Cloud computing services are one of the hottest topics in the technology sector at present. In their most basic form, cloud services allow users to access software applications, computing platforms or infrastructure as a service through the Internet and to store data on suppliers' servers rather than maintaining their own infrastructure. Users and suppliers of cloud services will need to be alive to the key regulatory and contractual risks associated with cloud services.
In general, cloud services are not currently subject to specific regulation. This does not mean that the service itself is not subject to a range of laws and regulations. A high-level summary of the key legal and regulatory issues is set out below.
- Licensing requirements
Despite the lack of specific regulation, in certain jurisdictions the provision of cloud services will require the supplier to obtain a licence. For example, in China the provision of Software as a Service, Platform as a Service or Infrastructure as a Service will require the supplier to obtain a Type 1 Value Added Telecom Business Licence. From a user's perspective, proper due diligence on prospective suppliers' regulatory qualifications should be conducted.
Software as a Service means that customers access and use software (eg, applications for word-processing, spreadsheets, email, and customer relationship management) through the internet rather than storing it on local computers.
Platform as a Service means that the customer is able to use cloud-based computing platforms for deploying applications on the internet (to other third parties) without having to invest in and manage the underlying hardware and software.
Infrastructure as a Service means that customers can use computer infrastructure (eg, servers, software, data centre space and network equipment) as a service through the internet.
- Data protection
Export of data to other jurisdictions is usually heavily regulated. In addition to jurisdiction-specific data protection regulations, it may be important for users to require suppliers to handle personal data stored in the cloud in accordance with their instructions and to keep such data secure. Services involving regulated industries may be subject to stringent data protection obligations. These requirements will need to be reflected in the contractual arrangements to be entered into with the prospective suppliers.
- Information security
Users and suppliers alike should assess the potential liability for losing or leaking users' data. Suppliers that seek to limit their potential liability by including exclusion provisions in their contracts with users will need to closely scrutinise such provisions to ensure that they will be effective under applicable laws and yet represent the agreed distribution of risks. To cater for specific security demands, users and suppliers may consider whether a "private cloud" may be a better option.
- Service quality
Corporate and public sector users are usually keen to insist on appropriate SLAs, and the extent to which a supplier may restrict its potential liability from service outages may be limited. Audit rights are critical to corporate users in regulated industries, as they allow such users access to data for regulatory compliance purposes.
- Intellectual property rights
It is important to contractually clarify the ownership of new IPR and licence terms. In general, suppliers own new copyright/database rights created during the handling of users' data. However, users may insist on the ownership of new IPR created in relation to their data or licence rights to allow unrestricted use of such rights. In addition, suppliers should be prepared for sophisticated users to request an indemnity against claims made by third parties against the users in relation to their use of software provided by the supplier.