© Allen & Overy LLP 2014
What is cloud computing?
“The worldwide cloud computing market will grow at a 36% compound annual growth rate (CAGR) through 2016, reaching a market size of USD19.5bn by 2016.”
Put simply, a cloud is a huge collection of hardware and software, connected via the internet. It is the infrastructure that enables a new business model, one that offers on-demand, easily scalable computing services to multiple users at flexible prices. The idea is quite simple: instead of everyone buying their own systems sized for peak load (capacity that is needed only for a limited time and is otherwise under-used), everyone shares these resources and systems in the cloud. There is no need to buy the systems (ie hardware and software) individually; you can just use them “as a service” on an as-needed basis. Cloud is not a new phenomenon, but it does represent a fundamental shift in the way consumers and enterprises consume IT. Cloud also underpins many of the disruptive megatrends in the TMT sector today, including mobility, big data/advanced analytics and social.
“This magic circle firm has excellent global coverage, which includes
both local specialists and a well-developed network of international
desks. Its expertise in the technology sector encompasses a broad
spectrum of areas, including data protection, cloud computing and
online liability. The group’s regulatory know-how is frequently
engaged for major crossborder transactions.”
The four main types of cloud
On-demand, scalable resources delivered as-a-service to multiple users (consumers and enterprise) at flexible prices.
Public Clouds are commercially available cloud services open to all.
Community Clouds can be set up for use by a particular group or industry with similar needs.
Private Clouds are closed clouds dedicated to one or more users.
Hybrid Clouds involve a mixture of public and private services, allowing users to take advantage of the cheap unit prices of public clouds while ensuring mission-critical services are more tightly ring-fenced within private services.
Primary delivery methods
Everything-as-a-service (XaaS):
– Business Process-as-a-Service (BPaaS): horizontal or vertical business processes provided on a subscription basis
– Software-as-a-Service (SaaS): software applications hosted in the cloud and provided on a subscription basis
– Platform-as-a-Service (PaaS): virtualised application development and run-time platform
– Infrastructure-as-a-Service (IaaS): CPU, memory, storage, network etc available on an as-needed basis
Organisations are turning to the cloud for a number of reasons:
– Cost
– Anywhere, anytime access
– Reduced service provider interaction (a “serve yourself ” model)
– Speed of provisioning
– Flexibility and elasticity
– Opportunities for better security and back-up
– Reduced pressure on internal systems
– Potentially limitless storage, combined with enhanced computing power
Standards and regulatory environment
In a rapidly evolving market, regulation and best practices are struggling to keep up. Particular areas of uncertainty exist around:
– Security and data protection
– Privacy
– Conflict of laws
– Liability
– Copyright
– Portability and interoperability
– Integration with vertical regulation
In particular, a lack of international standards and divergent regulation across key global markets may inhibit the fundamental advantage of cloud computing: the flexible optimisation of a global data infrastructure.
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
The NIST Definition of Cloud Computing, NIST Special Publication 800-145
Article 29 Working Party
In July 2012 the Article 29 Working Party (a European advisory body made up of representatives of the various EU national privacy authorities) issued an opinion on the data protection aspects of cloud computing. This opinion was the first Europe-wide legal guidance on how to deal with the data protection challenges of cloud computing.
International Trade Administration (ITA)
In April 2013, ITA (part of the U.S. Department of Commerce) issued a paper clarifying how the U.S.–EU safe harbour framework applies to cloud computing. Prepared in part to respond to the Article 29 Working Party opinion of July 2012, the paper concludes that cloud computing is not a radically new business model and does not present unique issues for the safe harbour. ITA says that the existing safe harbour principles are comprehensive and flexible enough to deal with any issues raised by the cloud computing model.
European Commission
In September 2012 the European Commission released its new strategy for “Unleashing the potential of cloud computing in Europe”, outlining actions to deliver a net gain of 2.5 million new European jobs and an annual boost of EUR160bn by 2020. Emphasis was placed on cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility; supporting EU-wide certification of vendors; development of model contract terms, including Service Level Agreements; and measures to harness the public sector’s buying power and shape the European cloud market.
European Commission /Obama Administration
In February 2013 the European Commission launched a cybersecurity strategy for the EU aimed at increasing capabilities and preparedness towards security incidents such as hacking or technical failures. Cloud computing providers are specifically targeted by the framework. Hard on the heels of the EU’s efforts to promote a culture of security risk management, President Obama’s administration introduced an Executive Order on Improving Critical Infrastructure Cybersecurity in the U.S. The U.S. and EU initiatives both focus on cybersecurity risks to critical infrastructure and have at their heart a drive to encourage greater cooperation and information sharing between relevant agencies and also with those who suffer attacks.
Sopot Memorandum
This is a working paper issued in April 2012 by the International Working Group on Data Protection in Telecommunications, led by the Berlin Commissioner for Data Protection and Freedom of Information. The paper contains a number of recommendations and best practices intended to ensure that the adoption of cloud computing does not lead to a lowering of data protection standards as compared with conventional data processing. Among other things, these recommendations emphasise transparency and the need for contractual standards.
STAR certification programme
The Cloud Security Alliance (CSA) and BSI, the business standards company, in September 2013 announced the launch of the STAR Certification program, a third party independent assessment of the security of a cloud service provider.
The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service.
GCHQ guidance on security risk management
Published in May 2014, GCHQ’s guidance suggests that organisations should seek “adequate assurance” from cloud providers over claims those providers make about their compliance with information security principles. The guidance also outlines a step-by-step risk management strategy for cloud security.
Guidelines on Service Level Agreements
In June 2014, the European Commission published “Cloud Service Level Agreement Standardisation Guidelines”. These Guidelines are described as being designed “to help business users save money and get the most out of cloud computing services through SLAs”. Aimed at professional cloud users rather than consumers, the guidelines set out several overarching principles for the development of Cloud SLA standards, provide definitions of commonly used terms and suggest some targets for service levels. The working group behind the guidelines is also liaising with the International Organization for Standardization (ISO) Cloud Working Group to input the EU position and to contribute to the ISO/IEC 19086 project (which also relates to SLAs). The Guidelines are a useful first step in the process set out by the Commission’s 2012 strategy document to develop model terms, but they do not yet deliver all they need to.
Allen & Overy & cloud computing
We recognise the importance of cloud computing to our clients.
To respond to our clients’ needs, we set up an internal cross border working group to focus on the legal services we provide in relation to cloud, to share best practices and make sure our lawyers have the right skills to respond to the changing IT market our clients operate in.
We believe that, for the most part, the issues encountered when implementing cloud solutions are not new, being equally relevant in many other IT transactions. We also understand that getting comfortable with new IT bases which use cloud technologies will be a requirement for companies looking to embrace other game-changing technological developments such as advanced analytics, context-based services and social-driven IT. We offer practical support to our clients to help them turn IT innovation into successful business reality.
Our representative matters in this area include advising:
Proofpoint, a NASDAQ-listed leader in cloud-based information security and governance software, on the English law aspects of its acquisition of all of the shares in Mail Distiller, a European-based provider of SaaS email security solutions.
SAP on its USD3.4bn acquisition of NYSE-listed cloud computing leader SuccessFactors.
Novartis on a global 7-year application development and infrastructure cloud transaction with Microsoft. We focused on developing contractual mechanisms to mitigate the risks for Novartis as much as possible in relation to security and regulatory compliance.
Amazon on strategic copyright issues across the European Union in relation to its Cloud Drive service.
Cisco Systems on aspects of its USD1.2bn purchase of San Francisco-based Meraki, a provider of cloud-managed networking equipment and services.
A multinational company in the energy sector on the implementation of a SaaS project with Microsoft.
An international information technology services company on general matters (including the application of the U.S. Patriot Act to cloud computing services, regulatory, HR and IT).
Agfa-Gevaert, one of the largest players in the field of imaging systems and IT solutions, on a major cloud computing outsourcing transaction with ServiceNow, a leading provider of cloud-based services that automate enterprise IT operations.
Microsoft on the data protection aspects of its Office 365 cloud computing offering and on the Belgian and international regulatory restrictions applicable to cloud computing in the financial sector.
Novartis on a SaaS agreement with Box.Net for cloud-based storage services.
T-Systems on a contract to provide global data centre and SAP infrastructure services to healthcare, lifestyle and lighting giant Philips Electronics. The transaction involved the adoption of a SAP SaaS model, using a private cloud.
A global IT consultancy on the implementation of a SaaS platform for a multinational company in the manufacturing sector.
Caisse des dépôts et consignations, the French sovereign fund, on its investment in the French cloud computing joint venture Numergy with Bull and SFR.
Luxcloud on contractual and IT issues on cloud computing.
SFR on its acquisition of shares in G Cluster Global, a cloud-based video gaming service.
Systemat on its complete suite of cloud computing contract templates for use with its customers.
Allen Systems Group on the takeover of visionapp AG, a German SaaS and cloud platform provider.
Novartis on the drafting of a SaaS template.
Randstad on the legal aspects of cloud computing and email solutions.
A global manufacturer of specialty chemicals on the data protection aspects of the migration of HR data from more than 20 jurisdictions to a centralised platform managed by a U.S.-based cloud provider.
ServiceNow, a SaaS provider of IT service management software, on the acquisition of Mirror 42, a Dutch developer of performance management software.
Stichting Centraal Informatie Systeem (CIS), a Dutch foundation which manages and stores the insurance data of consumers, insurance companies and intermediaries in a central database, on the renegotiation of a SaaS contract with Solera, a U.S. technology supplier.
SFG Australia on its cloud computing outsourced services contract.
A major internet shopping platform on the review of terms and conditions on cloud services, notably from a data protection law perspective.
Key contacts
Belgium
Filip Van Elsen, Partner – Antwerp, Tel +32 3 287 73 27, [email protected]
Tom de Cordier, Counsel – Brussels, Tel +32 2 780 25 78, [email protected]
Luxembourg
Catherine Di Lorenzo, Senior Associate – Luxembourg, Tel +352 444 455 129, [email protected]
Gary Cywie, IP/IT Counsel – Luxembourg, Tel +352 44 44 5 5203, [email protected]
Netherlands
Herald Jongen, Partner – Amsterdam, Tel +31 20 674 1614, [email protected]
UK
Jane Finlayson-Brown, Partner – London, Tel +44 20 3088 3384, [email protected]
Neville Cordell, Partner – London, Tel +44 20 3088 2754, [email protected]
Nigel Parker, Senior Associate – London, Tel +44 20 3088 3136, [email protected]
Charlotte Mullarkey, Senior PSL – London, Tel +44 20 3088 2404, [email protected]
Rose Hall, Business Development – London, Tel +44 20 3088 3618, [email protected]
France
Ahmed Baladi, Partner – Paris, Tel +33 1 40 06 53 42, [email protected]
Greater China
Will McAuliffe, Partner – Hong Kong, Tel +852 2974 7119, [email protected]
Australia
Connell O’Neill, Senior Associate – Sydney, Tel +612 9373 7790, [email protected]
U.S.
Peter Harwich, Partner – New York, Tel +1 212 610 6471, [email protected]
Paul Keller, Partner – New York, Tel +1 212 610 6414, [email protected]
London E1 6AD United Kingdom Tel +44 20 3088 0000 Fax +44 20 3088 0088 www.allenovery.com
Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings.
GLOBAL PRESENCE
Allen & Overy is an international legal practice with approximately 5,000 people, including some 526 partners, working in 46 offices worldwide. Allen & Overy LLP or an affiliated undertaking has an office in each of:
Abu Dhabi, Amsterdam, Antwerp, Athens (representative office), Bangkok, Barcelona, Beijing, Belfast, Bratislava, Brussels, Bucharest (associated office), Budapest, Casablanca, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Luxembourg, Madrid, Mannheim, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Riyadh (associated office), Rome, São Paulo, Shanghai, Singapore, Sydney, Tokyo, Toronto, Warsaw, Washington, D.C., Yangon