“The worldwide public cloud services market is forecast to grow 17% in 2020 to total $266.4 billion, up from $227.8 billion in 2019.
By 2022, worldwide public services market revenue is expected to reach $354.6 billion, with up to 60% of organisations expected to use an external service provider’s cloud managed service offering, which is double the percentage of organisations from 2018 .”
Gartner Inc, November 2019
Cloud services are a key area of technology investment as organisations increasingly embrace externally-hosted applications and relocate their existing digital assets. Notably, the move towards cloud adoption has been accelerated by the COVID-19 pandemic as the demand for flexible working and focus on operational resilience has intensified.
1. What are cloud computing services? Cloud services involve the delivery of computing services over the internet. IT infrastructure and technology related capabilities are provided as a service rather than as a sale of hardware and software. Instead of procuring their own servers and systems which are then hosted on an organisation's premises or in a data centre, organisations access and use a service provider's servers and systems, effectively via the internet, to host and store data and software applications remotely, ie in the “cloud”.
2. Cloud service models: There are three main types of cloud service model: (i) infrastructure as a service (IaaS), which provides customers with access to IT infrastructure, such as servers, storage and networking hardware; (ii) platform as a service (PaaS), which builds on IaaS and enables customers to access an environment in which customers can develop, test, manage and run software applications; and (iii) software as a service (SaaS), which incorporates both IaaS and PaaS and enables the delivery of software applications, such as office, enterprise resource planning (ERP) and other cloud based apps. The different cloud service models involve different risks and their suitability will depend on the business’ use and associated deployment model, on which we comment further below.
3. Deployment models: Cloud services can be provided via: (i) public cloud, where any other organisation can subscribe to the same services provided by a service provider using the same IT infrastructure (multi tenancy); (ii) private cloud, where the dedicated IT infrastructure is used to provide services to one customer only (single tenancy), which allows an increased level of customer-specific customisation of the cloud environment; or (iii) hybrid cloud which involves the provision of services using a combination of public and private clouds, usually depending on the criticality of the application(s) or sensitivity of the data hosted on the relevant clouds.
4. Protection of personal data: Where a service provider hosts personal data, typically it will be “processing” that personal data and such processing will be subject to applicable data protection law. It is important to determine both the locations of the customer entities which benefit from the cloud services (as this will impact on which data protection laws apply) as well as the location(s) from which the service provider will process the personal data (noting that service providers are likely to have multiple data centres across different jurisdictions).
5. Employment and HR considerations: Although cloud services bring clear advantages to an organisation (such as lower costs and greater flexibility) their deployment in any business still requires careful consideration and should be kept under constant review. IT security policies and practices (eg passwords, access levels) remain important and should be updated as necessary. Also, cloud services may be used to host HR data and other personal information, engaging legal issues around privacy. As with all outsourced services, changing providers (or moving parts of such services back in house) might bring challenges. Customers and providers need to ensure that entry and exit obligations, and commercial and operational arrangements, are addressed in cloud services agreements. These should also address data and privacy obligations.
6.Data security: Customers should carry out a data security risk assessment, taking into account the service provider’s data security capability, and consider whether the measures are adequate especially in light of any contractual obligations they might owe to third parties. Potential security risks and the negative impacts of a data breach, including the sanctions under applicable data protection law are legitimate concerns. However, risks to data security can be reduced through appropriate contractual steps, such as clearly defined responsibilities and controlled access, as well as technical solutions (such as encryption). These measures should also help preserve the confidentiality of any hosted data.
7. Contractual arrangements: Depending on the nature and value of the cloud services arrangement, a service provider may offer limited quality assurances about its services and seek to aggressively limit its liability to a customer. A service provider may also seek rights to suspend the cloud services if the customer’s use of them affects other customers or causes other disruption. Each party’s liability, together with any limits or carve outs, should be carefully reviewed. Customers should also consider their contractual obligations to third parties (such as their own clients) and whether they have the necessary protections and remedies from the cloud service provider to go “back to back” with their own obligations to their clients.
8. Tax considerations: The unique features of cloud computing raise a number of challenging tax issues such as: (i) transfer pricing – cloud computing is expected to be subject to new income allocation rules which are being developed through the OECD “BEPS 2.0” project; (ii) characterisation of income – income derived from cloud computing transactions may be characterised in different ways (eg service fee, rent, royalty) depending on the facts and circumstances, which may impact how such income is sourced, the computation of the amounts which are subject to tax (including any deductible amounts) and the countries in which such amounts may be taxed; and (iii) indirect tax – the VAT treatment of the digital transaction will depend on the status of the customer (business or non-business) and the location of the supplier and customer.
9. Compliance and regulation: Customers operating in regulated sectors, such as financial institutions and asset managers, should ensure that any cloud services contract addresses their regulatory obligations. For example, the European Banking Authority published its outsourcing guidelines in 2019, which apply to all aspects of outsourcing arrangements entered into by certain financial institutions. Often a service provider’s standard terms and conditions will not adequately address a regulated organisation’s obligations and will therefore need to be carefully negotiated to ensure that the agreement, and the regulated organisation, is compliant.
10. National regulatory frameworks: Providers of cloud services, especially the dominant suppliers, favour unrestricted cross-border data flows, exemptions from liability for hosting and other passive activity, and a ready customer market willing to trust in their security capabilities. National regulatory frameworks, in particular those in some emerging markets, often will not enable these conditions. For example, the EU Commission is considering imposing greater responsibilities on online intermediaries (including cloud service providers) for the content they transmit and store. We have seen major providers push for regulatory change in these and other areas in jurisdictions in which they wish to expand, build infrastructure and deliver services. National authorities can be willing to adapt, including by issuing regulations specific to cloud services with a view to attracting investment and developing a “knowledge-based” economy. This should be balanced against the risks of inconsistency with existing national laws, policies, and customs, as well as programmes to support domestic cloud services providers.
Found this article useful? Read others in our TechNotes series
.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
