Disclaimer:The views expressed here are personal and should not be taken as legal advice.

CIOs will constantly be looked upon to come up with innovative models to leverage the benefits of cloud computing as a key differentiator to help businesses realize objectives of flexibility, scalability, cost control, and so on. Whether a CIO pro-actively comes up with a proposal for a cloud based model in preference to a traditional legacy based one, or, if he or she is asked to explore the cloud as a cost effective model, the debate is not merely the CFO’s demand for a convincing logic for capital outlay, or a cost comparison under either models. A CIO would rightly have other concerns – security, data privacy, ownership issues, compatibility of platforms, and the like. The CIO’s success would lie in embracing a proper cloud service model while addressing these concerns to protect the larger organizational interest.

To overcome these risks and challenges in this balancing act, it is imperative that the least that could be done by the CIO is either -

1. To negotiate a properly documented and ‘enforceable’ contract with the cloud service provider; or,
2. To justify the decision to go ahead, even if it is not possible to negotiate with the service provider on the contract clauses, considering the overall larger benefits, and treating the sub-optimal contract as an evil whose risk is containable.  In this case, the CIO has to clearly communicate the risk vs. benefit equation and sell the idea as a business decision to a wider audience.

The first option will require the CIO and the CLO (Chief Legal Officer) to collaborate, as the right contract will be the outcome of cross-functional expertise. The second option will require that the CIO discuss with the CLO in detail on the missing legal safeguards, and the individual and collective risk involved therein. Either way, it is inevitable that legal implications and challenges under the cloud environment be clearly understood; it is here that a CIO will discover that there is more than what was initially estimated.  Amongst the two options, the first is certainly better. However, practically speaking, the CIO would end up getting the desired comfort in some aspects of the contract, and a business call will have to be taken for the reminder. Proper contract documentation for cloud services, or assessment of the impact of its absence, is not easy. What are the experiences, precedents, issues, solutions and recommendations on legal issues involved in cloud computing, especially in a public cloud scenario, whether in India or other jurisdictions where more clouds are operational?

The foremost noteworthy issue is that the typical cloud service contract is a standardized one – often, though not always, an online click through agreement. Many of these are akin to the ‘terms of use’ of an email service - cartloads of disclaimers and no liability on the service provider. If the standard excuse of a standardized contract for cloud services is resorted to in markets, where traditional outsourcing contracts are well deliberated and tailor made after successive rounds of negotiation, where contract breaches are well tested in courts and where precedents are available, what to say of jurisdictions where perils of breaches in the IT domain are yet to be fully visualized?  To add to the perils of having a ‘standard agreement’, which is passed on to the customer as being non-negotiable – please sign at the places marked ‘x’ and return; most of the cloud providers are US based, where terms of the contract are, more often than not, pro-vendor. Larger customers with dedicated in-house legal support or external legal advise may be able to estimate risks involved in a standard contract. However, SMEs and other smaller customers may not have either in-house expertise or budgets for a critical legal vetting of cloud contracts, and it is these who are expected to be the bigger chunk of cloud patrons for whom cloud computing is said to be more suitable to achieve cost benefits of shared services, infrastructure and utilities.

If a genuine cloud customer attempts to pierce the veil of the standard uniform agreement and gets into actual ‘legalese’, resistance from the cloud service provider is assured. Typically –

1. The very premise of a cloud computing model is standardization at the service provider’s level. Hence, legal documentation has to work within this frame, and cannot be divorced of this inherent characteristic.
2. Since resources, infrastructure, operations and processes of the cloud service provider are uniform to all customers, there is no reason why the contract has to be unique for each of them.
3. Providing preferential terms to some customers would detriment others who also subscribe to the cloud services on similar terms.
4. The cloud service provider would not be able to change individual parameters – say for example data protection safeguards, data locations, data privacy and housekeeping, data transfer procedures and the like, as per the needs of individual customers. Hence the legal contract, by default, has to be standard and uniform.
5. The pricing offered to the cloud customer is highly competitive taking into account the savings in fixed costs due to apportionment across customers. If individual contracts are to be negotiated, such pricing will not ‘work out’ for the cloud service provider.
6. The terms of the cloud service contract have been painstakingly developed by the service provider considering the regulatory compliances involved and changing any of the standard clauses will expose the parties to the risk of non-compliance with statutory requirements.

However the aforesaid are quoted merely to build a case for standard contracts. It is possible to address specific concerns without in any manner disturbing the aforesaid propositions. Of course, negotiation is easier for bigger customers. For example, the Los Angeles Times reported in October 2009 that the Los Angeles City Council was able to negotiate favourable service levels, liabilities etc., with Google for email and data storage services. To achieve this efficiently, cloud customers should state the desired terms with greater details and specifications at the initial stages of negotiation, say while framing the request for proposal (RFP) or the Letter of Intent (LOI). This gives scope to address the concerns sooner in the day, and also provides the cloud service provider an opportunity to present flexi-costing options, with differential costing to match the customer’s request for stronger terms.