DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Confidentiality clause
The provider’s willingness to commit to ensuring the confidentiality of customer data depends on the nature of services provided to the customer under the contract, in particular whether the provider will be required to have unencrypted access to data for the provision of those services. Some providers may not be in a position to offer a confidentiality or non-disclosure clause and may expressly waive any duty of confidentiality regarding customer data. Other providers may be willing to assume liability for confidentiality of data disclosed by the customer during contract negotiations, but not for data processed during service provision. Some standard confidentiality clauses offered by providers may not be sufficient to ensure compliance with applicable law.
In the absence of contractual commitments and statutory obligations on the provider to maintain confidentiality, the customer may have full responsibility for keeping data confidential, e.g., through encryption. Where the possibility of negotiating a general confidentiality clause applicable to all customer data placed in the cloud does not exist, the parties may agree on confidentiality commitments as regards some sensitive data (with a separate liability regime for breach of confidentiality of such data). The customer may in particular be concerned about its trade secrets, know-how and information that it is required to keep confidential under law or commitments to third parties. The parties may agree to restrict access to such data to a limited set of personnel and to require individual confidentiality commitments from them, in particular from those with high-risk roles (e.g., system administrators, auditors and persons dealing with intrusion detection reports and incident response). In those cases, the customer would normally specify to the provider such information, the required level of protection, any applicable law or contractual requirements and any changes affecting such information, including any changes in the applicable legislation.
In some cases, the disclosure of customer data may be necessary for the fulfilment of the contract. In other cases, the disclosure may be mandated by law, for example, under the duty to provide information to competent State authorities. Appropriate exceptions to confidentiality clauses would thus be warranted.
The provider may in turn impose on the customer the obligation not to disclose information about the provider’s security arrangements and other details of services provided to the customer under the contract or law.