Kinds of transaction
What kinds of cloud computing transactions take place in your jurisdiction?
All manner of cloud computing transactions take place in the United States, including public, hybrid and private cloud models and software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) models. There is a growing trend in both the private and public sectors to utilise cloud offerings not only for the benefits of such offerings over legacy models, but out of necessity, as a growing number of products and services procured by businesses and governmental entities are being replaced by cloud-only offerings.
The most common examples of public cloud offerings are service providers who provide software applications (ie, SaaS) and data storage to the general public. By comparison, the most popular private cloud offerings are IaaS, which permits a customer to access IT infrastructure services as a service, and PaaS, which can include a variety of services from simple cloud-based applications to more sophisticated enterprise applications. As noted above, because cloud offerings have begun largely to replace legacy offerings, in practice, most customers implement and integrate public and private cloud offerings to create a hybrid cloud environment.
In addition to the considerable cloud offerings available to the private sector in the US, there are a number of notable government platforms for cloud computing, including Amazon Web Services (AWS) GovCloud and Microsoft Azure Government. These platforms address the specific regulatory and compliance requirements required by government agencies and customers, including adherence to the US International Traffic in Arms Regulations requirements. See:
- www.wired.com/insights/2012/08/5-coolest-gov-cloud-projects/;
- https://aws.amazon.com/govcloud-us/;
- https://azure.microsoft.com/en-us/global-infrastructure/government/; and
Active global providers
Who are the global international cloud providers active in your jurisdiction?
Generally speaking, all of them. The largest include AWS, Microsoft Azure, Google Cloud, IBM Cloud, and Salesforce.com; smaller providers (as measured by market share) include Rackspace, Oracle, NTT, Fujitsu, Alibaba and HP Enterprise. See www.zdnet.com/article/cloud-providers-ranking-2018-how-aws-microsoft-google-cloud-platform-ibm-cloud-oracle-alibaba-stack/.
Active local providers
Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?
Many of the ‘local’ cloud providers are the same as the global international cloud providers listed above. Although some global international cloud providers, such as Alibaba, do not have headquarters in the US, they typically have data centres and other operations in the US.
How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?
Cloud computing is very well established in the US. According to some projections, worldwide spending on public cloud offerings alone - of which the US market constitutes a material portion - is expected to increase from US$67 billion in 2015 to US$162 billion in 2020. The US federal government is expected to exceed US$10 billion in spending for cloud computing by 2023.
The largest players in public cloud offerings - particularly private data storage - are Amazon Web Services, Microsoft, IBM, Google, and Oracle. See:
- www.forbes.com/sites/louiscolumbus/2017/04/29/roundup-of-cloud-computing-forecasts-2017/#6eb471b931e8; and
Are data and studies on the impact of cloud computing in your jurisdiction publicly available?
There are many publicly available studies about the impact of cloud computing in the US. These studies indicate that the impact has been considerable and will continue to grow over the next five years. For instance, according to a cloud computing study by IDG Communications, 73 per cent of 550 surveyed organisations had at least one application or a portion of their computing infrastructure in the cloud; the average environment included 53 per cent non-cloud infrastructure and 23 per cent SaaS, 16 per cent IaaS, and 9 per cent PaaS resources; and more than a third of respondents felt pressure to migrate 100 per cent to the cloud (see www.idg.com/tools-for-marketers/2018-cloud-computing-survey/ and www.infoworld.com/article/3297397/cloud-computing/cloud-computing-2018-how-enterprise-adoption-is-taking-shape.html). As previously reported by Forbes, market intelligence firm IDC has stated that cloud computing is growing at 4.5 times the rate of IT spending since 2009 and is expected to grow at more than six times the rate from 2015 to 2020 (www.salesforce.com/assets/pdf/misc/IDC-salesforce-economy-study-2016.pdf).
As noted above, as cloud offerings are very rapidly becoming the default, legacy offerings such as on-premises solutions and traditional models of IT outsourcing are both less in demand and less available.
Encouragement of cloud computing
Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?
Yes. Policy in this area tends to focus on moving government agencies to cloud services. One example is the Cloud First Initiative, launched by former US government CIO Vivek Kundra, which aimed to cut waste and increase efficiencies within the US federal government’s technology services by reducing government IT expenditures by US$4 billion over the next two years (www.wired.com/insights/2012/08/5-coolest-gov-cloud-projects/). As one result of this initiative, the General Services Administration, the federal government’s procurement agency, has developed a number of resources to assist government agencies in procuring cloud services (www.gsa.gov/portal/content/190333). The current administration has continued these efforts by working to implement the Modernizing Government Technology Act, which has, as one of its goals, transitioning legacy IT systems to commercial cloud computing platforms, particularly platforms serving more than one covered agency with common requirements (www.whitehouse.gov/wp-content/uploads/2017/11/M-18-12.pdf). And, in 2017, President Trump signed an Executive Order on cybersecurity mandating that federal systems move to the cloud (www.geekwire.com/2017/trump-cybersecurity-cloud/).
Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?
In addition to the policies discussed generally above, certain development and government grants and other incentives promote technological investment, which increasingly means cloud services as a default. For example, the US federal government’s Centers for Medicare & Medicaid Services established Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to encourage eligible healthcare providers to adopt, implement, upgrade, and demonstrate meaningful use of certified EHR technology. The availability of these ‘meaningful use monies’ has spurred a lot of spending on EHR systems, which nearly always involve some cloud computing components.
Legislation and regulation
Recognition of concept
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
From a legal perspective, cloud computing is principally dealt with in commercial contracts and, therefore, governed by contract law, which is generally a matter of state law (as opposed to federal law) in the US. Additionally, cloud computing implicates numerous federal and state laws drawn to specific related topics or issues, including data security laws, data breach and notification laws, data transfer laws and various data-specific regulations, like those addressing the processing, storage and use of healthcare information, financial transaction information and other confidential information. These laws are addressed in more detail in the sections below.
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
We are not aware of any laws or regulations that ‘directly and specifically prohibit, restrict or govern’ cloud computing. However, there are numerous federal and state laws that indirectly impact cloud computing services, as discussed further below.
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
While we are not aware of any laws or regulations specifically addressing cloud computing per se, there are numerous federal and state laws that indirectly impact cloud computing services.
State privacy laws
Generalised data privacy and data breach notification laws in the US are generally a matter of state law (as opposed to federal law). All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have specific breach notification laws (www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx). These laws differ in significant respects as to how and when notification requirements are triggered, and whether and how cloud computing is implemented in any given scenario affects how these laws are applied to determine parties’ rights and obligations.
Federal privacy laws
There is no comprehensive US federal law regarding generalised data privacy or security or data breach notification. Instead, there are various sectoral federal laws imposing regulation on data security for certain types of information, including information that is often stored in the cloud.
Certain US regulatory frameworks require data owners to ensure that their third-party service providers are capable of maintaining the privacy and security of personal information entrusted to them. This is typically accomplished through the use of contractual provisions mandating particular security measures. Three federal privacy laws that restrict the activities of service providers are the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191; the Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338, codified in relevant part at 15 U.S.C. §§6801-6809 and §§6821-6827; and the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99.
Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA’s Privacy Rule, an entity may not use or disclose protected health information (PHI) except as permitted or required by the Rule, or as authorised in writing by the individual affected. HIPAA’s Security Rule complements the Privacy Rule and deals specifically with Electronic PHI. This Rule lays out three types of security safeguards required for compliance: administrative, physical and technical. The Rule identifies various security standards for each of these types. Required specifications must be adopted and administered as dictated by the Rule. The HITECH Act provisions are also applicable as they have expanded and enhanced HIPAA privacy and security rules.
Further, any HIPAA-covered entity would first have to negotiate and enter into a business associate agreement with a cloud provider before the cloud provider could store records containing PHI in a cloud computing facility as such cloud providers would be ‘business associates’ under HIPAA. In some cases, HIPAA’s substantive requirements could conflict with the cloud provider’s operations or terms of service, and a covered entity would risk a HIPAA violation by using such a provider to store or process PHI.
The Gramm-Leach-Bliley Act (GLBA)
For entities subject to the GLBA, the use of a cloud provider would be subject to similar restrictions. The GLBA’s Privacy and Safeguards Rules restrict financial institutions from disclosing consumers’ nonpublic personal information to non-affiliated third parties. Any such disclosures that are permitted under the GLBA are subject to numerous restrictions under both the Privacy Rule and Safeguards Rule. Pursuant to the Privacy Rule, prior to disclosing consumer personal information to a service provider, a financial institution must enter into a contract with the service provider prohibiting the service provider from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Under the Safeguards Rule, prior to allowing a service provider access to customer personal information, the financial institution must: (i) take reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards (ie, the entity must undertake appropriate due diligence with respect to the service provider’s data security practices); and (ii) require the service provider by contract to implement and maintain such safeguards.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects student personally identifying information collected by educational institutions and associated vendors. These institutions must have the student’s consent prior to disclosure of personal data, including grades, enrolment status or billing information. FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records; rather, FERPA requires schools to use reasonable methods to ensure the security of their IT solutions, which includes cloud providers.
Also, although not a US law, the EU’s General Data Protection Regulation is commonly interpreted to have a significant effect on the operations of US entities and interests, which effect often implicates use of cloud computing resources to collect, process, and store personal information (www.businesswire.com/news/home/20180815005111/en/Gartner-Survey-Cloud-Computing-Remains-Top-Emerging).
In addition to official laws and regulations, there are certain industry standards implicated by cloud computing that are so commonly adopted and implemented that they are treated effectively as official regulations would be in a commercial transaction. For example, the Payment Card Industry Data Security Standard (PCI DSS), which is referenced as a standard by some state laws, was jointly developed by payment card companies to simplify compliance for merchants and payment processors. It has six core areas and 12 requirements that cover best practices for matters such as perimeter security, data privacy and layered security. As a practical matter, any cloud-based application that processes payment card transactions typically must comply with PCI DSS.
Breach of laws
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
Violations of the laws and regulations identified above are typically addressed by fines and penalties, which can be significant, particularly if tallied on a per violation basis across any appreciable volume of business. For example, penalties for violations of HIPAA’s data security provisions can range from US$100 per violation for an unknowing violation to fines of US$250,000 per violation and imprisonment up to 10 years for the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm. See:
- www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html; and
Consumer protection measures
What consumer protection measures apply to cloud computing in your jurisdiction?
We are not aware of any consumer protection measures specific to cloud computing, but general consumer protection measures could apply to cloud computing products and services (eg, cooling-off periods, implied warranties covering quality and performance, restrictions on excluding and limiting liability, dispute resolution and venue for proceedings in the consumer’s jurisdiction, governing law and other mandatory or overriding local laws for the benefit of the consumer). These protections are typically a matter of state (as opposed to federal) contract and consumer protection laws and enforcement actions and initiatives of state attorneys general (ie, the chief lawyers and law enforcement officers in each state) and vary from state to state.
At the federal level, consumer protection generally is handled by the Federal Trade Commission (FTC). The FTC has broad jurisdiction to regulate unfair or deceptive acts or practices in or affecting commerce. In the area of cloud computing, the FTC is most concerned with issues of privacy and security of consumer data.
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
As discussed in more detail above, relevant federal laws in particular tend to be sector-specific: the GLBA and PCI DSS are relevant to the financial sector, HIPAA and HITECH are relevant to the healthcare sector, and FERPA is relevant to the education sector.
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
We are not aware of any insolvency laws that apply specially to cloud computing. In practice, the issues that typically arise in this context are whether and to what extent data held on third-party servers are ‘assets’ of a debtor subject to the automatic stay that generally halts actions by creditors to collect debts from the debtor. For example, different questions arise when a cloud service provider files for bankruptcy (eg, is third-party data held on its servers part of the bankruptcy estate or how does the third party who owns the data recover it) versus when a data owner files for bankruptcy (eg, can a non-debtor cloud service provider delete or alter the debtor’s data unilaterally or does it need relief from the bankruptcy court to do so?).
Data protection/privacy legislation and regulation
Principal applicable legislation
Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.
As discussed above, at the federal level, data protection and privacy legislation is addressed sectorally, by laws such as HIPAA, GLBA and FERPA. Additionally, the Children’s Online Privacy Protection Act is a federal law enforced by the FTC that governs the online collection of information from children under the age of 13. See www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule.
State laws typically address data protection and privacy more generally, with laws varying from state to state. As noted above, many states have data breach notification laws. Other relevant state laws include:
- the California Shine the Light law, which, among other things, addresses the practice of sharing personal information of consumers for marketing purposes;
- the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, which, among other things, provides security requirements for organisations that handle private data of payment card residents;
- Illinois and Texas laws governing the collection and use of biometric data; and
- the Illinois Geolocation Privacy Protection Act.
Additionally, the California legislature passed a broad digital privacy law in 2018 as the first US law approaching generalised data regulation similar to that seen in the EU. This law is not set to go into effect until January 2020 and is expected to be modified before then, but it is likely to significantly change the landscape for generalised data regulation in the US (www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html).
Cloud computing contracts
Types of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
Cloud computing contracts typically manifest in different forms and draw on different legacy contracts and precedents depending on the particular vendor, offering and customer. For example, cloud computing contracts can resemble legacy software licence agreements, legacy managed services or hosting agreements, and limited purpose outsourcing agreements. As cloud services become more and more commoditised, cloud computing contracts are increasingly being presented by vendors as click-wrap agreements that are little- to non-negotiable agreements or as otherwise negotiable agreements that have significant portions that are designated as non-negotiable (eg, links to click-wrap maintenance, warranty, service level, acceptable use and privacy terms).
Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?
It is common practice in the US to choose as the governing law of a B2B public cloud contract the law of the state where one of the parties is located, typically the vendor (ie, where the party is headquartered or has a principal place of business). The governing law provision typically also includes a specific statement that the named state’s choice of law principles should not apply. This statement is important because one state’s choice of law principles may mandate application of another state’s laws under the circumstances, which would subvert the intent of choosing the state’s law to apply. Also, it is common to include an express statement that the UN Convention on Contracts does not apply, usually because the parties are more familiar and comfortable with US case law. As an alternative to the law of the state where one of the parties is located, the parties may choose a neutral state’s law to apply. Common choices for a neutral state with significant commercial contract case law include New York and Delaware.
It is common practice in the US to choose a specific city or county located within the state that was chosen for the governing law as having exclusive jurisdiction over a dispute relating to the contract.
In cloud computing contracts, there are a number of cross-border issues, particularly relating to data protection laws.
Dispute resolution tends to include some mechanism for internal dispute resolution, which may be pro forma or more meaningful, followed by either arbitration or litigation. Whether the parties agree on arbitration or litigation depends on the parties’ experiences and preferences.
Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?
Typically there are subscription fees for the cloud service that are invoiced monthly. Certain professional services may be offered and are typically billed as a fixed fee or on a time and materials basis. Professional services could include implementation, integration, training, support, enhanced maintenance (beyond that covered by the subscription fees), customisation or data analysis.
Cloud agreements generally contain audit provisions to ensure compliance with billing or payment obligations. However, audits may also be directed to other issues, such as regulatory and compliance, quality, and security. The audit provision typically specifies parameters and limitations for the audit (eg, during business hours, once per year), use of a third-party professional, such as an accountant, confidentiality and limited use of results of an audit.
Either party (most commonly the vendor) or, in some cases, both parties may be required to obtain and maintain specified levels of insurance during the term of the agreement (eg, commercial general liability, errors and omissions) and cyber insurance that specifically covers a data breach. These provisions typically require the other party to be provided with a certificate of insurance or the actual policy (to confirm scope of coverage) and to be named as an additional insured.
Typical acceptable use restrictions include:
- personnel limitation: the service can only be used by the customer and the customer’s employees, and whether or not affiliates or subcontractors are included is negotiated;
- maximum number of users;
- no reverse engineering;
- internal business purposes only;
- no modifying or creating derivative works;
- no interference with use of the platform by other users;
- no testing the platform for vulnerabilities, regardless of motive;
- no use that infringes or violates the rights of third parties (eg, intellectual property or privacy rights);
- no use for an unlawful purpose;
- no use to harass, defame or abuse a third party; and
- no posting of obscene, profane, sexually explicit, violent, threatening or discriminatory content.
Often the cloud provider will include as a remedy its ability to suspend or terminate the service for any breach of the acceptable use restrictions.
Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?
Data and confidentiality (generally)
Most cloud computing contracts include mutual confidentiality provisions. The definition of confidential information is categorical, but may include specific items each party wants to protect as confidential information (eg, the customer’s data). Obligations of confidentiality typically survive termination or expiration of the agreement, and it is not uncommon for this survival to have a sunset (eg, five years after termination or expiration), with or without express carve-outs for trade secrets. In recent practice, the US federal Defend Trade Secrets Act requires certain language to be included in agreements to make clear that individuals may share confidential information with attorneys or with law enforcement in connection with whistle-blowing activities. Because this language must be included to preserve certain remedies in the event of a trade secret claim later, this language is more and more often being added to agreements that include confidentiality provisions.
Customers typically request an express statement that they own all their data and are only granting the cloud provider the right to access, use or manipulate the data as required to provide the cloud service. Cloud providers often want to have rights to aggregate and use customers’ data; this is a point of negotiation in some cases.
Customers typically want their data backed up by the cloud provider, with visibility into the process and geography implicated by the back-up, and commitments (ie, warranties) regarding frequency, recovery point objective, recovery time objective and periodic restoration testing. Typically, upon termination of the agreement, cloud providers are obligated to promptly return all data to the customer, in an agreed-upon format (preferably a standard format) or to certify destruction in writing after return of the data and confirmation by the customer that the data are accessible.
Premises and data security
This can vary widely. For data centres, customers look for electrical sources and generator backups, cooling, humidity and temperature controls, internet connectivity, physical security (video cameras, locks and access badges, escorted visitors, security personnel stationed there), information security (firewalls, passwords, encryption, etc), maintenance and redundancy. Customers usually require third-party security audits such as SOC 2 or SOC 3.
Data disclosure is typically limited only to employees or agents who have a ‘need to know’ for the purpose of the agreement and who have signed a confidentiality agreement or are bound by professional obligations of confidentiality.
Disclosures may only be made if required by law (subpoena, court order, etc) so long as the party that received the data provides notice to and cooperates with the party that disclosed the data to the receiving party so that the disclosing party can seek to fight the disclosure.
Location of servers and data
Customers typically want the data to stay in their jurisdiction (ie, stay inside the US) and commonly vendors will not be able to move the location of servers or data without prior written approval from the customer.
Cross-border data transfers
There are numerous laws and mechanisms governing cross-border data transfers. The most recent is the EU-US Privacy Shield.
Typical terms covering liability
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?
Representations and warranties
Typical representations and warranties in a cloud computing contract fall into three categories: ability to enter or perform the agreement generally, service-related and software-related.
The first category of representations and warranties is directed to the parties stating that they have the ability to enter into the agreement, they have all the rights necessary to grant the rights granted therein, they aren’t under any pre-existing agreement that would limit their ability to perform this agreement, they will not enter into any agreement that would limit their ability to perform this agreement, and they will comply with all applicable laws (including data breach notification laws).
The second category of representations and warranties targets the performance of services under the agreement. Generally, the vendor is required to represent and warrant that it will perform all services in a good and workmanlike manner, with qualified personnel having the skill required of the industry, it will replace any unsatisfactory personnel (if applicable) and re-perform any unsatisfactory services, and it will use its established, industry-standard methodologies to provide services. The vendor may also expressly warrant that it will meet its service levels.
The third category of representations and warranties targets the software components of the cloud service. Typically the vendor will represent and warrant that there is no malicious code or virus within the cloud software, and that the software itself (and use of it) does not violate any third-party intellectual property right (eg, patents and copyrights). Open source representations and warranties may be appropriate or not depending on the offering.
Limitation of liability
The limitation of liability provision is closely connected to the indemnification provisions and addresses qualitative limits on type of damages and quantitative limits on amount of damages. The limit on type of damages typically excludes indirect, consequential, special, incidental and punitive damages and may expressly exclude lost revenues or profits, loss of use and loss of data. The limit on amount of damages can be set at a specific number or it can scale (eg, with reference to the amount paid or payable under the agreement (or some multiple thereof)) over a certain period of time. Typically, when the quantitative limitation of liability references amounts paid or payable over some period of time, there is also some reasonable floor to cover a significant liability in the early part of the contract term when payments have not accrued sufficiently to cover such a liability.
Often there are exceptions to the limitations of liability for specific items, such as breach of an obligation of confidentiality or data security or privacy, indemnification obligations, misuse of intellectual property, bodily injury (including death) and injury to personal or real property (not unusual to see, but less likely to be relevant in a cloud computing agreement), fraud, gross negligence or wilful misconduct. The parties typically will spend a lot of time negotiating the limit on liability exceptions. An alternative is to set a separate (often higher) limit for these items (rather than excepting them from any limitation of liability).
The indemnification provision typically includes an obligation to indemnify and hold the other party harmless for certain enumerated circumstances. Often the indemnification provision includes an obligation to defend, though this depends on the offering and the parties.
Indemnified parties are typically defined to include the parties to the agreement, their affiliates and their directors, officers, employees and successors. This list can be expanded to include subcontractors, suppliers, and customers, under certain circumstances.
The items for which a party (typically the vendor, but in some circumstances the customer) has an indemnification obligation in cloud computing contracts typically include:
- breach of the agreement (or, more specifically, breach of a representation or warranty);
- IP infringement claims;
- tort actions (ie, bodily injury, death or damage to personal property) due to acts or omissions of a party;
- fraud, gross negligence and wilful misconduct;
- breach of confidentiality;
- breach of data security provisions or data breach; and
- violation of law.
Also addressed in the indemnification provision is the procedure for obtaining indemnification, including terms for notice, cooperation and the right to participate in the defence.
Service-level agreements (SLAs)
SLAs typically address availability (uptime), latency, incident response times and work levels until resolution, and backup and restoration procedures.
The single most common SLA is availability, and some vendors, if they offer any SLAs, will offer only an availability SLA. It is common for a vendor to qualify an availability SLA with a commitment to use ‘commercially reasonable efforts’ to achieve a stated availability (though this is often objected to by the customer). The availability SLA commonly has exclusions for scheduled and emergency maintenance and force majeure events, and specific notice and reporting to customer in preparation for downtime. Customers will want vendors to self-monitor and report compliance with SLAs to the customer, whereas the vendor will want customers to have to monitor (or ‘feel’) and report suspected SLA failures to the vendor.
Often the remedy for a breach of an SLA will be limited to the vendor providing a service credit to customers.
Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
Typically, the cloud vendor owns the software underlying the cloud computing services and any software the vendor makes available for direct use by the customer. The customer typically owns all its data and provides a licence right to the cloud vendor to access and use the data as needed to provide the service.
If there is any development work or customisation work, the parties typically negotiate ownership rights. Typically, the customer will own all right, title, and interest in and to all work product created under the agreement specifically for the customer, and the vendor will name the customer as ‘the person for whom the work is prepared’ and designate the work product as a ‘work made for hire’. The vendor should also assign all of its right, title, and interest in and to such work product to the customer, in case any work product does not meet statutory requirements to be a ‘work made for hire’, and provide further assurances from itself and its employees as necessary to vest ownership rights in customer. Typically, the vendor will also give a licence to any of its background technology that is used in the work product.
As discussed above, IP infringement is typically addressed via a representation and warranty that there is no infringement or by an indemnification obligation for third-party IP infringement claims.
Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?
Termination for cause
There is typically a mutual right of termination for cause (ie, for a material breach of the agreement by the other party that has not been cured for a certain period of time since notice of the material breach, eg, 30 days). The parties may specifically identify certain breaches that are deemed material breaches in order to forgo any dispute over materiality later. For example, the customer may seek an express termination right if the vendor catastrophically fails to meet an availability SLA.
Termination for convenience
Often the customer will want a termination for convenience clause, which allows the customer to terminate the agreement at any time and for any reason, upon written notice to the vendor. A termination for convenience right can greatly help to mitigate a customer’s risk in a contract. Vendors very commonly object to a customer’s right to terminate for convenience. For a vendor to accept a customer’s right to terminate for convenience, there is typically a liquidated damages term (ie, an early termination fee). The amount of the fee varies.
Survival of terms
The parties typically stipulate which provisions survive termination of the agreement. Often, the parties want terms for confidentiality, IP ownership, dispute resolution, limitations on liability and indemnification to survive termination.
The customer typically will seek some level of transition services upon expiration or termination of the agreement, which typically include an extension of cloud services for a set time after termination, such as 30-90 days, so that the customer will still have access to the cloud solution while it transitions to a replacement provider. Transition services typically also include a provision that the vendor will cooperate as necessary with the replacement provider in order to assist with the transfer of the customer’s data and operations.
Effect of termination
The parties typically include in an ‘effect of termination’ provision terms that require the return or deletion of all data and confidential information of the other party, and transfer of all deliverables, whether complete or in progress, from the vendor to the customer.
Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
There is typically a provision that states that the parties are independent contractors and not in an employment or joint venture relationship, with an express statement that neither party has the ability to bind the other party. Less common is a provision that distinguishes between working hours and non-working hours for non-exempt employees under the Fair Labor Standards Act.
Applicable tax rules
Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.
In general, taxation is divided into income tax issues, gross receipt tax issues and sales tax issues. As applied to taxation of cloud computing offerings, the nexus for each category of issues may be different, and how to calculate the tax impact of a certain offering varies for the type of tax and the tax authority involved. For example, as a sales tax, a city such as Chicago might tax cloud usage depending on the type of usage by classifying it as a remote taxable lease, whereas a city such as New York might classify certain cloud usage as a non-taxable service, certain cloud usage as a taxable remote lease and other cloud usage as a taxable information service.
Some of the considerations that affect these issues include the ownership of intellectual property in the cloud; the locations of the vendor and the customer; different tax authority definitions applicable to the cloud offering or the business model under which the offering is made; how much of the offering can be characterised as a service versus tangible personal property; how much of the offering can be characterised as software versus goods and services; and whether implicated software is off-the-shelf versus customised.
Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.
See question 24.
Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) (H.R. 4943) was enacted on 23 March 2018. The CLOUD Act amends the Stored Communications Act of 1986 (SCA) to allow federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the US or foreign jurisdictions.
One of the motivating forces behind the CLOUD Act was United States v Microsoft Corp. In that case, federal law enforcement agents applied for a warrant requiring Microsoft to disclose all emails and other information associated with the account of one of its customers. Microsoft resisted the warrant because the account’s email contents were stored in its Dublin data centre. The district court held Microsoft in civil contempt for refusing to comply with the warrant, but the appellate court vacated the civil contempt. The case was on appeal to the Supreme Court of the United States when the CLOUD Act was passed. With the enactment of the CLOUD Act, the government procured and served a new warrant pursuant to the new law, which the parties agreed replaced the original contested warrant. This replacement warrant rendered the parties’ dispute moot, so the Court vacated the ruling on review and remanded the case with instructions to dismiss. See United States v Microsoft Corp, 138 S. Ct. 1186 (2018).
On 6 June 2018, IBM Corp and SAP SE announced plans to launch an edition of the SAP Cloud Platform running on the IBM Cloud for private cloud deployments. The companies said the collaboration would help clients in regulated industries build new applications in the cloud without jeopardising security and control (www.ibm.com/blogs/cloud-computing/2018/06/06/ibm-sap-cloud-partnership/).
On 27 August 2018, Amazon and VMware introduced a version of Amazon’s cloud-based database management software aimed at companies that use on-premises data centres. Amazon and VMware started working together on a combination of cloud and on-premises technology in October 2016.
Update and trends
What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?
The main challenges facing cloud computing in the US are the same as those faced by jurisdictions worldwide. Adoption of cloud computing offerings in replacement of legacy resources will continue in view of the favourable economies for both vendors and customers. Data privacy and protection issues, both in terms of practical implementation and legal compliance, will remain among the most significant issues related to cloud computing.
The California legislature passed a broad digital privacy law in 2018 as the first US law approaching generalised data regulation similar to that seen in the EU. This law is not set to go into effect until January 2020 and is expected to be modified before then, but it is likely to significantly change the landscape for generalised data regulation in the US (www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html).