
Cloud computing – A great tool

www.allenovery.com

Cloud computing – A great tool | 2015

© Allen & Overy LLP 2015

“The worldwide cloud computing market will grow at a 36% compound annual growth rate (CAGR) through 2016, reaching a market size of USD19.5bn by 2016.” Predicting Enterprise Cloud Computing Growth, Gartner, September 2013


What is cloud computing?

Put simply, a cloud is a huge collection of hardware and software, connected via the internet. It is the infrastructure that enables a new business model. This model offers on-demand, easily scalable computing services to multiple users at flexible prices. It is quite a simple idea: instead of everyone buying their own systems that can handle a peak load (capacity that is required for only a limited amount of time, and is thus not otherwise fully used), everyone shares these resources and systems in the cloud. There is no need to buy the systems (ie hardware and software) individually – you can just use them “as a service” on an as-needed basis.

Cloud is not a new phenomenon but it does represent a fundamental shift in the ways consumers and enterprises consume IT. Cloud also underpins many of the disruptive megatrends in the TMT sector today, including mobility, big data/advanced analytics and social.

“This magic circle firm has excellent global coverage, which includes both local specialists and a well-developed network of international desks. Its expertise in the technology sector encompasses a broad spectrum of areas, including data protection, cloud computing and online liability. The group’s regulatory know-how is frequently engaged for major cross-border transactions.” Chambers Global 2013 (Technology & Communications: Globalwide)


The four main types of cloud

On-demand, scalable resources delivered as-a-service to multiple users (consumers and enterprise) at flexible prices.

– Public Clouds are commercially available cloud services open to all

– Community Clouds can be set up for use by a particular group or industry with similar needs

– Private Clouds are closed clouds dedicated to one or more users

– Hybrid Clouds involve a mixture of public and private services, allowing users to take advantage of the cheap unit prices of public clouds while ensuring mission-critical services are more tightly ring-fenced within private services

Primary delivery methods

– Business Process-as-a-Service (BPaaS): Horizontal or vertical business processes provided on a subscription basis

– Software-as-a-Service (SaaS): Software applications hosted in the cloud and provided on a subscription basis

– Platform-as-a-Service (PaaS): Virtualised application development and run-time platform

– Infrastructure-as-a-Service (IaaS): CPU, memory, storage, network etc available on an as-needed basis

Everything-as-a-service (XaaS)

Source: “Where Cloud Meets Reality”, Accenture 2012


Organisations are turning to the cloud for a number of reasons:

– Cost

– Anywhere, anytime access

– Reduced service provider interaction (a “serve yourself” model)

– Speed of provisioning

– Flexibility and elasticity

– Opportunities for better security and back-up

– Reduced pressure on internal systems

– Potentially limitless storage, combined with enhanced computing power

– A “greener” solution


Standards and regulatory environment

In a rapidly evolving market, regulation and best practices are struggling to keep up. Particular areas of uncertainty exist around:

– Security

– Privacy and data protection

– Conflict of laws

– Liability

– Copyright

– Portability and interoperability

– Integration with vertical regulation

In particular, a lack of international standards and divergent regulation across key global markets may inhibit the fundamental advantage of cloud computing: the flexible optimisation of a global data infrastructure.

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The NIST Definition of Cloud Computing, NIST Special Publication 800-145, US National Institute for Standards and Technology


Recent developments

Article 29 Working Party

In July 2012 the Article 29 Working Party (a European advisory body made up of representatives of the various EU national privacy authorities) issued an opinion on data protection aspects of cloud computing. This opinion was the first European-wide legal guidance on how to deal with the data protection challenges in cloud computing.

International Trade Administration (ITA)

In April 2013, ITA (part of the U.S. Department of Commerce) issued a paper clarifying how the U.S. – EU safe harbour framework applies to cloud computing. Prepared in part to respond to the Article 29 Working Party opinion of July 2012, the paper concludes that cloud computing is not a radically new business model and does not represent unique issues for the safe harbour. ITA says that existing safe harbour principles are comprehensive and flexible enough to deal with any issues raised by the cloud computing model.

European Commission

In September 2012 the European Commission released its new strategy for “Unleashing the potential of cloud computing in Europe”, outlining actions to deliver a net gain of 2.5 million new European jobs and an annual boost of EUR160bn by 2020. Emphasis was placed on cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility; supporting EU-wide certification of vendors; development of model contract terms, including Service Level Agreements; and measures to harness the public sector’s buying power and shape the European cloud market.

European Commission / Obama Administration

In February 2013 the European Commission launched a cybersecurity strategy for the EU aimed at increasing capabilities and preparedness towards security incidents such as hacking or technical failures. Cloud computing providers are specifically targeted by the framework. Hard on the heels of the EU’s efforts to promote a culture of security risk management, President Obama’s administration introduced an Executive Order on Improving Critical Infrastructure Cybersecurity in the U.S. The U.S. and EU initiatives both focus on cybersecurity risks to critical infrastructure and have at their heart a drive to encourage greater cooperation and information sharing between relevant agencies and also with those who suffer attacks.

Sopot Memorandum

This is a working paper issued in April 2012 by the International Working Group on Data Protection in Telecommunications led by the Berlin Commissioner for Data Protection and Freedom of Information. The paper contains a number of recommendations and best practices intended to ensure that the adoption of cloud computing does not lead to a lowering of data protection standards as compared with conventional data processing. Among other things, these recommendations emphasise transparency and the need for contractual standards.

STAR certification programme

The Cloud Security Alliance (CSA) and BSI, the business standards company, in September 2013 announced the launch of the STAR Certification program, a third party independent assessment of the security of a cloud service provider.

The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service.

GCHQ guidance on security risk management

Published in May 2014, GCHQ’s guidance suggests that organisations should seek “adequate assurance” from cloud providers over claims those providers make about their compliance with information security principles. The guidance also outlines a step-by-step risk management strategy for cloud security.

Guidelines on Service Level Agreements

In June 2014, the European Commission published “Cloud Service Level Agreement Standardisation Guidelines”. These Guidelines are described as being designed “to help business users save money and get the most out of cloud computing services through SLAs”. Aimed at professional cloud users rather than consumers, the guidelines set out several overarching principles for the development of Cloud SLA standards, provide definitions of commonly used terms and suggest some targets for service levels. The working group behind the guidelines is also liaising with the International Organization for Standardization (ISO) Cloud Working Group to input the EU position and to contribute to the ISO/IEC 19086 project (which also relates to SLAs). The Guidelines are a useful first step in the process that was set out by the Commission Strategy document in 2012 to develop model terms, but they do not yet deliver all they need to.


Allen & Overy & cloud computing

We recognise the importance of cloud computing to our clients.

To respond to our clients’ needs, we set up an internal cross-border working group to focus on the legal services we provide in relation to cloud, to share best practices and make sure our lawyers have the right skills to respond to the changing IT market our clients operate in.

We believe that, for the most part, the issues encountered when implementing cloud solutions are not new, being equally relevant in many other IT transactions. We also understand that getting comfortable with new IT bases which use cloud technologies will be a requirement for companies looking to embrace other game-changing technological developments such as advanced analytics, context-based services and social-driven IT. We offer practical support to our clients to help them turn IT innovation into successful business reality.

Our representative matters in this area include advising:

Proofpoint, a NASDAQ-listed leader in cloud-based information security and governance software, on the English law aspects of its acquisition of all of the shares in Mail Distiller, a European-based provider of SaaS email security solutions.

SAP on its USD3.4bn acquisition of NYSE-listed cloud computing leader Success Factors.

Novartis on a global 7-year application development and infrastructure cloud transaction with Microsoft. We focused on developing contractual mechanisms to mitigate the risks for Novartis as much as possible in relation to security and regulatory compliance.

Amazon on strategic copyright issues across the European Union in relation to its Cloud Drive service.

Cisco Systems on aspects of its USD1.2bn purchase of San Francisco-based Meraki, a provider of cloud-managed networking equipment and services.

A multinational company in the energy sector on the implementation of a SaaS project with Microsoft.

An international information technology services company on general matters (including on the application of the U.S. Patriot Act to cloud computing services, Regulatory, HR and IT).

Agfa-Gevaert, one of the largest players in the field of imaging systems and IT solutions, on a major cloud computing outsourcing transaction with Service Now, a leading provider of cloud-based services that automate enterprise IT operations.

Microsoft on the data protection aspects of their Office 365 cloud computing offering and on the Belgian and international regulatory restrictions applicable to cloud computing in the financial sector.

Novartis on a SaaS agreement with Box.Net for cloud-based storage services.

T-Systems on a contract to provide global data centre and SAP infrastructure services to healthcare, lifestyle and lighting giant Philips Electronics. The transaction involved the adoption of a SAP SaaS model, using a private cloud.

A global IT consultancy on the implementation of a SaaS platform for a multinational company in the manufacturing sector.

Caisse des dépôts et consignation, the French sovereign fund, on its investment in the French cloud computing joint venture Numergy with Bull and SFR.

Luxcloud on contractual and IT issues on cloud computing.

SFR on its acquisition of shares in G Cluster Global, a cloud-based video gaming service.


Systemat on its complete suite of cloud computing contract templates for use with its customers.

Allen Systems Group on the takeover of visionapp AG, a German SaaS and cloud platform provider.

Novartis on the drafting of a SaaS template.

Randstad on the legal aspects of cloud computing and email solutions.

A global manufacturer of specialty chemicals on the data protection aspects of migration of HR data from more than 20 jurisdictions to a centralised platform managed by a U.S. based cloud provider.

ServiceNow, a SaaS provider of IT Service management software, on the acquisition of Mirror 42, a Dutch developer of performance management software.

Stichting Centraal Informatie Systeem (CIS), a Dutch Foundation which manages and stores the insurance data of consumers, insurance companies and intermediaries in a central database, on the renegotiation of a SaaS contract with Solera, a U.S. technology supplier.

SFG Australia on its cloud computing outsourced services contract.

A major internet shopping platform on the review of terms and conditions on cloud services, notably from a data protection law perspective.


Key contacts

Belgium

– Filip Van Elsen, Partner – Antwerp, Tel +32 3 287 73 [email protected]

Luxembourg

– Catherine Di Lorenzo, Senior Associate – Luxembourg, Tel +352 444 455 [email protected]

– Gary Cywie, IP/IT Counsel – Luxembourg, Tel +352 44 44 5 5203 [email protected]

Netherlands

– Herald Jongen, Partner – Amsterdam, Tel +31 20 674 [email protected]

UK

– Jane Finlayson-Brown, Partner – London, Tel +44 20 3088 [email protected]

– Neville Cordell, Partner – London, Tel +44 20 3088 [email protected]

– Nigel Parker, Partner – London, Tel +44 20 3088 [email protected]

– Charlotte Mullarkey, Senior PSL – London, Tel +44 20 3088 [email protected]

– Rose Hall, Business Development – London, Tel +44 20 3088 [email protected]

France

– Ahmed Baladi, Partner – Paris, Tel +33 1 40 06 53 [email protected]

Greater China

– Will McAuliffe, Partner – Hong Kong, Tel +852 2974 [email protected]

Australia

– Connell O’Neill, Senior Associate – Sydney, Tel +612 9373 [email protected]

U.S.

– Peter Harwich, Partner – New York, Tel +1 212 610 [email protected]

FOR MORE INFORMATION, PLEASE CONTACT:

London

Allen & Overy LLP, One Bishops Square, London E1 6AD, United Kingdom

Tel +44 20 3088 0000 Fax +44 20 3088 0088


Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings.

GLOBAL PRESENCE

Allen & Overy is an international legal practice with approximately 5,000 people, including some 527 partners, working in 45 offices worldwide. Allen & Overy LLP or an affiliated undertaking has an office in each of:

Abu Dhabi, Amsterdam, Antwerp, Bangkok, Barcelona, Beijing, Belfast, Bratislava, Brussels, Bucharest (associated office), Budapest, Casablanca, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Riyadh (associated office), Rome, São Paulo, Seoul, Shanghai, Singapore, Sydney, Tokyo, Toronto, Warsaw, Washington, D.C., Yangon

© Allen & Overy LLP 2015 I CS1210_CDD-4171_ADD-55229