Cloud computing is the delivery of information technology services over the internet without the need for businesses to purchase or install software or run their own application and data servers. Applications are hosted in the data centers of the cloud computing provider, benefiting from massive economies of scale which in turn lower the costs of the service to the businesses.
Cloud computing services include: Software as a Service, Platform as a Service and Infrastructure as a Service, all of which involve delivering information technology components that had previously been regarded as infrastructure or hardware.
Benefits and risks
Cloud computing services offer to a number of benefits but also expose businesses to certain risks, although the risks are often ignored with the result that businesses may enter into a cloud computing contract without having considered all potential issues including legal and compliance. Some of the benefits of cloud computing include: low, fixed charges; improved support and maintenance through greater competition between service providers; anytime, anywhere access; ease of adoption; greater flexibility with business requirements that can expand or contract as required. Some of the risks include: standard solutions may not precisely match business needs, limited warranties, indemnities, lack of integration and management of legacy systems, lack of control over data and content with potential data protection issues, risk of lock-in, risk of hidden extras for additional users, storage and so on, risk that a business fails to control usage or increased storage and ends up paying more than what it had budgeted for.
What are the legal issues?
Cloud computing operators generally offer their services on standard terms. Standard terms tend to be for the benefit of the operator, including only limited warranties. In particular, cloud computing providers may reserve the right to delete customer data for breach of contract, such as non-payment. For businesses this may be disastrous vis-a-vis their customers.
In the UK, standard terms between UK companies (and, in particular, any exclusions or limits of liability) are subject to the Unfair Contract Terms Act and must be reasonable. However, this requirement is not necessary in the event of international contracts (as most of the cloud computing contracts are). In addition, it is far safer to negotiate key provisions in advance rather than rely on statutory protection after an issue arises and business will need to know what kind of service levels and service credits will be offered to it. In the event of use of cloud computing services for key operations such as outsourcing then, the parties must have a properly negotiated agreement, including service levels and support.
The legal issues to consider are various and include: concluding contracts inadvertently; data protection; intellectual property issues and defamation; software licensing, open source use; liability; law and jurisdiction.
More in detail:
- The risk of concluding contracts inadvertently: for example, if an employee signs up to a cloud-computing application using a computer at work for a purpose related to their employment, then the company could be bound by the terms of that cloud computing service.
- The risk of data protection compliance: if employees input personal data held by their employer into the cloud, the company must comply with its data protection obligations.
- The risk of intellectual property infringement: liability may arise when employees post defamatory or copyright-infringing content into the public areas of many cloud-computing services. In all the above, appropriate policies, procedures and training must be given to employees to ensure compliance.
- Appropriate licences: when users have online use of software at a computer without a licence, they commit copyright infringement. The licences granted by cloud computing operators are usually very narrow and limited to use of the online application for the business own purposes. Customers have no rights to make copies of or modifications or enhancements to the software, and they cannot sub-license to third parties. So the business, before accepting the software licence, must ensure that it can comply with its obligations and if not it must make the necessary changes to allow for sub-contracting or outsourcing.
- Intellectual property issues: a cloud computing operator may not always own the intellectual property rights in the software that is the subject of the cloud-computing service. In this case, the operator will need to arrange for the right to sub-license the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensor.
- Use of open source software: although the use of open source software helps keeping the costs down and many cloud computing operators build their services using such software, the open source software licences vary considerably and some require onward licensing of source code when open source is incorporated into other software or deployed in a hosted environment, which could have serious consequences for businesses. It is thought however, that pure cloud services are not considered to involve a conveyance according to the General Public Licence Version 3 and therefore code disclosure requirements should not be triggered. However, it is preferable for businesses to check this issue with their provider.
- Content licence: the standard terms offered by many cloud computing operators allow them to use any content stored on its servers. These licences are often expressed as being perpetual and irrevocable often giving the cloud computing providers the right to pass the content to third parties or use it for the purpose of promoting the cloud computing service. This may not be appropriate for information such as personal data, third-party intellectual property rights or confidential information contained in or attached to e-mails. Customers should therefore take care in identifying and amending any rights they are agreeing to provide to the cloud computing operator before they sign the relevant contract.
- Liability: the cloud computing provider will seek to exclude all liability for content stored or posted on its services and will normally include a right in its standard terms to remove any data from its servers. This is because internet service providers can be liable for failing to take down offensive, defamatory or intellectual property infringing content and cloud-computing applications often blur the line between public and private networks. In these circumstances, corporate customers should seek an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved and should look to impose a requirement to be notified in advance if any content is to be removed.
- Intellectual property indemnity: it is common in all IT contracts to include an intellectual property indemnity for the customer’s benefit in the event that a third party makes a claim that the use of IT products by the customer (particularly software) infringes the third party’s intellectual property. However, it is important for the customer to ensure that such indemnity is not unreasonably limited or subject to unnecessary conditions. The inclusion of intellectual property indemnities in cloud-computing contracts remains important because customers have to rely on the cloud computing provider to ensure that software licensing issues have been resolved so as to entitle the customer to use the software as part of the service. One of the benefits of cloud-computing arrangements is that the burden of the upkeep of software licensing arrangements is generally lifted from the customer. However, if the arrangements are not properly made, the customer may still infringe the intellectual property of a third party even though it may have no knowledge of the infringement. Cloud-computing users need to be aware of the possibility of patent infringement through the use of cloud-computing arrangements. Patent protection is increasingly available for computer software in the US and in the EU. Where cloud-computing arrangements are established on an international basis, the intellectual property indemnity needs to be wide enough to protect the cloud services’ customers in all jurisdictions in which the software will be used.
- Jurisdiction and governing law: Where the parties have not expressly chosen a legal system in their contracts: (a) contractual obligations will be governed in accordance with the law of the country in which the party who will perform obligations characteristic of the contract has its habitual residence or central administration this will generally be the law of the place in which the cloud computing provider locates its servers; (b) non-contractual obligations arising in civil and commercial matters between parties, the law applicable will be the law of the country in which the damage occurs or is likely to occur.
Also a business needs to take care during cross-border dealings to ensure that foreign law does not give rise to unexpected and binding non-contractual obligations (for example, duties of good faith in negotiations which do not exist under English law).
Under the Brussels Regulation a person domiciled in a contracting state may be sued in the courts of another contracting state where a contractual obligation is owed. A cloud computing provider based in the EU can be sued in all the jurisdictions in which it provides services to its customers. The Brussels Regulation also provides for mutual recognition and enforcement of judgments.
However, where the cloud computing provider is based outside the EU, jurisdiction will depend on the relevant rules of court relating to service of proceedings on the cloud computing outside the jurisdiction. Customers often take the view that the cloud-computing contract should be governed by their local law as this is the legal system of which they have greatest knowledge. However, this will be difficult to negotiate. Further, it may not necessarily be the most advantageous position. If the cloud computing does not have a sizeable presence in the customer’s jurisdiction then any court order that might be obtained will be difficult to enforce in the cloud computing provider’s jurisdiction. This applies particularly between EU customers and US cloud computing providers and where there is a need to obtain emergency remedies against a cloud computing provider for example, if the customer considers that its data has been misused by the cloud computing provider. In these circumstances, obtaining emergency remedies will generally be more straightforward if the governing law of the contract is the local law of the cloud computing provider. For a checklist of the cloud computing key issues see our article.
This article by Dr Maria Anassutzi, intellectual property and information technology law expert, discusses cloud computing, its benefits and risks and the legal issues that involves for businesses. This article is for general purposes and guidance only and do not constitute legal or professional advice.