Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts may adopt various forms. On the Belgian market we see a wide range of cloud contracts, ranging from IaaS, PaaS, SaaS to XaaS contracts.

Whereas the public cloud contracts are typically standard agreements which may be difficult to negotiate (ie, for SMEs), we see an increased willingness at the vendor side to negotiate cloud contracts that govern a more complex or tailored service delivery or which are part of a larger outsourcing deal.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

It is standard in B2B public cloud computing contracts to include provisions governing the applicability of the law and the competence of the courts. In public cloud computing contracts, the provider will often opt for the laws and courts of its country of origin (ie, its place of establishment). If the same set of terms is used on an international level, often a distinction is made between regions whereby for each region (eg, US or EU) one governing law and competent forum is designated.

Detailed dispute resolution procedures are common in complex cloud computing contracts but are less frequently included in public cloud computing agreements.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Most public cloud computing providers adopt a subscription-based commercial model whereby the customers pays upfront (eg, on a monthly, quarterly or annual basis) for its right to use the public cloud service. A number of public cloud computing also apply a pay-per-use model whereby the customers pays at the end of the month for the consumed resource units. Whereas payment terms are often fixed and short (ie, 30 days), prices are subject to change on a regular basis, whereby the customer can terminate in case of disagreement with the price increase.

Nearly all public computing contracts contain an acceptable use policy, the breach of which often allows the cloud computing service provider to suspend or terminate the public cloud computing contract with the customer.

As public cloud computing is typically offered under a one-to-many service model, most public cloud computing contracts contain clauses allow the provider to unilaterally change the services and terms of the agreement in order to have flexibility to reflect changes to the services in the contractual documents. Most contracts, however, specify that such changes may no lead to a material reduction of the quality of the services. Furthermore, often exceptions exists for the more legal terms and conditions and data processing arrangements, of which a unilateral modification would be more difficult to justify. The typical variation clauses are also likely to be further scrutinised in light of the new Belgian Act of 4 April 2019 on unfair B2B terms. Indeed, the risk entailed by the new Belgian Act is that unilateral variation clauses could be considered as unfair, and hence be declared as null and void. Determinant criteria in this perspective will notably be the market size of the service provider and of the customer, as well as the scope of the ‘variation’ from which the service provider benefits.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Nearly all public cloud providers process personal data of the customer when providing their cloud services, as a result of which nearly all public cloud contracts contain a data processing agreement attached it, containing the typical safeguards imposed by the GDPR, including arrangements in relation to security, data breaches, data integrity, destruction of data, international transfer of data, technical and organisational measures taken, etc.

Several public cloud computing providers allow customers to choose the region in which their customer data is being hosted (eg, western Europe), as a result of which a customer is ascertained that its data does not reside outside the EU. Nonetheless, it must be remarked that most public cloud computing providers adopt a follow-the-sun-model to provide support to customers, as a result of which customer data will most likely still be accessible by (and thus processed by) the provider outside the EU, in which case appropriate safeguards need to be put in place. In light of the recent judgment of the Court of Justice of the European Union of 16 July 2020 in the Schrems II-case (in which it invalidated the EU–US Data Protection Shield), it needs to be seen how public cloud computing providers will respond to this judgment and  continue to organise their service in a compliant way.

Finally, more general confidentiality obligations are also common in public cloud computing contracts, whereby typically all information made available by the public cloud computing provider is marked as confidential.  Several public cloud computing providers also include clauses that allow them to aggregate customer data to prepare service analyses and monitor the functioning of their services.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

All cloud computing contracts contain a limitation of liability for the cloud computing service provider. A number of cloud computing contracts also contain a same limitation for the customer, but this is not common practice.

Nearly all contracts contain a broad exclusion of liability for consequential and indirect damages (such as loss of clients, loss of revenues, loss of profits, etc), whereby a cap applies to the liability for the direct damages. The liability cap is in many case based on the amounts paid by the customer in the 12 months preceding the event that gave rise to liability.  Several public cloud computing providers also exclude their liability for loss of data by qualifying it as indirect damage, but such exclusion, without any further specifications, can be questioned under Belgian law.

Exclusions to the liability cap exist, namely for damages for which a party’s liability typically cannot be limited or excluded, such as for intentional fault, fraud, death or bodily injury. Often liability for breaches of a party’s intellectual property rights (ie, the cloud provider’s rights in the cloud solution) and breaches of confidentiality obligations are also uncapped. Given the increased attention around the protection of personal data since the entry into force of the GDPR, uncapped liability for data protection related breaches is rare, but such breaches are sometimes covered by a separate super cap, which applies next to the general liability cap.

In terms of warranties, several public cloud providers only warrant to provide the cloud services in material conformance with the service descriptions or documentation, whereby sometimes the remedies available to the customer in the case of a breach of such warranty are limited to a re-performance or right to terminate.

In terms of service level breaches, most public cloud computing contracts contain service level agreements together with a service credit mechanism. Such mechanisms are, however, always carefully drafted and nearly always qualify the service credits due (often a percentage of the fees paid for the affective service) as the sole and exclusive remedy of the customer.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Usually, IPR ownership is clearly distinguished in cloud computing contracts. The IPR in the cloud solution (including updates and customisations developed for the customer) will typically remain with the service provider, whereas the content created by the customer or being stored in the solution will remain the ownership of the customer. During the performance of the contract, it may well be that the service provider needs to use the customer content to provide the services, as a result of which public cloud contracts sometimes contain a licence for the provider to use such content during the term of the contract.

Most public cloud contracts contain an IP indemnity mechanism that needs to be applied in the event of an infringement of third-party rights. In such case, the infringing party will defend, indemnify and hold harmless the other party. Specifically, in relation to public cloud computing providers, an obligation is often included to purchase a licence to continue using the infringing components or to replace them with a non-infringing component, in the absence of which the contract may be terminated. It is often stated that such remedies are the sole and exclusive remedies of the customer, excluding the right for the customer to claim damages.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

The typical duration of public cloud computing contracts is relatively short (eg, one year, tacitly renewable unless terminated by either party before the expiration date of the contract), but we see a trend of moving towards longer contracts of up to three to five years for public cloud solutions that are used for business-critical appliances by the customer.

The notice period for termination will vary in respect of the termination ground. For instance, termination for convenience nearly always implies a notice period between one month up to three or six months, depending on the contract’s initial duration. However, in the case of a termination for cause (eg, material breach, bankruptcy), generally, no notice period is to be respected.

Following expiry or termination of the contract, most public cloud computing providers commit themselves to make the customer data available for a limited period of time (eg, 30 to 60 days) in which the customer can retrieve its data, and after which it is deleted by the customer. To avoid discussions, it is recommended to make sure that the data is made available in a data format and structure that is easily readable by the customer.

The typical exit assistance to help migrating to the customer or a replacement supplier, as seen in IT outsourcing agreements, is not often included, but some providers offer to provide such assistance on a time-and-material (T&M) basis.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

Outsourcing IT-related tasks may in some instances be considered as a ‘transfer of undertaking’. This could trigger the applicability of the Collective Labour Agreement No. 32-bis.

Law stated date

Correct on

Give the date on which the information above is accurate.

3 September 2020.