In the previous articles on cloud computing we examined what cloud computing entails and we considered some of cloud computing risks and benefits and some of cloud computing payment structures. 

It is now important to spend some time on the legal issues of cloud computing. As with everything in life that is sold and purchase the rights and obligations are highlighted in the underlined contract. This can be a very simple one (for example if I buy a standard Microsoft licence or a laptop) to a very complicated one if I commission software developed specifically for me hosted  by a third party on my servers etc.  

The characteristics of each case must be negotiated before the agreement is concluded (for example supplier chosen, money paid). This is not different for a cloud-computing agreement. Whereas there are some differences between contracting for cloud computing as opposed to more traditional IT products and services which I will be exploring in the next article, all cloud-computing agreements just like all service agreements will need to address the three R's: risks, relationships and results.  

In the context of cloud computing, risk will be apportioned differently to traditional IT arrangements, with customers transferring certain risks to their supplier (very little commitment on the customer side) and taking others back in-house (for example data back-up). Whatever the end position, the parties must explore well this aspect and know very well what they can accept (and what not) so that they can manage the risks assumed. 

All service agreements need to set the rules for the relationship that will underpin the parties work together. What are each party’s rights and obligations? How any potential problems will be resolved/?  

Contracting for results is key to making a contract work for both customers and suppliers. Customers want to ensure they are contractually covered for the outcomes they have been promised during the sales process. Suppliers will want to limit results to realistic targets and manage the expectations of both parties. Customers and suppliers need to deal with the implications of non-performance service levels are vital in cloud computing agreements. 

In practice, suppliers and customers start from very different places when looking to agree contracts for cloud services. The negotiation power will depend and will swift from one extreme point (standard services) to the other (bespoke agreement). 

From the supplier’s point of view, as far as standard services are regarded, he will want to limit/exclude his liability to the maximum extent permitted by law. He will want to avoid giving any warranties or indemnities and will try to resist guaranteed SLAs and support. At the same time the customer will be concerned with liability for problems caused by service, compliance with legislation and regulation especially data protection and security, data back-up and return and support. 

For bespoke agreements (in the event for example of a private cloud or large customer), the customer will seek to impose extensive service levels agreements, considerable warranties, back-up and disaster recovery provisions, step in rights. Whereas the supplier will try to balance the potential increased risk and liability with an increased price. 

Finding a reasonable meeting point is often difficult and is as much about attitudes as it is about the law.  

Suppliers will want to establish standard contracts to keep costs down and keep all customers on the same terms, but in reality negotiation is always likely to be feasible on big enough deals and suppliers need to accept that customers have legitimate issues with some of the current supplier-biased terms available on the market. When entering into any long-term relationship, both parties should ensure they consider at the outset the entire life-cycle of that relationship, particularly how it might end.

The provisions required in the services agreement will depend on whether the platform infrastructure that is adopted will be a single or multi-subscriber arrangement. A shared infrastructure will impact a number of areas including, but not limited to:

 ·         The termination issues including transfer of employees and charges the service provider shall seek to recover on an early termination.

·         The limits it should impose on customer transfer/assignment.

·         The ability customers have to request changes.

·         The breadth of audit provisions a service provider might accept.

·         The indemnities it might be prepared to offer for loss of data. 

Negotiating cloud-services arrangements

Cloud-computing agreements will vary substantially given the range of services and approaches that are available and will have to be negotiated on a case by case basis. Simply because cloud-computing agreements tend to be lower value it does not mean that they are necessarily lower risk for customers. In fact, the converse may well be true: customers getting lower prices are likely to be taking certain risks back within their organisation that perhaps they are not used to managing (for example, storage or use limits).

This is especially true in multi-sourcing arrangements where customers have to manage multiple supplier relationships. Technical knowledge is not enough and customers need to be highly skilled at managing projects, suppliers and contracts in order to realise the benefits of multi-sourcing and avoid the many pitfalls. 

There has been some discussion as to the extent that contracts between supplier and customer are necessary within the cloud, assuming that the suppliers' standard terms and conditions are flexible enough to allow customers to swap at relatively short notice out of an arrangement with one service provider to another driving upwards the quality of service and incentivising suppliers to provide as high a level of service as possible rather than working through a set of standard terms and conditions.  

Nevertheless, there are a number of legal issues that will continue to need a contractual relationship between customer and supplier, regardless of the duration of the relationship. For example, (i) data protection laws in the EU require certain safeguards to be in place when dealing with personal data. In an environment where is it not always clear where personal data is being held or transferred, it is essential as a customer to have contractual protection or (ii) intellectual property protection.