One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers.

QMUL: Negotiated Cloud Contracts

Tuesday, May 29, 2012 - 19:55

The Cloud Legal Project have published a new paper on cloud service contracts, this time from the perspective of those outsourcing services to the cloud. The top six concerns reported by those wanting to outsource to the cloud are unlikely to come as a surprise: limitation or exclusion of liability, service levels, security and privacy, lock-in and exit strategies, unilateral changes of service and intellectual property rights.

The market still looks immature, with both cloud providers and cloud users apparently failing to understand the different nature of the service that is being provided. However, there are signs that things are changing. For example, users may lessen their demands for guarantees of future performance (SLAs have been a key tool in traditional outsourcing contracts) if providers provide evidence of how well the service has performed in the past, and offering real-time access to logs (to see that bad things are not happening) may be a more appropriate substitute for an audit (to try to predict that they won’t).

There is still “frustration at providers’ lack of empathy with their compliance obligations, especially in Europe”, though the project note that this may partly be because European laws are badly suited to the cloud model anyway. Users complain that cloud providers want to be treated as Data Processors but are not willing to sign a full Data Processor contract: the Cloud Legal team point out that this is probably inappropriate because an infrastructure provider actually has less control over data than a traditional Data Controller and would be in a difficult position if two Data Controllers hosted on the same infrastructure gave incompatible processing instructions. Cloud providers may be reluctant to reveal the location of every data centre and sub-sub-contractor, as apparently demanded by some regulators; the Cloud Legal team have pointed out that geography is much less relevant to privacy than the processes and technology used to protect it.

However, the project do see signs that contract terms are becoming a competitive discriminator, at least at the high end of the market, because here large buyers and integrators have more negotiating power than individuals or SMEs. This is resulting in both more flexible offerings from general-purpose providers and the appearance of cloud services catering to particular niche markets. There is some expectation that these changes will gradually trickle down to the lower end of the market, but also a warning that scale, sharing and standardisation are what give clouds their cost advantage. The more specialised you want your cloud provider to be, the closer its price will get to the traditional outsourcing or in-house option.