Offshoring in Cloud Engagements Presents New Risks

This week, a note of caution regarding an unusual trend in some cloud engagements. In several recent transactions, I have seen provisions that put the customer on notice that the provider has one or more offshore affiliates who may assist in performing the agreement. This, in and of itself, is not unusual. What is unusual is that in these transactions, the provider has taken the position that (i) it cannot tell which of its affiliates will be involved, (ii) it cannot provide a definitive list of the relevant jurisdictions involved, and (iii) even though use of the affiliates is for the convenience of the provider, compliance with all applicable laws, including local laws in the relevant jurisdictions, with regard to cross-border transfers of the personal data is the responsibility of the customer. It is this last item that causes the most concern.

The customer has no control over where its data will be sent, how often it will be moved, or, even, the specific jurisdictions involved.  Yet, the customer is somehow to assume the obligation of ensuring compliance with the myriad of potentially applicable privacy and other consumer protection laws everywhere in the world, including, apparently, adjusting its privacy policy and obtaining consents from consumers to comply with those laws.  I suggest that is a tall, if not impossible, order to fulfill and one no customer should be forced to assume.  

In one of the transactions, the vendor was asked if the customer could encrypt its data so as to minimize the security and compliance issues presented by this type of undefined offshoring.  The relevant vendor said that the customer could encrypt its data, but in at least some jurisdictions (e.g., China), the customer would have to supply the decryption key – rendering the protection sought illusory.

The foregoing points up the need for customers to push back and push back hard on unrealistic and unreasonable provisions in cloud agreements and for vendors to take a reality check on what they are requiring from their “valued” customers in their contracts.  

Copyright © 2012 IDG Communications, Inc.
