Many web services are examples of cloud computing, from storage and backup sites such as Flickr and Dropbox to online business productivity services such as Google Docs and Salesforce.com. Cloud computing offers a potentially attractive solution to customers keen to acquire computing infrastructure without large up-front investment, particularly in cases where their demand may be variable and unpredictable, as a means of achieving financial savings, productivity improvements and the wider flexibility that accompanies Internet-hosting of data and applications.
The greater flexibility of a cloud computing service as compared with a traditional outsourcing contract may be offset by reduced certainty for the customer in terms of the location of data placed into the cloud and the legal foundations of any contract with the provider. There may be unforeseen costs and risks hidden in the terms and conditions of such services.
This document reports on a detailed survey and analysis of the terms and conditions offered by cloud computing providers.
The survey formed part of the Cloud Legal Project at the Centre for Commercial Law Studies (CCLS), within the School of Law at Queen Mary, University of London, UK. Funded by a donation from Microsoft, but academically independent, the project is examining a wide range of legal and regulatory issues arising from cloud computing. The project’s survey of 31 cloud computing contracts from 27 different providers, based on their standard terms of service as offered to customers in the E.U. and U.K., found that many include clauses that could have a significant impact, often negative, on the rights and interests of customers. The ease and convenience with which cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers. The main lesson to be drawn from the Cloud Legal Project’s survey is that customers should review the terms and conditions of a cloud service carefully before signing up to it.
The survey found that some contracts, for instance, have clauses disclaiming responsibility for keeping the user’s data secure or intact. Others reserve the right to terminate accounts for apparent lack of use (potentially important if they are used for occasional backup or disaster recovery purposes), for violation of the provider’s Acceptable Use Policy, or indeed for any or no reason at all. Furthermore, whilst some providers promise only to hand over customer data if served with a court order, others state that they will do so on much wider grounds, including it simply being in their own business interests to disclose the data. Cloud providers also often exclude liability for loss of data, or strictly limit the damages that can be claimed against them – damages that might otherwise be substantial if a failure brought down an e-commerce web site.
Although in some U.S. states, in E.U. countries and in various other jurisdictions the validity of such terms may be challenged under consumer protection laws, users of cloud services may face practical obstacles to bringing a claim for data loss or privacy breach against a provider that seems local online but is, in fact, based in another continent. Indeed, service providers usually claim that their contracts are subject to the laws of the place where they have their main place of business. In many cases this is a US state, with a stipulation that any dispute must be heard in the provider’s local courts, regardless of the customer’s location.
Perhaps the most disconcerting discovery of the Cloud Legal Project’s survey was that many providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web. In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes.
The cloud computing market is still developing rapidly, and potential cloud customers should be aware that there may be a mismatch between their expectations and the reality of cloud providers’ service terms, and be alive to the possibility of unexpected changes to the terms.