It’s safe to know that using Cloud services might bring some problems. Let’s start to see together some contractual aspects we must take particular care.

Who means to use, for his own activity, whichever Internet service that belong to the definition of Cloud, faces several aspects: from the content of the contract and the management of data by the provider, to the loss of data transferred outside the walls on their security. Very interesting and interwoven profile, which require a meticulous reflection in particular from a legal standpoint.

The first important aspect is the contract you are about to stipulate with the cloud provider, the agreement that will regulate the relationship. It’s a contract that, in our code, doesn’t have a typical discipline in the civil code (codice civile) or in some special law: it’s an atypical contract and, because of that, you must read it carefully as it contains the primary regulamentation of the relationship and responsibilities. The most probable hypothesis is that you can choose between predefined contractual offerings: a cloud computing contract is usually defined by the provider according to standard contractual models (the so-called “general terms of contract”) which can be hardly negotiated.
Let’s see some of the main clause you must pay attention while choosing a provider and subscribing a contract. First, it’s important to analyze the supply level of the service: certain clauses define the so-called Service Level Agreement (SLA), service levels that sometimes are not explicitly stated in the general terms of the contract but perhaps in some attachments or another document related to the contract: read them as well. Naturally there is a better warranty if service levels are indicated in an objective and measurable manner: they are the first parameter while evaluating the fulfillment or not of the provider. SLAs will help you (if you’re a technician, or your trusted tech) to evaluate the level of the service being offered, as they are pure technical parameters.

In general, a provider could add, for instance, a “result guarantee” clause where it’s stated that the results the service guarantees (ie. service availability for a certain percentage of time or for a determined amount of days per year). Such clause might also state that, however, in case of a not achieved result (ie. suspension of the service for a period longer than the one supposed within the contractual conditions), the compensation is limited to the extension of the service for an amount of time equal to the one of missed supply. That might not be enough to cover the damages caused by the lack of service. Be sure to have penalties (save an exception for the right of asking for major damages) for the unfulfillment of the contract and/or SLA.

A provider could offer you a service “as is” or with a similar expression: this way, the proper functioning of the service, without interruptions or faults, is not guaranteed and there could faults or it could not suit your needs. It’s a form of service functioning warranty exclusion that hardly is useful to the client.
Moreover, you must pay attention to the possible presence of exclusion/limitation of the provider’s responsibility clauses: for instance, the contract might contain a clause that excludes the responsibility or limit with a maximum edge the amount of money the cloud provider can pay in case of whichever type and entity of damage. 
Keep in mind that the loss of service supply, the disclosure of business information to third party (as a consequence of a fraudulent behaviour of an employee third party, of a directive of the Country Authority where data is stored or in any other similar cases), or even their loss (ie because of a virus) can cause huge, perhaps irreversible, damages (and, as a consequence, to your clients and subjects data refer to).

So it’s important to read well every clause that refer to such cases, if any. In our legal order, a rule that could limit responsibility of gross negligence or wilful misconduct would be not valid because of ex art.1229 of Civil Code: however, it’s not guaranteed that the applicable law is the italian. Then it could be valid (save you act as “consumers”, but that’s another story) the clause that limits the provider’s responsibility for misconduct (not wilful misconduct, but still misconduct): in such case, should you experience a damage because of the provider, you won’t be able to obtain any compensation (at most within the limits of the max edge contained in the contract, if the responsibility exclusion agreed is not total).
The more responsibility takes on the provider, and the more safeguard you have as users: naturally this can increase the service costs.

On another profile, the contract might contain some clauses adverse to the user that envisage the loss of the right of contesting, in particular with respect to the service or to the payment. Again, art.2965 of the italian Civil Code calls for the invalidity of contracts that establish decadence terms which make excessively hard the practice of the right to a part. But such a clause could not suit the hypothesis of invalidity, or be contested.
When agreeing upon the contract as users take care if the provider has the right of modifying the contract without the consent of the other part. You might find yourself with a contract with characteristic in part different to the initial ones. A better guarantee for the user is the clause that envisages the validity of any modifications only at the end of a certain term, within which the user can practice the termination right in order not to be tied to the new contractual norm.

Also take care if the provider has the right of using any subcontractor for the service: at this point, the service itself could be provided by a third party you might know nothing about and you don’t have agreed upon any contract with at all. The expressed statement of an authorized subcontractor, the warn about its change, the guarantee that the subcontractor is tied to the same contractual conditions of the supplier are some of the guarantees you must look for in such event.
Don’t forget about the length of the contract, the expressed dissolution clauses, modes and timing of withdrawal and guarantee of a seamless migration to another provider (ie data must be retrieved and migrated with ease).

Moreover, there’s a problem related to the applicable law: as the Cloud is international (user from a country, provider from another country, physical collocation of servers on a third country), there’s uncertainty about the applicable regulation, both in terms of not being expressed in the contract and evaluating the validity of the agreements.
Indeed, it’s not granted that the applicable law is the italian as the user is italian: the contract might contain indications related to that, which must be read and understood.

The Cloud being international offers another problem: the individuation of the Judge in charge for any dispute. It suffices to say that the indication of the exclusive indication of the italian Judge (and possibly the Courthouse of your location/residence) is to be preferred as well as the choice of an italian service provider.
Be careful whether an arbitration clause is present or not: potential disputes will be judged by arbitrators and not judges. Be careful to how they are appointed and to costs (which aren’t usually stated in the contract and could be high).
Because of that internationality, some difficulties could derive in the collection of information when taking legal actions, notify arraignments. Costs for the practice of legal safeguard could rise (so know where datacenters are).
I’d like to note that, as of art.1341 of the italian Civil Code, the so-called “general terms of contract” are effective if, when agreeing upon a contract, the other part acknowledges them (or should have acknowledged using ordinary diligence).

However some restrictive clauses (many of the clauses we covered could be defined as restrictive) require the specific written approval, otherwise they don’t have any effect.
Delicate issues within a cloud contract are about privacy, protection and security of data.

These arguments need a specific in-depth analysis (there’s an ad-hoc quality certification norm, there are specific indications from the italian Authority, we need to define the roles of owner and responsible of data treatment, the new european guidelines on privacy has just became law): we’ll talk about that in our upcoming column after the summer break.

About the Author

Veronica Morlacchi

Laureata a pieni voti in giurisprudenza, è Avvocato Cassazionista, iscritta all’Albo degli Avvocati di Busto Arsizio dal 2004 e all’Albo degli Avvocati abilitati al Patrocinio davanti alla Corte di Cassazione e alle altre Giurisdizioni superiori. Si occupa principalmente, nell’interesse di Privati, Professionisti, Aziende ed Enti pubblici, di diritto civile, in particolare responsabilità civile e risarcimento danni, diritto delle nuove tecnologie e privacy, contratti, persone e famiglia. Ha conseguito un master in Responsabilità civile e un corso di perfezionamento in Tecniche di redazione dei contratti e, da ultimo, si è perfezionata in Data Protection e Data Governance all'Università degli Studi di Milano e in Strategie avanzate di applicazione del GDPR. Pubblica periodici aggiornamenti e articoli nelle materie di cui si occupa sul suo sito www.studioavvmorlacchi.it e da giugno 2016 collabora con Guru Advisor

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...

>

The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...

>

The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...

>

Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...

>

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • GURU advisor: issue 13 - March 2017

    GURU advisor: issue 13 - March 2017

  • GURU advisor: issue 12 -  January 2017

    GURU advisor: issue 12 - January 2017

  • GURU advisor: issue 11 -  October 2016

    GURU advisor: issue 11 - October 2016

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1