How To Control Content On The Cloud

Transcription

1 1 EXPERT GROUP MEETING ON CLOUD COMPUTING CONTRACTS SYNTHESIS OF THE MEETING OF 30 APRIL 2014 On 30 April 2014, the Expert Group on Cloud Computing Contracts met for the sixth time. Three sessions were held during this meeting: a session with contract law experts only chaired by Dirk Staudenmayer, a session with data protection experts only chaired by Marie-Hélène Boulanger, and a plenary session chaired by Paraskevi Michou. CONTRACT LAW EXPERTS I) CONTROL AND USE OF CONTENT The rapporteurs, Mr Peter Homoki and Mr Peter Kitts, made a short presentation of the main challenges related to the control and use of user s content in the cloud. In particular, they insisted on the (lack of) users' certainty on what providers can do with users' content. They also flagged that this topic is at the cross-over between several regulatory frameworks (copyright, trademark and other sectorial regulations). Finally, they clarified that the purpose of their discussion paper was to focus on legal issues other than data protection issues. Overview of current terms relating to the use of content Experts were critical toward contractual clauses granting authorisation to cloud providers to use the user's content for any purposes. These clauses were seen by some experts as potentially unfair as they give too broad rights to the provider. Several experts explained that this risk was mostly present in business-to-consumers contracts and less in business-to-business contracts. Cloud computing services addressed to consumer are generally for free. The use of the consumer content is thus a form of remuneration for the cloud provider. However, one expert pointed out that terms authorising a wide use of the user s content by the provider were also to be found in contracts for paid cloud services. Several experts underlined that the fact that users get the cloud service for "free" should not entitle the cloud service provider to use the content for any purpose. Several experts highlighted that a possible way forward would be to restrict the use of content to the extent necessary for the provision of the service. However, one expert expressed the view that such wording may also be subject to interpretation. This can be understood strictly (for example, the rigorous copy-paste of a logo on a portal) or broadly (for example the use of statistics in order to send new, tailored, offers linked to the initial service provision). Some experts called for a more differentiated approach for the use of data. Providers could develop business models with different options offered to users, instead of an "all or nothing system". For example, one option could be that users accept that their data are used for all purposes and would thus benefit from additional free services. Another option could be that users willing to have the data only used for the provision of the service would have to pay. Several experts pointed out the lack of clarity arising from discrepancy between clauses enabling cloud services providers to widely used customers content and clauses in the same contract claiming that "the users content will remain users' content".

2 2 Many experts supported the idea of clearer information on how user's content would be used (e.g. internal marketing purposes, use by third-parties for advertising purposes, provision of the service). They also said that users should be clearly informed when the exploitation of their contents is a form of remuneration to the provider. However, one expert explained that providers have no commercial incentives to clearly inform the user about the use of data. Indeed, contrary to other contractual elements, the way the content is used is not a competitive differentiator yet; potential clients do not choose a service provider or another on that basis. Finally, one expert said that information should be tailored to the service provided. He explained that the more the provider is doing with the content on the cloud, the more details users want to have in the contract regarding control and use of their content. For example, as it is rather simple for a pure storage service to define what the provider may or may not do with the content, the information on the use may be fairly limited. Other specific issues With regard to copyright issues, experts explained that due to the current fragmentation of copyrights laws, providers tend to draft very wide license clauses. The purpose is to protect themselves against possible actions brought by users for copyrights' infringements and ensure that they cover all possible uses that they may do with the content. In response to this trend, one expert suggested developing "licenses for specific purposes only". Another expert highlighted that very wide clauses may be incompatible with copyright laws (e.g., French law prohibits licenses over future creations). Experts insisted that the protection of trade secrets is very important for cloud users. Some experts explained that the lack of trust in cloud services prevents users from storing trade secrets in the cloud. One expert further suggested that cloud contracts make clear what access foreign governments may have to the content put in the cloud. One expert explained that certain professions are limited in their use of cloud services (such as lawyers and healthcare professionals in Germany) because this would endanger the secrecy of certain sensitive information. Experts discussed technical protection measures that can be used by the user to prevent unauthorised use of data by the provider, in particular back-ups on a hard drive. Some experts wondered whether hard drives would really still exist in coming years, as all technologies are moving to the cloud. Experts mentioned end-to-end encryption of data, while emphasising that this solution is quite burdensome to implement. Another expert mentioned new technologies in development, such as, for example, binding embedded software to a specific device or word electronic finger prints. DATA PROTECTION EXPERTS II) DATA DISCLOSURE AND INTEGRITY The rapporteur (Prof. Ian Walden) gave a presentation based on his discussion paper. This presentation was followed by a general discussion and the discussion of the questions attached to the discussion paper. Presentation

3 3 At the beginning of his presentation the rapporteur outlined that the topic is highly controversial. He distinguished three different types of data that a CSP can be seen as processing: a) content supplied to, or generated by, the cloud service by users; b) attributes data or meta-data generated through use of the service, and c) subscriber or user data identifying characteristics of those authorised to use the service. In terms of data disclosure he stressed that some CSPs provide for rather detailed and understandable contract clauses, whereas some CSPs use very vague ones. The more detailed the clauses the higher the protection for cloud users. So, regarding the first category of data, a), some providers have restricted policies, e.g. disclosure will only be made for security or policing reasons. On the other hand some CSPs have a very broad policy using clauses along the line of "We will disclose your data upon your interest". Thus, the former policy can be regarded to offer higher protection than the latter one. The rapporteur also underlined that the legal evaluation of the CSP's behaviour should depend on whether it is acting as a controller or as a processor. Regarding category a) the CSP is usually to be seen as a processor whereas regarding categories b) and c) it is to be seen as a controller. Concerning the term "integrity" the rapporteur explained that this term is usually not defined in legal provisions. However, from a legal perspective "integrity" cannot be seen as an absolute. Some applications do not work "bug free" and there are many sources of dangers for data integrity. General discussion on data disclosure and integrity Experts reacted to the introduction of the rapporteur. Some experts expressed the view that data disclosure issues are in most circumstances covered by the confidentiality clause of their contracts, and that those clauses are standard and undisputed across the industry. The experts discussed the content of a clause that would enable CSPs to disclose data "in response to a valid court order". Here, the use of the wording "valid" was criticized as vague to some experts. The rapporteur outlined in response that there is indeed ambiguity in this regard and that CSPs would rely on such ambiguity in contracts to make their work easier. However, the group also was of the opinion that CSPs cannot be expected to check or even challenge the lawfulness of law enforcement requests for disclosure, as they lack information. Instead, CSPs should only be obliged to check whether procedural rules are met with or not. The group also stressed that FISAA requests and also e-discovery requests are very problematic and that the Commission should provide proposals on how to deal with these matters. Moreover, the group discussed the classification of CSPs as controller and/ or processor. Some experts voiced their worries that the categories of data, a), b) and c), will be mixed and that it is not entirely clear in what category a CSP is to be regarded as controller and/ or processor. There seems to be an overlap between these three categories. Discussion of questions raised in the rapporteurs' paper 1) Should there be contractual limits on the right of a Provider to disclose data submitted/ generated by a Cloud Customer? [category a) of the discussion paper]

4 4 The experts reiterated that CSPs in case of law enforcement requests of disclosure cannot be expected to check the lawfulness of the request they should merely check the procedural compliance of the request. The Commission hinted at the provision Art. 26 (1) (d) Dir 95/46. 2) Should there be contractual limits on the right of a Provider to disclose attributes data or identity data [categories b) and c) of the discussion paper] In this context the issue of consent was discussed by the experts. The rapporteur explained that only rarely consent is given. He referred to Google's recent change of policy as an example: now, Google makes it express that they scan s for marketing purposes. This is a more transparent approach that can be seen as a first step towards the right direction. However, there is obviously no consent involved. The question came up whether it could be distinguished between free and non-free services. Notwithstanding that consumers always pay with their data the rapporteur came up with the idea that there could be an explicit notice of disclosure policies depending on whether consumer have to pay money or not. 3) What procedural safeguards should be detailed in the contract regarding Provider disclosures; and to which categories of recipient should such safeguards apply? The experts agreed that it has to be distinguished between legal and other proceedings. As regards legal proceedings the experts agreed that there should not be a duty to disclose entire data sets as this could harm the position of parties of a civil law case. 4) What procedural safeguards should be detailed in the contract regarding disclosures in urgent circumstances? The experts identified that the definition of "urgent" is problematic and could be used widely by law enforcement entities. 5) Should a disclosing Provider be held contractually liable for the conduct of a receiving Provider? The rapporteur added that there are Model Clauses for international transfers and the group discussed whether something similar should be introduced to intra-eu transfers. 6) What 'legal requirements' should permit a processor to disclose data without the authorisation of the Cloud Customer? Here, the group discussed whether or not public interest could be considered in this context. 7) Should Providers be subject to certain minimum contractual guarantees concerning data integrity? Here, the group agreed on that it depends on the circumstances of the single case. However, it would make sense to not leave CSPs out from responsibilities. 8) Should the contract specify what constitutes a breach of data integrity? The experts discussed whether it would make sense to have such clauses depended on how "important" or how sensitive data is (e.g. health related data or technology related data). It was discussed whether there could be different levels of integrity the highest level would cost extra money, for example. It was also identified, however, that it is not always possible to

5 5 define the integrity requirements in view of the data sensitivity at the time of the conclusion of the contract. 9) What contractual obligations should be required to enable adequate on-going oversight of a processor's obligation? The group discussed whether an annual third party oversight or annual reporting would be helpful. 10) Should Providers be contractually liable for a breach of data integrity by any of its processors and sub-processors? The rapporteur hinted at Art.23 (2) of Directive 95/46 which includes a rule on the burden of proof. It was discussed whether a similar rule should be applied to the CSP. 11) What liability should communication providers have towards a Provider or its customer? Here, the group identified that "TelCo" cases are addressed by this question and it discussed if and where TelCos can be included in the liability chain in cloud contracts. The rapporteur argued that TelCos are part of the "stack", while other experts were dubitative on this aspect. 12) Should the contract specify who is responsible for proving the cause of any data integrity breach? Some experts argued that such a rule should not be included in the contract as it is a fundamental principle of civil law that the party which asserts a claim has to give proof for the requirements of this claim. PLENARY SESSION III) CLOUD COMPUTING AND PRIVATE INTERNATIONAL LAW A representative from the Commission highlighted that cloud computing is an activity which transcends territorial borders and therefore inevitably raises questions of private international law. In particular, the question arises which courts have jurisdiction to deal with a dispute, which law those courts will apply, and whether the resulting judgment will be recognised and enforced in other (Member) States. Three main existing EU private international law instruments, the Rome I and Rome II Regulations (on the question of the applicable law) and the Brussels I Regulation (on the question of jurisdiction and whether judgments are recognised or enforced), apply to cloud computing services. A relevant factor in determining both the jurisdiction and the applicable law is which type of contract the individual cloud computing contract corresponds to. Cloud computing contracts can for instance be lease contracts, service contracts or sale contracts, or a mixture of different contract types. The EU legal instruments mentioned apply also in tort cases, for instance to infringements of privacy rights and to damage or loss of data. Current practice Experts first explained that, except in some limited cases, private international law issues related to cloud computing have been subject to litigation only to a very limited extent so far. An expert estimated that only B2B cases with strategic interests go to court, also due to high

6 6 court fees. One reason why there are only few court cases is the low value of the claims. One expert also emphasised that because of the costs involved, it is difficult for a consumer or even for an SME to sue a provider. Experts then named cases regarding disputes over applicable law they were aware of. One expert mentioned a case in the UK where Google tried to invoke the law of the State of California, but the UK court ultimately applied the UK law. One expert mentioned some B2C cases in France where the issue of applicable law was addressed. The same expert mentioned that Facebook, Google and Twitter were taken to court in some Member States, such as Germany, France and Spain. One expert said that, whilst there are no court cases in the Netherlands, the question of applicable law was discussed regarding a cloud contract for a public health service. One expert stated that usually providers assume that they have to comply with the law where consumers reside. Experts explained that companies, in particular big EU companies, tend more and more to "localise" their contracts. They may do this by conducting compliance checks and adjust their contract to national requirements. This is, however, complex and costly and may force providers to limit their offers to selected countries. Providers therefore now increasingly set up multi-jurisdiction agreements to comply with different jurisdictions, making any choice of applicable law subject to overriding national mandatory provisions. By doing so, they do not face upfront compliance costs, ensure the legality of their standard terms and conditions and take a calculated risk of having to comply with a local mandatory provision in rare specific cases of dispute. Regarding the competent jurisdiction, an expert stressed that while it may be difficult for consumers to go to court due to the costs involved, consumers still do have access to the court where he has his/her residence. That can be more difficult for SMEs because "choice of court clauses may require SMEs to initiate proceedings abroad. Another expert thought that it might be difficult for consumers to sue cloud providers in Hungary because very few of the providers have a local presence in Hungary. The Commission explained that a local presence is not required and that consumers can sue locally despite the absence of a local presence. One expert mentioned a case between Google and Apple Safari where the UK court declared itself competent, even though there was a choice of court agreement referring to a US court. Another expert stated that there is no choice of court possible in B2C relations in Poland. The Commission explained that this is indeed the result of EU legislation on the matter. Another expert mentioned that the fact that cookies were placed on a German computer had been sufficient for a German court to declare itself competent. This case concerned a non-eu provider, therefore jurisdiction was established on the basis of national German law. Finally, one expert explained that due to the value of the disputes, out-of-court mechanisms may be relevant for settling disputes linked to cloud computing contracts. Another expert mentioned that in the UK, in B2C cases one third of the parties choose alternative dispute resolution in case of disputes. Although in such cases, the consumer still has a right to go to court, the reduced costs and fees make such an option attractive. Characterisation of cloud computing contracts One expert stated that cloud computing contracts may be qualified as IT infrastructure contracts. Another expert stated that the type of contract depends on the key element of the service which is provided. For example, SaaS cloud computing contracts could be considered

7 7 as license, PaaS services as lease contracts. He pointed out that these contracts are rarely sales contracts. He wondered whether there are any typical property law instruments (e.g., coownership) that could apply by analogy to the content in the cloud. Another expert agreed that cloud contracts can be considered as service contracts, but that there are also analogies to lease and custody contracts. One expert referred to a decision from the Supreme Court in Germany which considered a webhosting contract as a leasing contract. He pointed out that SaaS contracts are also considered as leasing/renting contracts. In the UK, cloud computing contracts are considered as service contracts rather than lease contracts. The same is valid for France. For the purposes of applying the EU legislative instruments, a characterisation as "service contracts" would allow to establish jurisdiction over all disputes relating to the contract in the same court in the EU. Location of the provision in service contracts Experts listed criteria that may help locating the place of provision of the service, such as the seat of the main cloud provider, the operational service provider s physical premises or the place where networks of several multi-data centres connect. Regarding the service provider s premises, experts said that it may be difficult to use this criterion because many premises and infrastructures are operating at the same time for the provision of one service. Moreover, it is difficult to identify a specific datacentre when there are more than one datacentre involved in the service. Another expert stressed that there are services with geographical restrictions that are not accessible from all countries such as "Spotify". This should be taken into account when determining the place of location of the service. One expert suggested to be inspired by the definition of place of provision of service used in the EU VAT Directive. Others, on the other hand, thought that the objective (harmonising VAT laws) pursued by this legislation is different and can thus not necessarily be transferable to cloud computing service. Finally, one expert insisted that the determination of the location would depend on the exact nature of the cloud services provided. For example, in case of a cloud communication service, the relevant place would be the place where the service is used (e.g. the place of the consumer). The place of location of the server could also determine the place of provision of the service as it is the place where the contractual obligation (e.g. storage in case of storage service) is executed. One easy solution could also be to locate the provision of services at the place of domicile of the service recipient. Relevance of non-contractual claims and liability Most of the experts agreed that the protection of trade secrets and copyright infringements as non-contractual claims are very important aspects in the cloud. In that case, the place where the damage occurred or the place where the event giving rise to the damage took place are of relevance to determine jurisdiction; as for applicable law, the place where the damage occurred is the primary criterion.