data protection
Practical control. Who, as a matter of fact, controls the various copies of the data? Who manages the relevant servers and data centres where the copies are stored? Technology is a particularly helpful kind of practical control, as it can be used to exclude others from information.
How does copyright enable legal control? On the cloud, there are two restricted acts reserved for the copyright owner:
- exclusive right to copy the work
- exclusive right to communicate the work to the public
Cloud providers will inevitably copy information owned by their customers in the course of providing the service. The provider has a license from the customer to do so under the cloud Terms of Service, so it has permission to copy the customer’s works and is not infringing their copyright. Similarly, the provider has a license under the Terms of Service to make any communication of the work to the public that the service involves.
Terms of Service
Even where IP rights apply, the contract between the parties plays an important role, so it is critical to consider the licensing terms in the cloud Terms of Service at the outset. A cloud provider needs certain legal rights to provide its core service, and the Terms of Service of the various cloud providers are written to support the provider’s activities in offering the service.
In general, cloud Terms of Service state that the provider and the customer agree reciprocal licenses. Usually:
- The provider owns the IP in the software and the service provided
- The customer owns any IP in data uploaded to the cloud
But beyond the ownership of information, we should also consider the level of legal and practical control. The level of control over information uploaded to the cloud will depend on the terms of the contract and the license granted by the customer.
- Some providers take only a relatively narrow license in their terms of service, limited to using customer data to provide or improve the service.
- Other providers take a license covering a broader range of purposes, such as sharing certain kinds of customer data publicly.
For more on Introducing Cloud Computing Contracts, please refer to the wonderful course here https://www.coursera.org/learn/cloud-computing-law-transactions/
I am Kesler Zhu, thank you for visiting my website. Check out more course reviews at https://KZHU.ai