Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)

Part two. Drafting a contract

D. Rights to customer data and other content

Provider rights to customer data for the provision of services

Providers usually reserve the right to access customer data on a "need-to-know" basis. That arrangement would allow access to customer data by the provider's employees, subcontractors and other third parties (e.g., auditors) where necessary for the provision of the cloud computing services (including maintenance, support and security purposes) and for monitoring compliance with applicable AUP, IP licences, SLA and other contractual documents. The parties may agree on circumstances when the provider's access to customer data would be allowed and measures that would ensure confidentiality and integrity of customer data.

Certain rights to access customer data can be considered to be implicitly granted by the customer to the provider by requiring a certain service or feature: without those rights, the provider would not be able to perform the services. For example, if the provider is required to regularly back up customer data, the fulfilment of that task necessitates the right to copy the data. Likewise, if subcontractors are to handle customer data, the provider must be able to transfer the data to them.

The contract may explicitly indicate which are the rights concerning data required for the performance of the contract that the customer grants to the provider, whether and to what extent the provider is entitled to transfer those rights to third parties (e.g., its subcontractors) and the geographical and temporal extent of the granted or implied rights. The geographical limitations could be particularly important when data cannot leave a certain country or region under law. Contracts typically state whether the customer is able to revoke granted or implied rights and if so, under what conditions. Since the ability to provide the services at the required level of quality may depend on the rights granted by the customer, the direct impact of revocation of certain rights could be the amendment or termination of the contract.

Provider use of customer data for other purposes

Most jurisdictions do not grant the provider automatic rights to use the customer data for the provider's own purposes. The provider may request use of customer data for purposes other than those linked to the provision of the cloud computing services under the contract (e.g., for advertising, generating statistics, analytical or prediction reports, or engaging in other data mining practices). The questions to consider in that context may include: (a) which information about the customer and its end users will be collected and the reasons for and purposes of its collection and use by the provider; (b) whether that information will be shared with other organizations, companies or individuals and if so, the reasons for doing so and whether this will be done with or without the customer's consent; and (c) how compliance with confidentiality and security policies will be ensured if the provider shares that information with third parties. Where the provider's use of customer data will affect personal data, the parties would normally be expected to carefully assess their regulatory compliance obligations under applicable data protection laws.

Where the contract gives the provider rights to use the customer data for the provider's own purposes, the contract may also list permissible grounds for such use, include obligations regarding de-identification and anonymization of customer data to ensure compliance with any applicable data protection and other regulations and impose limits on reproduction of content and communication to the public. It is common to permit the provider to use customer data for its own purposes only as anonymized open data or in aggregated and de-identified form during the term of the contract or beyond.

Provider use of customer name, logo and trademark

The providers' standard terms may grant the provider the right to use customer names, logos and trademarks for the purposes of the provider's publicity. The parties may agree on the deletion or modification of such provisions, including limiting the permissible use to the customer's name and requiring prior approval of the customer for the use of its name, logo and trademark.

Provider actions as regards customer data upon State orders or for regulatory compliance

The providers' standard terms may reserve the right for the provider, at its discretion, to disclose, or provide access to, customer data to State authorities (e.g., by including such wording as "when doing so will be in the best interests of the provider"). They also usually provide for the right of the provider to remove or block customer data immediately after the provider gains knowledge or becomes aware of illegal content or when it has to enforce the right of data subjects to be forgotten, in order to avoid liability under law (the "notice and take down" procedure (see below under Liability)). The parties may agree to narrow down the circumstances in which the provider can perform those actions, for example when the provider faces an order from a court or other State authority to provide access to, or to delete or change, data.

The parties may agree, at a minimum, that the customer will be notified without delay of State orders or the provider's own decisions as regards customer data with a description of the data concerned, unless such notification would violate law. Where the advance notification and involvement of the customer is not possible, the contract may require the provider to serve an immediate ex-post notification to the customer of the same information. The parties may also agree on provisions as regards keeping logs of all orders, requests and other activities as regards customer data and providing the customer with access to those logs.

Rights to cloud service-derived data

The parties may agree on customer rights to cloud service-derived data and how such rights can be exercised during the contractual relationship and upon termination of the contract.

IP rights protection clause

Some types of cloud computing contracts may result in the creation of objects of IP rights, either jointly by the provider and the customer (e.g., service improvements arising from the customer's suggestions) or by the customer alone (new applications, software and other original work). The contract may contain an express IP clause that will determine which party to the contract owns IP rights to various objects deployed or developed in the cloud and the use that the parties can make of such rights. Where no option to negotiate exists, the customer may wish to review any IP clauses to determine whether the provider offers sufficient guarantees and allows the customer appropriate tools to protect and enjoy its IP rights and avoid lock-in risks.

Interoperability and portability

There may be no statutory requirements to ensure interoperability and portability. The onus might be completely on the customer to create compatible export routines, unless the contract provides otherwise, for example, by including contractual commitments as regards interoperability and portability and assistance with the export of data upon termination of the contract (see below under M. End-of-service commitments, Export assistance by the provider). The contract may require the use of common, widely used standardized or interoperable export formats for data and other content or provide choice among available formats. Contractual clauses may also be included to address rights to joint products and applications or software, without which the use of the data and other content in another system may be impossible (see above under IP rights protection clause).

Data retrieval for legal purposes

Customers may need to be able to search and find data placed in the cloud in its original form in order to meet legal requirements (for example, in investigations). The electronic records may need to meet auditing and evidentiary standards. Some providers may be in a position to offer customers assistance with the retrieval of data in the format required by law. The contract may define the form and terms of such assistance.

Data deletion

Data deletion considerations may be applicable during the term of the contract, but particularly upon its termination (see below under Data deletion). For example, certain data may need to be deleted according to the customer's retention plan. Sensitive data may need to be destroyed at a specified time in its lifecycle (e.g., the destruction of hard disks at the end of the life of equipment on which such data was stored). Data may also need to be deleted in order to comply with law enforcement deletion requests or after confirmed IP infringement cases (see above under Provider actions as regards customer data upon State orders or for regulatory compliance).

The providers' standard terms may contain only statements to delete customer data from time to time. The parties may agree on the deletion of data, its backups and metadata immediately, effectively, irrevocably and permanently, in compliance with the data retention and disposition schedules or other form of authorization or request communicated by the customer to the provider. The contract may address the time period and other conditions for data deletion, including obligations as regards a confirmation of the data deletion upon its completion and access to audit trails of the deletion activities.

Particular standards or techniques for deletion may be specified, depending on the nature and sensitivity of the data. The provider may be required to delete data from different locations and media, including from subcontractors' and other third-parties' systems, with different levels of deletion, such as data sanitization ensuring confidentiality of the data until their complete deletion or hardware destruction. More secure deletion involving destruction rather than redeployment of equipment may be more expensive and may not always be possible (if, for example, data of other persons is stored on the same hardware). Those aspects may trigger the inclusion of contractual requirements to use an isolated infrastructure for storing the customer's particularly sensitive data.

Relevant Glossary terms

Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.

Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider. It includes metadata and any other log data generated by the provider containing records of who used the services, at what times, which functions and which types of data are involved. It can also include information about authorized users, their identifiers and any configuration, customization and modification.

Data subjects' rights: Rights associated with data subjects' personal data. Data subjects under law may enjoy the right to be informed about all significant facts related to their personal data, including data location, use by third parties and data leaks or other data breaches. They may also have the right to access their personal data at any time, the right to erasure of their personal data (pursuant to the right to be forgotten), the right to restrict processing of their personal data and the right to portability of their personal data.

Interoperability: The ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licensed property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Lock-in: Where the customer is dependent on a single provider because the costs of switching to another provider are substantial. Costs in this context are to be understood in the broadest sense as encompassing not only monetary expenses but also effort, time and relational aspects.

Metadata: Basic information about data (such as author, when the data were created, when they were modified and file size). It makes finding and using the data easier and may be required to ensure the authenticity of the record. It can be generated by the customer or the provider.

Portability: The ability to easily transfer data, applications and other content from one system to another (i.e., at low cost, with minimal disruption and without being required to re-enter data, re-engineer processes or re-program applications). This might be achieved if it is possible to retrieve the data in the format that is accepted in another system or with a simple and straightforward transformation using commonly available tools. The service level agreement (SLA) may contain performance parameters related to portability, e.g., the customer data is retrievable by the customer via a single download link or documented application programming interfaces (API); or the data format is structured and documented in a sufficient manner to allow the customer to re-use it or to restructure it into a different data format if desired.

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract (see the performance parameters).