Out-Law News 4 min. read

Commission seeks model contract terms and new standards for cloud computing services

The European Commission is to draw up new model contract terms that businesses could use in forming contracts and service level agreements with cloud computing providers.

The Commission said (16-page / 107KB PDF) the "safe and fair contract terms and conditions" could help improve the trust that businesses have in cloud providers to deliver on service. The Commission had proposed establishing standard terms and conditions for the use of cloud computing services in a consultation it held in 2011.

"The complexity and uncertainty of the legal framework for cloud services providers means that they often use complex contracts or service level agreements with extensive disclaimers," the Commission said in a new 'communication' titled 'Unleashing the Potential of Cloud Computing in Europe'. "The use of 'take-it-or-leave-it' standard contracts might be cost-saving for the provider but is often undesirable for the user, including the final consumer. Such contracts may also impose the choice of applicable law or inhibit data recovery."

"Even larger companies have little negotiation power and contracts often do not provide for liability for data integrity, confidentiality or service continuity," it said. "As regards professional users, the development of the model terms for cloud computing of the service level agreements for professional users were one of the most important issues that arose during the consultation process. The service level agreements determine the relationship between the cloud provider and professional users, and thus essentially provide the basis of trust cloud users can have in a cloud provider's ability to deliver services."

The Commission said it would develop the model terms, with the help of "stakeholders", before the end of 2013.

Within the same deadline new model terms will also be proposed specifically for small businesses and consumers for "those issues that fall within the Common European Sales Law proposal," the Commission said.

"The aim is to standardise key contract terms and conditions, providing best practice contract terms for cloud services on aspects related with the supply of 'digital content'," the Commission said.

Last year the European Commission proposed a new Common European Sales Law (CESL), which would provide traders and consumers with the option of agreeing transactions in line with the harmonised laws set out in the text. The '28th regime' of contract law would exist alongside the contract laws that apply in the 27 EU member states and would apply only if both the trader and consumer in a sales transaction opted to use it.

The new law could be used in contracts for the cross-border sale of goods between businesses and consumers or between two different traders providing at least one of the traders is a small or medium-sized enterprise (SME), as defined by CESL. Traders from outside the EU could also operate contracts within the new regime providing that the business they are dealing with is based within the EU.

Banks and other financial service institutions will not be able to offer the new contract law regime for financial service transactions, such as online banking. The sale of intangible digital goods, such as the sale of music files online, would be able to be covered by the new regime, though.

The Commission also said that it would set up a new "expert group" to look into whether new "safe and fair contract terms and conditions" could be created as an additional "optional instrument" for SME-consumer transactions on issues that are not covered by CESL.

The Commission also hinted that the model terms it is looking to draft could address the issue of remuneration for rights holders for any private copying of copyright-protected digital content stored in the cloud.

A former European Commissioner is currently mediating discussions between stakeholders around the future of rules around private copying. The Commission said it would wait to see what the "outcome" of those discussions were before assessing "whether there is a need to clarify the scope of the private copying exception and the applicability of levies, in particular the extent to which cloud computing services allowing for the direct remuneration of right holders are excluded from the private copy levy regime".

The UK's Intellectual Property Office (IPO) earlier this year reported that rights holder groups have called for individuals to be prevented from copying digital content into cloud storage services for private use.

In addition, the Commission said it would review and possibly adapt "as needed" the model contract clauses it has previously drafted in order that they fit with cloud services. Businesses can use model contract clauses drafted by the Commission to govern the transfer of personal data from the EU to 'third countries'.

The Commission said that it will also work with cloud providers in a bid to establish a new "code of conduct" that would "support a uniform application of data protection rules". The code could be put before the Article 29 Working Party, a committee of EU privacy watchdogs, for scrutiny. The Working Party's "endorsement" would "ensure legal certainty and coherence between the code of conduct and EU law," the Commission said.

The European Telecommunications Standards Institute (ETSI) has also been asked to help set out what new standards are required for the way that cloud services work. Those standards could relate to data security, interoperability and data portability, the Commission said. It said that new "technical specifications in the field of information and communication technologies for the protection of personal information" would have to meet the EU rules on standardisation.

The Commission said that it would seek to develop new "EU-wide voluntary certification schemes in the area of cloud computing", including certification schemes that enable businesses to review cloud providers' data protection compliance. It could publish a list of those schemes "by 2014".

"The priority now is to deploy existing standards to develop confidence in cloud computing via comparable service stacks as well as interoperable and diverse offerings," the Commission said. "In addition to identifying the concerned standards compliance certification is needed. Many, and certainly all larger organisations, require certification of their IT systems' compliance with legal and audit requirements and that applications and systems are interoperable."

Earlier this year the Article 29 Working Party said that businesses that wish to use cloud services to store and process personal data must use providers that can "guarantee" compliance with EU data protection laws.

The Commission said that its plans have the potential to create 2.5 million new jobs in Europe and increase the EU's gross domestic product by €160bn a year by 2020.

The EU's Justice Commissioner Viviane Reding said: "Europe needs to think big. The cloud strategy will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe. That means a swift adoption of the new data protection framework which the Commission proposed earlier this year and the development of safe and fair contract terms and conditions."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.