Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)

Part two. Drafting a contract

J. Liability

Statutory limitations to contractual freedom

While most legal systems generally recognize the right of contracting parties to allocate risks and liabilities and to limit or exclude liability through contractual provisions, this right is usually subject to various limitations and conditions. For example, an important factor in the allocation of risk and liability for personal data processing is the role that each party assumes as regards personal data placed in the cloud. The data protection law of certain jurisdictions imposes more liability on the data controller than on the data processor. Notwithstanding contractual provisions, the way in which a party actually handles such data will generally determine the legal regime to which that party is subject under applicable law. Data subjects who have suffered loss resulting from unlawful processing of personal data, or from any act incompatible with domestic data protection regulations, may be entitled to compensation directly from the data controller.

In addition, in many jurisdictions a total exclusion of liability for a person's own fault is not admissible or is subject to limitations. It might not be possible to exclude altogether liability for personal injury (including sickness and death), for gross negligence, intentional harm or defects, for breach of core obligations essential to the contract, or for non-compliance with applicable regulatory requirements. Some types of limitation clauses, such as a waiver of the provider's liability for security incidents in cases where the customer has no control over, or ability to influence, the security measures concerned, may be found to be "abusive" and therefore invalid. The terms of contracts of adhesion, which are typically not negotiated but pre-established by one of the parties, may be subject to particular scrutiny. In addition, unlimited liability may flow by law from certain types of defects (e.g., defective hardware or software).

The ability of public institutions to assume certain liabilities may be restricted by law, or public institutions may need to seek the prior approval of a competent State body for doing so. They may also be prohibited from accepting any exclusion or limitation of a provider's liability, either altogether or for acts or omissions defined in law.

The applicable law may, on the other hand, provide for exemption from liability if certain criteria are fulfilled by a party that would otherwise face a risk of liability. For example, under the "notice and take down" procedure in some jurisdictions, the provider is released from liability for hosting illegal content on its cloud infrastructure if it removes such content once it becomes aware of it.

In some jurisdictions, to be enforceable, the clauses containing disclaimers and limitations of liability agreed upon by the parties must be included in the contract. The applicable law might impose form or other requirements for the validity and enforceability of those clauses.

Other considerations for drafting liability clauses

The amount, if any, charged for the cloud computing services and the risks involved in the provision of the services would both be considered in negotiating the allocation of risks and liabilities. Although parties generally tend to exclude or limit liability as regards factors that they cannot control or can control only to a limited extent (e.g., behaviour of end users, actions or omissions of subcontractors), the level of control would not always be a decisive consideration. A party may be prepared to assume risks and liability for elements that it does not control in order to distinguish itself in the marketplace. It is nevertheless likely that a party's risks and liabilities would increase progressively in proportion to the components under its control.

For example, in SaaS involving the use of standard office software, it is likely that the provider would be responsible for virtually all resources provided to the customer, and liability of the provider could arise in each case of non-provision or malfunctioning of those resources. Nevertheless, even in those cases, the customer could still be responsible for some components of the services, such as encryption or backups of data under its control. A failure to ensure adequate backups might lead to the loss of the right of recourse against the provider in case of loss of data. On the other hand, in IaaS and PaaS, the provider could be responsible only for the infrastructure or platforms provided (such as hardware resources, the operating system or middleware), while the customer would assume responsibility for all components belonging to it, such as applications run on the provided infrastructure or platforms and the data contained therein.

Providers' standard terms

Providers' standard terms may exclude any liability under the contract and take the position that liability clauses are non-negotiable. Alternatively, the provider may be willing to accept liability, including unlimited liability, for breaches controllable by the provider (e.g., a breach of IP licences granted to the provider by the customer) but not for breaches that may occur for reasons beyond the provider's control (e.g., unforeseeable events or leaks of confidential data). Whether a given leak of confidential data is in fact beyond the provider's control depends on which party operates the relevant security measures; a blanket waiver of the provider's liability for security incidents that the customer has no ability to influence is the type of clause that may be found abusive (see "Statutory limitations to contractual freedom" above).

Providers' standard terms generally exclude liability for indirect or consequential loss (e.g., loss of business opportunities following the unavailability of the cloud computing service). Where liability is accepted generally or for certain specified cases, providers' standard terms often limit the amount of losses that will be covered (per incident, per series of incidents or per period of time). In addition, providers often fix an overall cap on liability under the contract, which may be linked to the revenue expected to be received under the contract, to the turnover of the provider or to its insurance coverage.

Providers' standard terms usually impose liability on the customer for non-compliance with AUP.

Possible variations of standard terms

Some events (e.g., personal data protection violations and IP rights infringement) could expose either party to potentially high liability to third parties or give rise to regulatory fines. It is common to agree on a more stringent liability regime (unlimited liability or higher compensation) for the party whose fault or negligence caused such an event, so that the exposed party can recover its losses from the party responsible.

Liability of the parties for actions of third parties that they cannot control (e.g., of the customer for actions of end users or of the provider for actions of the customer or its end users) may be limited or excluded by contract or law.

Liability insurance

The contract may contain insurance obligations for both or either party, in particular as regards quality requirements for the insurer and the minimum amount of insurance coverage sought. It may also require the parties to notify each other of changes to their insurance coverage or to provide each other with copies of their current insurance policies.

Relevant Glossary terms

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see the data subject).

Personal data processing: The collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

Data controller: A person that determines the purposes and means of the processing of personal data.

Data processor: A person that processes the data on behalf of the data controller.

Data subject: A natural person who can be identified, directly or indirectly, by data, including by reference to such identifiers as name, an identification number, location and any factors specific to the physical, genetic, mental, economic, cultural or social identity of the person. In a number of jurisdictions, data subjects enjoy under data protection or data privacy regulations certain rights with respect to the data that can identify them. Those regulations may trigger the inclusion in the service level agreement (SLA) of data protection-specific performance parameters, such as that the services provided under the contract are certified at least annually by an independent auditor against the data protection/privacy standard identified in the contract. (See also data subject's rights and personal data)

Security incident: An event that indicates that the system or data have been compromised or that measures put in place to protect them have failed. A security incident may disrupt normal operations, although not every incident does. Examples of security incidents include attempts from unauthorized sources to access systems or data, unplanned disruption to a service or denial of a service, unauthorized processing or storage of data and unauthorized changes to system infrastructure.

Infrastructure as a service (IaaS): Types of cloud computing services with which the customer can obtain and use processing, storage or networking resources. The customer does not manage or control the underlying physical or virtual resources, but does have control over operating systems, storage and deployed applications that use the physical or virtual resources. The customer may also have limited ability to control certain networking components (e.g., host firewalls).

Platform as a service (PaaS): Types of cloud computing services with which the customer can deploy, manage and run in the cloud customer-created or customer-acquired applications using one or more existing programming languages and execution environments supported by the provider.

Software as a service (SaaS): Types of cloud computing services with which the customer can use the provider's applications in the cloud.

Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.