AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING
1. Overview and Background

On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in Europe". The strategy is designed to increase the use of cloud computing across the economy. A key part of this strategy is the formation of an Expert Group on Cloud Computing Contracts (the "Expert Group"). This Expert Group is to build on other legislative initiatives already put forward by the Commission, such as the EU data protection reform and the proposed Common European Sales Law (CESL).

"At the European Council last week, EU leaders called for action to help create a single market for cloud computing. The Commission is delivering its bit. Making full use of the opportunities presented by cloud computing could create 2.5 million extra jobs in Europe and add around 1% a year to EU's Gross Domestic Product by 2020," said Vice President Reding, the EU's Justice Commissioner. "We are asking experts to provide a balanced set of contract terms for consumers and small and medium-sized enterprises to use cloud computing services with more confidence. Trust is bankable - citizens need to be able to trust that the services they use are fair and reliable." (European Commission Press Release, 28 October 2013).

"Cloud computing" refers to the storage of data (such as text files, pictures and video) and software on remote computers, which users access over the internet on the device of their choice. This is faster, cheaper, more flexible and potentially more secure than on-site IT solutions. Many popular services such as Facebook and web-based email use cloud computing technologies, but commentators state that the real economic benefits come through widespread use of cloud solutions by businesses and the public sector.

The formation of the Expert Group is a response to stakeholder concerns relating to cloud computing contracts.
Cloud service providers indicated that the complexity and uncertainty of the existing legal framework make cross-border activity more difficult. Consumers and SMEs took the view that, although existing European legislation may protect them when using cloud computing services, they are often unaware of their rights and are not informed by the provider in a sufficiently clear and unambiguous manner about the contractual conditions. In addition, representatives of consumers and SMEs indicated that vague and unbalanced cloud computing contracts make them reluctant to take up cloud computing services.

In June 2013, following a call for applications from individuals and organisations and a nomination process, the Expert Group was formed on 24 October. The Expert Group consists of 30 individuals based throughout Europe, representing in-house legal counsel at cloud service providers and businesses procuring cloud services, private practice lawyers and academics. 10 members of the Expert Group are data protection experts.

The key objective of the Expert Group is to assist the Commission in the identification of safe and fair contract terms and conditions for cloud computing services for consumers and SMEs. The Expert Group has been asked to take into consideration existing best market practices in contract terms and conditions in cloud computing contracts, as well as the relevant provisions of the Data Protection Directive. In essence, the Expert Group is tasked with helping the Commission to explore ways to improve the legal framework for cloud computing contracts for consumers and SMEs, so as to strengthen consumers' and SMEs' confidence in using cloud computing contracts.
The Expert Group is due to report back with recommendations in spring. The input will feed into a Commission policy paper launching a broad public consultation on possible ways forward on cloud computing contracts for consumers and SMEs.

The Expert Group met for the first time in Brussels on 19 and 20 November. The meeting was chaired by representatives of the Commission. The following key topics were discussed by the Expert Group (in no particular order):

- pre-contractual information
- availability of the service
- modifications of the contract
- switching: data portability upon switching
- liability for non-performance including remedies and penalties
- cloud specific unfair terms
- data location and data security
- subcontracting
- auditing, reporting and monitoring
- jurisdiction / applicable law
- compliance with the provisions of data transfers
- consequences and conditions of termination of contract such as preservation, transfer or erasure of data

Experts also raised additional issues to potentially consider. Once the key topics have been agreed, they would be further developed by 2 or 3 members of the Expert Group with the deliverable of a discussion paper. Each discussion paper would cover one of the key topics and would be structured into 2 parts. In the first part, the discussion paper:

- would describe the problem(s) related to the topic considering the service provider's and user's interests, including, where available, data and evidence showing the importance of these problems. Experts are encouraged to include as an attachment to the paper examples of existing contract clauses related to the issue being discussed or to identify some pre-contractual information practice; and
- would then identify existing best practices to solve the problems (for example, existing contractual clauses or pre-contractual information solutions).
The expert(s) responsible for drafting the discussion paper would explain why, in his/her view, this practice is an appropriate solution to the problem(s) identified and how that practice achieves a balance between the parties to the contract.
In the second part of the discussion paper, the expert(s) responsible for its preparation may suggest to the Commission how the best practice(s) identified could be translated into rights and obligations of the parties to the contracts in specific legal wording.

Throughout the first half of 2014, the Expert Group would meet monthly to consider the discussion papers. Amongst its other tasks, the Expert Group is to consider, if new cloud computing contract terms are to be developed, how such terms would interact with the proposed CESL currently under development, such as when internet users purchase digital content stored in the cloud.

Similar to cloud computing models, cloud computing contracts appear in a wide variety of forms. These can range from simple standardised click-wrap agreements to framework and multi-layered sets of terms and conditions. However, there is a set of core contractual issues that parties should consider in any cloud computing contract as part of a procurement exercise.

Currently the market for cloud services has been dominated by a number of multi-national providers which have typically used their positions of strength to impose on consumer and SME users standard terms that are weighted heavily in the providers' favour. The Commission's initiative to redress the current imbalance by developing and promoting the use of a more balanced and fair set of model terms for cloud services is encouraging from the perspective of protecting consumer and SME users and encouraging the adoption of cloud services.

2. Discussion on the content/scope of the work of the Expert Group

The following questions were discussed:

Which cloud computing services are particularly relevant for increasing the uptake of cloud services by European consumers and small firms (e.g. SaaS, PaaS, IaaS)?

Software as a service (SaaS) is the most relevant cloud service for consumers, while SMEs who may use cloud to reduce their costs may need all services (i.e. SaaS, PaaS, IaaS).
However, all cloud computing services are interrelated and therefore may be relevant for consumers and SMEs. These services are sometimes very difficult to dissociate. From a risk assessment point of view, all services are relevant and no distinction should be made between them. In summary, all these services play a role and therefore should be covered by the work of the Expert Group, although special attention should be given to SaaS.

Shall both paid and "free" cloud services be included? Is it necessary to make a distinction between these two categories of cloud computing services? Where should this distinction be drawn?

It was agreed that both paid and un-paid services are important and should be part of the work of the Expert Group. It was noted that often services are not free but offered against non-monetary consideration (e.g. personal data). Use of metadata by the providers should be considered. Paid services and services in exchange for a counter-performance other than a price should be treated differently. Providers' obligations regarding a "free service" should not be as high as for paid services. Otherwise "free services" will disappear from the market. In summary, both paid and un-paid services should be covered by the work of the Expert Group.
3. Topics to be covered by the Expert Group

The following sections provide a short overview of the main issues to be discussed by the Expert Group.

Pre-contractual information

A number of European directives regulate the area of pre-contractual information and establish a number of pre-contractual requirements. Consumer rights, data protection aspects and liability are considered important elements of pre-contractual information. In respect of data protection, it could be that cloud providers should be obliged to inform the customer for which kind of data processing (e.g. the processing of sensitive data) the offer is not suitable.

The way the information is presented is also important, and the ways in which information could be simplified and made easier for end-users to digest need to be considered. Icons are a potential way to reduce information, but for transparency reasons they should not be seen as a solution for everything. The problem of information overload needs to be considered. For example, lengthy terms and conditions could be used to "cover up" information. Providers could use a more "pedagogical approach" to indicate how a product could be used and what it was shaped for.

While pre-contractual information is important, its limitations should be borne in mind. For SMEs and consumers, comparing terms and conditions may be too burdensome. A third party could possibly give ratings. However, a third party review would have to be comparable. Too many regulations could be burdensome and may kill innovation. It is uncertain whether there is sufficient homogeneity in cloud services to allow for similar standards. Should small cloud providers face the same requirements for providing pre-contractual information as big providers?
Other methods, such as awareness raising campaigns, could be explored.

Availability of the service

The link needs to be considered between the description of the availability of the service and the corresponding consequences / remedies for non-performance, as well as between availability of the service and transparency of the information. All those elements are key considerations for SMEs as cloud users. In practice, availability of the service should cover at least the availability of the actual service, the possibility to access data and the possibility of re-using data.

Five key elements could be covered by "availability of the service": (1) time to respond; (2) time to repair; (3) the pro-active time to respond; (4) the availability of the service in percentage per month; and (5) the maintenance windows (i.e. scheduled maintenance).

It was agreed that issues related to the availability of the service and information, confidentiality and the integrity of data are interlinked and should be treated together. For consumers, a key consideration might not be permanent access to their data but rather access when they need data (i.e. the "main windows" issue: should the service be available 100% of all time or only 100% of the time the user actively uses the service). Data loss may be more relevant for individual consumers, while the availability of service is more relevant for businesses.
Different levels of the availability of the service could be associated with paid/unpaid services and/or with critical/non-critical services. The nature of the service should be taken into account in this context. It was agreed that getting into detail about the technical issues related to the technical measurements of the level of the service provided (which are usually set by Service Level Agreements) should be avoided by the Expert Group. It was agreed that the relevance of pre-contractual information and reasonable expectations of users for determining the required level of the service's availability should be considered.

The issue of the burden of proof of non-compliance with the prescribed levels of the service's availability needs to be addressed. In this context, it is important that there is the right to monitor the service. However, whether there is a need for service monitoring if a consumer is not interested in using the service at a given time should be questioned.

Modifications of the contract

This issue is closely related to the right to switch. After a modification, the other party should be given the possibility to switch to another provider. This party should be given a reasonable time to take its decision. What should be the proper time limit to switch after a modification of the contract? Should termination of the contract and switching be the only right available after a modification of the contract?

A distinction could be made between substantial and minor modifications. It was noted that according to some national laws there are limits on what you can change. It may be useful to examine whether consumers get something or not out of the modification. It could be argued that, provided the modification does not affect what the consumer used to get as a service, providers should be able to modify the contract. The reasons for the modification of the contract need to be examined, as the provider may have legitimate reasons.
It is important to find the right balance between the need for flexibility and the protection of the other party.

Switching: data portability upon switching

From a customer perspective, it is important to have the right to switch from one provider to another and the right to data portability. The issues related to data deletion or retention of data by the service provider are also important. It was agreed that the Expert Group should concentrate its work on the issue of deletion of data, which is extremely important from a data protection point of view. In this context, law enforcers' access to data stored by the cloud provider was seen as an important issue. Other issues include copies and back-ups and retention of metadata created by the cloud user.

Switching from one provider to another or transferring data is technically a difficult issue, and not all service providers have the necessary infrastructure. Switching often depends on the features of the operating system. It was underlined that portability covers not only the portability of the data but also the structure of the data. The format in which the data should be transferred is a key issue.
Whether portability is an absolute right or should depend on the type of service needs to be considered further. It could be argued that switching promotes competition. It is important to examine the circumstances that have led to the termination of the contract. A distinction could be made between paid and free services. Issues such as subcontracting, access to data and operational standards also need to be considered.

Liability for non-performance including remedies and penalties

The basic premise is that it is key for users/consumers to know precisely who is liable for the non-performance of the cloud service and what the available remedies are. Statutory remedies for breaches of data protection rules are relevant and should be taken into account. Is it possible to exempt the cloud user from its liability towards the data subjects in cases of personal data breaches on the side of the cloud provider? To what extent should breaches of contract other than breaches of the availability of the service also give rise to remedies?

The question needs to be asked which of the many cloud providers (and their subcontractors) in a chain should be liable towards the end-user. The possibility that the user should be responsible for limiting losses/risks associated with cloud services should also be considered.

It was agreed that there is a need to find a balance between costs and benefits (for all contractual parties) of remedies. A consumer should not face any unreasonable limitation of liability, especially those limitations which would be against the Unfair Terms Directive. The importance of global competition needs to be considered, as unlimited liability could compel providers to move outside the EU. From the perspective of an end-user, the practical limitations of the way the remedies are exercised are crucial as well.

It should be noted that the extent of liability may not be a key concern for some cloud providers, which focus rather on the level of service.
Those providers may take the view that a financial risk linked with potential damages can be solved by insurance. Sometimes even general professional indemnity insurance might cover such cases. In the case of breach of contract, it might be more cost-effective for a provider to pay a lump sum in compensation rather than restoring data from a backup. On the other hand, exposure to high damages may lead to insolvency of a provider, which can in turn create problems for the customer of cloud services (e.g. under German law the end-users are not entitled to get data back in the case of insolvency).

Cloud specific unfair contract terms

This issue has links with the various other issues discussed (e.g. related to modifications of the contract or limitation of liability). The control of fairness of terms, especially for un-paid services, is important. Proper transparency of those terms, as well as issues linked with their incorporation into the contract and (unilateral) contract modifications, are also important. However, it was acknowledged that these issues are not specific to cloud computing contracts but apply to all contracts which involve digital products.
The control of fairness of privacy policies (especially for free products) and the general interplay between the fairness legislation and data protection rules are also important. Examples of potentially unfair contract terms relevant for cloud services include force majeure clauses and clauses excluding liability, and time limits for claiming remedies/rights.

Data location and data security

The data location issue is closely linked to matters such as law enforcers' access, data security and transparency. Other related subjects were the protection of professional activities and secrets. For example, lawyers may want to know who has access to their data. If the confidentiality of privileged information and communication cannot be guaranteed by the cloud provider, this may inhibit the uptake of cloud computing services in this area.

What is important is not where data is located but from where data is accessible and who is guaranteeing the security of the cloud service. One could take the view that knowing where the infrastructure is located (e.g. to be provided in a list of locations) or the structure of the company would be more important than the exact location of the data at a specific time. Consumers should be made aware of how the process works, who operates the data centres and who has access to them.

Data location is important to determine the applicable law and define risks. Unlimited copying of data in long sub-processing chains could be seen as a major privacy risk. From a security point of view, it is important to know when the data is inside or outside the European Economic Area. To manage risk, it could be argued that data should be stored in the EU or in another place with the same security standards. It is, however, practically very difficult to control the location of the data due to the free movement of data and the involvement of several subcontractors.
In the cloud computing context, it is virtually impossible to inform consumers about the location of their data. It should be noted that data is also at risk during a transfer. In a transfer, data might go through third countries although it is sent from and stored in the EU. Encrypting such movements may be an option. ISO standards may not be adequate to secure the cloud environment.

There is a need to distinguish between B2C and B2B contracts. In B2C contracts, consumers had certain legal rights, while in B2B contracts SMEs would need to negotiate their rights.

Subcontracting

From a provider perspective, "subcontracting" raises some security issues. From the user perspective, "subcontracting" raises the issue of transparency and explicit consent for the use of subcontractors. Because of confidentiality, broad subcontracts should be prohibited. It is a conceptual mistake to believe that confidentiality could be guaranteed in extensive subcontracting chains. In contrast to integrity and availability, confidentiality is an issue that cannot be tested. This problem might become more sensitive when B2B contracts are concerned.

It is not certain that model clauses could be efficient for a sub-processor chain, i.e. for processor-to-processor transfers. Existing model clauses have not been able to tackle the situation, which often involves many contractors at the same level.
From the user point of view, it is crucial to know the obligations of the suppliers, their subcontracting policy and, in specific cases, the identity of the subcontractors and when and in which place a subcontractor performed. An option may be to grant the end-customer direct remedies against a sub-contractor.

In practice it is often very difficult to get a clear overview of business models. Another issue to be considered is the ownership of the data being generated and what a subcontractor could do with this data. It could be argued that the prime service provider should retain the contractual liability. However, in practice controlling the prime might be a mere fiction.

Summary

Hopefully the formation of the Expert Group and the deliverables of that group should assist consumers and SMEs to navigate through the typical contractual issues in cloud computing contracts. It should be noted that many of these issues should be familiar to those who deal regularly with information technology contracts. However, even in respect of those issues, the nature of cloud computing can create new or different risks, and consumers and SMEs will need to consider those issues afresh in the cloud computing context.

Dr Sam De Silva
Partner
Head of IT & Outsourcing
Penningtons Manches LLP, UK
Immediate Past Chair of UK Law Society's Technology & Law Reference Group
Member of EU Expert Group on Cloud Computing
6 October 2014

The information in this paper is not intended to constitute professional legal advice and should not be relied upon as such. Specialist legal advice should always be sought for your particular circumstance.
Article 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL
Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined
Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini
Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
How To Protect Your Data In The Cloud
Cloud Computing Hot topics in relation to security, liability and privacy Steven De Schrijver Cloud Computing : who and what is involved? Data Cloud Service Provider (e.g. SaaS, PaaS, IaaS) Sub-contractor
AIRBUS GROUP BINDING CORPORATE RULES
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
ARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive
Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
Application of Data Protection Concepts to Cloud Computing
Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective
Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
Data protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
Cloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?
10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction
Recommendations for companies planning to use Cloud computing services
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
Outsourcing: key legal issues and contractual protections
Page 1 Outsourcing: key legal issues and contractual protections Paul Jones May 2009 Introduction As the economic climate becomes more challenging, organisations in all sectors are looking to drive efficiencies
This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING
CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law
Checklist: Cloud Computing Agreement
Checklist: Cloud Computing Agreement crosslaw s checklists Date : 21 November 2015 Version 1.4 Tags : ICT Law Johan Vandendriessche Johan is partner and heads the ICT/IP/Data Protection practice. He combines
CLOUD COMPUTING GUIDELINES FOR LAWYERS
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
Data controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me?
EUROPEAN COMMISSION MEMO Brussels, 27 September 2012 Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me? See also IP/12/1025 What is Cloud Computing? Cloud
QUESTIONNAIRE ON CONTRACT RULES FOR ONLINE PURCHASES OF DIGITAL CONTENT AND TANGIBLE GOODS
QUESTIONNAIRE ON CONTRACT RULES FOR ONLINE PURCHASES OF DIGITAL CONTENT AND TANGIBLE GOODS Information about the respondent 1. Please enter your full name OR the name of the organisation / company / institution
The HR Skinny: Effectively managing international employee data flows
The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study
CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS
CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS CCBE guidelines on the use of cloud computing services by lawyers TABLE OF CONTENTS I. INTRODUCTION... 3 1. Scope of the guidelines...
LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS
LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS This document is a rough draft aiming at presenting key provisions, current clauses used in Cloud computing contracts and first drafts on possible
BCS, The Chartered Institute for IT Consultation Response to:
BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First
OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
The problem of cloud data governance
The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
Data Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle's Cloud Services
TELEFÓNICA UK LTD. Introduction to Security Policy
TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
Data Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
Outsourcing Risk Guidance Note for Banks
Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity's use of a third party (the
Cloud Computing in a Government Context
Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important
Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation
Position Paper Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT-12-064 Date: 3 September 2012 Related documents: Proposal for
Privacy and Cloud Computing for Australian Government Agencies
Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy
Cloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
LEGAL ISSUES IN CLOUD COMPUTING
LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
A Users Guide to the recast Late Payment Directive
DIRECTIVE 2011/7/EU ON COMBATING LATE PAYMENT IN COMMERCIAL TRANSACTIONS A Users Guide to the recast Late Payment Directive (OCTOBER 2014) Contents Contents.2 Summary...3 Summary of new measures 4 What
NSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4
Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015
2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection
Data Protection and Cloud Computing: an Overview of the Legal Issues
Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,
Contracting for Cloud Computing
Contracting for Cloud Computing Geofrey L Master Mayer Brown JSM Partner +852 2843 4320 April 5th 2011 Mayer Brown is a global legal services organization comprising legal
Standard conditions of purchase
Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out
ARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent
The Cloud and Cross-Border Risks - Singapore
The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in
Cloud Computing Contracts. October 11, 2012
Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best
BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994
BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 Ref: BR/14/2009 OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 INTRODUCTION
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
EUROPEAN ECONOMIC AREA
EUROPEAN ECONOMIC AREA STANDING COMMITTEE OF THE EFTA STATES Distribution: EEA EFTA 20 March 2012 SUBCOMMITTEE I ON THE FREE MOVEMENT OF GOODS EEA EFTA Comment
Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:
UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
Office 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division
Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Jason R. Baron Director of Litigation National Archives and Records Administration 1 Overview Cloud Computing Defined
August 2011. Report on Cloud Computing and the Law for UK FE and HE (An Overview)
August 2011 Report on Cloud Computing and the Law for UK FE and HE (An Overview) Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
Legal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
Insights into Cloud Computing
This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid
Proposed guidance for firms outsourcing to the cloud and other third-party IT services
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
BRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
REFORM OF STATUTORY AUDIT
EU BRIEFING 14 MARCH 2012 REFORM OF STATUTORY AUDIT Assessing the legislative proposals This briefing sets out our initial assessment of the legislative proposals to reform statutory audit published by
NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) Submission to WorkCover Western Australia. Legislative Review 2013
NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) ABOUT NIBA Submission to WorkCover Western Australia Legislative Review 2013 February 2014 NIBA is the peak body of the insurance broking profession
New EU Data Protection legislation comes into force today. What does this mean for your business?
24th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation (GDPR)
An introduction to European employment law for Japanese companies
Acquisitions issues to expect Employing staff in Europe An introduction to European employment law for Japanese companies For Japanese companies encountering the European employment law system for the
Guidance on the template contract for social impact bonds and payment by results
Guidance on the template contract for social impact bonds and payment by results Introduction These guidance notes have been prepared to assist users of the Cabinet Office template contract. The guidance
INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
Cloud Computing: Contracting and Compliance Issues for In-House Counsel
International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,
APES GN 30 Outsourced Services
APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: [DATE] Copyright 2012 Accounting Professional & Ethical Standards Board Limited (
CONSULTATION ON A POSSIBLE STATUTE FOR A EUROPEAN PRIVATE COMPANY (EPC)
EUROPEAN COMMISSION Internal Market and Services DG MARKT/ 19.07.2007 CONSULTATION ON A POSSIBLE STATUTE FOR A EUROPEAN PRIVATE COMPANY (EPC) Consultation by the Services of the Internal Market Directorate
General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES
General Terms of Public Procurement in Service Contracts January 2015 Contents Introduction...3 Issues to be observed in applying...5 General Terms of Public Procurement in Service Contracts ()...9 1 Definitions...9
Mobile App Developer Agreements
Mobile App Developer Agreements By Alan L. Friel Many companies that have had disputes with developers have been surprised to discover that the agreements signed, often without input from legal, failed
CONTRACT FOR THE APPOINTMENT OF AN APPROVED INSPECTOR
CONTRACT FOR THE APPOINTMENT OF AN APPROVED INSPECTOR CIC/AppInsp The Construction Industry Council - Association of Consultant Approved Inspectors contract for the appointment of an approved inspector
Financial Services Guidance Note Outsourcing
Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14
CONSUMER RIGHTS ACT 2015:
BRIEFING CONSUMER RIGHTS ACT 2015: COMPLIANCE GUIDE FOR BUSINESSES DEALING WITH CONSUMERS SEPTEMBER 2015 THE CONSUMER RIGHTS ACT 2015 WILL TAKE EFFECT FROM 1ST OCTOBER. THIS BRIEFING OFFERS A COMPLIANCE
General Terms of Public Procurement in service contracts JYSE 2009 SERVICES
General Terms of Public Procurement in service contracts November 2009 Contents Introduction...3
Cloud Computing. Patrick Van Eecke. Partner, DLA Piper Brussels Professor Universiteit Antwerpen
Cloud Computing Legal issues Patrick Van Eecke Partner, DLA Piper Brussels Professor Universiteit Antwerpen Cloud computing & the law Infrastructure as a Service Data storage e.g. Amazon S3 Platform as
Binding Corporate Rules (BCR) Summary of Third Party Rights
Binding Corporate Rules (BCR) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
Do you have a private life at your workplace?
Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli In the course of his supervisory activities, the EDPS has published positions on
Guidance for businesses that issue consumer contracts
1 Guidance for businesses that issue consumer contracts Please note: UTCCR's Explained was originally an OFT document. The following text is substantially taken from the OFT document, with for example
Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013
Public Record Office Victoria Cloud Computing Policy Guideline 1 Cloud Computing Decision Making Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table
