In an effort to meet one of the key objectives of the European Union's Cloud Computing Strategy - to develop model terms for cloud computing contracts, including service-level agreements - an industry working group that includes major cloud-computing suppliers such as Google, Microsoft, Amazon, and others has submitted guidelines governing Cloud Service Level Agreements (Cloud SLAs) to the European Commission. (For more information on the EU's Cloud Computing Strategy, please read our alert.)
Although the guidelines do not prescribe the content of Cloud SLAs, they do set forth an extensive list of terms - including definitions and descriptions - with the objective of standardizing definitions within the cloud computing industry. The guidelines acknowledge that some Cloud SLAs (particularly those involving large enterprises) may be negotiated individually, while others may be offered in boilerplate form that customers can accept or reject. In either situation, the guidelines are meant to provide consistency in terminology and metrics across agreements and across borders.
In addition to recommending that contracts be technology neutral, business-model neutral, and applicable to users across jurisdictions, the guidelines include a glossary of uniform principles and terms designed to allow customers to evaluate and compare SLAs more effectively. Among the contract terms covered in the guidelines are:
- Service level objectives. These objectives relate to cloud computing performance, such as service availability, customer support, response time, storage capacity, and termination (ensuring that data is not deleted prematurely).
- Security level objectives. These objectives seek to "improve both assurance and transparency" concerning such security measures as reliability (including backup/redundancy), encryption, access authentication, and security incident monitoring and reporting.
- Data management service level objectives. These guidelines standardize terms relating to data classification, life cycle (when data is deleted), and portability.
- Personal data protection service level objectives. Addressing situations in which the cloud service provider acts as a data processor on behalf of its customer, these objectives seek to ensure that personal data collected by the customer is managed (stored, retained, and potentially released) appropriately and in a manner consistent with applicable privacy regulations.
In its statement announcing the receipt of the guidelines, the European Commission indicated that next steps would include testing these guidelines with users, in particular SMEs, and submitting the guidelines for discussion by the European Commission's Expert Group on Cloud Computing Contracts as part of a larger discussion of other cloud-related activities - including the data protection Code of Conduct for cloud computing providers, which the Expert Group prepared and presented to the Article 29 Data Protection Working Party.
The guidelines will also be presented to the Cloud Computing Working Group of the ISO (the International Standards Organization) in order to present a European position to inform the ISO's effort to establish international standards on SLAs for cloud computing.
Although these guidelines are not yet mandatory, they do signal the EU's view that internationally enforced standards are critical to consumer trust and the ultimate success of cloud services, and that any entity - including those that are U.S.-based - will need to eventually adhere to those standards.