This chapter introduces the subject matter of the book, provides the core problem statement and defines the central terms used in the book. The introduction also explains the focus on governmental adoption of cloud computing services, legal sources, and the research approach.

The introduction explains how cloud computing has made it possible and desirable for users, such as businesses and governments, to migrate their data to be hosted on infrastructure managed by third parties. The chapter further outlines why aspects of migration to cloud services pose specific legal, contractual, and technical challenges for governments.

The chapter further outlines the challenge of addressing contracting and procurement requirements, data privacy and jurisdictional obligations when using an opaque, global, multi-tenant technology such as cloud computing.

This chapter contains the second part of book’s study on cloud computing contracts.

The chapter examines how general contract law, as defined in the chapter, will likely apply to the use of cloud computing services. This chapter focuses on terms that are often considered standard in cloud agreements. The analysis includes terms aimed at keeping information confidential, non-disclosure agreements, terms regarding liability, warranties, and other terms and conditions aimed at regulating or limiting responsibility. Additionally, the chapter considers terms aimed at termination of services, portability and other provisions necessary for exiting services.

In addition to offering an evaluation of specific contract terms, the chapter also evaluates how governments might create better cloud computing contracts to generate more consistent and compliant results.

This chapter evaluates the key data protection requirements and compliance obligations that governments must account for when entering into contracts with cloud service providers. The chapter concentrates on data protection issues that pose particular barriers for governments attempting to adopt cloud-computing services.

The chapter focuses primarily on understanding how the General Data Protection Regulation (GDPR) impacts the use of cloud computing. This requires an analysis of applicability and jurisdiction, applications of principles, understanding roles and responsibilities under the law, contractual obligations on sub-processors, liability for compliance, and limits on data transfers among others. The chapter also provides an overview of US data privacy law.

The chapter further evaluates recent case law and guidance from the European Data Protection Board (EDPB) and national data protection authorities to draw conclusions regarding GDPR cloud compliance obligations. Specifically, the chapter focuses on challenges and limits to cross-border transfers of data following the CJEU decision in the “Schrems II” case.

This chapter provides an overview of cloud computing technology. The explanation includes an overview of the differences between traditional outsourcing and cloud computing and how server virtualization makes cloud computing possible. The chapter also identifies the major players in the provision of cloud computing services and the primary cloud computing service and deployment models. The chapter evaluates central security concerns and risks including loss of availability and risks to data portability.

This chapter evaluates the unique obligations governments have when they commit citizen data to cloud service providers. In particular, the chapter focuses on how the responsibilities of governments are different than other types of cloud computing users focusing on specific procurement obligations, and other legal requirements.

The chapter also evaluates issues related to “data sovereignty”, outsourcing of government functions, and the potential risk to citizens from outsourcing critical infrastructure. Further, barriers that governments face when procuring cloud computing services including data localization restrictions, difficulties in comparing costs to traditional IT services, and ill-suited contract templates designed for traditional IT-outsourcing being applied to cloud computing services.

The chapter also explains that since operations or services are outsourced to cloud, governments must have the means to monitor them in order to retain a certain level of control over the operations they are outsourcing. The chapter examines government procurement programs in the United States, United Kingdom, and European initiatives to adopt cloud computing at the government level.

This chapter evaluates the application of jurisdictional principles to cloud computing services and the core challenges for governments and others. The chapter considers the interplay of jurisdiction—the ability of a court to hear a dispute—in the context of physical location, intelligible access to data, and the physical location of servers.

In particular, the chapter focuses on areas of uncertainty, such as the categorization of services and the location of data and limits to current approaches. The chapter argues that the traditional territorial approach to jurisdiction is a poor fit to account for the properties of cloud computing services and data more generally arguing that data poses unique legal challenges to applying traditional jurisdiction principles.

The chapter provides an analysis of access to cloud computing services for law enforcement and intelligence purposes by the US government. This includes an analysis of the “Microsoft Warrant” case, the US CLOUD Act and its possible conflicts with the General Data Protection Regulation (GDPR), and access by US intelligence agencies under FISA Section 702 and Executive Order 12333.

This chapter contains the first part of the book’s study on cloud computing contracts evaluating the organization and structure of cloud computing contracts in addition to their content. This includes an evaluation of Service Level Agreements (SLAs), the use of master-service and framework agreements, issues related to subcontractors and subcontracting, third-party rights, and liability considerations.

The study applies a qualitative analysis of based on both secondary and original data. Secondary data is derived from various research projects in the EU and elsewhere. Original study data is derived from contracts obtained by the author through Freedom of Information (FOI) requests. This study is original in its method and scope in the governmental context. Additionally, the chapter applies government cloud audits and other guidance form the UK G-Cloud and US FedRAMP programs.