Sam De Silva, Partner - Head of IT and Outsourcing Group at Penningtons Manches LLP, presented at CIO Event, October 2014

1. CIO UK: Leveraging Technology to Transform
your Business 9 October 2014
Key Legal & Commercial Issues
with Cloud Computing &
Insider View from the EU Expert
Group
Dr Sam De Silva
Partner, Head of IT & Outsourcing
Penningtons Manches LLP
Immediate Past Chair – Law Society’s
Technology & Law Reference Group
Member of EU Expert Group on Cloud
Computing

2. Outline
 Key differences with other IT contracts
(esp. outsourcing)
 Practical application
 Risk assessment - key contractual and
legal issues
 European Cloud Computing Strategy –
State of Play / Role of Expert Group
 Summary

3. Key Differences with other IT Contracts
 Customisation
 Supply chain direction
 Delivery of services versus availability
 Active versus passive processing
 Pricing
 Upgrades and improvements versus configuration
 Contract term
 Low barrier to entry
– “click-wrap agreements” are legally enforceable
– often presented as less or no “legalese” contracts –
but appearances may be deceiving

4. Practical Application
 Negotiating approach
 Standard commoditised offering, therefore limited
flexibility or ability to change
– shift in mentality
– contract evaluation should be a key part of provider selection
 Risk assessment exercise
– will a standard offering with its standard terms meet business
needs?
– selection between different contracts as opposed to contract
negotiations
– critical data or strategic services may not be suited for the cloud
unless appropriate contract terms can be agreed upon
 Role of Integrators

5. Risk Assessment - Key Contractual and
Legal Issues (1)
 Security compliance
 Limited supplier obligations
 Limitations and exclusions of liability
 Data protection (*)
 Suspension and termination clauses
 Supplier lock-in and transitioning

6. Risk Assessment - Key Contractual and
Legal Issues (2)
 Service levels
 Modifications to contract
 Subcontracting

7. Security Compliance
 Due diligence
 Security questionnaire
– who owns and controls infrastructure
– deployment and delivery methods
– security controls in place
– physical location of infrastructure elements
– reliability reports
 Provider’s response
– confidential
– security policy
– security standards

8. Limited Supplier Obligations
Limited Supplier Obligations  Typical obligations, warranties or other safeguards of
sourcing or hosting contracts are not included in cloud
computing contracts
 Due to their commoditised approach, cloud computing
contracts typically contain less onerous obligations on
the supplier
 Undertake “gap” analysis

9. Liability
 Limiting liability of cloud provider to a level that is not in
line with the potential risk
 Risk with limiting the liability of the cloud provider to the
amount paid
 Issues include:
– almost total exclusion of liability
– limited financial cap
– exclusion of certain types of loss (e.g. direct losses
(US contracts) indirect loss and/or data loss)
– force majeure definition

10. Suspension or Termination (1)
 “Hair” triggers for CSP suspension and termination rights
 Pitfalls of suspension clauses
– impact on continuity
– low barrier for suspension of services/unplanned interruptions
– minor non-compliance may lead to significant remedy for the
supplier
 Termination for convenience by the supplier
– notice period
– exit obligations

11. Suspension or Termination (2)
 Termination for convenience by the customer
– typically cloud computing contracts allow for easy exit
for the customer
– check contracts for termination for convenience
because not always the case or such exit does not
come cheap
 Risk of cloud provider going out of business or
restructuring its service portfolio – data escrow

12. Supplier Lock-in and Transition
Vendor Lock-in and Transition  Usefulness of termination for convenience
 No implied obligation to assist in data transfer and
disengagement
 Everything depends on your contractual agreement
 Pricing

13. Service Level Agreements
 Often not part of standard offering
 SLA without “teeth” / targets
 Points of attention:
– Definition of availability
– how is the availability calculated by the provider?
 e.g. 10 outages of 6 minutes versus 1 outage of 1 hour
– service measurement period

14. Availability (1)
 Meaning
Permitted downtime by the 9s
Annual Monthly Daily (24
 Period availability is measured
– 99% allows 14 mins over a 24 hour period
– 99% allows 7 mins over a 12 hour day
 Core periods/non-core periods
hours)
99.999% 5.259 min 0.438 min 0.0144 min
99.99% 52.59 min 4.38 min 0.144 min
99.9% 8 h 45.6 min 43.8 min 1.4 min
99% 3 days 15 hours 7 hours 18 min 14.4 min

15. Availability (2)
Availability Formula
The Cloud Provider will ensure that the Services are Available 99.9% of the time 24 hours
a day, 7 days a week, 365 days a year ("Available Hours"). Availability will be measured
monthly.
Availability for the relevant month will be calculated using the following formula:
% Availability = (1- (a / b)) x 100
where:
a = total hours the Services were unavailable during the Available Hours in the
relevant month (excluding the time in respect of Problems with the public
telecommunications network or scheduled maintenance or outage that
commences outside Support Hours)
b = number of Available Hours during the relevant month.
Worked Example:
System unavailable for 10 hours in a month
Number of Available Hours in 1 month (assuming 30 days): 24 x 30 = 720
(1 – (10 / 720)) x 100 = 98.6%

16. Modifications to contract
 Unilateral right
 Prior / prior notice approval
 Right to terminate
 Changes to “other” documents

17. Subcontracting
 Complex supply chain
 Limited visibility / control
 Lack of due diligence
 Prior written approval for “key” subcontractors / change
 Scope of services
 Right to “step-in” / direct contract with subcontractors

18. European Cloud Computing Strategy –
State of Play

19. Objectives of Expert Group
 Commission Decision of 18.6.2013 on setting up the Commission
Expert Group on Cloud Computing Contracts (ref: 2013/C 174/04)
 Identification of safe and fair contract terms for consumers and
SMEs
 Consideration of best market practices and Data Protection Directive
 Improving legal framework for cloud computing contracts for
consumers and SMEs in order to strengthen confidence

20. Process
 30 experts across Europe appointed
– 20 in Ts&Cs work-stream
– 10 in data protection work-stream
 First meeting was held on 19/20 November 2013
 Key list of topics / issues were discussed
– Different cloud models (SaaS, IaaS, PaaS)
– “Free” versus paid
 Completed 6 x 2 day meetings
 Policy paper currently being drafted
 Further meeting to finalise paper prior to issue and public consultation
 No model clauses / contracts at this stage

21. Key Topics (1)
 Switching – data portability upon switching
 Pre-contractual information
 Liability due to non compliance with data protection
 Data location and data security
 Auditing reporting and monitoring
 Modifications of the contract
 Cloud specific unfair terms
 Subcontracting

22. Key Topics (2)
 Jurisdiction / applicable law
 Availability of the service
 Compliance with the provisions of data transfers
 Liability for non-performance including remedies / service credits
 Data disclosure and integrity
 Use and control of content
 Consequences and conditions of termination of the contract such as
preservation, transfer or erasure of data

23. Summary
 A different approach to “negotiating” cloud
computing contracts is required
 Risk assessment exercise
 Considerable amount of work at EU level

24. Contact details
Dr Sam De Silva
Email: sam.desilva@penningtons.co.uk
DDI: +44 (0) 1865 813 735
Q & A