THE CLOUD: OPPORTUNITIES AND ISSUES

Transcription

1 THE CLOUD: OPPORTUNITIES AND ISSUES OF IMMATERIALITY Alberto Pera Partner, Gianni Origoni Grippo Cappelli & Partners

2 THE CLOUD IS A NO-LAND TERRITORY Data can be accessed and processed from anywhere via the Internet. This has great operational advantages: possibility of quick data delocalization Enterprises can share data, programs and procedures among their offices around the world: quantum jump in speed and data processing capabilities But from a legal point of view this poses a lot of issues about applicable law and the criteria of interpretation 2

3 LEGAL HURDLES TO THE DEVELOPMENT OF THE CLOUD Fragmentation of the digital single market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location. A few examples: Specific issues concerning contracts Issues concerning data protection Issues concerning competition law Uncertainty hampers exploitation of potential benefits, especially by SME 3

4 1. SOME CONTRACTUAL ISSUES No specific "cloud law" exists yet. Key contractual issues depend on national laws and their interpretation. Examples: Service Level Agreement (SLA) are qualified in different ways: service contracts, lease contracts, work contract: performance obligations stemming from the contract may differ; Liabilities for indemnification for direct (in some countries: France, Italy) or indirect (UK) damages. Contractual limitations of liability are generally admissible, but different requirements in different countries and treatment is usu sllydifferent in B to B and B to C cases Consumer protection EU legislation implies a strong protection of individual customers. In some countries (Netherlands, Italy) consumer protection applies also to small business Quest for standardization and harmonization Regulations put in place by the industry itself non-binding initiative of the industry (in Sweden), which elaborated the General Terms on Cloud Computing. However, they will only apply in case both (or all) parties agree with this and this also to the extent the terms are not derogated from. Publicly sponsored initiatives for standardization EU Commission s proposal of Safe and Fair Contract Terms and Conditions (through a Regulation on a Common European Sales Law) 4

5 2. PRIVACY LAW AND THE CLOUD/1 The cloud presents an inherent freedom from locational constraints. Consequently, another issue concerns the transfer of personal data to countries other than those considered to offer adequate protection. Data protection law is based on the premise that it is always clear where personal data is located, by whom it is processed and who is responsible for data processing. Cloud computing appears to fundamentally conflict with this evidence it is no longer possible to say where the data is at a certain moment and by whom and how it is being processed. The study of more than 12,000 cloud services by security provider Skyhigh Networks (2015) revealed that suppliers have significant issues around EU regulatory requirements such as data residency, data breach detection and notification, encryption and data deletion policies 5

6 2. PRIVACY LAW AND THE CLOUD /2 UE citizens data must be guaranteed a treatment compliant with stringent Privacy requirements in Europe set by the Directive 95/46/EC. Applied to Cloud services by interpretation (processors and subprocessors of data) EU privacy requirements set a high standard, based on personal rights to privacy enshrined in the Europea Convention of Human Rights New Regulation (not Directive) to be issued in 2017 explicitly applies to cloud services (possibility of encription) Commission Decisions may attest compatibility with data tratment in other jurisdictions. 200 Decion on Safe Harbour Principles guaranteeing same level of protection in the US Recent ECJ judgement on Safe Harbour Principles(6 october 2015): Commission Decision does not prevent NDPA from evaluating arrangements of compliant companies SHP non compliant with EU standards of protection (does not apply to public sector bodies) Transfer of data to processors to the USA is jeopardized 6

7 2. PRIVACY LAW AND THE CLOUD/3 Possible remedies to ECJ decision: Contractual guarantees to privacy will they be enough? The Commission Standard Clauses Decision (February 2010) Art. 29 Working Party Opinion concerning Privacy in the Cloud (2012) On these bases starting in 2014 it has been possible for (some) companies to obtain individual opinion of compliance from the Working Party Public bodies access to data and EU citizens guarantees remain ope issues: the Umbrella Agreement, not yet in force, provides for judicial redress for EU citizens in the US. The process of approval is still ongoing. 7

8 3. BETWEEN PRIVACY AND ANTITRUST: THE ISSUE OF «BIG DATA» Definition «Big data refers to datasets whose size is beyond the ability of typical database software tools to capture, store, manage and analyse» (see McKinsey report) Main characteristics ubiquity, low cost, wide availability and fleeting value Competitive benefits and risks of data-driven strategies(see European Commission, Google case) ongoing proceedings, implications still unclear; French and German Competition Authorities just opened a joint Study on new challenges and risks 8

9 4. THE CLOUD AND ANTITRUST ISSUES Lock-in effect / creation strengthening of market power lack of interoperability the cloud could offer specialized software or services that, once adopted by the customer, would be difficult to obtain from another source network effects the more the cloud is used, the more its value will grow (the network effect is the effect a person of a good or service has on the value of the this good or service for other people using it) switching costs the investment of time and money required to change the cloud provider represents an obstacle to the change of provider. Moreover, another barrier is constituted by the investment of time and money required to train employees to use the cloud and its software Risk of tying / market power in aftermaarkets the cloud provider which has market power on its market could condition the sale of its service on the purchase of another (that is the case, for instance, of a cloud provider that will sell its data storage services only to customers who purchase its own virus detection software). Risk of exclusive dealing/ raise barrier to entry If the customers are already locked in, an exclusive deal between a cloud provider and a particular product or service vendors risks to be problematic as it foreclose competitors access to substantial share of the relevant market for their products. 9

10 AN EUROPEAN APPROACH TO CLOUD ISSUES European Commission is working since 2012 in order to promote the rapid adoption of cloud computing in all sectors of the economy and solve some issues which came up with the development of such a new technology. In particular, The strategy includes three key actions: Safe and Fair Contract Terms and Conditions (through the Commission's proposal for a Regulation on a Common European Sales Law); Cutting through the jungle of Standards (with the support of European Union Agency for Network and Information Security (ENISA) and other relevant bodies); Establishing a European Cloud Partnership (in order to work on common procurement requirements for cloud computing in an open and fully transparent way). In 2016 the European Commission will also present the European cloud initiative. This regulation proposal will facilitate clear and credible certification of services in order to allow users to benefit from secure, reliable and high-quality cloud services. It will ensure that SMEs and consumers are able to switch to a different service provider without undue technical or administrative restraints, and other contractual issues that require a common approach in a single market 10

11 Thank you for your attention This document was prepared by Gianni, Origoni, Grippo, Cappelli & Partners and is made available for informational purposes only. This document is up-dated at the date indicated on its first page. The information contained in this document, the completeness of which is not guaranteed, does not represent a legal opinion, nor an exhaustive examination of a subject matter and cannot replace an opinion released on a specific subject matter. Gianni, Origoni, Grippo, Cappelli & Partners accepts no responsibility to any person for any direct or consequential loss arising from the inappropriate use of this document or any alleged reliance upon its content or any other circumstances relating to its use. This document may not be reproduced, distributed or published, either in whole or in part, for any purpose unless expressly authorised by Gianni, Origoni, Grippo, Cappelli & Partners. For any further clarification, or to find out more about the services available to clients, please contact Gianni, Origoni, Grippo, Cappelli & Partners.