With more and more organisations looking to rationalise their IT estate and with the ongoing advancements in technology, such as the internet of things, the procurement of data centre services is now becoming a must for organisations ranging from the large to the small.
Data centre service providers are constantly grappling with the challenge of how to deal with vast amounts of data (which continues to grow) efficiently and economically.
The merger activities between key players in the data centre service provision market and the recent announcement by Google of its commitment to invest $2.5 billion in renewable energy evidence how this market is growing.
This article focuses on co-location services where the customer places its proprietary hosting infrastructure in the service provider’s premises. In this article I want to talk about some of the legal issues that arise in data centre procurements. Identifying and addressing these issues is key in any procurement of data centre services to ensure that, as a customer, your data and assets are secure, available and accessible.
One of the first questions that should be considered when procuring data centre services is whether as a customer you require a lease or licence.
To put it simply, the customer is effectively paying rent for some space and space services in premises in which there are other customers doing likewise. The legal mechanism to allow the customer to access and use the space is by way of a lease or licence.
The key distinction between the two is that a lease will provide the customer (aka the tenant) with exclusive possession. This tends to mean that the customer is provided with a walled or caged area to which only the customer has access. That is to say that personnel of the service provider will generally not be permitted to enter the defined space without the permission of the customer.
Under the Landlord and Tenant Act 1954 a tenant has the right to renew its tenancy at the end of the term if it occupies the space for the purpose of its business. Landlords seldom like this provision and often will require the customer to contract out of the statutory provisions.
The flip side to a lease is a licence. The analogy to be drawn is with taking a concession in a department store. Concessions have a defined boundary but tenants do not have exclusive occupation. A landlord can enter that space at will. Due to the sensitivity and security issues around co-location services, a customer may nevertheless seek to include provisions in the contract regarding access constraints to the space by the landlord and may even request that the area be caged. A balance should, however, be struck so that the constraints have not gone so far that the space is, in all actuality, exclusively occupied by the customer and in the eyes of the law is deemed to be a lease.
In my experience, for co-location services, customers tend to require a licence as opposed to a lease (unless, perhaps, they want to take a vast amount of space such as an entire floor). This makes the practicalities of providing the data centre services easier for the service provider.
Recovery and accessibility
Some organisations use their infrastructure located in data centres to run their core business operations, for example banks and retail organisations. Therefore when choosing a data centre services provider the customer will want to undertake sufficient due diligence to ensure that its data will remain secure, available and accessible.
Please see below for more on security. To ensure that data is available and accessible at all times, customers will want to be assured that recovery procedures are in place should there be a failure of the data centre in whole or in part, whether to the fabric of the building itself, to operational systems and equipment or in respect of logical security breaches. Service providers often respond to this by building resilience into their operations, which can include a secondary data centre.
In the event of a failure, the customer will want to be assured that the contract provides for failover either immediately or within a prescribed period of time, depending on its requirements. Where this is not the case, the contract should provide for appropriate remedies to be put in place by way of perhaps indemnities or liquidated damages. An outage could prove very costly to an organisation with perhaps a large customer base or where immediate access to data is a key business function (for example banking customers).
There are a number of aspects to be considered in respect of data centre security, both from a physical perspective and a logical perspective. These should be addressed in the contract.
From a physical perspective the customer will want to be assured that appropriate security mechanisms, processes and procedures are in place so that only authorised persons are able to gain access to the premises themselves and to the customer’s space.
From a logical perspective, the customer will want to be assured that the service provider’s operational systems (including its data centre infrastructure management systems) are sufficiently secure. It will want to be assured that the appropriate security firewalls and anti-virus systems are in place and that the systems are compliant with various industry standards. Again, the contract should cover this.
From a personal data perspective, the contract should contain obligations on the service provider in respect of the processing of such personal data sufficient to ensure that the customer is compliant with its obligations as data controller under the Data Protection Act 1998. Service providers may assert that they are not processing personal data if they are providing a “remote hands” only service; however, good practice is to include such provisions should it transpire that any data processing has taken or is taking place.
It should be noted that the new General Data Protection Regulations are to come into force in the next couple of years. It is quite certain that amongst other matters they will introduce a single legal framework that applies across all EU member states. This means that businesses will face a more consistent set of data protection compliance obligations from one EU member state to the next. They are also expected to include statutory obligations on data processors.
With the continuous increase in data storage requirements, customers should plan and provide in their contracts for an increase in their footprint of the space used at the data centre premises. The contract should provide for this in its charging mechanism and it should also provide for the space to be contiguous, where this is a requirement of the customer.
From an operational and service management perspective, the customer should ensure that the contract provides for the measurement of appropriate service levels together with a service credit regime to incentivise the service provider to meet the service levels.
Service credits are a form of liquidated damages and as such, care should be taken to ensure that they are not drafted as a penalty. It should also be noted that they may therefore also operate as a cap on liability. Service providers often seek to impose a cap on the amount of service credits that can accrue. If service credits are determined by a court to be liquidated damages, the courts may strike down the provision as being unenforceable.
Care should also be taken to ensure that in the event of serious underperformance, additional rights and remedies are available under the contract, such as the right to terminate the contract and/or claim additional damages.