Cloud Computing: A cluster of complex liability issues

Rolf H. Weber, Dominic Nicolaj Staiger [1]

Citation: Weber R.H. & Staiger D.N., "Cloud Computing: A cluster of complex liability issues", (2014) 20(1) Web JCLI.

Abstract

This article addresses cloud computing liability issues related to contract, torts, intellectual property and data protection laws. It distinguishes the different types of providers according to their level of involvement in the decision making processes and the potential liability flowing from such actions. Such assessment is of particular importance in relation to intellectual property infringements carried out in the cloud. Additionally the possible scenarios and extent of claims for damages based on a breach of contract or tortious conduct are highlighted. In order to reduce potential liability appropriate contractual and organizational measures are suggested. New insurance forms are also becoming a viable option in limiting the amount of exposure.

1. Introduction

At present there is no generally accepted definition of the essential elements of cloud computing; in its most basic form, cloud computing is commonly described as the supply of computing capabilities through a communication link. [1] "Cloud computing provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in relation to demand; the services are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers." [2]

In essence, cloud computing is an IT service encompassing five specific characteristics: [3]

  • Cloud computing is an on-demand self-service allowing the customers to unilaterally access the desired service whenever required.
  • Cloud service capabilities are available through broad and ubiquitous network access (virtual web platform) by way of different devices (laptops, smartphones etc.).
  • Cloud computing enables resource pooling (also called multi-tenancy), i.e. services are offered to multiple parties at the same time in a flexible way.
  • Resource pooling forms the basis for the rapid elasticity of the service provision and the mass customization of computing power on the demand and the supply side.
  • Cloud computing enables measured service provision leading to transparency on the provider and the customer side.

Usually three different categories of cloud computing services are distinguished: [4]

  1. Infrastructure as a Service (IaaS): These services offer remote computing and storage allowing customers to back up data on servers with theoretically unlimited capacity.
  2. Software as a Service (SaaS): Cloud computing on the consumer market concerns the access to services being available without installation of additional software on a computer; well-known applications are Google Maps and YouTube involving data-intensive operations being executed in the cloud.
  3. Platform as a Service (PaaS): Remote access to development platforms for software is granted to the services without need for buying and deploying the software and hardware "on the ground". Used platforms are Microsoft Azure and Google App Engine allowing application builders to design and implement the products on their own server power.

Manifold regulatory concerns exist in light of the complex structures of cloud computing. Some problems can be seen at the cloud computing provider (CCP) level, others on the ISP level. Apart from reasonable pricing and discrimination concerns particular questions relating to the migration of data to and from different clouds (data portability) as well as the interoperability between clouds arise. [5] Even more complex are the challenges at the ISP/network operator level; the design of contractual relationships, vertical integration and discrimination play an important role, especially if an ISP decides to utilize cloud computing as part of its differentiation strategy. [6] Hereinafter these regulatory challenges will not be discussed in detail, but related liability issues are taken as the focus of the subsequent considerations.

2. Legal Framework for Liability in the Cloud Environment

2.1 Occurrence of Undesired Anomalies

Commonly liability manifests when the following undesired anomalies occur: [7]

  1. Interruption of information access or problem of information transfer: This group of anomalies encompasses technical aspects of the information delivery, including risks caused, for example, by denial-of-service attacks. These kinds of technical problems are most likely to frequently attract liability. Especially regular updates can, despite being administered properly, result in downtime and thus in a potential economic loss.
  2. Non-compliance with privacy rules: Making information available to the public can infringe privacy and data protection provisions; since cloud computing services are of a cross-border nature, privacy law conflicts between national legislations are likely to occur. Furthermore, cloud computing services need to comply with the principles of authenticity and integrity of information.
  3. Content of the information: The most important cases of illegal activities with regard to cloud systems concern the processed content; apart from distributing or making problematic material available, liability may be attracted in the process of giving advice, information gathering or through a misleading information search. Other aspects encompass unfair competition and violation of copyright or other intellectual property rights.

2.2 Types of Liability

Liability can generally be based on civil or criminal law; in the latter case direct liability must be distinguished from auxiliary liability.

Civil liability may be derived from a contractual relationship between the cloud computing provider and the customer. Contract law is the basis for regulating server availability, consequences of (direct and indirect) losses caused by server downtime as well as any disaster recovery and back-up strategy. Furthermore, these contracts often include the right to use data to "improve services", security requirements, audit rights, incident response procedures, measures to keep the customer's data confidential and a predetermined availability level of the required services in order to be able to respond to fast user growth. [8]

If the market participants and customers involved have not taken on specific contractual duties, liability can arise from general tort law. However, in the cloud computing context the wilful causing of damages is not of major practical importance. In most instances claims such as for damage caused by server downtime or loss of data will be based on the contract.

Liability can also accrue from special legislation, in particular telecommunications laws, electronic commerce laws, data protection laws, copyright laws and trademark or patent laws. The potential for unintentional infringements of these rights in a cloud computing environment remains high. However, attributing liability is difficult as these laws are state-based and in most parts not compatible with the technological framework of cloud computing. In negligence actions, statutes prescribing or prohibiting a specific conduct of cloud providers and imposing a criminal penalty (fine or imprisonment) for its breach can result in strict civil liability of the cloud provider to its customers. [9]

2.3 Elements of a Liability Claim

Generally, four well-known elements of a liability claim need to be fulfilled in order to successfully commence a legal action:

  • Occurrence of a quantifiable damage;
  • Illegal act of cloud computing provider (only if a specific statute forms the basis for the claim);
  • Causality between the act carried out and the damage incurred;
  • Fault on behalf of the cloud computing provider in form of intent or gross/light negligence; in a claim based on nonfulfillment of a specific obligation under a contract the lack of performance will be enough to establish a cause of action for breach of contract.

Firstly, before commencing an action against the cloud computing provider, the applicable law must be determined if the contract does not contain a choice of law clause. Secondly, the lack of bargaining power between the cloud computing provider and the customer should not be underestimated; often, contractual clauses limit or exclude liability as well as contain an indemnification of a party against losses, thus remedies for breach of warranties are in practice hardly ever enforceable.

3. Civil Law Differentiations for Specific Types of Providers

The particularities of Internet communication have encouraged some countries, for instance on a regional level the European Union, to pass legislation which treats the different participants of an information chain on the Internet in a distinct manner. Liability gradually increases subject to the closeness of the illegal or offensive communication or content to the activities of the provider.

The commonly used term in this connection is "secondary liability"; it involves the question whether an ISP should be liable for the actions of other Internet participants. A reasonable answer to this question pleads for a reduction of the liability when an ISP does not influence the communication or content transmitted. How far this applies to a cloud provider remains to be specified. The US imposes a higher burden on an ISP than the EU, which generally balances intellectual property and other rights against the free movement of data. [10]

3.1 Access and Caching Provider

The main function of an access provider consists in making Internet access available; therefore, the access provider can become liable to the user for lack of internet access which constitutes a contractual non-performance. A common issue is often the assessment of whether certain malfunctions of the Internet are attributable to the access provider.

The access provider is only exercising a "transport" function since normally the material is carried through an automatic technical process; the fact that the access provider makes it technically possible for the user to get access to illegal content is not considered a non-diligent behaviour per se (Art. 12 of the EU E-Commerce Directive). [11]

According to contract law, the access provider is obliged to inform the user about known upcoming access problems and also to protect its service against phishing, hacking or viral attacks. In addition, an obligation of the access provider to specifically block the access related to content being knowingly harmful to the user might in specific instances be required. [12] The extent of the access restriction must always be balanced against the individual rights (i.e. to privacy, self-determination) of the affected person. This especially applies to the US with its strong constitutional freedom of speech protection. When the access provider is advised to take down illegal content, it is generally assumed that an obligation exists to immediately take down the notified content. [13]

Cloud computing providers offer much more and diverse services than access providers. The privileging liability regime applying to access providers therefore does not appear to be adequate in the cloud computing context.

3.2 Host Provider

Usually a host provider supplies storage space on its server to the content or service provider and designs the web environment in accordance with the requirements of the web hosting contract. Art. 14 of the EU E-Commerce Directive as well as case law [14] suggest that a host provider is not under an extensive control obligation in regard to information available on websites/homepages or in non-moderated newsgroups; however, compliance with the notice-and-take-down approach is required since knowledge of illegal content can create liability. [15]

The services offered by a cloud computing provider do not correspond to the services of a host provider. Nevertheless, it is sometimes argued in legal doctrine that the hosting category is the most appropriate regime to be applied to the cloud environment. [16] However, this opinion does not sufficiently take into account that the data storage and data collection obligations of a cloud computing provider are quite different from the obligations of a host provider facilitating Internet access to the user. Additionally, a cloud provider, in contrast to a host provider, offers its services not from a predetermined location known in advance. Notwithstanding this assessment, it seems that Art. 14 E-Commerce Directive is applicable to cloud providers as the definition of "service" extends to any remunerated service provided at distance via electronic means on request of the recipient of such a service. [17]

A service offered by a cloud provider will invariably be conducted via electronic means over a distance. Importantly the nature of the service (calculating capacity or a software and storage solution) is irrelevant for the Art. 14 E-Commerce Directive's application as long as some form of storage takes place. Thus even a cloud provider will be protected from liability when it was not aware of illegal data being stored on its hardware. Subsequently the term storage needs to be defined. Any permanent or temporary storage of data on a hard drive will fall under the definition, but the situation in which data is only sent to a cloud provider for processing and is only temporarily transported through its RAM remains unsettled. In these situations once the processing is carried out the data will automatically be deleted from the temporary server memory, thus there is no intention to store it.

Article 14 (1) (a) E-Commerce Directive offers an exception for negligence claims if the provider knew of facts or circumstances which would have given rise to a perception or knowledge of illegal conduct being carried out. Most cloud storage providers such as DropBox have thus included a contractual right to review the data stored by their customers and to cancel the agreement when the data violates company policy (i.e. no obscene, illegal material). [18]

It seems that a new redefined approach to the Article 14 [19] hosting provisions is necessary in light of the evolving new technologies such as cloud computing. However, it does not appear to be wise to impose a burden of controlling a customer's data on a cloud computing provider if the contract does not specifically require it to do so. The main technological difference lies in the decentralised provisioning of a scalable service, thus making supervision of data much harder to achieve than on a single host server. As technology is evolving so are the many forms of cloud computing. Meanwhile, for example, cloud computing and hosting services have merged into a new product called cloud hosting.

In contrast to the old dedicated hosting where the web data was processed and stored on one server in a specific location, cloud hosting nowadays stores and processes the requested data from various locations based on availability and costs. This again highlights the incompatibility of cloud technology with the current law, created through inflexible definitions in legislation such as the E-Commerce Directive.

The E-Commerce Directive also incorporates some jurisdictional guidelines. [20] In a cloud context the location where the economic activity is pursued as well as the place where the service is provided are frequently hard to define. The E-Commerce Directive therefore looks at the place of establishment where the firm's centre of activity is based in order to determine the applicable law. However, in the case of an infringement of a personality right a person can elect to sue the provider at the place where his interest has been violated or the establishment of the business is located. [21]

4. Types of Civil Liability

The number of different civil liability types is relatively vast; in particular, the following liability situations are of practical importance.

4.1 Contractual Liability

Contract law is the basis for regulating server availability, consequences of (direct and indirect) losses caused by downtime, disaster recovery and back-up strategy. However, the rights and obligations of a party will strongly depend on the type of contract used and the terms incorporated. Potentially various contractual agreements could apply to a cloud, such as a contract for the sale of services or a licence. In general, the contract will mostly be for the rendering of services which, within legislative boundaries, gives the parties involved substantial contractual freedom. Especially in common law countries such service contracts are often not subject to statutory regulation. [22]

The parties to a contract will invariably need to address issues such as the amount of server downtime which is acceptable as well as access and deletion rights. It is also advisable to include a liquidated damage clause in a cloud contract as the loss caused (directly or indirectly) is often difficult to assess. However, the agreed compensation may not amount to a penalty on the party in breach or an unjust enrichment on behalf of the enforcing party. [23]

Further important aspects are the right to use data to "improve services", the security requirements, the audit rights, the incident response, the keeping of data confidential and the availability of services in case of fast user growth. Despite the obvious need for such provisions the ultimate outcome will be predetermined by the bargaining power of the parties. A weak (or small) cloud user will not be able to dictate the above mentioned requirements to the provider but will be faced with the choice of accepting a low protection standard and a moderate downtime or not to use the service at all.

In order to counteract such a development the EU Member States have enacted various consumer protection laws. For example the UK has implemented The Unfair Terms in Consumer Contracts Regulation 1999 in which Section 5 (1) states that:

"A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties' rights and obligations arising under the contract, to the detriment of the consumer."

As this protection only applies to consumers and does not apply to the "main subject matter" of the contract it remains to be seen how the courts will interpret certain one-sided provisions of a cloud contract. The guidance published suggests that a consumer favorable interpretation will be applied. [24]

Furthermore, many cloud contracts contain a licence provision allowing the cloud provider to utilise any data stored on its servers for its own purposes. Despite the risk of abuse of such a far reaching right, it is currently predominantly used for targeted advertisement. [25] In light of these clauses a customer which is thinking of submitting sensitive (corporate) data into the cloud must ensure that no access right is granted to the cloud provider. In a worst case scenario a cloud provider (or its employees gaining access) could use confidential financial information stored on a cloud server (i.e. financial statements) to trade on a company's stock, thus potentially making the company liable for breach of securities regulations as well as other laws.

Ultimately the current standard contract terms of the biggest cloud providers (Microsoft, Amazon, Google) contain wide liability exclusion clauses. Private individuals generally lack the bargaining power to alter these terms. However, big publicly traded corporations and municipalities have started to negotiate and alter standard cloud contracts to their needs. For example the City of Los Angeles was successful in adjusting the standard contract terms of Google's cloud service to include a USD 7.7 million cap on damages caused by the loss or destruction of data. [26] Legislation such as the Federal Information Security Management Act of 2002 puts further pressure on cloud providers' standard terms as it requires federal agencies to meet an adequate standard of information security which cannot be achieved by the current terms offered. [27]

4.2 Data Protection Liability

Compliance with data protection laws is a major problem for cloud computing; per se cloud services have a cross-border nature thus foreign data protection frameworks and their requirements must be adhered to. The most important laws are applied in the European Union with its EU Data Protection Directive (DPD) [28] and its E-Commerce Directive [29] as well as in the United States (US) with its scattered state laws and federal laws having an impact on trans-border data flows.

Currently under the EU DPD a data controller (the party deciding on the means and methods of data processing) [30] will be held liable for a breach of the EU Directive's rules on data protection. In contrast to a controller a processor does not control the processing and therefore is subject to a lesser burden. The main obligation under the DPD is to not transfer personal data to a country which does not fulfil the European data protection standards. [31] However various exceptions, creating an "equal level of protection", are available to allow such a transfer. In regard to transfers to the US the Safe Harbor Agreement is such an option. It is a framework negotiated by the European Union and the American Chamber of Commerce. Essentially it is a classification system which allows US companies to self-assess whether they meet the EU data protection standards. [32] If the required protection level is met data can flow freely to them from anywhere in the EU.

Another possible approach is to use standard contractual clauses of which only two have so far been approved by the EU. [33] These clauses must be inserted into any contract with a foreign party and require the fulfilment of the European data protection standards by the contracting party. An adequate level of protection will then also be assumed. [34]

New legal approaches replace the notion of the equal level of protection through the implementation of binding corporate rules, shifting the responsibility for data protection compliance to the enterprises. These rules are not designed by the EU but by the companies themselves. Once they have been implemented in the corporate structure and are approved by the EU, they offer a significant advantage for the corporate group. Within this structure personal data can move freely without impediments whilst fulfilling the DPD data protection standards. [35] The main problem with such a framework lies in its approval by all members of the corporate group. Essentially all subsidiaries of the parent company must be bound, either through a direct contract or through a power of attorney vested in the parent.

Furthermore, issues as to the subsidiaries' home country laws arise. For example the US PATRIOT Act [36] allows government agencies to access any user's data stored in the US without notice to the user. Such laws are generally non-compliant with EU data protection laws and thus due to their mandatory application theoretically act as a bar to the transfer of personal data.

Transfers to countries outside the EU other than the US can only be carried out if either the country's data protection laws have been determined to be adequate [37], Binding Corporate Rules (BCR) [38] are implemented or standard contractual clauses [39] are used in the agreement with the foreign party. However, most private cloud usage occurs on servers within the EU or the US as the leading service providers are based in the US (i.e. Apple, Microsoft, Amazon).

On an international level personal data is mostly being processed in the cloud in instances where a big organisation conducts customer data analyses which require a great amount of calculating and storage capacity. Nevertheless, in both instances, personal and commercial use, the cloud provider processing the data abroad must ensure that it complies with the data protection requirements laid down by the DPD.

A European cloud provider sending data to the US currently needs to show that the counterparty in the US is approved under the Safe Harbor scheme in order to send the data abroad in compliance with the DPD. The question whether the level of protection granted to such a personal data transfer meets the European level was conclusively decided by the EU Commission through its approval of the Safe Harbor Agreement. In light of Edward Snowden's revelations this protection level becomes increasingly questionable. However, a transfer to a third country under BCR will also not provide certainty that the data sent will not be subject to surveillance in the receiving country. Thus, currently the regulatory focus can only be placed on the commercial and private transfer of personal data as an international agreement on public surveillance cannot be achieved.

4.3 Intellectual Property Liability

Intellectual property (IP) rights issues arise in relation to copyright, trademark or patent law. A customer using a PaaS or SaaS cloud environment must be aware of a variety of IP rights questions that can occur in regard to data processing such as the required cloud software licences or third party IP rights. Despite differing licencing and patent systems being employed around the world, the EU has clarified that "ideas and principles which underlie any element of a computer program, including those which underlie its interfaces, are not protected by copyright". [40]

This approach causes a conflict with patent laws in the US which allow for such a protection. [41] So far the main cloud digital media providers (all US) have developed their own systems in order to protect them against infringement of their intellectual property. These so called Digital Rights Management (DRM) systems are imposed on all of their cloud users and essentially place the power to access a certain software or media in the cloud provider's hands. A good example for such a practice is the Amazon Kindle book reader. A customer only pays for the licence to access a certain book electronically via a DRM system but does not own the book itself.

When a cloud customer uses a cloud software solution which potentially is violating intellectual property rights the obligations and acts of each party must be closely analysed. In doing so, pinpointing an exact location of an intellectual property breach is challenging as the processing can take place in one country, storage and transmission in another. Additionally, not only one infringing party may be involved but a variety of parties (cloud provider, server centres, software distributor), thus theoretically requiring an apportionment of the infringement. A possible solution would be to target the user of the cloud service being the infringer of the right and the cloud provider for inducing the infringement. However, proving a breach will be very hard to achieve, especially if the breach only involves components of a software used in a cloud environment. Furthermore, the extent to which a cloud provider facilitates an IP infringement, either by supplying an on-demand self-service infrastructure to the customer or alternatively requiring human interaction before a service is rendered, will be of significance in attributing liability. [42] A similar approach is being taken by the European courts. In the L'Oréal/eBay [43] case the court also emphasised that the platform provider's own investigations into its customers' usage must be taken into account but did not go so far as to impose a general monitoring obligation. [44]

Cloud software systems are closed off and generally cannot be traced backward, making a posterior assessment of an infringement impossible. Nevertheless, a cloud customer should ensure that it is granted a contractual indemnity for potential IP violations caused by the cloud provider's software. In addition to this fairly standard scenario where the cloud provider grants access to a standard software environment, customers often use open source software to meet their specific needs. This software is further refined (either by the customer or the provider) and adjusted precisely to the customer's specifications. A cloud provider could later use this "new" software and distribute it to its other customers whilst infringing the developing customer's IP rights. [45] On the one side a customer should therefore carefully review its contracts to ascertain whether a right to use and further distribute the software is being granted to the cloud provider. On the other side a cloud customer might only want to gain short term access to specific individualised open source cloud software in order to acquire certain know how.

Some cloud providers do not supply the licences or software a customer requires to have implemented in its cloud environment. In such a situation the customer is responsible for obtaining the appropriate licence or usage right. Acquiring such a right might not be as easy as it sounds. Most software providers have not yet fully developed their licencing systems for the cloud as the remuneration models and approaches differ widely. One can possibly calculate the licence fee in a number of different ways such as through a fee per user, per utilised processor or per data set created. [46]

If a cloud user transfers his data into the cloud for inclusion and adjustment to a specific software or system he must be aware of the risks associated with this combination. Recent case law emphasises the need for a clear contractual agreement on how such a business relationship is to be terminated and the respective rights in such a situation. As individual users are primarily not very concerned with copyright infringement new licencing systems need to be negotiated between cloud providers and copyright owners. [47]

In the case between Snap-On (the provider) and O'Neill (a substitute provider employed by Mitsubishi) Snap-On had received hard copies of Mitsubishi's parts catalogue and transferred these into an electronic database with its own software framework. Mitsubishi later wanted to gain access to this information (the parts catalogue), but did not want to pay Snap-On for it. O'Neill was then employed to copy the data with the help of a scraper program which caused crashes to Snap-On's website. Snap-On then sued O'Neill for copyright infringement, trespass to chattel and breach of contract (terms on their website). [48] If they had agreed on the terms of the surrender of the data before entering into the arrangement the actions by O'Neill, for which Mitsubishi indemnified them, would not have been necessary. One should therefore always consider possible exit scenarios including IP rights before passing data into the hands of a cloud provider from which it can only be retrieved at a substantial cost.

In addition to the mentioned liabilities a cloud provider could potentially breach copyright laws by streaming copyrighted data such as films to the customer. As this data is buffered in the RAM of a computer the question arises as to what is required to "affix" the data for purposes of the U.S.C. [49] Firstly, the data must be embodied in a copy or phonorecord and secondly stored for more than a "transitory duration". [50] Therefore, buffering protected data in RAM does not appear to amount to an infringement of intellectual property rights as the duration of storage is merely transitory.

In order to become liable for infringing copyright in the creation of a copy some element of volition or causation is necessary. [51] Supplying capabilities such as cloud storage for the purpose of recording a stream would on its face seem to fulfil the volition requirement. However, as the act of copying is carried out by the cloud user sufficient proximity might become an issue in attributing liability under US copyright law. In such a case the cloud provider might be liable for contributory infringement but not for the full infringement as the U.S.C. maintains a distinction between direct and contributory infringement. [52]

This complexity is further increased when one user buys a copy of a protected digital artwork and stores it in the cloud. Through the cloud the data is accessible from any streaming device. [53] To what extent such an action can be considered to infringe an intellectual property right is as yet unknown. [54] Some providers such as Apple have already negotiated licensing contracts with the entertainment industry in order to avoid expensive litigation; others such as Google have declined to do so and continue to allow access until clear legal precedent is established. [55]

The EU recognises a usage exception for private streaming of intellectual property [56] (i.e. films), allowing certain acts of temporary reproduction, which are transient or incidental reproductions, forming an integral and essential part of a technological process and carried out for the sole purpose of enabling either efficient transmission in a network between third parties by an intermediary, or a lawful use of a work or other subject-matter to be made. The acts of reproduction concerned should have no separate economic value of their own. The interpretation of "lawful use" in this context has not been finally determined by the courts. Nevertheless, recent cases point to an expansive interpretation, thus potentially making every form of consumption lawful. [57]

4.4 Further Liability Cases

Tort liability is a further issue, for example the duty of care to customers under a negligence approach. Such a duty would require, amongst other things, ensuring access in case of insolvency/contingency of the cloud computing provider and the reduction of downtime. As the elements of a tortious action are in general harder to prove than a breach of contract, a negligence action is usually only pleaded in the alternative. A claim under the tort of negligence will require the cloud customer to firstly establish a duty of care. Then a breach must be proven, together with causation and damages. There has to be a relationship of proximity, which can be evidenced through the existing contractual arrangement. A potential loss caused by a disruption of the cloud provider's service is foreseeable in regard to most direct damages. Also, imposing liability must be fair, just and reasonable in the circumstances. [58]

Because of these uncertainties and the fact that a duty of a cloud provider is not yet an established category, one may first turn to established duties such as those of host providers or server centres for guidance. Then it must be determined how an ordinary, prudent and reasonable cloud provider would act in preventing the harm which occurred. In doing so, industry standards can be contrasted with the actions of the cloud provider in question.

Furthermore, trespass to chattel is also a viable course of action where the lawful possession of a computer system of another party has been interfered with. This interference can already be present when a party exceeds the consent given by another party to use its IT equipment. However, imposing liability requires that either the possessor is deprived of the IT system's use for a substantial time or the chattel is impaired in its condition, quality or value. [59] As cloud providers are the possessors of their servers these claims will more likely be brought by the cloud provider against a customer exceeding the agreed usage causing the cloud provider a loss.

Additionally in an e-discovery scenario where a company used a cloud provider's services to store data outside its employees' control by entrusting the provider with the safekeeping of such data, further liability might be passed to the provider when such data is destroyed. [60] This can occur where the data is necessary for an anticipated litigation and due to the provider's fault the data is destroyed and the customer thus breaches its disclosure obligations to the adverse party. However, in most instances the risk of destruction remains much higher where the data is stored on individual devices within a company and under its employees' control. Presently it is not clear if the employees of a company would be classed as having control over the data stored in the cloud for purposes of imputing the destruction of discoverable data by the cloud provider to them. [61] Nevertheless an indemnification by the cloud provider for such an occurrence should be sought. Various jurisdictions also recognize an independent tort of spoliation against a third party allowing a party seeking discovery to hold the third-party cloud provider directly responsible. [62] As a cloud provider will generally run regular backups and take measures to ensure the data's safety the risk associated, although present, remains low.

5. Disclaimers

Apart from the problem of determining the applicable law if the contract does not contain a choice of law clause, the lack of bargaining power between the cloud computing provider and the customer should not be underestimated. Clauses excluding liability and restricting indemnities are frequently included in the contractual framework, leading to restrictions on the remedies for breach of warranties.

The following examples show this tendency:

Clause 11, Exclusion of Warranties, Google App Engine Terms of Service:

"11.1. Nothing in these terms, including sections 11 and 12, shall exclude or limit Google's warranty or liability for losses which may not be lawfully excluded or limited by applicable law.

11.2. You expressly understand and agree that your use of the service is at your sole risk and that the service is provided "as is" and "as available".

11.3. Google, its subsidiaries and affiliates, and its licensors make no express warranties and disclaim all implied warranties regarding the service including implied warranties of merchantability, fitness for a particular purpose and non-infringement. Without limiting the generality of the foregoing, Google, its subsidiaries and affiliates, and its licensors do not present or warrant to you that: (A) Your use of the service will meet your requirements, (B) Your use of the service will be uninterrupted, timely, secure or free from error, and (C) usage data provided through the service will be accurate."

Clause 17, Limitation of Liability, Terms of Use, Salesforce.com

"In no event shall either party's aggregate liability exceed the amounts actually paid by and/or due from you in the twelve (12) month period immediately preceding the event giving rise to such claim. In no event shall either party and/or its licensors be liable to anyone for any indirect, punitive, special, exemplary, incidental, consequential or other damages of any type or kind (including loss of data, revenue, profits, use or other economic advantage) arising out of, or in any way connected with this service, including but not limited to the use or inability to use the service, or for any content obtained from or through the service, any interruption, inaccuracy, error or omission, regardless of cause in the content, even if the Party from which damages are being sought or such party's licensors have been previously advised of the possibility of such damages."

Disclaimers of liability can include the following issues: [63]

  • Almost total exclusion of liability; however, national consumer protection laws eventually limit the scope of the exclusion;
  • Limited financial cap; the limitation can relate to the amount of insurance coverage or to the financial statement of the cloud provider;
  • Exclusion of certain types of loss (e.g. indirect loss and/or data loss) and causes;
  • Exclusion of liability for IP infringements (copyright, patent, license); it would also be advisable for a cloud user to seek indemnity for an IP infringement if a software solution is supplied by the cloud provider;
  • Exclusion of liability for third party disclosure, however, a provider cannot exclude liability for gross negligence based on its employees' acts;
  • Exclusion of liability for downtime; cloud providers generally only guarantee a moderate availability of the cloud service in order to reduce liability.

Most disclaimers also allow for the adjustment of the terms of contract at any given time at the choice of the cloud provider. As such changes are contractually deemed to be accepted upon the next login to the system by the customer, no retrieval of data is possible before the new terms take effect. [64] Giving a cloud provider such extensive one-sided rights is not in the interest of the cloud user; however, it currently still forms part of common practice.

6. Cloud Insurance

Most cloud providers which retain liability through their customer contracts want to reduce this liability further by entering into insurance contracts. These should be tailored to risks such as server downtime due to power outages, hacker attacks etc. However, in order to strike a balance between the risks and the costs involved in insuring that risk, each cloud provider should carefully analyse its business operations. In doing so its potential risks can be grouped into categories such as security, data, privacy and regulatory risks, service failures, supplier risks and loss of operational control as well as the mentioned intellectual property liability. [65] The costs created by any such event are often substantial and can further be broken down into first party (direct) and third party (indirect) costs.

  1. From a cloud insurance perspective, first party risks are the risks to the cloud providers, such as the loss of income or of data. These are mostly hard to calculate and therefore should be fixed through liquidated damages provisions depending, e.g., on downtime and other ascertainable factors.
  2. The much greater risk lies in claims made by third parties. These risks include customer claims for loss of access, destruction of data or involuntary publication of private data and associated costs in mitigating the damage.

Once a risk assessment is completed, cloud providers have the option to contract out of some of the mentioned risks as well as seek insurance for them. External risk evaluations in the form of reliable certificates are of great importance to cloud insurance providers. As providers such as CloudInsure [66] emerge, the need for reliable high quality certification systems will steadily grow. These certifications create the basis on which reliable risk calculations can be carried out by an insurer in order to ascertain the insurance premium required.

Of central importance for further growth and risk reduction in the cloud computing market is also the development of a flexible Identity Management System (IMS) which on the one hand keeps the personal data of an individual safe and on the other allows for restricted and fast use if required. Part of such an emerging technology is the OpenID system, which utilises only one identity, centralizing and incorporating the login data for various websites. Integral to the functioning of an IMS is the attachment of unchangeable access rules to the information sent, which can be verified through certificates. [67] Despite technological advancements, the amount of damages that an insurer is required to cover tends to grow exponentially in the cloud, as the insurer mostly covers not only the provider's loss but also part of the customers'. These costs constantly increase as business expands. Furthermore, new risks associated with cyberextortion must also be accounted for. [68] However, insurance providers have so far been reluctant to expand coverage into these new areas because of the unknown risks involved. As the market grows and the legal frameworks, certification systems and insurance schemes become more closely adapted to the functioning of cloud systems, insurance providers will expand their coverage accordingly.

Currently small to medium businesses are already facing increased IT risks by running their own server systems. For them the question is whether they are better off in the cloud, where a big provider such as Amazon, Google or Microsoft ensures the safety of the data, or maintaining their own server systems. Essentially any change will depend on whether the big cloud providers take on board the new insurances offered and are willing to pass the benefits on to their customers, who otherwise could not afford insurance on their own.

Insurances and contractual arrangements are now available essentially indemnifying a cloud user against an increase in future storage prices and other cloud related costs. Thus, a business does not need to fear price fluctuations after it has moved its data into the cloud. In doing so the financial risk of utilising cloud services is further reduced. [69]

7. Outlook

Liability remains a cornerstone in the further expansion of cloud computing into all areas of business. For a company planning on moving its data and processing into the cloud two factors are decisive: risks associated and benefits to be gained. If the right balance can be struck between attributing rights and liabilities amongst the parties as well as diversifying the risks through cloud insurance the success story of cloud computing is bound to continue. Also new approaches to the protection of intellectual property rights in the digital world need to be developed and the respective obligations of cloud providers must be more precisely defined. Especially the E-Commerce Directive requires further clarification in regard to its liability protection under Article 14 in order to set a clear and reliable framework for cloud providers.

Clear rules as to the obligations of cloud providers when storing or transmitting copyrighted data need to be created. Currently there is too much uncertainty in how the courts will interpret the conduct of a cloud provider in regard to a potential IP rights infringement. This impedes their ability to ascertain what measures need to be taken into account in order to reduce their liability. Substantive questions such as these increase the overall costs of providing cloud services thus inhibiting further development. On the positive side the growth seen in cloud insurance offerings will decrease the potential loss for companies entering the cloud and thus act as a strong incentive. However, one should also remain cautious as to the extent to which user rights will be expanded into the middle and low cost cloud sectors.

Despite the advantages and improvements, a cloud user should at all times be aware of how a service is offered, as this will ultimately determine the precise risks involved. A layered service which employs several sub-contractors will invariably pose a higher risk than where the service is supplied by only one party. Even well-known cloud providers such as Apple with its iCloud do not have their own servers but use those of their competition, such as Amazon's or Microsoft's cloud servers. [70] Guidance through professional industry standards can educate cloud users about these risks and thus put additional pressure on cloud providers to publish transparent accounts of how they perform the services offered.

In light of the strict scrutiny US surveillance measures are currently subjected to, many politicians advocate a "European Cloud" as a possible solution. In such a scenario personal data is only processed on cloud servers within the EU and thus can be transferred freely without restrictions. Nevertheless, one should not forget that data can also be routed via an international server (e.g. in the US or a third country) despite being sent and received in the same country. Influencing the routing of data is generally not possible for cloud providers as they do not own any telecommunication infrastructure. At present data is sent through the network by which it can reach its destination fastest. As this is a basic principle of the functioning of the internet, it should not be interfered with. In any case an EU member state's surveillance agency can also transfer data abroad without notification to the sender or recipient. Developing encryption and secure communication methods therefore seems to be the most appropriate solution to the data protection issues international data transfers have created. In achieving this, European cloud providers should as far as possible rely on hardware produced by European companies, as US products could be equipped with back door access installed by one of the US intelligence agencies.



[1] University of Zurich



[1] See Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 3, available at www.jusletter-it.eu.

[2] Millard Christopher/Walden Ian/Hon W. Kuan/Cunningham Alan, Response to the UK Ministry of Justice's Call for Evidence on the European Commission's Data Protection Proposals (March 5, 2012) Queen Mary, University of London, 1, available at: <www.cloudlegal.ccls.qmul.ac.uk./docs/65220.pdf>

[3] See Sluijs Jasper P./Larouche Pierre/Sauter Wolf, Cloud Computing in the EU Policy Sphere, JIPITEC 2012/1, 12, N 9 et seq.

[4] Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 7 et seq available at www.jusletter-it.eu; Sluijs Jasper P./Larouche Pierre/Sauter Wolf, Cloud Computing in the EU Policy Sphere, JIPITEC 2012/1, 12, N 14.

[5] For further details see Sluijs Jasper P./Larouche Pierre/Sauter Wolf, Cloud Computing in the EU Policy Sphere, JIPITEC 2012/1, 12, N 17-19.

[6] See Sluijs Jasper P./Larouche Pierre/Sauter Wolf, Cloud Computing in the EU Policy Sphere, JIPITEC 2012/1, 12, N 22-24 with further references.

[7] See also Weber Rolf H., Internet Service Provider Liability. The Swiss Perspective, JIPITEC 2010, 145, N 18.

[8] Calloway Timothy J., Cloud Computing, Clickwrap Agreements, and Limitation on Liability Clauses: A Perfect Storm?, 11 Duke L. & Tech. Rev. 163, 168.

[9] Martin v. Herzog, Ct. of App. of N.Y., 228 N.Y. 164, 126 N.E. 814 (1920).

[10] See Korea-US FTA, Art. 18.10(30) and EU-South Korea FTA, Sect. C, Sub-sect. C, Art. 10.62.

[11] Weber Rolf H., Internet Service Provider Liability. The Swiss Perspective, JIPITEC 2010, 145, N 18.

[12] Weber Rolf H., Internet Service Provider Liability. The Swiss Perspective, JIPITEC 2010, 145, N 16/17.

[13] Weber Rolf H., Internet Service Provider Liability. The Swiss Perspective, JIPITEC 2010, 145, N 19.

[14] CompuServe GmbH Case, AZ:20 Ns 465 Js 173158/95 (AG München I), available at: <http://www.netlaw.de/urteile/lgm_12.htm>

[15] Weber Rolf H., Internet Service Provider Liability - The Swiss Perspective, JIPITEC 2010, 145, N 24.

[16] Sluijs Jasper P./Larouche Pierre/Sauter Wolf, Cloud Computing in the EU Policy Sphere, JIPITEC 2012/1, 12, N 80.

[17] Directive 98/48/EC, Article 1 (a).

[18] Terms and Privacy Policy can be accessed at: <https://www.dropbox.com/privacy#security>

[19] Directive 2000/31/EC.

[20] Directive 2000/31/EC, Article 3.1, 3.2.

[21] eDate Advertising GmbH v X (C-509/09) and Olivier Martinez and Robert Martinez v MGN Limited (C-161/10), available at: <http://curia.europa.eu/juris/liste.jsf?num=C-509/09&language=en>

[22] See US U.C.C Art 2, only applicable to the sale of goods.

[23] Goetz Charles/Scott Robert, Liquidated Damages, Penalties and the Just Compensation Principle: Some Notes on an Enforcement Model and a Theory of Efficient Breach, Columbia Law Review, Vol. 77, No. 4 (May, 1977), 554-594.

[24] Unfair Contract Terms Guidance, Office of Fair Trading, September 2008, available at: <http://www.oft.gov.uk/shared_oft/reports/unfair_contract_terms/oft311.pdf>

[25] See for example the Privacy Terms of Facebook, available at: <http://www.facebook.com/help/360595310676682>

[26] City of Los Angeles, Professional Services Contract between the City of Los Angeles and Computer Science Corp. for the Saas E-Mail and Collaboration Solution (SECS) (2009), available at < https://sites.google.com/a/lageecs.lacity.org/la-geecs-blog/home/faqs-1/C-116359_c_11-20-09.pdf?attredirects=0&d=1>

[27] Carmeli Daniel, Keep An I On The Sky: E-Discovery Risks Forecasted For Apple's iCloud, 2013 B.C. Intell. Prop. & Tech. F.1, 13.

[28] European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of such Data, 1995.

[29] Directive 2000/31/EC.

[30] European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of such Data, 1995, Article 2 (d).

[31] Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 32, available at: <www.jusletter-it.eu>

[32] Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 47, available at: <www.jusletter-it.eu>

[33] European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of such Data, 1995, Article (26)(4).

[34] Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 38, available at: <www.jusletter-it.eu>

[35] Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013, N 53, available at: <www.jusletter-it.eu>

[36] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act Of 2001, available at: < http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf>

[37] Directive 95/46/EC, article 25 (6), see also Weber Rolf H./Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Weblaw IT-Jusletter of May 15, 2013.

[38] Directive 95/46/EC, article 26 (2).

[39] Directive 95/46/EC, article 26 (4).

[40] Council Directive 91/250/EEC on the legal protection of computer programs.

[41] Diamond v. Diehr, 450 U.S. 175 (1981).

[42] Melzer Marc Aaron, Copyright Enforcement in the Cloud, 21 Fordham Intell. Prop. Media & Ent. L.J. 403, 407.

[43] C-324/09, L'Oréal/eBay, para. 120

[44] Senftleben Martin, Breathing Space for Cloud-Based Business Models, (2013) JIPITEC 2, 94, available at <http://www.jipitec.eu/issues/jipitec-4-2-2013/3743/senftleben.pdf>

[45] Hon W. Kuan/Millard Christopher/Walden Ian, Negotiating Cloud Contracts, Stanford Technology Law Review, Volume 16 (1) Fall 2012, 126.

[46] Hon W. Kuan/Millard Christopher/Walden Ian, Negotiating Cloud Contracts, Stanford Technology Law Review, Volume 16 (1) Fall 2012, 127.

[47] Cave Jonathan/Robinson Neil/Kobzar Svitlana/Schindler Helen Rebecca, Regulating the Cloud: More, Less or Different Regulation and Competing Agendas (March 30, 2012). 2012 TRPC, 44. available at: <http://ssrn.com/abstract=2031695>

[48] Snap-On Business Solutions Inc. vs. O'Neill and Associates Inc., Case No. 5:09-CV-1547.

[49] U.S. Copyright Act, 17 U.S.C.

[50] Cartoon Network, LP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008).

[51] Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361 (N.D. Cal. 1995).

[52] Cartoon Network, LP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008), 24.

[53] Datesh Anne C., Storms brewing in the Cloud: Why copyright law will have to adapt to the future of Web 2.0, 40 AIPLA Q.J. 685, 708.

[54] Oliver Sam, Legal Issues prompt Apple to remove Amazon Cloud music player from App Store, Apple Insider (Nov. 1, 2011, 8:08 AM), available at: <http://appleinsider.com/articles/11/11/01/legal_issues_prompt_apple_to_remove_amazon_cloud_music_player_from_app_store>

[55] Cheng Jacqui, Music Industry Will Force Licenses on Amazon Cloud Player - or Else, WIRED (Apr. 2, 2011, 9:30 AM), available at: <http://www.wired.com/epicenter/2011/04/music-industry-cloud-player/all/l>

[56] Regulation 2001/29/EC.

[57] Herbert Zech, Lizenzen für die Benutzung von Musik, Film und E-Books in der Cloud, Zeitschrift für Urheber- und Medienrecht 2014, 6.

[58] Caparo Industries plc v Dickman [1990] UKHL 2.

[59] CompuServe Inc. v. Cyber Promotions, Inc. 962 F. Supp. 1015; 1997 U.S. Dist.

[60] Carmeli Daniel, Keep An I On The Sky: E-Discovery Risks Forecasted For Apple's iCloud, 2013 B.C. Intell. Prop. & Tech. F.1, 2.

[61] Grubb v. Board of Trustee of the University of Illinois 730 F. Supp. 2d 860 (N.D. Ill. 2010), 865.

[62] Poynter v. Gen. Motors Corp., 476 F. Supp. 2d 854, 857 (E.D. Tenn. 2007)

[63] Bradshaw Simon/Millard Christopher/Walden Ian, The Terms They Are A-Changin'...Watching Cloud Contracts Take Shape, Issues in Technology Innovation, Number 7 (March 2011), 1-12.

[64] Gellman Robert, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing (2009), 18, available at: <http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf>

[65] Motzfeldt Fredrik, The Cloud Risk Framework: In Forming Decisions About Moving To The Cloud, Marsh Risk Consultants May 2012, 3-4, available at: <http://f.datasrvr.com/fr1/812/29871/3424_MA12-11623_Cloud_Computing_Frmwk_UK_04-2012_final_nocrps.pdf>

[66] Corner Stuart, The Age (Melbourne, Australia), 9 July 2013, 25.

[67] Cavoukian Ann, Der Schutz der Privatheit in der Wolke Plädoyer für ein flexibles und nutzerzentriertes Identitätsmanagement als Erfolgsvoraussetzung für Cloud Computing, digma - Zeitschrift für Datenrecht und Informationssicherheit 2009, 20-27.

[68] Christenson Cass W., Insurance Coverage Regarding Data Privacy, Cloud Computing, and other Emerging Cyber Risks, Aspatore Insurance Law 2011 (February 2011), 12.

[69] Naldi Maurizio/Mastroeni Loretta, Pricing of insurance policies against cloud storage price rises, Proceeding HotTopics '13, 1, available at: <http://dl.acm.org/citation.cfm?doid=2462307.2462315>.

[70] Gavin Clarke, Apple's iCloud Runs on Microsoft and Amazon Services: Who Says Azure isn't Cool and Trendy Now, The Register (Sept. 2, 2011), available at: <http://www.theregister.co.uk/2011/09/02/icloud_runs_on_microsoft_azure_and_amazon>