Sam De Silva, Partner - Head of IT and Outsourcing Group at Penningtons Manches LLP - Key Legal & Commercial Issues with Cloud Computing & Insider View from the EU Expert Group
1. CIO UK: Leveraging Technology to Transform
your Business 9 October 2014
Key Legal & Commercial Issues
with Cloud Computing &
Insider View from the EU Expert
Group
Dr Sam De Silva
Partner, Head of IT & Outsourcing
Penningtons Manches LLP
Immediate Past Chair – Law Society’s
Technology & Law Reference Group
Member of EU Expert Group on Cloud
Computing
2. Outline
Key differences with other IT contracts
(esp. outsourcing)
Practical application
Risk assessment - key contractual and
legal issues
European Cloud Computing Strategy –
State of Play / Role of Expert Group
Summary
3. Key Differences with other IT Contracts
Customisation
Supply chain direction
Delivery of services versus availability
Active versus passive processing
Pricing
Upgrades and improvements versus configuration
Contract term
Low barrier to entry
– “click-wrap agreements” are legally enforceable
– often presented as less or no “legalese” contracts –
but appearances may be deceiving
4. Practical Application
Negotiating approach
Standard commoditised offering, therefore limited
flexibility or ability to change
– shift in mentality
– contract evaluation should be a key part of provider selection
Risk assessment exercise
– will a standard offering with its standard terms meet business
needs?
– selection between different contracts as opposed to contract
negotiations
– critical data or strategic services may not be suited for the cloud
unless appropriate contract terms can be agreed upon
Role of Integrators
5. Risk Assessment - Key Contractual and
Legal Issues (1)
Security compliance
Limited supplier obligations
Limitations and exclusions of liability
Data protection (*)
Suspension and termination clauses
Supplier lock-in and transitioning
6. Risk Assessment - Key Contractual and
Legal Issues (2)
Service levels
Modifications to contract
Subcontracting
7. Security Compliance
Due diligence
Security questionnaire
– who owns and controls infrastructure
– deployment and delivery methods
– security controls in place
– physical location of infrastructure elements
– reliability reports
Provider’s response
– confidential
– security policy
– security standards
8. Limited Supplier Obligations
Typical obligations, warranties or other safeguards of
sourcing or hosting contracts are not included in cloud
computing contracts
Due to their commoditised approach, cloud computing
contracts typically contain less onerous obligations on
the supplier
Undertake “gap” analysis
9. Liability
Limiting liability of cloud provider to a level that is not in
line with the potential risk
Risk with limiting the liability of the cloud provider to the
amount paid
Issues include:
– almost total exclusion of liability
– limited financial cap
– exclusion of certain types of loss (e.g. direct losses
(US contracts), indirect loss and/or data loss)
– force majeure definition
10. Suspension or Termination (1)
“Hair” triggers for CSP suspension and termination rights
Pitfalls of suspension clauses
– impact on continuity
– low barrier for suspension of services/unplanned interruptions
– minor non-compliance may lead to significant remedy for the
supplier
Termination for convenience by the supplier
– notice period
– exit obligations
11. Suspension or Termination (2)
Termination for convenience by the customer
– typically cloud computing contracts allow for easy exit
for the customer
– check contracts for termination for convenience
because not always the case or such exit does not
come cheap
Risk of cloud provider going out of business or
restructuring its service portfolio – data escrow
12. Supplier Lock-in and Transition
Usefulness of termination for convenience
No implied obligation to assist in data transfer and
disengagement
Everything depends on your contractual agreement
Pricing
13. Service Level Agreements
Often not part of standard offering
SLA without “teeth” / targets
Points of attention:
– Definition of availability
– how is the availability calculated by the provider?
e.g. 10 outages of 6 minutes versus 1 outage of 1 hour
– service measurement period
14. Availability (1)
Meaning
Permitted downtime by the 9s
Availability   Annual            Monthly          Daily (24 hours)
99.999%        5.259 min         0.438 min        0.0144 min
99.99%         52.59 min         4.38 min         0.144 min
99.9%          8 h 45.6 min      43.8 min         1.4 min
99%            3 days 15 hours   7 hours 18 min   14.4 min
Period availability is measured
– 99% allows 14 mins over a 24 hour period
– 99% allows 7 mins over a 12 hour day
Core periods/non-core periods
15. Availability (2)
Availability Formula
The Cloud Provider will ensure that the Services are Available 99.9% of the time 24 hours
a day, 7 days a week, 365 days a year ("Available Hours"). Availability will be measured
monthly.
Availability for the relevant month will be calculated using the following formula:
% Availability = (1- (a / b)) x 100
where:
a = total hours the Services were unavailable during the Available Hours in the
relevant month (excluding the time in respect of Problems with the public
telecommunications network or scheduled maintenance or outage that
commences outside Support Hours)
b = number of Available Hours during the relevant month.
Worked Example:
System unavailable for 10 hours in a month
Number of Available Hours in 1 month (assuming 30 days): 24 x 30 = 720
(1 – (10 / 720)) x 100 = 98.6%
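Added example, not part of the original slides: the availability formula above applied to outage records, showing how exclusions, the measurement period and the provider's definition of a countable outage change whether a target is met. It assumes one reading of the exclusion wording (telecoms problems, plus maintenance or outages commencing outside Support Hours); the `min_minutes` threshold and all sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Outage:
    minutes: float
    telecom: bool = False                 # public telecoms network problem
    outside_support_hours: bool = False   # commenced outside Support Hours

def countable_hours(outages, min_minutes=0.0):
    """Hours that count as 'a' in the slide's formula.

    min_minutes is a hypothetical provider rule (not in the slide's clause):
    outages shorter than this are ignored entirely.
    """
    total = 0.0
    for o in outages:
        if o.telecom or o.outside_support_hours:   # contractual exclusions
            continue
        if o.minutes < min_minutes:                # hypothetical threshold
            continue
        total += o.minutes
    return total / 60.0

def availability_pct(outages, days=30, min_minutes=0.0):
    """% Availability = (1 - (a / b)) x 100, with b = 24 x days."""
    b = 24 * days
    a = countable_hours(outages, min_minutes)
    return (1 - a / b) * 100

def meets_sla(outages, target_pct, days=30, min_minutes=0.0):
    return availability_pct(outages, days, min_minutes) >= target_pct

# Constructed sample data, not from the slides.
TEN_SHORT = [Outage(6) for _ in range(10)]      # 10 outages of 6 minutes
ONE_LONG = [Outage(60)]                         # 1 outage of 1 hour
SLIDE_EXAMPLE = [Outage(600)]                   # 10 hours, as in the worked example
MOSTLY_EXCLUDED = [Outage(540, outside_support_hours=True), Outage(60)]

if __name__ == "__main__":
    for name, data in [("10 x 6 min", TEN_SHORT), ("1 x 60 min", ONE_LONG)]:
        print(name, round(availability_pct(data), 3),
              round(availability_pct(data, min_minutes=10), 3))
    print("slide example, monthly:", round(availability_pct(SLIDE_EXAMPLE), 1))
    print("same outage, annual   :", round(availability_pct(SLIDE_EXAMPLE, days=365), 3))
    print("9 of 10 hours excluded:", round(availability_pct(MOSTLY_EXCLUDED), 3))
```

The same 10-hour outage misses a 99% target when measured monthly but meets it when measured over a year, which is why the measurement period and the exclusions need to be read together with the headline percentage.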
16. Modifications to contract
Unilateral right
Prior / prior notice approval
Right to terminate
Changes to “other” documents
17. Subcontracting
Complex supply chain
Limited visibility / control
Lack of due diligence
Prior written approval for “key” subcontractors / change
Scope of services
Right to “step-in” / direct contract with subcontractors
19. Objectives of Expert Group
Commission Decision of 18.6.2013 on setting up the Commission
Expert Group on Cloud Computing Contracts (ref: 2013/C 174/04)
Identification of safe and fair contract terms for consumers and
SMEs
Consideration of best market practices and Data Protection Directive
Improving legal framework for cloud computing contracts for
consumers and SMEs in order to strengthen confidence
20. Process
30 experts across Europe appointed
– 20 in Ts&Cs work-stream
– 10 in data protection work-stream
First meeting was held on 19/20 November 2013
Key list of topics / issues were discussed
– Different cloud models (SaaS, IaaS, PaaS)
– “Free” versus paid
Completed 6 x 2 day meetings
Policy paper currently being drafted
Further meeting to finalise paper prior to issue and public consultation
No model clauses / contracts at this stage
21. Key Topics (1)
Switching – data portability upon switching
Pre-contractual information
Liability due to non compliance with data protection
Data location and data security
Auditing reporting and monitoring
Modifications of the contract
Cloud specific unfair terms
Subcontracting
22. Key Topics (2)
Jurisdiction / applicable law
Availability of the service
Compliance with the provisions of data transfers
Liability for non-performance including remedies / service credits
Data disclosure and integrity
Use and control of content
Consequences and conditions of termination of the contract such as
preservation, transfer or erasure of data
23. Summary
A different approach to “negotiating” cloud
computing contracts is required
Risk assessment exercise
Considerable amount of work at EU level
24. Contact details
Dr Sam De Silva
Email: sam.desilva@penningtons.co.uk
DDI: +44 (0) 1865 813 735
Q & A