Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)
Part one. Main pre-contractual aspects
A. Verification of mandatory law and other requirements
The legal framework applicable to the customer, the provider or both may impose conditions for entering into a cloud computing contract. Such conditions may also stem from contractual commitments, including intellectual property (IP) licences. The parties should in particular be aware of laws and regulations related to personal data, consumer protection, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulation that may be applicable to them and their future contract. Non-compliance with mandatory requirements may have significant negative consequences, including invalidity or unenforceability of a contract or part thereof, administrative fines and criminal liability.
Conditions for entering into a cloud computing contract may vary by sector and jurisdiction. They may include requirements to take special measures for the protection of data subjects' rights, to deploy a particular model (e.g., private cloud as opposed to public cloud), to encrypt data placed in the cloud and to register with State authorities a transaction or a software used in the processing of personal data. They may also include data localization requirements, as well as requirements regarding the provider.
Data localization
Data localization requirements may arise in particular from the law applicable to personal data, accounting data, as well as public sector data and export control laws and regulations that may restrict the transfer of certain information or software to or from particular countries or a region. Compliance with data localization requirements set forth in the applicable law would be of paramount importance for the parties. The contract would not be able to override those requirements.
Data localization requirements may also arise from contractual commitments (e.g., IP licences that require the licensed content to be stored on the user's own secured servers). Data localization may be preferred for purely practical reasons, for example to reduce latency, which may be especially important for real-time operations, such as stock exchange trading.
Choice of a contracting party
The choice of a contracting party may be restricted, in addition to market conditions, by statutory requirements. There may be a statutory prohibition on entering into a cloud computing contract with foreign persons, persons from certain jurisdictions or persons not accredited/certified with competent State authorities. There may be a requirement for a foreign person to form a joint venture with a national entity or to acquire local licences and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction. Data localization requirements (see immediately above) as well as statutory obligations on either party to disclose or provide access to the data and other content to foreign State authorities may also influence the choice of a contracting party.