The SLALOM project: Consequences of expiration or termination of the agreement, Data Protection and Conclusion

Read more on our SLALOM series

1. Introduction - Subject-Matter - Main Obligations of the Parties
2. Service levels-Service credits - Variation of the services
3. Intellectual Property - Liability
4. Consequences of expiration or termination of the agreement - Data Protection - Conclusion

Consequences of expiration or termination of the agreement

1. the data and content uploaded can be easily and quickly retrieved (also whether the format of the data is exportable and reversible);
2. a new Provider is permitted to use such data and content; and
3. the services can be extended until the new Provider is fully capable to provide the services.

Once the migration has been concluded, it is important to ensure that the data and content of the Adopter can be deleted. This is in order to comply with data protection legislation and with any confidentiality obligations between the parties. In particular, when processing personal data, it is the Provider’s duty to erase or otherwise destroy all personal data and certify that such personal data has been destroyed on its and its subcontractors’ systems, or return any personal data in a structured and widely-used format with appropriate guarantees of portability. Indeed, as also noted by the Information Commissioner Office (the UK data protection authority) in its "Guidance on the use of cloud computing", "when data is deleted is it rarely removed entirely from the underlying storage media unless some additional steps are taken. In addition, a cloud Provider is likely to have multiple copies of data stored in multiple locations to provide a more reliable service. This may include back-up tapes or other media not directly connected to the cloud. Copies of personal data stored in a cloud service may also be stored in other forms such as index structures. ... The cloud customer must ensure that the cloud Provider can delete all copies of personal data within a timescale that is in line with their own deletion schedule."

With reference to clauses proposed in the market on this issue, some cloud computing agreements specify that:

1. the Adopter shall not be entitled to use the services;
2. the Adopter’s rights under the agreement shall cease;
3. the Adopter shall be obligated to return or destroy the content provided by the Provider which are still in the Adopter’s possession;
4. provisions concerning, among others, indemnification obligations, the responsibility of the Adopter under the AUP, intellectual property rights, confidentiality obligations, shall survive termination or expiration;
5. all fees owed by the Adopter to the Provider shall be due immediately;
6. the governing law and jurisdiction provisions shall continue to apply to the surviving terms.

In addition to the above, with reference to the content uploaded/created/published by the Adopter, most cloud computing agreements provide that the Provider shall not erase such content for a certain period of time (generally from 30 up to 90 days) and that the Adopter shall be entitled to retrieve such content.

Some cloud computing agreements provide that the Adopter, in order to retrieve its data, must pay a charge for the services performed by the Provider after termination or expiration.

Under some other cloud computing agreements, upon termination because of the Adopter, the Provider shall refund the Adopter any prepaid fees covering the remainder of the term of all order forms after the effective date of termination and if the agreement is terminated because of the Provider, the Adopter shall pay any unpaid fees covering the remainder of the term of all order forms.

The clause on effects of termination and expiration of the SLALOM CSA states that, upon termination or expiration of the agreement, the Provider shall undertake to return the Adopter's data to the Adopter or to transfer the Adopter's data to a new Provider (at the Adopter’s expenses). This is in line with the recommendations put forward by some stakeholders (as well as the recent decision of the Tribunal de Grande Instance de Nanterre of 30 November 2012).

The Provider shall finally have the obligation to delete or destroy all Adopter data from all systems which were used to provide the services at the agreed time.

With reference to costs, we have distinguished between two cases: the retrieval by the Adopter of Adopter data shall be free of charge; while the transfer of Adopter data to the Adopter or to any third party (including a new Provider) shall be at the Adopter’s costs.

In line with the recommendations of EU cloud expert groups , we have set forth that in the case of termination of the CSA due to breach by the Provider, the cost of transfer of the Adopter data borne by the Adopter shall be reimbursed by the Provider.

We have set out a provision concerning the survival of certain clauses after the expiration or termination of the CSA such as: Sections 8 (Intellectual Property Rights), 10 (Consequences of Termination), 11 (Confidentiality Obligations), 12.2 and 12.3 (Warranties and Liabilities), 13 (Indemnification), 14 (Insurance Obligations); 17 (Data Protection); 19 (Notices – Party’s Team Leaders); 20 (Governing Law); 21 (Disputes – Jurisdiction); and 22 (Final Provisions).

Data Protection

Ensuring protection of the personal data that are processed in the context of the cloud services is a crucial point both for the Adopters and the Providers. During the past years there has been a progressive and significant change in the culture of cloud service Adopters and Providers approaching data protection and security compliance: one of the reasons is likely that most of the operators, each of them from their own perspective, faced new compliance challenges and increased the risks of their liability under the applicable data protection legislation.

This is even more true and actual when the General Data Protection Regulation (2012/0011 (COD) to be formally approved soon) will come into force in 2018. By then, EU (and non-EU) Providers should be ready to manage increased direct liabilities and responsibilities in the processing of personal data of individuals whose personal data are impacted by the cloud services they offer. On the other side, the Adopters will be required to increase the level of accountability that they are currently used to.

Undoubtedly, having clear statements and undertakings in the cloud service agreements on what the obligations for each of the parties are in terms of personal data processing - or even to clarify whether the processing of personal data using the cloud services is permitted - is crucial. Indeed, especially before the entering into force of the General Data Protection Regulation, the obligations of the parties may vary depending on the applicable data protection and privacy laws and some jurisdictions and local regulators may restrict the use of cloud services for processing of certain categories of personal data (e.g., sensitive data, including health data) if the storage of data is with a third party (e.g., under French legislation), or because the personal data have to be transferred outside the EU, or because the data are protected under professional rules and secrets.

As a matter of fact, in order to also meet the expectations and recommendations issued by many national Data Protection Authorities this clause must set out the roles (data controller/data processor) taken by each of the parties (Adopter vs Provider) in relation to the personal data stored and/or processed as a result of the services and their primary data protection compliance obligations. Full details of the data processing obligations for the Provider are often part of an attachment to the agreement (this is common in circumstances when the services are offered to EU Adopters or by EU Providers).

This section may also include - especially if the cloud services are offered to consumers – a privacy notice for the Adopter where the Provider describes how it will process (as data controller for this limited purpose) the Adopter’s personal data in order to execute the agreement. However, as this privacy policy may not be required as part of the agreement in many of the jurisdictions (e.g. UK, Germany, Italy), it may be set out in a separate document.

In current market practice, Providers adopt different solutions in relation to data protection : some prefer not to cover this matter specifically in the contract (leaving their data protection obligations to be identified based on an interpretation of applicable legislation), whilst others address these topics scattering the rights and obligations on this matter across several clauses or (more often) in the documentation attached to the agreement (e.g., the data security attachment, and/or the data processing agreement/privacy policy usually available as an attachment to the agreement), and a few others offer Adopters a more comprehensive data processing addendum.

When it comes to location and transfer of personal data, market operators approach the matter by identifying (or making the Adopter identify) the location of the data centre, retaining nevertheless the right to move the data from the selected regions to another simply by notifying the Adopter or even without notification, if permitted by law. After the CJEU judgment on the Schrems Case most of the Providers that used to transfer personal data to data centres in the United States under the legal basis of the Safe Harbor radically changed their approach either by transferring their data centres to the EU (or other countries offering adequate protection according to EU legislation) or by entering into Standard Contractual Clauses.

The security standards, and the retention obligations to comply with upon the termination of the cloud service agreement, are other two sensitive topics. Whatever the mechanism is to refer to technical security documentation describing the promised security obligations of the Provider, the current market practice apparently prefers to refer to a list of "reasonable" security standards rather than adhering to security standards specifically listed under the legislation and to pass/leave any liability and responsibility on the security of personal data onto the Adopters as much as possible.

Under the SLALOM project, the proposed approach on the management of data protection requirements is to have:

1. a core clause that focuses on the clear definition of the roles of the parties (setting out by default the role of each of the parties as controller – usually the Adopter or the final user – or processor – usually the Provider) and their obligations as arising under EU legislation (and under the future prospective of the General Data Protection Regulation),
2. a data processing addendum providing detailed instructions to the Providers about the processing of personal data; and
3. if applicable, a sample privacy policy.

The proposed data processing addendum includes the following key points: the purpose limitation in relation to the processing of personal data that the Provider is entitled to carry out, the restrictions on subcontracting (including specific clauses to legitimise the position of the subcontractors in relation to the processing of data as sub-processors), clear cooperation, reporting and notification obligations, as well as the Provider's undertaking to implement a detailed list of the security measures and deletion procedures upon termination of the agreement. The proposed addendum finally addresses also the data transfer requirements and restrictions, but also how the Provider should cooperate with the Adopter to ensure the data subjects can exercise their rights and the audit may be performed by the Adopter and the authorities.

Conclusions

In the last few years, the offer of cloud computing services in the market has significantly increased.

The cloud computing services existing in the market provide different technical parameters in relation to the services. The contracts are then very different one from the other and govern the relationship between Providers and Adopters in very different ways.

One of the main requests coming from Adopters concerns being able to measure and evaluate the numerous services offered in the market.

It is also increasingly important for Providers to be able to propose services that are easily comparable to other services proposed by their competitors.

Such a comparison, to be complete and exhaustive, has to take into account, on the one hand, the technical parameters and, on the other hand, the legal terms and conditions.

Standardising the cloud services will obviously not mean having services with the same levels of quality and quantity. Rather, it will mean that we must set out clear criteria in order to help Adopters understand the effective quantity and quality levels of each service offered by Providers.

At the same time, standardising cloud computing agreements will not imply that the parties shall agree the same terms and conditions for all of their cloud computing services. Instead, it will mean that the parties will be fully aware of the possible schemes of standard clauses governing their relationships and will be free to decide on any integrations or changes, whether more favourable to a party or to another, to the standard clauses.

We deem that a project such as SLALOM can provide an important contribution to the standardisation of cloud services and relevant contracts and can help to identify which technical parameters and contractual terms are –most acceptable for all the stakeholders.