In Sweden, electronic documentation and management systems are today more or less mainstay in the modern infrastructure within the Life Science sector (the notion life science used here in its broadest meaning, including the food & beverage and chemical sector).Since 2006 researchers in academia, healthcare and business have made the transition from recording and storing their complex data in an analogue manner, to recording it in a digital manner. Historically, the preferred technological solution for the storage of clinical data has been to use an in-house server solution and have possession over the servers. As the range of cloud computing solutions increases, however, there is a growing trend within research groups and small research companies to outsource the management of the laboratories’ information and management systems, and the record keeping of laboratory notebooks, to cloud computing service providers. The attraction of cloud computing to companies of limited finance lies in the fact that it can effectively replace the need for considerable up-front investment in expensive IT infrastructure.
Laboratory Information and Management Systems (LIMS) and Electronic Laboratory Notebooks (ELN) are software systems used in laboratories for the integration of all laboratory software and instruments, the management of samples, laboratory users and standards, and other laboratory functions such as Quality Assurance and Quality Control, sample planning, invoicing, plate management and workflow automation. Outsourcing advanced data storage systems of delicate data, such as the data generally contained in LIMS and ELN, has fundamental implications for the contractual regulation of access to data and compliance with data protection for both suppliers and customers.
This article looks at the nature of cloud computing arrangements within the life science sphere and examines some key contractual issues.
The nature of cloud computing
In its essence, cloud computing is the delivery of IT as services via the internet. Cloud computing consists basically of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The LIMS and ELN can either run as a software package downloaded to the users’ local computers (an in-house server solution), or as a web based service where the software is hosted and maintained by the cloud computing service provider (a cloud solution). The unique selling point is that users will not need to purchase or install software and companies will not run their own application and data servers. Cloud service providers will host applications and provide the computing power from their data centres, drawing benefits from economies of scale, and dramatically lowering the costs of IT. These arrangements most often use the business model of pay per service, or pay per use as cloud computing contracts are more like service contracts than software licenses. In some cases there may be an initial fee to be paid up front, after which payments will be made on a subscription basis.
As is the case with most commercial arrangements, the appropriate commercial and contractual structure to be adopted needs to be considered on a case by case basis. Today as the market for cloud computing solutions for the life science industry has matured, the shortcomings of the standard outsourcing agreements with regards to security have to a large extent been addressed by the service providers. However, the following issues are still likely to be relevant in most cases: content issues, access to data, and the issue of governing law and applicable jurisdiction.
– Content issues
Cloud service providers generally seek to offer their services on standard terms. These often include a broad license from the customer to the service provider allowing them to use any of the content stored on its servers. Note that data generally contained in LIMS and ELN, for example clinical data, compilation of patient data, laboratory results, and even patentable discoveries, are not appropriate to license to the cloud service provider. On the contrary, secrecy and security is required, in addition to integrity regulations etc.
The nature of these standard terms tends to be strongly supplier-centric, excluding nearly all but the most limited of warranties and any liability for data loss or service failure. This is not sufficient for LIMS or ELN. The cloud service provider will seek to exclude all liability for content stored or posted on its services and will normally include a right in its standard terms to remove any data from its servers. Under the Copyright Directive (2001/29/EC) and the Electronic Commerce Directive (2000/31/EC) internet service providers can be liable for failing to take down offensive, defamatory or IPR-infringing content. Corporate customers should therefore seek an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved and should look to impose a requirement to be notified in advance if any content is to be removed.
The cloud service provider will not always own the intellectual property rights (IPR) in the software that is the subject of the cloud computing service. The customer then needs to secure that the cloud service provider grant sublicenses to third party IPRs, or see to regulate it separately from the cloud computing agreement.
– Access to data
Although the majority of the multinational life science companies have chosen to have their LIMS and ELN data stored on in-house servers, the need to regulate the terms of access to the data remains. With regards to LIMS, there is an issue of access to the content data as soon as the user terminates its service contract or wishes to change system and service provider. Generally, as soon as termination occurs, the service provider will use his right to withhold the service, thus cutting off the access to the data stored in the system. Similar situations will also arise in the event of either party becoming insolvent, or if the parties should find themselves in a dispute.
If an IT outsourcing arrangement does not contain exit or transition provisions, there is an apparent risk of the consumer becoming “locked in” with the supplier, or in the worst case scenario, of the data being lost. Maintaining their own back up arrangements may be the preferred solution for some customers. It might be enough to secure the service continuity, but it will not resolve the issue of terminated access. Also the cost of maintaining back-up will negate some of the cost benefits of having chosen to outsource to begin with.
Cloud computing entails that the customers put their applications and data in the hands of third parties that could withdraw their services at short notice for any number of reasons. The most reputable cloud service providers usually have the established practice of escrow-agreements in place with independent third parties. Software escrow regarding the source code is an established practice with IT agreements. Having an escrow in place for the object code is equally important for the customer with regards to cloud computing arrangements. In these cases the object code has to continue to be available in the event that the service provider terminates the service or becomes insolvent, as the customer will not ordinarily have it stored locally. Software escrow arrangements, like maintaining a back-up system, provide important protection but add to the overall costs. In this respect, there is also the problem of ensuring that the escrow codes are up to date. If not, the customer faces the risk of ending up with “old” codes.
It is thus advisable to include an exit plan and specific provisions in the cloud computing service agreement to cover situations such as insolvency and commercial conflicts. These provisions shall, where possible, specifically set out each party’s obligations in the event of termination, insolvency or a dispute arising. Preferably, the customer should actively check that the cloud service provider takes the measures agreed (see comments above).
– Governing law & applicable jurisdiction
The nature of the internet is global and enables multinational collaboration as well as cooperation, whereas the nature of the regulation of the internet and the sale and purchase of goods and services online is nationalized. This inherent conflict leads to jurisdictional issues of which law is in fact governing the agreement. It is common for the parties in advanced research (as well as for the parties of a cloud service arrangement) to be located in different jurisdictions. Research groups in both academia and in business are used to dealing with multiple jurisdictions and complex contract structures due to the numerous international collaborations.
The parties most often expressly provide that the cloud computing contract is to be governed in accordance with the laws of a particular jurisdiction. However, if the parties have not expressly decided on the specific governing law of the contract, the issue is resolved by private international law. The Rome Convention 1980 (80/934/EEC), and the Rome I Regulation 593/2008/EC (Rome I) for contracts concluded after 17 December 2009, prescribe – in a situation where the parties have not chosen a legal system – that a contract will be governed in accordance with the law of the country in which the party who will perform obligations characteristic of the contract has its habitual residence or central administration. This will generally entail that the governing law of the contract will be the law of the place in which the cloud computing service provider locates its servers (which can be in multiple places around the world). Non-contractual obligations arising in civil and commercial matters will be governed by Rome II. According to this convention, such obligations will be the law of the country in which the damage occurs or is likely to occur. Rome II is however subject to numerous defined exceptions (e.g. IP infringement, unfair competition and product liability). A person who is domiciled in a contracting state to the Brussels Regulation 2002 may be sued in the courts of another contracting state where a contractual obligation is owed. Hence, the cloud computing service provider based in the EU may be sued in all of the jurisdictions in which it provides services to its customers. The Brussels Regulation also provides for mutual recognition and enforcement of judgments.
Parties to a cross-border arrangement should be careful to ensure that the chosen governing law does not give rise to any unexpected contractual issues. For example, in Sweden, a party entering into negotiations has a binding non-contractual obligation to observe the duty of good faith in negotiations, and can be held liable if they breach this obligation and act in a disloyal manner. This is not the case under English law, for instance. Parties should also consider the possibility of obtaining emergency remedies against a cloud service provider if the user believes the service provider has misused the data.
Ida Smed Sörensen