DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Rights to data

Provider rights to customer data for the provision of services

Providers usually reserve the right to access customer data on a “need-to-know” basis. That arrangement would allow access to customer data by the provider’s employees, subcontractors and other third parties (e.g., auditors) where necessary for the provision of the cloud computing services (including maintenance, support and security purposes) and for monitoring compliance with applicable AUP, IP licences, SLA and other contractual documents. The parties may agree on circumstances when the provider’s access to customer data would be allowed and measures that would ensure confidentiality and integrity of customer data.

Certain rights to access customer data can be considered to be implicitly granted by the customer to the provider by requiring a certain service or feature: without those rights, the provider would not be able to perform the services. For example, if the provider is required to regularly back up customer data, the fulfilment of that task necessitates the right to copy the data. Likewise, if subcontractors are to handle customer data, the provider must be able to transfer the data to them.

Provider use of customer data for other purposes

Most jurisdictions do not grant the provider automatic rights to use the customer data for the provider’s own purposes. The provider may request use of customer data for purposes other than those linked to the provision of the cloud computing services under the contract (e.g., for advertising, generating statistics, analytical or prediction reports, or engaging in other data mining practices). The questions to consider in that context may include: (a) which information about the customer and its end users will be collected and the reasons for and purposes of its collection and use by the provider; (b) whether that information will be shared with other organizations, companies or individuals and if so, the reasons for doing so and whether this will be done with or without the customer’s consent; and (c) how compliance with confidentiality and security policies will be ensured if the provider shares that information with third parties. Where the provider’s use of customer data will affect personal data, the parties would normally be expected to carefully assess their regulatory compliance obligations under applicable data protection laws.

Provider use of customer name, logo and trademark

The providers’ standard terms may grant the provider the right to use customer names, logos and trademarks for the purposes of the provider’s publicity. The parties may agree on the deletion or modification of such provisions, including limiting the permissible use to the customer’s name and seeking the prior approval of the customer for the use of its name, logo and trademark. 

Provider actions as regards customer data upon State orders or for regulatory compliance

The parties may agree, at a minimum, that the customer will be notified without delay of State orders or the provider’s own decisions as regards customer data with a description of the data concerned, unless such notification would violate law. Where the advance notification and involvement of the customer is not possible, the contract may require the provider to serve an immediate ex-post notification to the customer of the same information. The parties may also agree on provisions as regards keeping and providing customer access to and logs of all orders, requests and other activities as regards customer data. 

Rights to cloud service-derived data

The parties may agree on customer rights to cloud service-derived data and how such rights can be exercised during the contractual relationship and upon termination of the contract. 

Data retrieval for legal purposes

Customers may be required to be able to search and find data placed in the cloud in its original form for legal purposes, for example, in investigations. The electronic records may need to meet auditing and evidentiary standards. Some providers may be in a position to offer customers assistance with the retrieval of data in the format required by law. The contract may define the form and terms of such assistance.

Data deletion

Data deletion considerations may be applicable during the term of the contract, but particularly upon its termination. For example, certain data may need to be deleted according to the customer’s retention plan. Sensitive data may need to be destroyed at a specified time in its lifecycle (e.g., the destruction of hard disks at the end of the life of equipment on which such data was stored). Data may also need to be deleted in order to comply with law enforcement deletion requests or after confirmed IP infringement cases.

Particular standards or techniques for deletion may be specified, depending on the nature and sensitivity of the data. It may be required to delete data from different locations and media, including from subcontractors’ and other third parties’ systems, with different levels of deletion, such as data sanitization ensuring confidentiality of the data until their complete deletion or hardware destruction. More secure deletion involving destruction rather than redeployment of equipment may be more expensive and may not always be possible (if, for example, data of other persons is stored on the same hardware). Those aspects may trigger the inclusion of contractual requirements to use an isolated infrastructure for storing the customer’s particularly sensitive data.

 

Relevant Glossary terms

Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licensed property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual.

Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider. It includes metadata and any other log data generated by the provider containing records of who used the services, at what times, which functions and which types of data are involved. It can also include information about authorized users, their identifiers and any configuration, customization and modification.

Data deletion: A sequence of operations designed to irreversibly erase data, including its backups and metadata, and other content from the cloud computing infrastructure (physical and virtual). In some cases, data deletion may require the destruction of the physical infrastructure (e.g., the servers) on which the data were stored. The service level agreement (SLA) may contain a specific performance parameter related to data deletion, e.g., that the provider ensures that the customer’s data are effectively, irrevocably and permanently deleted wherever requested by the customer within a certain time period identified in the contract and in compliance with the standard or method identified in the contract.
