Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
Statutory limitations to contractual freedom
While most legal systems generally recognize the right of contracting parties to allocate risks and liabilities and to limit or exclude liability through contractual provisions, this right is usually subject to various limitations and conditions. For example, an important factor in risk and liability allocation in personal data processing is the role that each party assumes as regards personal data placed in the cloud. The data protection law of certain jurisdictions imposes more liability on the data controller than on data processors of personal data. Notwithstanding contractual provisions, the factual handling of such data will generally determine the legal regime to which the party would be subject under applicable law. Data subjects who have suffered loss resulting from unlawful processing of personal data or any act incompatible with domestic data protection regulations may be entitled to compensation directly from the data controller.
In addition, in many jurisdictions a total exclusion of liability for a person's own fault is not admissible or is subject to limitations. It might not be possible to exclude altogether liability related to personal injury (including sickness and death) and for gross negligence, intentional harm, defects, breach of core obligations essential for the contract or non-compliance with applicable regulatory requirements. Some types of limitation clauses, such as waiver of liability by the provider for security incidents in cases where the customer has no control or ability to effect security, may be found to be "abusive" and therefore invalid. The terms of contracts of adhesion, which are typically not negotiated but pre-established by one of the parties, may be subject to particular scrutiny. In addition, unlimited liability may flow from certain types of defects under law (e.g., defective hardware or software).
The ability of public institutions to assume certain liabilities may be restricted by law, or public institutions would need to seek prior approval of a competent State body for doing so. They may also be prohibited from accepting exclusion or limitation of a provider's liability altogether or for acts or omissions defined in law.
The applicable law may, on the other hand, provide for exemption from liability if certain criteria are fulfilled by a party that would otherwise face a risk of liability. For example, under the "notice and take down" procedure in some jurisdictions, the provider will be released from liability for hosting the illegal content on its cloud infrastructure if it removed such content once it became aware of it.
In some jurisdictions, to be enforceable, the clauses containing disclaimers and limitations of liability agreed upon by the parties must be included in the contract. The applicable law might impose form or other requirements for the validity and enforceability of those clauses.
Other considerations for drafting liability clauses
The amount, if any, charged for the cloud computing services and the risks involved in the provision of the services would all be considered in negotiating the allocation of risks and liabilities. Although parties generally tend to exclude or limit liability as regards factors that they cannot control or can control only to a limited extent (e.g., behaviour of end users, actions or omissions of subcontractors), the level of control would not always be a decisive consideration. A party may be prepared to assume risks and liability for elements that it does not control in order to distinguish itself in the market place. It is nevertheless likely that the party's risks and liabilities would increase progressively in proportion to the components under its control.
For example, in SaaS involving the use of standard office software, it is likely that the provider would be responsible for virtually all resources provided to the customer, and liability of the provider could arise in each case of non-provision or malfunctioning of those resources. Nevertheless, even in those cases, the customer could still be responsible for some components of the services, such as encryption or backups of data under its control. The failure to ensure adequate backups might lead to the loss of the right of recourse against the provider in case of the loss of data. On the other hand, in IaaS and PaaS, the provider could be responsible only for the infrastructure or platforms provided (such as hardware resources, operating system or middleware), while the customer would assume responsibility for all components belonging to it, such as applications run using the provided infrastructure or platforms and data contained therein.
Providers' standard terms
Providers' standard terms may exclude any liability under the contract and take the position that liability clauses are non-negotiable. Alternatively, the provider may be willing to accept liability, including unlimited liability, for breaches controllable by the provider (e.g., a breach of IP licenses granted to the provider by the customer) but not for breaches that may occur for reasons beyond the provider's control (e.g., unforeseeable events or leaks of confidential data).
Providers' standard terms generally exclude liability for indirect or consequential loss (e.g., loss of business opportunities following the unavailability of the cloud computing service). Where liability is accepted generally or for certain specified cases, providers' standard terms often limit the amount of losses that will be covered (per incident, per series of incidents or per period of time). In addition, providers often fix an overall cap on liability under the contract, which may be linked to the revenue expected to be received under the contract, to the turnover of the provider or insurance coverage.
Providers' standard terms usually impose liability on the customer for non-compliance with the acceptable use policy (AUP).
Possible variations of standard terms
Some events (e.g., personal data protection violations and IP rights infringement) could expose either party to potentially high liability to third parties or give rise to regulatory fines. It is common to agree on a more stringent liability regime (unlimited liability or higher compensation) when those events occur due to the fault or negligence of the other party.
Liability of the parties for actions of third parties that they cannot control (e.g., of the customer for actions of end users or of the provider for actions of the customer or its end users) may be limited or excluded by contract or law.
The contract may contain insurance obligations for both or either party, in particular as regards quality requirements for an insurance company and the minimum amount of insurance coverage sought. It may also require parties to notify changes to the insurance coverage or provide copies of current insurance policies to each other.