Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
D. Rights to customer data and other content
Provider rights to customer data for the provision of services
Providers usually reserve the right to access customer data on a "need-to-know" basis. That arrangement would allow access to customer data by the provider's employees, subcontractors and other third parties (e.g., auditors) where necessary for the provision of the cloud computing services (including maintenance, support and security purposes) and for monitoring compliance with applicable AUP, IP licences, SLA and other contractual documents. The parties may agree on circumstances when the provider's access to customer data would be allowed and measures that would ensure confidentiality and integrity of customer data.
Certain rights to access customer data can be considered to be implicitly granted by the customer to the provider by requiring a certain service or feature: without those rights, the provider would not be able to perform the services. For example, if the provider is required to regularly back up customer data, the fulfilment of that task necessitates the right to copy the data. Likewise, if subcontractors are to handle customer data, the provider must be able to transfer the data to them.
The contract may explicitly indicate which are the rights concerning data required for the performance of the contract that the customer grants to the provider, whether and to what extent the provider is entitled to transfer those rights to third parties (e.g., its subcontractors) and the geographical and temporal extent of the granted or implied rights. The geographical limitations could be particularly important when data cannot leave a certain country or region under law. Contracts typically state whether the customer is able to revoke granted or implied rights and if so, under what conditions. Since the ability to provide the services at the required level of quality may depend on the rights granted by the customer, the direct impact of revocation of certain rights could be the amendment or termination of the contract.
Provider use of customer data for other purposes
Most jurisdictions do not grant the provider automatic rights to use the customer data for the provider's own purposes. The provider may request use of customer data for purposes other than those linked to the provision of the cloud computing services under the contract (e.g., for advertising, generating statistics, analytical or predictive reports, or engaging in other data mining practices). The questions to consider in that context may include: (a) which information about the customer and its end users will be collected and the reasons for and purposes of its collection and use by the provider; (b) whether that information will be shared with other organizations, companies or individuals and if so, the reasons for doing so and whether this will be done with or without the customer's consent; and (c) how compliance with confidentiality and security policies will be ensured if the provider shares that information with third parties. Where the provider's use of customer data will affect personal data, the parties would normally be expected to carefully assess their regulatory compliance obligations under applicable data protection laws.
Where the contract gives the provider rights to use the customer data for the provider's own purposes, the contract may also list permissible grounds for such use, include obligations regarding de-identification and anonymization of customer data to ensure compliance with any applicable data protection and other regulations and impose limits on reproduction of content and communication to the public. It is common to permit the provider to use customer data for its own purposes only as anonymized open data or in aggregated and de-identified form during the term of the contract or beyond.
Provider use of customer name, logo and trademark
The providers' standard terms may grant the provider the right to use customer names, logos and trademarks for the purposes of the provider's publicity. The parties may agree on the deletion or modification of such provisions, including limiting the permissible use to the customer's name and requiring prior approval of the customer for the use of its name, logo and trademark.
Provider actions as regards customer data upon State orders or for regulatory compliance
The providers' standard terms may reserve the right for the provider, at its discretion, to disclose, or provide access to, customer data to State authorities (e.g., by including such wording as "when doing so will be in the best interests of the provider"). They also usually provide for the right of the provider to remove or block customer data immediately after the provider gains knowledge or becomes aware of illegal content or when it has to enforce the right of data subjects to be forgotten, in order to avoid liability under law (the "notice and take down" procedure (see below under Liability)). The parties may agree to narrow down the circumstances in which the provider can perform those actions, for example when the provider faces an order from a court or other State authority to provide access to, or to delete or change, data.
The parties may agree, at a minimum, that the customer will be notified without delay of State orders or the provider's own decisions as regards customer data with a description of the data concerned, unless such notification would violate law. Where the advance notification and involvement of the customer is not possible, the contract may require the provider to serve an immediate ex-post notification to the customer of the same information. The parties may also agree on provisions as regards keeping, and providing customer access to, logs of all orders, requests and other activities as regards customer data.
Rights to cloud service-derived data
The parties may agree on customer rights to cloud service-derived data and how such rights can be exercised during the contractual relationship and upon termination of the contract.
IP rights protection clause
Some types of cloud computing contracts may result in the creation of objects of IP rights, either jointly by the provider and the customer (e.g., service improvements arising from the customer's suggestions) or by the customer alone (new applications, software and other original work). The contract may contain an express IP clause that will determine which party to the contract owns IP rights to various objects deployed or developed in the cloud and the use that the parties can make of such rights. Where no option to negotiate exists, the customer may wish to review any IP clauses to determine whether the provider offers sufficient guarantees and allows the customer appropriate tools to protect and enjoy its IP rights and avoid lock-in risks.
Interoperability and portability
There may be no statutory requirements to ensure interoperability and portability. The onus might be completely on the customer to create compatible export routines, unless the contract provides otherwise, for example, by including contractual commitments as regards interoperability and portability and assistance with the export of data upon termination of the contract (see below under M. End-of-service commitments, Export assistance by the provider). The contract may require the use of common, widely used standardized or interoperable export formats for data and other content or provide choice among available formats. Contractual clauses may also be included to address rights to joint products and applications or software, without which the use of the data and other content in another system may be impossible (see above under IP rights protection clause).
Data retrieval for legal purposes
Customers may need to be able to search and find data placed in the cloud in its original form in order to meet legal requirements (for example, in investigations). The electronic records may need to meet auditing and evidentiary standards. Some providers may be in a position to offer customers assistance with the retrieval of data in the format required by law. The contract may define the form and terms of such assistance.
Data deletion considerations may be applicable during the term of the contract, but particularly upon its termination (see below under Data deletion). For example, certain data may need to be deleted according to the customer's retention plan. Sensitive data may need to be destroyed at a specified time in its lifecycle (e.g., the destruction of hard disks at the end of the life of equipment on which such data was stored). Data may also need to be deleted in order to comply with law enforcement deletion requests or after confirmed IP infringement cases (see above under Provider actions as regards customer data upon State orders or for regulatory compliance).
The providers' standard terms may contain only statements to delete customer data from time to time. The parties may agree on the deletion of data, its backups and metadata immediately, effectively, irrevocably and permanently, in compliance with the data retention and disposition schedules or other form of authorization or request communicated by the customer to the provider. The contract may address the time period and other conditions for data deletion, including obligations as regards a confirmation of the data deletion upon its completion and access to audit trails of the deletion activities.
Particular standards or techniques for deletion may be specified, depending on the nature and sensitivity of the data. The provider may be required to delete data from different locations and media, including from subcontractors' and other third-parties' systems, with different levels of deletion, such as data sanitization ensuring confidentiality of the data until their complete deletion or hardware destruction. More secure deletion involving destruction rather than redeployment of equipment may be more expensive and may not always be possible (if, for example, data of other persons is stored on the same hardware). Those aspects may trigger the inclusion of contractual requirements to use an isolated infrastructure for storing the customer's particularly sensitive data.