Digitalisation in the wake of the Covid-19 pandemic – the digitalisation agreement
We believe that the transition to a post-crisis period will be defined by increased digitalisation. Digitalisation has already taken a huge leap due to the effects of Covid-19, including travel restrictions and restrictions on in-person meetings. Using services provided by external suppliers is an essential component in the digitalisation of many organisations.
A key ingredient of every successful digitalisation process is good agreements. Entering into and negotiating IT agreements does however come with certain risks. In this article, we discuss some of the most common issues and pitfalls related to IT agreements and how to avoid them.
Cloud services – an introduction
How a delivery that furthers digitalisation is achieved in practice can vary greatly. From the contracting perspective, there are however (although somewhat simplified) two main types of IT agreements: delivery agreements and service agreements. A cloud service agreement is an example of a service agreement.
“Cloud services” is a collective term used for online-based IT services that are provided by a third party, instead of through the user’s own computers and IT resources (through so-called on-premise solutions). What makes cloud services attractive is, among other things, that cloud services are easily scalable and that the user does not need to have control over and update the infrastructure. All of this is instead done by the supplier. Cloud services also facilitate work regardless of time and place. Another advantage is that the user does not have to rely on any single computer or unit to work.
The following are the generally accepted main types of cloud services:
- Software-as-a-Service (SaaS) – ready-made software or applications that are available over the Internet, for example Microsoft Office 365, Salesforce and SAP.
- Platform-as-a-Service (PaaS) – hardware and software tools available over the Internet, such as operating systems, databases, programming tools and web servers.
- Infrastructure-as-a-Service (IaaS) – access to hardware capacity over the Internet, such as storage, network capacity and processing power.
These types of services can be compared with their corresponding on-premise solutions – as illustrated in the below image from Hosting Advice:
The cloud services agreement – basics and how to avoid the pitfalls
The service description is arguably the heart of every IT service agreement. A good service description should clearly state which services are to be performed and define their scope. The service description serves, among other things, as a basis for agreed service levels (SLA), guarantees and responsibilities under the agreement.
Before purchasing cloud services, the customer should decide on requirements. The service description should then be reviewed to confirm that it meets these requirements. This is especially the case if you buy a standardized “off the shelf” product. Service descriptions are often more or less vague in their language, which could be either an advantage or disadvantage to the customer. As an alternative (or complement) to a service description, you could try to get a test solution for functionality tests during a limited time. Where there is a risk that the customer’s requirements are not met, this should be discussed with the supplier. It is also important that the customer reviews the supplier’s security obligations under the agreement.
Prices and pricing models
In order to avoid rampant costs and to get the best possible agreement, the customer should review the cloud service provider’s prices and pricing model. It is common for the pricing model to consist of a fixed price component – a base price – and a variable price component based on utilized resources. The customer should, among other things, examine what is included in the base price and how the variable part of the pricing model is designed. It is important to understand what kind of use affects the variable price. One example of an ambiguity that we have recently seen in a dispute is how the term “actual user” (as a price-regulating factor) should be interpreted. It should serve as a reminder of the importance of clearly defining key concepts in the agreement. Unambiguous definitions are a must. The customer should also review whether the agreement contains limitations on flexibility.
Cloud services are constantly changed and updated by the cloud service provider. This is a natural part of cloud services, and also part of the advantage of using them. The fact that cloud services are constantly changed and updated does, however, give rise to an important question – how does the customer prevent the services from deteriorating and important functionality from disappearing or changing?
Cloud service agreements often contain supplier-friendly, one-sided change management clauses. These clauses often give the supplier the freedom to unilaterally change the services in ways the supplier deems appropriate. In order to avoid the services deteriorating to the extent that they do not meet the customer’s needs, the customer should try to establish a baseline from which the services are not allowed to deteriorate. This is especially important with regard to security requirements and obligations. The customer should, inter alia, check whether the agreement allows the customer to terminate the agreement in case changes lead to the services no longer meeting the customer’s requirements (see further under Termination rights below).
The customer should also be wary of accepting clauses that permit the supplier to unilaterally change subcontractors – especially if the customer is under the supervision of a financial supervisory authority and obligated to comply with the EBA Guidelines on outsourcing arrangements or the EIOPA Guidelines on outsourcing to cloud service providers.
The cloud service agreement’s confidentiality clause should be reciprocal and include an obligation for the supplier to keep the customer’s data and information confidential. The customer should also ensure that the customer’s data and information may not be:
- disclosed to third parties;
- disclosed to the supplier’s staff, other than to those who work with providing the services to the customer; or
- used for purposes other than to deliver the service.
The confidentiality clause is also relevant in assessing whether classified information can be lawfully “disclosed” to the supplier under the Swedish Public Access to Information and Secrecy Act (Sw. Offentlighets- och sekretesslagen). It is also relevant in relation to the rules on transfers of personal data to third countries under the GDPR.
Transfers of personal data to third countries
Many cloud service providers are based, or have data centers, in third countries, such as the United States, India and China. In order to transfer personal data to third countries, the GDPR requires that appropriate safeguards be taken. The customer should therefore carefully review where the customer’s data will be stored and processed under the agreement and ensure that the processing of personal data is regulated in an appropriate manner. In practice, it is common for the European Commission’s standard contractual clauses to be used in the transfer of personal data to third countries.
Following the European Court of Justice’s ruling in the so-called Schrems II case, it is however uncertain under what circumstances it is possible to lawfully transfer personal data to third countries and in particular to the United States. In its ruling, the European Court of Justice annulled the Privacy Shield decision, which was used by many companies as a legal basis to transfer personal data to the US. The standard contractual clauses were not invalidated by the European Court of Justice but the Court’s reasoning on the requirements for using them has generated uncertainty as to the extent to which they can be used to transfer personal data to third countries.
In some cases, it may be appropriate to use binding corporate rules (“BCR”) when transferring personal data to third countries. The Swedish Data Protection Authority recently approved Tetra Pak’s BCRs for transfers of personal data to third countries – the first such decision to be made by the Swedish Data Protection Authority. However, even in cases where BCRs have been approved, an assessment must be made as to whether the use of the BCRs provides such an adequate level of protection as is required by the GDPR. The assessment must be made in relation to each and every third country in question.
Intellectual Property Rights
Another important issue to consider when using cloud services is who is the owner of intellectual property rights related to the service. Who owns the rights to inputs such as data and materials, to the services provided through the cloud and to the output of the service?
The customer should ensure that no rights to the customer’s data and materials are assigned to the supplier through the use of the cloud services. The customer should also ensure that rights to output generated through the use of the cloud services vest in the customer.
It is of course important that the agreement’s liability clause is not one-sided to the supplier’s advantage – i.e. that the supplier limits its own liability while the customer’s liability remains unlimited. When reviewing the liability clause, the customer should pay special attention to the liability caps and the types of damages for which the supplier is not liable. The customer should also make sure that the agreement expressly sets out that the supplier’s limitation of liability does not apply in case of intent or gross negligence – and not rely solely on general principles of law to cater for this.
Many cloud service agreements allow the supplier to suspend the customer’s access to the cloud services. The agreement often sets the bar low for when the supplier is allowed to do that – for example, if the customer does not pay on time or if the customer violates supplier policies. This may jeopardize the customer’s business continuity and compliance with regulatory requirements within certain industries. The customer should therefore review when and under what conditions the supplier may suspend the customer’s access to the services. In any case, we recommend ensuring that the supplier may not suspend the customer’s access without first giving an opportunity to rectify the breach triggering the suspension.
If the quality of the cloud services deteriorates, the supplier violates contractual obligations or if the customer no longer needs the services, the customer may want to terminate the agreement. If the agreement does not have a fixed term, the customer can normally terminate the agreement with relatively short notice and without stating its reasons (termination for convenience). If the agreement has a fixed term, the customer must review under what circumstances it may terminate the agreement for cause and whether the customer also has the right to terminate the agreement for convenience. As a customer, you should however be careful before terminating an agreement for convenience as such termination is often tied to a compensation requirement. The customer should also ensure that volume changes within the applicable pricing model do not constitute termination for convenience. Finally, before terminating the agreement, the customer should pay attention to the applicable notice periods so as to ensure that it has enough time to transfer the services and migrate data to a new service provider or a suitable on-premise solution. A fixed and short notice period is not always preferable.
The customer should of course also check the supplier’s corresponding termination rights and be wary of agreements that allow the supplier to terminate for convenience with short notice.
Cloud services offer several advantages compared to traditional on-premise solutions – including increased flexibility, better prices and constant maintenance and updates. However, the use of cloud services comes with certain risks and pitfalls. Companies that intend to use cloud services should carefully review the contract terms of the cloud service provider to avoid unforeseen and unpleasant surprises – even if the terms are standardized and apply to all of the service provider’s customers.