Part I of this series we outlined some of the practical
approaches to consider at the outset of a cloud arrangement. In
this Part II we set out below 10 practical solutions to alleviate
some structural, regulatory and contractual issues:
Exploring practical options with the cloud provider may be one
approach to consider, rather than trying to force a cloud provider
to agree to terms later in the negotiation process that it cannot
agree to due to its policies and need to maintain conformity
amongst its customers. The following are some suggestions:
Limit Destination of Data:Agree to
limit the transmission of sensitive data to (or access from)
certain countries rather than using all of the cloud provider's
facilities that may be located around the world. For example, there
may be concerns over a particular country's privacy laws and
whether they provide a 'comparable level' of protection as
required by Canadian privacy law. Simply requiring that only
certain data centres or sites come in contact with the data could
remove a problem, and lessen the regulatory hurdles.
Limit Data: Practically limit the
type of data that is uploaded to the service and is subject to the
cloud agreement. For example, in the human resources context there
may be categories of compensation data or personal information that
are highly sensitive that could be maintained separately from the
cloud solution on the business's own systems.
Reduce Functionality: Consider
switching off certain functionality offered by the cloud solution
that the business is unable to make work within the regulatory
constraints. If the cloud provider agrees, this could lead to
considerable simplification and enable the parties to reach
resolution of outstanding issues; it may be as simple as a
change to a user interface.
Seek Internal Exceptions: Once you
have conducted your due diligence and understand the detailed
service provisions, consider, if required, if the business is able
to seek specific exceptions to its existing standards and policies
and obtain the necessary internal approvals. There may be scope for
compromising on low level requirements.
Consider Add-ons: Consider if there
are add-on software applications that can circumvent particular
issues, for example, through the use of identity authentication
tools deliberately designed to interoperate with cloud solutions to
give added security.
Separate Amending Agreements:If faced
with service level schedules and service descriptions that the
cloud provider cannot amend, consider if you can agree to a
separate amending agreement, or alternatively terms that cut across
the provisions in the main legal agreement rather than making
amendments in the attached schedules.
Prepare to make Informed Compromises:
If the business does not have the will nor the desire to negotiate
certain changes, at least go through the implications of those
terms with the internal client. A pre-informed client that is aware
of the potential discrepancies, issues or limitations can manage
the risks in a practical and informed manner.
Collateral Agreements: Consider if
collateral agreements can be used to circumvent certain contractual
issues. For example, if you are not satisfied with the cloud
provider flowing down contractual provisions to a sub-contractor
data centre, can a separate privity agreement be used, or if there
is a cross border data flow from Europe can European model contract
provisions be used to supplement existing protections?
Be Prepared to Negotiate: Experience
has shown that towards the upper end of the risk/reliance spectrum
with substantial cloud arrangements, cloud providers are open to
common sense and practical suggestions to resolve structural,
regulatory and contractual issues. Do not be afraid to
Consider Alternatives: Ultimately in
the risk/reward context the business may need to be prepared to
walk away and consider other options.
Matthew Wanford is co-leading a Pre-Forum Master Class
entitled Compliant Cloud Computing for Financial Institutions for
the Canadian Institute on September 19, 2012:http://canadianinstitute.com/privacy
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Law Society of British Columbia’s Cloud Computing Working Group issued its Final Report on Cloud Computing on January 27, 2012, amending an earlier consultation report approved by the "Benchers" on July 15, 2011.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).