On June 26, the European Commission published its “Cloud Service Level Agreement Standardisation Guidelines,” representing a first step in creating a set of service level agreement standardization guidelines for cloud service providers and B2B customers that meet the specific requirements of the European cloud market and hopefully beyond.
The guidelines are actually the product of the Cloud Select Industry Group — subgroup on service level agreements (CSIG-SLA), a working group established in February 2013 as one of the key actions in the EU’s September 2012 European Cloud Computing Strategy. The European Commission has adopted a strategy for “Unleashing the Potential of Cloud Computing in Europe” designed to speed up and increase the use of cloud computing across all economic sectors.
The development of “model safe and fair contract terms” was one of the cloud strategy’s key action items in a bid to harness the adoption of cloud computing services to deliver a net gain of 2.5 million new European jobs, and an annual boost of €160 billion to the European Union GDP (around one per cent), by 2020.
The guidelines represent one of the first deliverables of the CSIG-SLA, which may also further serve as a contribution to the emerging ISO/IEC NP 19086 project on cloud computing, as will be further discussed below.
Rather than prescribing requirements that must be implemented in an SLA, the stated objective of the guidelines is to provide information that regulators, cloud service customers, and cloud providers may find helpful when preparing cloud SLAs and related (and sometimes overlapping) documents.
The suggested service level standards are very detailed and have been grouped into four main categories. The first three are not atypical from a North American perspective and include:
(i) performance service level objectives including such standard factors as availability, response times, capacity, capability indicators (i.e. relating to the specific functionality of the cloud service), support (i.e. issues and queries raised by the customer), reversibility and termination (including the ability of customers to retrieve their customer data before deletion by the provider), and residual data retention;
(ii) security service level objectives service reliability, authentication and authorization, cryptography, security incident management and reporting, logging and monitoring, auditing and security verification, vulnerability management, governance, and services changes; and,
(iii) data management service level objectives data classification, i.e. for all classes of data associated with cloud services, including customer data, service provider data and “derived” data from use of the cloud services, customer data mirroring, backup & restore, data lifecycle (i.e. data handling and deletion), and data portability (ensuring customers can export their data following contract termination).
Interestingly, given that these guidelines reflect European concerns, the fourth category relates to “personal data protection,” when cloud service providers act as “data processors” on behalf of customers, which is typical in B2B services.
The guidelines provide for detailed personal data protection service level objectives here, including purpose specification, data minimization, use, retention and disclosure limitation, openness, transparency and notice, accountability, geographical location of the cloud service customer data, and “intervenability.”
Consistent with the Canadian June, 2012 “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations” guidelines jointly issued by the Federal Privacy Commissioner and the offices of the information and privacy commissioners of Alberta and British Columbia, the EC guidelines stress the cloud customer, as the data controller, must accept responsibility for abiding by applicable data protection legislation and as such, has the responsibility to assess the “lawfulness of the processing of personal information in the cloud and to select a cloud service provider that facilitates compliance with the applicable legislation.”
However, it is the obligation of the cloud service provider to make available all necessary information, in order to adhere to principles of transparency, to allow customers to assess their services, including data protection codes of conduct and standards or certification schemes that the services comply with.
The guidelines make additional suggestions as to what should be covered under personal data specifications, including “purpose specification and limitation” so personal data is only collected by the provider for specified, explicit, and legitimate purposes and not further (illegally) processed by the provider or its subcontractors in a way that is incompatible.
Basically, this means cloud providers cannot surreptitiously process personal data for their own purposes without the express (prior) written permission of the customer, so descriptions of how the cloud provider will process and use the customer’s data — including the customer’s clients’ data — must be carefully defined in the legal agreement.
The cloud-computing contract with the customer must also include clear provisions for the irretrievable erasure of personal data, including any instances kept on different servers in different locations and temporary/previous versions. The guidelines also suggest the cloud provider should inform the customer, “in the most expedient time possible under the circumstances,” of any legally binding request for which the cloud provider is compelled to provide personal data by law enforcement or a government authority, unless otherwise prohibited.
Additionally, the guidelines confirm the cloud service provider has obligations to make sufficient information available to enable customers to provide individuals with adequate notice regarding the processing of their personal data as required by law.
Contracts between the cloud provider and its subcontractors must also contain the same level of data protection provisions, and cloud providers should be obliged to seek the consent of customers prior to subcontracting. The guidelines suggest customers should even be able to object to changes in the list of approved subcontractors.
In order to ensure IT accountability, the guidelines recommend cloud platforms should contain reliable monitoring and logging mechanisms to ensure the provider is actually taking appropriate steps to implement key data protection principles and monitor for breaches. Of course, the cloud provider should also immediately notify customers in the event of any breach that affects their data and cloud providers should also include in their contracts data breach management policies that specify how the provider will tell customers about data breaches.
As personal data processed in the cloud may be transferred by cloud providers (whether through the use of subcontractors or otherwise) to locations whose data protection legislation is weak, non-existent, or does not guarantee an adequate level of data protection, cloud customers should also be able to verify the provider can guarantee the lawfulness of cross-border data transfers and be told the geographic location of where the data is stored and processed by the provider. Customers may also want to choose a specific geographical location for the storage of their data.
Lastly, cloud service providers must ensure in contracts with customers, that in compliance with European legal requirements (Directive 95/46/EC), their clients can at all times access, rectify, erase, block, and object to certain uses of their data by the cloud service provider or its subcontractors and therefore any cloud agreement should allow for this to be done in an “timely and efficient” manner.
Do the guidelines have any value, given that they do not have force of law? They clearly represent aspirational “best practices” from a North American perspective but in Europe are more grounded by existing European data protection requirements.
Interestingly, the annex to the guidelines lists the members of the CSIG-SLA committee who worked on these guidelines include some of the largest cloud providers/technology companies in the world, including IBM, Microsoft, Telecom Italia, Amazon, Cisco, EMC, Google, EuroCloud, HP, Dell, Oracle, Salesforce, SAP, and Symantec, to name a few. There is a nice little disclaimer at the bottom of the annex’s first page stating the guidelines do not represent the position of any CSIG-SLA subgroup member.
It is fair to say many of the standard agreements of some of the subgroup members do not meet the guidelines’ lofty service level objectives for performance, security, data management, or personal data protection, particularly the current “vanilla” template versions available at first ask in North America.
However, as the guidelines themselves state in the preamble, while they were drafted with a view to ensuring that the specific needs of the European cloud market and industry are taken care of, this initiative will have maximum impact “if standardization of SLAs is done at an international level, rather than at a national or regional level.”
The guidelines acknowledge the creation of an international standard, such as ISO/IEC 19086 (which deals with “information technology — distributed application platforms and services — cloud computing — service level agreement framework and terminology” and is currently under development), would help spur this objective and the CSIG-SLA subgroup is currently liaising with the ISO cloud computing working group to provide concrete input and provide the European position on these issues as this standard is advanced.
If the creation of the guidelines helps spur European cloud providers to develop and offer more comprehensive, transparent, and fairer cloud contracts that considerably raise the bar, one can only hope large companies and governments in North America will demand parity and the protections contained in the European versions of their cloud contractors, and frankly this would be a good thing.
I have already started advising clients, depending on the factual circumstances, to start their negotiations with cloud providers by asking for the European versions of cloud template agreements since, in most instances, these standard agreements are already far superior to their North American counterparts. Let us hope the creation of these guidelines will continue to spur such trends.
The guidelines are actually the product of the Cloud Select Industry Group — subgroup on service level agreements (CSIG-SLA), a working group established in February 2013 as one of the key actions in the EU’s September 2012 European Cloud Computing Strategy. The European Commission has adopted a strategy for “Unleashing the Potential of Cloud Computing in Europe” designed to speed up and increase the use of cloud computing across all economic sectors.
The development of “model safe and fair contract terms” was one of the cloud strategy’s key action items in a bid to harness the adoption of cloud computing services to deliver a net gain of 2.5 million new European jobs, and an annual boost of €160 billion to the European Union GDP (around one per cent), by 2020.
The guidelines represent one of the first deliverables of the CSIG-SLA, which may also further serve as a contribution to the emerging ISO/IEC NP 19086 project on cloud computing, as will be further discussed below.
Rather than prescribing requirements that must be implemented in an SLA, the stated objective of the guidelines is to provide information that regulators, cloud service customers, and cloud providers may find helpful when preparing cloud SLAs and related (and sometimes overlapping) documents.
The suggested service level standards are very detailed and have been grouped into four main categories. The first three are not atypical from a North American perspective and include:
(i) performance service level objectives including such standard factors as availability, response times, capacity, capability indicators (i.e. relating to the specific functionality of the cloud service), support (i.e. issues and queries raised by the customer), reversibility and termination (including the ability of customers to retrieve their customer data before deletion by the provider), and residual data retention;
(ii) security service level objectives service reliability, authentication and authorization, cryptography, security incident management and reporting, logging and monitoring, auditing and security verification, vulnerability management, governance, and services changes; and,
(iii) data management service level objectives data classification, i.e. for all classes of data associated with cloud services, including customer data, service provider data and “derived” data from use of the cloud services, customer data mirroring, backup & restore, data lifecycle (i.e. data handling and deletion), and data portability (ensuring customers can export their data following contract termination).
Interestingly, given that these guidelines reflect European concerns, the fourth category relates to “personal data protection,” when cloud service providers act as “data processors” on behalf of customers, which is typical in B2B services.
The guidelines provide for detailed personal data protection service level objectives here, including purpose specification, data minimization, use, retention and disclosure limitation, openness, transparency and notice, accountability, geographical location of the cloud service customer data, and “intervenability.”
Consistent with the Canadian June, 2012 “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations” guidelines jointly issued by the Federal Privacy Commissioner and the offices of the information and privacy commissioners of Alberta and British Columbia, the EC guidelines stress the cloud customer, as the data controller, must accept responsibility for abiding by applicable data protection legislation and as such, has the responsibility to assess the “lawfulness of the processing of personal information in the cloud and to select a cloud service provider that facilitates compliance with the applicable legislation.”
However, it is the obligation of the cloud service provider to make available all necessary information, in order to adhere to principles of transparency, to allow customers to assess their services, including data protection codes of conduct and standards or certification schemes that the services comply with.
The guidelines make additional suggestions as to what should be covered under personal data specifications, including “purpose specification and limitation” so personal data is only collected by the provider for specified, explicit, and legitimate purposes and not further (illegally) processed by the provider or its subcontractors in a way that is incompatible.
Basically, this means cloud providers cannot surreptitiously process personal data for their own purposes without the express (prior) written permission of the customer, so descriptions of how the cloud provider will process and use the customer’s data — including the customer’s clients’ data — must be carefully defined in the legal agreement.
The cloud-computing contract with the customer must also include clear provisions for the irretrievable erasure of personal data, including any instances kept on different servers in different locations and temporary/previous versions. The guidelines also suggest the cloud provider should inform the customer, “in the most expedient time possible under the circumstances,” of any legally binding request for which the cloud provider is compelled to provide personal data by law enforcement or a government authority, unless otherwise prohibited.
Additionally, the guidelines confirm the cloud service provider has obligations to make sufficient information available to enable customers to provide individuals with adequate notice regarding the processing of their personal data as required by law.
Contracts between the cloud provider and its subcontractors must also contain the same level of data protection provisions, and cloud providers should be obliged to seek the consent of customers prior to subcontracting. The guidelines suggest customers should even be able to object to changes in the list of approved subcontractors.
In order to ensure IT accountability, the guidelines recommend cloud platforms should contain reliable monitoring and logging mechanisms to ensure the provider is actually taking appropriate steps to implement key data protection principles and monitor for breaches. Of course, the cloud provider should also immediately notify customers in the event of any breach that affects their data and cloud providers should also include in their contracts data breach management policies that specify how the provider will tell customers about data breaches.
As personal data processed in the cloud may be transferred by cloud providers (whether through the use of subcontractors or otherwise) to locations whose data protection legislation is weak, non-existent, or does not guarantee an adequate level of data protection, cloud customers should also be able to verify the provider can guarantee the lawfulness of cross-border data transfers and be told the geographic location of where the data is stored and processed by the provider. Customers may also want to choose a specific geographical location for the storage of their data.
Lastly, cloud service providers must ensure in contracts with customers, that in compliance with European legal requirements (Directive 95/46/EC), their clients can at all times access, rectify, erase, block, and object to certain uses of their data by the cloud service provider or its subcontractors and therefore any cloud agreement should allow for this to be done in an “timely and efficient” manner.
Do the guidelines have any value, given that they do not have force of law? They clearly represent aspirational “best practices” from a North American perspective but in Europe are more grounded by existing European data protection requirements.
Interestingly, the annex to the guidelines lists the members of the CSIG-SLA committee who worked on these guidelines include some of the largest cloud providers/technology companies in the world, including IBM, Microsoft, Telecom Italia, Amazon, Cisco, EMC, Google, EuroCloud, HP, Dell, Oracle, Salesforce, SAP, and Symantec, to name a few. There is a nice little disclaimer at the bottom of the annex’s first page stating the guidelines do not represent the position of any CSIG-SLA subgroup member.
It is fair to say many of the standard agreements of some of the subgroup members do not meet the guidelines’ lofty service level objectives for performance, security, data management, or personal data protection, particularly the current “vanilla” template versions available at first ask in North America.
However, as the guidelines themselves state in the preamble, while they were drafted with a view to ensuring that the specific needs of the European cloud market and industry are taken care of, this initiative will have maximum impact “if standardization of SLAs is done at an international level, rather than at a national or regional level.”
The guidelines acknowledge the creation of an international standard, such as ISO/IEC 19086 (which deals with “information technology — distributed application platforms and services — cloud computing — service level agreement framework and terminology” and is currently under development), would help spur this objective and the CSIG-SLA subgroup is currently liaising with the ISO cloud computing working group to provide concrete input and provide the European position on these issues as this standard is advanced.
If the creation of the guidelines helps spur European cloud providers to develop and offer more comprehensive, transparent, and fairer cloud contracts that considerably raise the bar, one can only hope large companies and governments in North America will demand parity and the protections contained in the European versions of their cloud contractors, and frankly this would be a good thing.
I have already started advising clients, depending on the factual circumstances, to start their negotiations with cloud providers by asking for the European versions of cloud template agreements since, in most instances, these standard agreements are already far superior to their North American counterparts. Let us hope the creation of these guidelines will continue to spur such trends.
