Use of cloud-based software solutions: legal dos & don’ts
Cloud computing
According to a study by Bitkom published in June 2018, two out of three companies are already using cloud computing. In the case of large companies (a workforce of 2000 or more), this figure is as high as 83%.
So cloud computing is a major part of business – but what exactly is cloud computing? The German Federal Office for Information Security (BSI) describes cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage systems, applications and services) that can be provisioned rapidly and released with minimum management effort or service provider interaction.”
The best-known cloud computing provider with a market share of approximately 32% is Amazon Web Services (AWS), which recorded a turnover of USD 25.4 billion in 2018. Microsoft Azure was second last year with a market share of around 17% and a turnover of USD 13.5 billion. According to a February 2019 analysis by Canalys, AWS recorded annual growth of 47% and Microsoft Azure 82% compared with the previous year.
Alongside the practical benefits of cloud computing, however, companies must also address the legal specifics and challenges. What are the legal risks associated with the use of cloud computing? What kinds of IT contracts are there and what contract types are involved? With which special data protection regulations must companies comply?
IT contracts and contract types in cloud computing
Cloud computing is offered in various forms – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
IaaS, PaaS or SaaS – what am I dealing with?
IaaS is about the provision of IT resources, such as computing power, data storage or networks. Differentiation can be made according to the content of the IaaS, so that, for example, the provision of storage capacities in the form of data storage as a service exists independently as an IT contract, but only represents a special case of the IaaS.
The same is true of the other cloud computing groups. PaaS offers a complete infrastructure to the customer, who can develop and execute their own programs through standardised interfaces.
The SaaS is a licensing and distribution model which allows customers to use software offers for a fee for an agreed period of time without having to install the software on the user’s device.
Determining the contract type is important
The civil law classification of the contracts depends on the respective content; however, a rental contract is to be assumed, for example when using storage capacities through cloud computing. The purchase of standard software is usually a simple purchase contract, whereas individually tailored software solutions can be assumed to be a work contract. The civil law classification of the IT contract has an influence on the warranty and liability claims of the contracting parties.
In the case of cloud-based software offers as SaaS (Software as a Service), elements from work, service and lease contract law are included which prevent a simple assignment as an individual contract type. The Applications Service Provider (ASP) contract also contains elements from different contract types, but has been assigned as a lease contract concerning the main service by the Federal Court of Justice (judgement of 15 November 2006, case no. XII ZR 120/04).
For the contract typological assignment, the focus of the service object of the respective contract part must be determined. The qualification of ASP contracts as lease contracts leads to an interest-oriented result.
The classification as a work contract for cloud computing contracts does not seem appropriate for SaaS, since the performance content of a work contract is performance-based and not transferable to standardised software applications with shared responsibility. The rules regarding the due date of the remuneration, acceptance or completion of the work are inappropriate, as the provider only provides the access option. Classifying the service contract (section 611 et seq. German Civil Code) as an applicable contract type seems unfair to the user, because only performance would be due, not its success. This would result in a fee obligation for the user, if necessary, without the application being able to be used. The initial situation, comparable with the tenancy law, allows at least an analogous application of the regulations, so that the declaration by the Federal Court of Justice can continue to be followed. The common ground is that there is something left to the user to use. Furthermore, within the scope of defects, the claims arising from the tenancy law come into effect and lead to a balance between the interests of both contracting parties.
It is important to recognise that the new form of IT contracts cannot be rigidly assigned to the regime of contracts typified by the German Civil Code. For General Terms and Conditions (GTC) in the area of B2C and B2B (in compliance with Section 310 (1) of the German Civil Code (BGB), the scheduling to a contract type is essential since a check as per section 307 (3) of the German Civil Code only takes place if the GTC deviate from legislation or these additional rules; it is ineffective if it deviates from the fundamental principles of the statutory provisions and is irreconcilable. This depends on the previously determined contract typology, which serves as the basis for the legal assessment.
In addition, conventional problems of software law must of course also be solved in the drafting of contracts in order to ensure comprehensive legal protection. Thus, cloud-based applications are also subject to copyright law, so care must be taken to ensure the adequate granting of usage rights or the effectiveness of open source licences. In addition, special attention must be paid to the definition of service levels and availability in order to limit the liability risk in this respect.
Dos:
- Clear agreement on the performance content
- Identification of the type of IT contract
- Civil law determination of the typology
- Examine effectiveness of rules and clauses
Don’ts:
- Postpone the scheduling of the contract type to later
- Examine liability and warranty claims only in the event of a performance failure
Risks and benefits of cloud computing
The growth in cloud computing and its growing popularity amongst businesses is due to various aspects. First of all, cloud computing enables the real-time scalability of IT performance and can therefore be quickly adapted to individual needs. By outsourcing and utilising third-party expertise, cloud users reduce their own IT administration costs without becoming burdened with additional costs, such as for servers, thereby freeing up capital for development and investment in other areas. Another benefit is the location-independent access to data and the opportunity for simultaneous processing of documents and processes by several employees. Cloud computing enables the user to have increased flexibility at different levels, thereby creating a competitive advantage over other companies.
When it comes to the disadvantages of cloud computing, there are both conventional and cloud-specific risks. Conventional risks when using services from third parties include irresponsible handling by the provider’s employees as well as insufficient technical and organisational measures. Cloud-specific disadvantages for cloud users include dependence on the provider. There is a particular risk for data security with respect to the following conventional protective goals: Confidentiality, integrity and accessibility. The dangers of data loss, data manipulation and at least temporary unavailability of the data represent potential risks. When selecting the provider, one crucial criterion should be the measures taken to prevent dangers. The BSI has published a catalogue of requirements for assessing the information security of cloud services, which can be used for decision-making.
The study conducted by bitkom found that there were more data security incidents in the internal IT of companies than with companies which used public cloud applications. Use of the cloud alone therefore does not increase the risk to data security. Although large cloud providers are more often targeted by hacking attempts, they place a particularly high emphasis on the protection of their applications and invest greater sums than companies would and could do in their own IT systems. Fifty percent of the companies surveyed say that the security of their data has been included in the cloud.
Dos:
- Determination of the necessity for outsourcing and scope of external IT structures
- Certifications of the cloud provider regarding data security
- Assessment of the long, medium or only short-term benefits of cloud computing
Don’ts:
- Absolute dependence on the provider
- Neglect of in-house security standards
Data protection requirements
Cloud computing faces legal challenges in the area of data protection. When erasing data, the user cannot simulate and verify whether all data has been erased and that no data has remained in the backup system, for example. There are very few cases where system and usage logs are provided to the user to inform them of difficulties or incidents, unless this is agreed in a contract. With major cloud providers in particular, the individual design of such clauses in contracts is usually not possible, resulting in the widest possible self-control on the part of the cloud provider.
Also problematic in terms of data protection law is the mostly non-transparent storage and duplication of data on servers in different countries, which may have different data protection standards and which may cause a divergence in the level of protection mandatory for the user and what is afforded by the supplier.
A processing contract in accordance with Art. 28 (3) of the GDPR is to be concluded between the user (controller as per Art. 4 (7) of the GDPR) and the provider (processor as per Art. 4 (8) of the GDPR). In addition to the mandatory section listed in paragraph 3, it is also recommended with regard to the erasure of data after the end of the contract, that regulations be established regarding information obligations and the commissioning of subcontractors, control rights and processing of data outside the EU/EEA.
Dos:
- Conclusion of a processing contract as per Art. 28 (s) of the GDPR
- Guarantee of control rights
- Regulations regarding processing outside the EU/EEA and the handling of data after the end of the contract
Don’ts:
- Infringement of obligations as a controller and GDPR
- “Shifting of responsibility” to the cloud provider
- Processing data in the cloud without local backup
- Loss of control over data
Conclusion
Cloud computing has become an indispensable part of the digital economy, providing companies with a variety of usage and development opportunities. For many users of cloud computing, concerns about data security have given way to the joy of flexibility and practicality, so it is expected that the cloud computing sector will grow in the coming years. The practical benefits are accompanied by legal issues. Determining the type of contract and complying with data protection regulations represent the greatest challenges for users. As noted, the specific content of the contract and the subject matter of the performance object to be determined serve as a starting point for using cloud computing in a legally compliant manner. In particular, the contract typological classification may pose problems for users, but also providers, with the result that claims are not made or not made in time.