Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)

Part one. Main pre-contractual aspects

A. Verification of mandatory law and other requirements

The legal framework applicable to the customer, the provider or both may impose conditions for entering into a cloud computing contract. Such conditions may also stem from contractual commitments, including intellectual property (IP) licences. The parties should in particular be aware of laws and regulations related to personal data, consumer protection, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulation that may be applicable to them and their future contract. Non-compliance with mandatory requirements may have significant negative consequences, including invalidity or unenforceability of a contract or part thereof, administrative fines and criminal liability.

Conditions for entering into a cloud computing contract may vary by sector and jurisdiction. They may include requirements to take special measures for the protection of data subjects' rights, to deploy a particular model (e.g., private cloud as opposed to public cloud), to encrypt data placed in the cloud and to register with State authorities a transaction or a software used in the processing of personal data. They may also include data localization requirements, as well as requirements regarding the provider.

Data localization

Data localization requirements may arise in particular from the law applicable to personal data, accounting data, as well as public sector data and export control laws and regulations that may restrict the transfer of certain information or software to or from particular countries or a region. Compliance with data localization requirements set forth in the applicable law would be of paramount importance for the parties. The contract would not be able to override those requirements.

Data localization requirements may also arise from contractual commitments (e.g., IP licences that require the licensed content to be stored on the user's own secured servers). Data localization may be preferred for purely practical reasons, for example to reduce latency, which may be especially important for real-time operations, such as stock exchange trading. (Read more on contractual data localization safeguards.)

Choice of a contracting party

The choice of a contracting party may be restricted, in addition to market conditions, by statutory requirements. There may be a statutory prohibition on entering into a cloud computing contract with foreign persons, persons from certain jurisdictions or persons not accredited/certified with competent State authorities. There may be a requirement for a foreign person to form a joint venture with a national entity or to acquire local licences and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction. Data localization requirements (see immediately above) as well as statutory obligations on either party to disclose or provide access to the data and other content to foreign State authorities may also influence the choice of a contracting party.


Relevant Glossary terms

Data localization requirements: Requirements relating to the location of data and other content or data centres or the provider. They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of a certain area or jurisdictions or require that prior approval be obtained from a competent State body for that. They are often found in data protection law and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licensed property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (the data subject).

Sector-specific regulations: Financial, health, public sector or other specific sector or profession regulations (e.g., attorney-client privilege, medical professional secrecy) and rules for handling classified information (broadly understood as information to which access is restricted by law or regulation to particular classes of persons).