Businesses should not attempt to win special treatment during contract negotiations with cloud computing providers as they are unlikely to succeed, the legal head of Google’s European enterprise division warned today.
Cindy Yip argued that cloud computing providers can offer IT services at a lower cost than traditional outsourcers because those services are commoditised and delivered from multitenant architecture. It is therefore not in their interest to provide tailored offerings to their customers, she said.
"It wouldn’t be practical for a cloud service provider to meet the demands of one customer," she said.
Speaking from her experience of negotiating Google Apps contracts, Yip said customers often try to negotiate special data security standards and service level agreements. But cloud providers are unlikely to provide these, she added.
"In a cloud context, SLAs tend not to be negotiable," she explained. "This is not because the providers are being difficult, but because they need to provide the same service to all their customers."
Some customers try to opt out of the automatic upgrades that many cloud providers mandate. "The worry is that the provider will downgrade the service you have signed up to," she said. "But it is in the cloud provider’s interest to keep innovating."
Yip advised that a better way for customers to ensure their demands are met is to find a provider with an appropriate SLA, and to conduct due diligence around potential suppliers. She added that customers’ time would be better spent establishing who takes responsibility in the event of a data breach than attempting to receive special security provisions.
Another issue that arises during legal negotiations around cloud contracts is the question of which party serves the role of "data controller", which under the EU Data Protection Directive has legal responsibility for the data in question, and which is simply the "data processor".
Because cloud providers rarely allow customers to dictate precisely how their data is processed – where precisely it is stored, for example – they arguably assume the role of the "data controller", Yip explained. However, this is in the interest of neither the customer, which wants to retain control of the data, nor the cloud provider, which does not want to assume full legal responsibility.
This can lead customers to try to dictate the means by which their data is processed but, as explained above, cloud providers are unlikely to comply with this, Yip said. It can be argued, though, that the provider can dictate some of the means of processing without assuming the data controller role as long as the customer retains control of the "central means" of data processing, i.e. broadly how the data is used.
She added that the EU is expected to clarify this issue in its forthcoming reforms to the Data Protection Directive.
Yip’s remarks will be discouraging for businesses that are attracted to the promised cost benefits of cloud computing but that believe they have unique requirements. Her argument that customers can get what they want through vendor selection is rather undermined by the limited number of viable cloud offerings currently on the market, though this may well change in time.