
Sam De Silva, Partner - Head of IT and Outsourcing Group at Penningtons Manches LLP - Key Legal & Commercial Issues with Cloud Computing & Insider View from the EU Expert Group


Sam De Silva, Partner - Head of IT and Outsourcing Group at Penningtons Manches LLP, presented at CIO Event, October 2014


  1. CIO UK: Leveraging Technology to Transform your Business, 9 October 2014
     Key Legal & Commercial Issues with Cloud Computing & Insider View from the EU Expert Group
     Dr Sam De Silva, Partner, Head of IT & Outsourcing, Penningtons Manches LLP
     Immediate Past Chair – Law Society’s Technology & Law Reference Group
     Member of EU Expert Group on Cloud Computing
  2. Outline
     • Key differences with other IT contracts (esp. outsourcing)
     • Practical application
     • Risk assessment - key contractual and legal issues
     • European Cloud Computing Strategy – State of Play / Role of Expert Group
     • Summary
  3. Key Differences with other IT Contracts
     • Customisation
     • Supply chain direction
     • Delivery of services versus availability
     • Active versus passive processing
     • Pricing
     • Upgrades and improvements versus configuration
     • Contract term
     • Low barrier to entry
       – “click-wrap agreements” are legally enforceable
       – often presented as less or no “legalese” contracts
       – but appearances may be deceiving
  4. Practical Application
     • Negotiating approach
     • Standard commoditised offering, therefore limited flexibility or ability to change
       – shift in mentality
       – contract evaluation should be a key part of provider selection
     • Risk assessment exercise
       – will a standard offering with its standard terms meet business needs?
       – selection between different contracts as opposed to contract negotiations
       – critical data or strategic services may not be suited for the cloud unless appropriate contract terms can be agreed upon
     • Role of Integrators
  5. Risk Assessment - Key Contractual and Legal Issues (1)
     • Security compliance
     • Limited supplier obligations
     • Limitations and exclusions of liability
     • Data protection (*)
     • Suspension and termination clauses
     • Supplier lock-in and transitioning
  6. Risk Assessment - Key Contractual and Legal Issues (2)
     • Service levels
     • Modifications to contract
     • Subcontracting
  7. Security Compliance
     • Due diligence
     • Security questionnaire
       – who owns and controls infrastructure
       – deployment and delivery methods
       – security controls in place
       – physical location of infrastructure elements
       – reliability reports
     • Provider’s response
       – confidential
       – security policy
       – security standards
  8. Limited Supplier Obligations
     • Typical obligations, warranties or other safeguards of sourcing or hosting contracts are not included in cloud computing contracts
     • Due to their commoditised approach, cloud computing contracts typically contain less onerous obligations on the supplier
     • Undertake “gap” analysis
  9. Liability
     • Limiting liability of cloud provider to a level that is not in line with the potential risk
     • Risk with limiting the liability of the cloud provider to the amount paid
     • Issues include:
       – almost total exclusion of liability
       – limited financial cap
       – exclusion of certain types of loss (e.g. direct losses (US contracts), indirect loss and/or data loss)
       – force majeure definition
  10. Suspension or Termination (1)
     • “Hair” triggers for CSP suspension and termination rights
     • Pitfalls of suspension clauses
       – impact on continuity
       – low barrier for suspension of services/unplanned interruptions
       – minor non-compliance may lead to significant remedy for the supplier
     • Termination for convenience by the supplier
       – notice period
       – exit obligations
  11. Suspension or Termination (2)
     • Termination for convenience by the customer
       – typically cloud computing contracts allow for easy exit for the customer
       – check contracts for termination for convenience because not always the case or such exit does not come cheap
     • Risk of cloud provider going out of business or restructuring its service portfolio
       – data escrow
  12. Supplier Lock-in and Transition / Vendor Lock-in and Transition
     • Usefulness of termination for convenience
     • No implied obligation to assist in data transfer and disengagement
     • Everything depends on your contractual agreement
     • Pricing
  13. Service Level Agreements
     • Often not part of standard offering
     • SLA without “teeth” / targets
     • Points of attention:
       – Definition of availability
       – how is the availability calculated by the provider? (e.g. 10 outages of 6 minutes versus 1 outage of 1 hour)
       – service measurement period
  14. Availability (1)
     • Meaning
     • Period availability is measured
       – 99% allows 14 mins over a 24 hour period
       – 99% allows 7 mins over a 12 hour day
     • Core periods/non-core periods

     Permitted downtime by the 9s:

     | Availability | Annual          | Monthly        | Daily (24 hours) |
     |--------------|-----------------|----------------|------------------|
     | 99.999%      | 5.259 min       | 0.438 min      | 0.0144 min       |
     | 99.99%       | 52.59 min       | 4.38 min       | 0.144 min        |
     | 99.9%        | 8 h 45.6 min    | 43.8 min       | 1.4 min          |
     | 99%          | 3 days 15 hours | 7 hours 18 min | 14.4 min         |
  15. Availability (2): Availability Formula
     The Cloud Provider will ensure that the Services are Available 99.9% of the time 24 hours a day, 7 days a week, 365 days a year ("Available Hours"). Availability will be measured monthly. Availability for the relevant month will be calculated using the following formula:

     % Availability = (1 – (a / b)) x 100

     where:
     a = total hours the Services were unavailable during the Available Hours in the relevant month (excluding the time in respect of Problems with the public telecommunications network or scheduled maintenance or outage that commences outside Support Hours)
     b = number of Available Hours during the relevant month.

     Worked Example:
     System unavailable for 10 hours in a month
     Number of Available Hours in 1 month (assuming 30 days): 24 x 30 = 720
     (1 – (10 / 720)) x 100 = 98.6%
  16. Modifications to contract
     • Unilateral right
     • Prior / prior notice approval
     • Right to terminate
     • Changes to “other” documents
  17. Subcontracting
     • Complex supply chain
     • Limited visibility / control
     • Lack of due diligence
     • Prior written approval for “key” subcontractors / change
     • Scope of services
     • Right to “step-in” / direct contract with subcontractors
  18. European Cloud Computing Strategy – State of Play
  19. Objectives of Expert Group
     • Commission Decision of 18.6.2013 on setting up the Commission Expert Group on Cloud Computing Contracts (ref: 2013/C 174/04)
     • Identification of safe and fair contract terms for consumers and SMEs
     • Consideration of best market practices and Data Protection Directive
     • Improving legal framework for cloud computing contracts for consumers and SMEs in order to strengthen confidence
  20. Process
     • 30 experts across Europe appointed
       – 20 in Ts&Cs work-stream
       – 10 in data protection work-stream
     • First meeting was held on 19/20 November 2013
     • Key list of topics / issues were discussed
       – Different cloud models (SaaS, IaaS, PaaS)
       – “Free” versus paid
     • Completed 6 x 2 day meetings
     • Policy paper currently being drafted
     • Further meeting to finalise paper prior to issue and public consultation
     • No model clauses / contracts at this stage
  21. Key Topics (1)
     • Switching – data portability upon switching
     • Pre-contractual information
     • Liability due to non compliance with data protection
     • Data location and data security
     • Auditing reporting and monitoring
     • Modifications of the contract
     • Cloud specific unfair terms
     • Subcontracting
  22. Key Topics (2)
     • Jurisdiction / applicable law
     • Availability of the service
     • Compliance with the provisions of data transfers
     • Liability for non-performance including remedies / service credits
     • Data disclosure and integrity
     • Use and control of content
     • Consequences and conditions of termination of the contract such as preservation, transfer or erasure of data
  23. Summary
     • A different approach to “negotiating” cloud computing contracts is required
     • Risk assessment exercise
     • Considerable amount of work at EU level
  24. Contact details
     Dr Sam De Silva
     Email: sam.desilva@penningtons.co.uk
     DDI: +44 (0) 1865 813 735
     Q & A
