It’s worth knowing that using Cloud services can bring some problems. Let’s start by looking together at some contractual aspects that require particular care.
Anyone who intends to use, for their own business, any Internet service that falls under the definition of Cloud faces several issues: from the content of the contract and the provider’s management of data, to the loss of data transferred outside one’s own walls and its security. These are very interesting and interwoven aspects, which require careful reflection, particularly from a legal standpoint.
The first important aspect is the contract you are about to enter into with the cloud provider, the agreement that will govern the relationship. In our legal system this contract has no specific regulation in the Civil Code (codice civile) or in any special law: it’s an atypical contract and, because of that, you must read it carefully, as it contains the primary regulation of the relationship and of responsibilities. The most likely scenario is that you can choose between predefined contractual offerings: a cloud computing contract is usually defined by the provider according to standard contractual models (the so-called “general terms of contract”) which can hardly be negotiated.
Let’s look at some of the main clauses you must pay attention to when choosing a provider and signing a contract. First, it’s important to analyze the level of service supplied: certain clauses define the so-called Service Level Agreement (SLA), service levels that are sometimes not explicitly stated in the general terms of the contract but rather in attachments or in another document related to the contract: read those as well. Naturally, the guarantee is stronger if service levels are stated in an objective and measurable manner: they are the first parameter for evaluating whether or not the provider has fulfilled its obligations. SLAs will help you (if you’re a technician, or your trusted tech) evaluate the level of the service being offered, as they are purely technical parameters.
In general, a provider could include, for instance, a “result guarantee” clause stating the results the service guarantees (e.g. service availability for a certain percentage of time or for a given number of days per year). Such a clause might also state, however, that if the result is not achieved (e.g. suspension of the service for a period longer than the one envisaged in the contractual conditions), compensation is limited to an extension of the service for a period equal to that of the missed supply. That might not be enough to cover the damages caused by the lack of service. Make sure the contract provides for penalties (without prejudice to the right to claim greater damages) for breach of the contract and/or SLA.
A provider could offer you a service “as is” or with a similar expression: in this case, the proper functioning of the service, without interruptions or faults, is not guaranteed, and there could be faults or the service might not suit your needs. It’s a form of exclusion of the warranty on the service’s functioning that is hardly useful to the client.
Moreover, you must pay attention to the possible presence of clauses that exclude or limit the provider’s liability: for instance, the contract might contain a clause that excludes liability, or sets a maximum cap on the amount of money the cloud provider can pay for damage of any type and extent.
Keep in mind that the loss of service supply, the disclosure of business information to third parties (as a consequence of fraudulent behaviour by an employee or a third party, of an order from the Authority of the country where data is stored, or in any other similar case), or even the loss of that information (e.g. because of a virus) can cause huge, perhaps irreversible, damage to you (and, as a consequence, to your clients and to the subjects the data refers to).
So it’s important to read carefully every clause that refers to such cases, if any. In our legal system, a clause limiting liability for gross negligence or wilful misconduct would be invalid under art. 1229 of the Civil Code; however, there is no guarantee that the applicable law is Italian law. A clause that limits the provider’s liability for misconduct (not wilful misconduct, but still misconduct) could therefore be valid (unless you act as “consumers”, but that’s another story): in such a case, should you suffer damage because of the provider, you won’t be able to obtain any compensation (or at most within the maximum cap set in the contract, if the agreed exclusion of liability is not total).
The more liability the provider takes on, the more protection you have as users; naturally, this can increase the cost of the service.
On another front, the contract might contain clauses adverse to the user that provide for the loss of the right to contest, in particular with respect to the service or to payment. Again, art. 2965 of the Italian Civil Code provides for the invalidity of agreements that establish forfeiture terms which make it excessively hard for a party to exercise its right. But such a clause might not fall within that case of invalidity, or be contestable.
When agreeing to the contract as users, check whether the provider has the right to modify the contract without the consent of the other party. You might find yourself with a contract whose characteristics are partly different from the initial ones. A better guarantee for the user is a clause providing that any modifications become valid only at the end of a certain term, within which the user can exercise the right of termination in order not to be bound by the new contractual terms.
Also check whether the provider has the right to use any subcontractor for the service: in that case, the service itself could be provided by a third party you might know nothing about and with whom you have not agreed any contract at all. The express indication of an authorized subcontractor, notice of any change of subcontractor, and the guarantee that the subcontractor is bound by the same contractual conditions as the supplier are some of the guarantees you must look for in such an event.
Don’t forget about the duration of the contract, the express termination clauses, the methods and timing of withdrawal, and the guarantee of a seamless migration to another provider (i.e. data must be retrieved and migrated with ease).
Moreover, there’s a problem related to the applicable law: as the Cloud is international (user from one country, provider from another country, servers physically located in a third country), there’s uncertainty about the applicable regulation, both when it is not stated in the contract and when evaluating the validity of the agreements.
Indeed, it is not a given that Italian law applies just because the user is Italian: the contract might contain provisions on this, which must be read and understood.
The international nature of the Cloud raises another problem: identifying the Judge competent for any dispute. It suffices to say that a clause designating the Italian Judge exclusively (and possibly the Court of your location/residence) is to be preferred, as is the choice of an Italian service provider.
Check whether an arbitration clause is present: if it is, potential disputes will be decided by arbitrators and not judges. Pay attention to how they are appointed and to costs (which usually aren’t stated in the contract and could be high).
Because of that internationality, difficulties could arise in collecting information when taking legal action, or in serving summonses. The costs of exercising legal protection could rise (so know where the datacenters are).
I’d like to note that, under art. 1341 of the Italian Civil Code, the so-called “general terms of contract” are effective if, at the time the contract is concluded, the other party knew of them (or should have known of them using ordinary diligence).
However, some restrictive clauses (many of the clauses we covered could be defined as restrictive) require specific written approval; otherwise they have no effect.
The delicate issues within a cloud contract concern privacy and the protection and security of data.
These topics need a specific in-depth analysis (there’s an ad-hoc quality certification standard, there are specific indications from the Italian Authority, we need to define the roles of the owner of and the person responsible for data processing, and the new European guidelines on privacy have just become law): we’ll talk about that in our upcoming column after the summer break.