Cloud computing contracts
Types of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
Cloud computing offerings are characterised by a multitude of contract documents, which for most providers include, as a minimum:
- the general conditions;
- the conditions specific to the given service;
- a service-level agreement defining the key performance indicators and the quality and service level commitments;
- a data processing agreement or privacy policy defining the commitments and exclusions relating to personal data protection; and
- an ‘acceptable use policy’ specifying the lawful conditions for use of the service.
These documents are multiplied according to the requirements of each service, which results in the service providers presenting comprehensive and complex catalogues.
These standard documents are generally recent and are regularly updated. The entry into force of the GDPR on 25 May 2018 (see questions 15 and 19) requires significant adaptations, just like Order No. 2016-131 dated 10 February 2016 reforming the French law of contracts (with its ratification Act No. 2018-287 of 20 April 2018). Among various provisions aimed at sustaining contractual justice, the new contract law indeed provides that a contract that includes a set of non-negotiable clauses that are predefined by one of the parties constitutes an ‘adhesion contract’.
In such a contract, a clause will be considered as non-existent where it causes a significant imbalance between the parties’ rights and obligations. In the event of any doubt, an adhesion contract will be interpreted against the party that proposed the contract. Comparisons may be made with the abusive clauses regime which protects consumers in business-to-consumer contracts.
This new statutory regime may help alleviate certain one-sided provisions that thrive in standard cloud computing contracts and help introduce more balance in favour of customers, as will be seen in the following questions. Such a reassessment remains contingent, however, on the application of French law to the contract.
Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?
Governing law and dispute resolution
Standard contracts always include a clause defining the applicable law and which court has jurisdiction. The service providers thereby submit their contracts to the law and courts of the state where their establishment is located. Often, they have an establishment in the European Union. In France, their contracts are therefore often subject to the law and jurisdiction of a member state of the EU.
Enforceability
The public cloud contracts do not offer much opportunity for negotiation. As a consequence, the enforceability of their provisions is not necessarily guaranteed under the law - for example, in regard to the consent given by the client on standard documents that prove to be inaccessible or that allegedly should evolve without his or her express approval.
The clients frequently request the right to audit how the services are carried out in order to verify the services’ compliance with the provider’s commitments, in particular with regard to security. The GDPR provides for this right (article 28.3). Since, in practice, it is difficult and costly for the providers to continuously accommodate the auditors sent by the clients, the providers try to obtain certifications (eg, ISO 27000) and propose in their clauses to communicate their own audit reports in order to limit the need for the clients to carry out additional verifications.
Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?
Flexibility
Flexibility is a key component of cloud computing contracts. The hosting services are generally invoiced on the basis of the resources granted to the client (eg, number of servers, CPUs, etc). Agreements usually offer the possibility to cease both use and payment of the resources at short notice. Clients may add services or increase their capacity through online portals without the need to sign contract amendments. Flexibility is also reflected in the contract duration, which may run by the month, thereby enabling the clients to include the costs in their operating expenses.
Acceptable use
A cloud computing contract generally includes clauses to define limitations of use of the service by the client and its employees (often grouped together in an ‘acceptable use policy’ appendix). Usual clauses prohibit:
- use beyond the client’s internal business purposes;
- use violating third parties’ intellectual property rights; and
- use for unlawful purposes, including to harass, defame or abuse third parties or to post obscene, violent or discriminatory content.
Although cloud computing services are often presented as being ‘content neutral’ and customers’ data considered as protected by confidentiality, service providers reserve the right to enquire about suspicious use, to suspend access and to terminate the service where the client’s data appears to infringe the restrictions of use.
This reflects the increasingly stringent legal constraints to ensure that the internet players assume responsibility for the online content. For example, an employer must ensure that his or her internet access is not used by his or her employees to replicate or disseminate works protected by copyright (article 336-3 of the French Intellectual Property Code). This indirectly concerns the cloud computing service provider working for such employer.
Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?
Confidentiality
The terms and conditions covering data and confidentiality in contracts subject to French law are similar to those found under other laws. By way of principle, cloud service providers undertake to protect the confidentiality of their clients’ data. Access to such data is granted to their employees on a ‘need-to-know-only’ basis, insofar as required to deliver the services. Reference is often made to the employees’ individual confidentiality commitment, which is required by the GDPR and will usually be provided for in labour contracts.
Unlike pure players, which focus their services on the provision of infrastructure or storage for clients’ data and purport to be ‘content agnostic’, cloud service providers that provide software or other value added services often seek to gain a right to access and use customers’ data with a view to building up ‘big data’ pools on their own. This will often be provided for through a clause enabling such use for the purpose of ‘improving the services’ or ‘customising the customer’s experience’ of the service. Such purpose often covers targeted advertising.
In such circumstances, the confidentiality of clients’ and individuals’ data may be jeopardised. For example, in July 2016, the CNIL noticed that through the processing of users’ data for Windows applications, Microsoft was obtaining information on all the applications downloaded and installed by the users as well as the time spent on each application, which was not necessary for providing the service. Furthermore, an advert ID was activated by default upon the installation of Windows 10, which enabled Microsoft to follow the user’s browsing and to target the advertisements without the latter’s prior consent. The corrections requested by the CNIL have since been made.
The confidentiality clauses also show their limits in the face of legislation requiring the service providers to disclose users’ data to their governmental authorities (eg, US Patriot Act and US Cloud Act). The GDPR addresses this type of situation by requiring the providers to inform their clients beforehand of the legal obligations of communication that may apply and by prohibiting them from deferring to such requests if they are not based on a mutual legal assistance treaty or similar (GDPR, articles 28 and 48). To date, many clauses still need to be more specific on this issue.
Location of data and data processing
In this context, numerous services attempt to reassure clients by guaranteeing that the data will only be stored in their country of residence or elsewhere in the European Union. The clauses often provide that the client may or will be informed of any modification of the location or country of storage. Under the GDPR, the client’s approval as data controller is required and must be given prior to such modifications. It must be restated, however, that this consent is necessary for any kind of data transfer: it is not limited to the country where data is stored, but applies to all the countries in which access to the data is possible.
When the cloud computing provider acts solely as a data processor within the meaning of the GDPR (ie, does not define the aims and means of the data processing), the GDPR requires that its agreement with the data controller specifically define certain obligations (article 28), including for the provider:
- to process the client’s personal data only on documented instructions from the controller, including with regard to cross-border transfers;
- to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include, as appropriate:
  - pseudonymisation and data encryption;
  - ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - maintaining the provider’s ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  - regularly testing and evaluating the effectiveness of the measures taken to ensure the security of the processing; and
- to engage sub-processors only with the client’s prior authorisation and to have them subject to the same data protection requirements.
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?
Service levels and warranties
The stakes of the cloud computing contracts reside in the characterisation of the providers’ obligations, with the well-known contrast under French law between the best-efforts obligation (for example, ‘the service provider will use reasonable efforts to provide the services with the level of diligence and competence that could reasonably be expected for services of such a nature and of a complexity substantially similar to that of the services’) and the performance obligation (‘the provider guarantees the continuous availability of the service during business hours’). In general, the service provider contracts avoid guaranteeing the availability and performance of their services or formulate service levels and exceptions (eg, planned maintenance, minimum downtime, etc) that enable a large degree of latitude.
The challenge for the cloud computing service providers is indeed to offer a service that is ready to use and works ‘end-to-end’, whereas, in practice, they do not control the production chain, which runs from their servers through to their clients’ workstations. The cloud providers are rarely telecom operators and do not operate the internet connections. Furthermore, SaaS providers rarely own their data centres and, accordingly, are dependent on hosting providers. The IaaS and PaaS providers are, in practice, the ones actually in control of the service levels concerning the availability, reliability and quality of the cloud computing services. For these reasons, the service-level agreements are often sanctioned by a notion of ‘service credit’, which allegedly compensates for a default in the service with an extension of its duration.
Liability
As the cloud computing services market is dominated by a few global infrastructure and platform providers, the liability clauses significantly restrict their indemnification commitments. The liability cap in the event of a loss of client data is frequently fixed at the level of the monthly instalment paid by the client although, under French law, any clause that nullifies the debtor’s essential obligation will be considered void (New French Civil Code, article 1170).
With regard to the damages applicable in the event of non-compliance with the GDPR, a client may request a guarantee from its cloud computing provider insofar as the latter acted as a ‘sub-contractor’ and failed to comply with his or her regulatory obligations specific to sub-contractors or with the instructions received from his or her client in this regard (article 82).
Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
The terms and conditions governing intellectual property rights (IPRs) in contracts subject to French law are similar to those found in contracts subject to other laws: typically, each party remains the sole rights holder on all the IPRs applicable to its materials, that is, the software programs it provides via the services, as regards the service provider, and the data and third-party software programs stored in the cloud and used by the client, as regards the latter.
Licence rights are granted by each party to the other insofar as necessary for the other party’s supply or use of the services, as applicable. Customisation is not typical of standard services such as IaaS and PaaS, but should this arise in the form of copyrighted work (eg, specific developments), the service provider will, in general, grant licence rights and avoid any IPR assignment to the client.
In the same vein, cloud computing contracts require each party to indemnify the other against any infringement claims from third parties. Often, the service providers’ standard terms and conditions will entitle them to terminate their services in cases where the client is found to infringe third-party rights.
Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?
Term and termination
Cloud computing contracts are usually entered into for a fixed term, typically from one month to one year. This duration may be extended or renewed, expressly or tacitly, but the client does not necessarily benefit from a renewal guarantee. In this regard, the new French law of contracts sets forth that no party may impose the renewal of a contract (Civil Code, article 1212). Therefore, attention should be paid to the notice period and the terms of renewal.
More traditionally, the termination clauses provide an exit right for each party in the event of non-compliance by the other party. In non-negotiated contracts, it will be difficult for the client to use such clauses as a credible threat against non-compliance relating to the service level or quality of the service provision.
Reversibility
At the end of a cloud computing service, the client must recover its assets (ie, programs and data). As they are standard, the reversibility of the IaaS and PaaS services does not require the transfer of know-how and knowledge specific to the provider. Nonetheless, assistance from the latter is often available as an option.
However, the specificities of a program implemented on the cloud (eg, specific developments and settings according to the client’s business rules, etc) and data formats set up by the provider (sometimes proprietary or using variants of the existing standards) may result in a lockout of the client. The reproduction of the existing solution or the system’s output available for data migration may also pose a problem. Despite their multitude, contractual documents are often lacking specifications and commitments in this regard (see question 26).
The entry into force of the GDPR should encourage the emergence of more adapted stipulations, as this text obliges data controllers to enable data portability (see question 15). The clients could use this as guidance to address the practical issues raised by reversibility situations. In any case, healthy competition between several providers and services remains the most effective tool in order to avoid harmful dependence.
Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
In cases where activities are transferred from one company to another, the Labour Code will govern the transfer of employment contracts (articles L1224-1 and L1224-2). A contract for the supply of private cloud computing services may be part of or may follow such a transfer of personnel from the client to the service provider. However, it will usually rather be considered as an outsourcing contract. In general, cloud computing contracts per se are indeed not understood to involve a transfer of personnel by the client. This is reflected in the statutory definitions of cloud computing (see questions 8 and 9), which do not refer to such an element.