Professional Documents
Culture Documents
Georg Haibach*
Cloud computing is inherently an activity which transcends territorial
borders. Providers may offer services to customers on a worldwide basis,
involving a chain of intermediaries or subcontractors scattered around
the globe. Data may be stored on servers the location of and the control
over which is unknown to customers; data, software, and applications
may be accessible from anywhere in the world. This reality raises
questions of private international law. Which law applies in the event of
a dispute? Which court has jurisdiction to hear a claim? Will any
resulting judgment be recognised and enforced? This article describes the
current practice of terms and conditions of cloud computing contracts
and the application of the rules of EU private international law to such
contracts.
Keywords: cloud computing; Brussels I Recast; Rome I; Rome II;
contract; tort; consumer contracts; CJEU case law; data protection;
personality rights
*LLM, PhD. Ofcial in DG Justice of the European Commission. Avenue de Tervuren 20,
B-1040 Brussels. Email:Georg.Haibach@ec.europa.eu. The information and views set out
in this article are those of the author and do not necessarily reect the opinion of the
European Commission. Responsibility lies entirely with the author.
1
American National Institute of Standard and Technology (NIST), Denition of Cloud
Computing, http://csrc.nist.gov/groups/SNS/Cloud-computing/, accessed 23 June 2015.
European Union 2015
253
The denition comprises the three service and four deployment models commonly referred to in the cloud as described below.2
2.
Service models
There are three different service models of which IaaS is the most basic and each
higher model abstracts from the details of the lower models.
(a)
The IaaS model is the most basic cloud computing service. The user of this
model receives the infrastructure of the network for use. He is then able to use
the processing, storage, networks and other computing resources. He can run
his software or other applications on this network. The provider of IaaS only
has control over the cloud infrastructure whereas the operating systems are
under control of the user. This model of cloud computing is for instance offered
by Amazon Web Service, Amazon Elastic Compute Cloud, Amazon Simple
Storage Service S3.
(b) Platform as a service (PaaS)
In the PaaS model, a computing platform is provided and an application may be
deployed in the cloud. The provider of this model has the control over the
cloud infrastructure. Additionally, he controls the application and the middleware.
The customer may use the applications in the cloud which were created by him or
third parties. Apart from using these applications, he can also control the deployed
application. Examples of this cloud computing model are Windows Azure, force.
com from Salesforce and OmegaScape. Facebook is also a PaaS model of cloud
computing.
(c)
The user is able to use the software or other applications of the provider over the
internet or another network. The vendor may host the application on his own
server or upload it to his customers for a certain period of time. The provider of
the software or other application has control over the Cloud infrastructure. The
user of this service receives access to this application and is able to use it for
his purposes. His control is limited to customer-specic applications. Examples
of this form of cloud computing are Gmail, Yahoo Mail, Google Apps, and
Ofce Web Application from Microsoft.
2
See in this regard B Sujecki, Internationales Privatrecht und Cloud Computing aus
europischer Perspektive (Kommunikation & Recht, 2012) 312.
254
3.
G. Haibach
Deployment models
(a)
Public cloud
The public cloud is available to an unknown and unlimited number of users. The
application may be accessed by different users of different entities at the same
time. No customer has an exclusive access to the application. The advantage of
this form of cloud computing is the exibility of the use of the applications.
They can be accessed anywhere and anytime without having to be customised.
On the other hand, the price for this exibility is the risk of a lower degree of
data protection.
(d)
Hybrid cloud
A mixed form of cloud computing can be found in a hybrid cloud, where the cloud
contains forms of private, public and community infrastructure. These different
forms of cloud computing are independent parts of a cloud, but at the same
time they are connected with each other in such a way that the users have
access to all applications.
4.
Contracts
Cloud computing contracts can be categorised in two different groups, on the one
hand according to the number of users and on the other hand according to the
number of providers.
255
Individual/standard contracts
(b)
A cloud computing user may choose to obtain the service from one or from several
providers. The user of cloud computing may purchase the entire service in the
cloud from one single provider, the so-called Single Point of Contact. The
parties conclude a single contract dealing with all aspects of their contractual
relationship. Due to the exclusivity, these contracts can be very exible. The
user can for example demand the application of certain standards by the provider.
In case of failure to perform, the single provider may be liable. The user may also
conclude a contract with one general service provider who then concludes different agreements with third parties. Also in this case, the user has one single point of
contact.
By contrast, in the Multi Vendor Strategy, the user receives a pack of services
from different providers who are not connected with each other and concludes
contracts with them. Depending on his needs, the user is able to choose the best
provider for each service. This enables the user to arrange the service in a exible
manner. At the same time, the user has to take into consideration that this model
may raise issues of compatibility.
B.
256
G. Haibach
of Law Legal Studies Research Paper No. 63/2010, 17, available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=1662374, accessed 23 June 2015, in 19 out of 31 standard
terms and conditions of Cloud computing contracts examined for the purpose of the
study, the applicable law was the law of the jurisdiction in which the service provider
was based (in 15 cases the law of a particular US state -in most cases that of California,
but also those of Massachusetts, Washington, Utah and Texas and in four cases
English law). Only in eight cases the applicable law was the law of the jurisdiction of
the customer (in four cases English law, in two cases the law of other EU jurisdictions
(in one case Irish law for Apple and in another case Luxembourg law for certain Microsoft
services). In three cases, no choice of law was expressed or implied.
Some providers make the choice of law and forum based on the strong presence in a
jurisdiction. Salesforce is a good example of this case. In its T&C, Salesforce states that
any lawsuit arising out of or in connection with this Agreement, and which courts can adjudicate any such lawsuit, depend on where you are domiciled. At rst glance, it looks like
this provision implies that Salesforce determines the applicable law and jurisdiction based
on the location of the customer. But in fact Salesforce creates different zones of governing
law and the courts based on its branch ofce. So for example, if the customer that is residing
in Japan made a Cloud contract with Salesforce, the governing law and jurisdiction will be
in Tokyo. This is due to the fact that Salesforce has a Japanese afliate called Kabushiki
Kaisha. This means a customer who resides in Thailand must travel to Japan if they
want to challenge the Cloud contract in front of a court. See M Vincent, N Hart and K
Morton, Cloud Computing Contracts White Paper: A Survey of Terms and Conditions,
Truman Hoyle Lawyers, Sydney (2011), available at: http://www.cpi.org.au/articles/
White_Paper_June2011.pdf, accessed 23 June 2015.
5
The following jurisdiction clause is an example: Any dispute relating in any way to
products or services sold or distributed in which the aggregate total claim for relief
sought on behalf of one or more parties exceeds $7,500 shall be adjudicated in the
federal court in King County Washington, and you consent to exclusive jurisdiction and
venue in such courts.
6
For instance, Symantec requires that claims are brought in the courts of Santa Clara. See
for more detail Bradshaw, Millard and Walden, supra n 4, 18.
7
Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June
2008 on the law applicable to contractual obligations (Rome I), [2008] OJ L177/6.
8
Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July
2007 on the law applicable to non-contractual obligations (Rome II), [2007] OJ L199/40.
257
Special rules exist for consumer contracts.9 In particular, consumer contracts are,
in certain situations, governed by the law of the country where the consumer has
his habitual residence. It is, however, important to note that the parties may also
choose another law (for instance the law of the cloud service provider). Such a
choice, however, may not have the result of depriving the consumer of the protection of mandatory provisions of the law of the state of the habitual residence of the
consumer.
(b)
Jurisdiction
The Brussels I bis Regulation applies to determine the jurisdiction of the courts in
the Union over a dispute regarding cloud computing.10 Under the rules of the
Brussels I bis Regulation, a prorogation of jurisdiction is possible in accordance
with Article 25. Regarding the form of agreements on jurisdiction, Article 25(2)
provides that any communication by electronic means which provides a durable
record of the agreement shall be equivalent to writing. Consequently, agreements on jurisdiction can be part of electronically concluded cloud computing
contracts, if they provide a durable record, e.g. if they can be printed out.11
9
A contract is a consumer contract if it is concluded by a natural person for a purpose
outside his profession (consumer) with another person acting in the exercise of his trade
or profession (professional).
10
Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12
December 2012 on jurisdiction and the recognition and enforcement of judgments in
civil and commercial matters, [2012] OJ L351/1.
11
See for more details: FF Wang, Jurisdiction and Cloud Computing: Further Challenges to
Internet Jurisdiction, (2013) European Business Law Review 589, 616.
258
G. Haibach
In the absence of a choice of court, the general rule is that jurisdiction lies with
the court in the member state where the defendant is domiciled. Alternatively, a
person domiciled in a member state may be sued in matters relating to a contract
in the courts of another member state where the contractual obligation which is the
subject of the dispute is to be or has been performed. In particular with respect to
service contracts, jurisdiction lies with the courts of the place where, under the
contract, the services were provided or should have been provided. Consequently,
a cloud service provider based in the EU can be sued in the jurisdictions in which it
provides services to its customers.
Special rules exist in B2C relationships. Under Article 19 of the Brussels I bis
Regulation, a choice of jurisdiction in consumer contracts in accordance with
Article 17(1) is only valid if it has been agreed after a dispute has arisen or if it is
favourable to the consumer. This means for choice of forum clauses in standard
terms and conditions of cloud computing contracts that they can be disregarded if
they make the courts of the forum of the cloud provider the competent jurisdiction.
Furthermore, Article 18 of the Brussels I bis Regulation provides that, subject to
certain conditions, consumers may bring proceedings either in the courts of the
member state of the other party (e.g. the cloud provider) or in the courts for the
place where they are domiciled. Proceedings against a consumer may be brought
only in the courts of the member state in which the consumer is domiciled.
Article 7(3) of the Brussels I Regulation provides that a person domiciled in a
member state may in another member state be sued in matters relating to tort,
delict or quasi-delict, in the courts for the place where the harmful event occurred
or may occur.
Until recently, the Brussels I Regulation12 applied only to defendants domiciled
in an EU member state. Where defendants were domiciled outside the EU, national
courts applied their own national laws to determine whether they have jurisdiction.
However, the revised Brussels I Regulation13 which has been applicable since 10
January 2015 provides for exceptions to this limited scope of application. In particular, in accordance with the uniform jurisdiction rules of the Regulation and
subject to certain conditions, a consumer domiciled in a member state is now
able to bring proceedings against another party in the courts of the state of his domicile, regardless of whether or not the other party has its domicile in a member state.
C.
The EU private international law legal framework laid out above was put in place
before cloud computing became an important IT business model. On the other
hand, internet and internet services were already well-known at the time. Cloud
12
Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, [2001] OJ L12/1.
13
Supra n 10.
259
computing may present some specic features which may raise questions under
private international law. For instance, cloud services can usually be accessed
from any location in the world. Furthermore, it is difcult, if not impossible, for
a cloud user to know where his data are located at any specic moment. These features need to be taken into account when considering how the private international
law rules apply to disputes concerning cloud computing. Some of the questions
which may arise in the cloud are considered below.
1.
Questions could arise with respect to the determination of the court having jurisdiction in the context of Article 7(1)(a) of the Brussels I bis Regulation and of the
applicable law in the context of Article 4 of the Rome I Regulation. These questions will not arise when cloud computing contracts, as they normally do, contain
jurisdiction and applicable law clauses.
(a)
Party autonomy
As set out above, party autonomy is key in determining the competent court and
the applicable law in contractual matters. Both the Brussels I bis and the Rome I
Regulations provide for a large degree of party autonomy in B2B relations. Choice
of law and choice of court agreements are respected in the EU in B2B relations. By
contrast, party autonomy is limited in B2C relations where agreements must
comply with the protective consumer contract regime. In the absence of a
choice of court and/or choice of law, the relevant default rules of the Brussels
I bis and Rome I Regulations apply.
(b) The characterisation of cloud computing contracts
In order to apply Article 4 of the Rome I Regulation and Article 7 (1) of the Brussels I bis Regulation, it must be determined whether the contract in question can be
dened as a specic contract type within the meaning of these provisions. If not,
the general rules of Article 4(2) of the Rome I Regulation and of Article 7(1)(a) of
the Brussels I bis Regulation apply.
Cloud computing contracts in the different cloud computing models (IaaS,
PaaS and SaaS) as well as in the different deployment models (public, private,
community and hybrid cloud) are usually a combination of different contract
types. Normally, they do not correspond to a specic contract type. Instead, the
different elements and obligations in a cloud contract must be evaluated separately.
For instance, the access to infrastructure, platforms, software or storage capacities
may correspond to a lease contract, whereas the use of processing power to a
service contract. Therefore, for instance in an IaaS model cloud computing contract, the access to the infrastructure of the network can be considered as a
lease, and the use of the processing resources as a service.
260
G. Haibach
The Court of Justice of the European Union has already given guidance on
what should be considered a service contract for the purposes of the Brussels
I Regulation.14 In the Falco15 case, the court ruled that the concept of service in
Article 5(1)(b) of the Brussels I Regulation implies that the party who provides
the service carries out a particular activity in return for remuneration. Applied
to cloud computing, that means that cloud computing contracts in which a remuneration is foreseen would fall under the denition of a service contract. In
Corman-Collins,16 the court conrmed that the requirement of remuneration
should not be understood strictly as the payment of a sum of money; it could
consist of other things which represent an economic value and may be regarded
as constituting remuneration.17 It does not seem excluded therefore, that such
remuneration could consist of, for instance, the use of personal data.
(c)
To the extent that a cloud computing contract can be considered as a service contract, the place of performance is the place where the services under the contract in
question were provided or should have been provided (Article 7(1)(b) of the Brussels I bis Regulation). Those courts have jurisdiction for disputes whatever the
contractual obligation at stake in the dispute is.
If the contract cannot be considered as a service contract, jurisdiction is based
on the place of performance of the contractual obligation which is the subject of
the dispute (Article 7(1)(a) of the Brussels I bis Regulation), in accordance with
the so-called Tessili and de Bloos rules. Under the Tessili-rule,18 the place of performance of the contract is determined by the lex causae, ie the substantive law
which applies to the contract. In the de Bloos decision,19 the European Court of
Justice ruled that the place of performance must be determined for each contractual
obligation separately so that the courts have to refer to the specic obligation
forming the subject of the controversy.
It follows from the above that the jurisdiction of the courts for contractual disputes in cloud computing contracts depends on the determination of the place
where the services were or should have been provided (in the case of a service
14
In line with the coherent interpretation of Brussels I and Rome I Regulations, it can be
assumed that the guidance given by the court in the context of the Brussels I Regulation
is equally relevant for the application of the Rome I Regulation, see recitals 7 and 17 of
Rome I.
15
Case C-533/07, Falco Privatstiftung [2009] ECR I-03327, paras 29 and 37.
16
Case C-9/12, Corman-Collins ECLI:EU:C:2013:860.
17
In Corman Collins, which concerned a distribution agreement, such remuneration was
considered to consist of, among others, the competitive advantage conferred on the selected
distributor, the assistance granted to the distributor regarding access to advertising, communicating know-how by means of training or even payment facilities.
18
Case C-12/76, Tessili v Dunlop [1976] ECR 1473.
19
Case C-14/76, de Bloos v Bouyer [1976] ECR 1497.
261
(d)
262
G. Haibach
(e)
Consumer contracts
As shown above, consumers are well protected under EU private international law
with regard to jurisdiction and applicable law clauses. As a result thereof, consumers have access to the EU courts which can ensure the enforcement of mandatory
provisions of EU or national law.
The special protection for consumers of the Brussels I Regulation and of the
Rome I Regulation applies if the trader (service provider) directed his activities
at the member state of the consumer within the meaning of Articles 17(1)(c) of the
Brussels I bis Regulation and 6(1) of the Rome I Regulation.
In Hotel Alpenhof, the Court of Justice had to decide whether the accessibility
of an internet site is sufcient to assume that the professional has directed his
activity to the member state of the consumers domicile, within the meaning of
Article 15(1)(c) of the Brussels I Regulation.21
The court ruled that the mere access to an internet site is not sufcient but that
it must be ascertained whether before the conclusion of any contract with the consumer it is apparent from the websites and the traders overall activity that the
trader was envisaging doing business with consumers domiciled in one or more
member states, including the member state of that consumers domicile.
The following elements can constitute such evidence (non-exhaustive list):
.
.
.
.
.
.
.
21
Cases C-585/08 and C-144/09, Peter Pammer and Hotel Alpenhof GmbH [2010] ECR
I-12527.
263
the use of a language or a currency which are the language and/or currency
generally used in the member state of the trader.
In the context of cloud computing contracts, where providers are often domiciled in other states than their customers, it may frequently happen that providers
are directing activities to customers states. Given the global nature of the cloud,
certain criteria such as the international nature of the activity or the existence of an
international clientele may often be fullled in cloud computing cases and may
therefore constitute strong indicators that Article 17(1)(c) of the Brussels I bis
Regulation applies. Nevertheless, some cloud providers may target only their
own or only selected foreign markets. While this will hardly be the case in a
public cloud context, it can certainly occur in private cloud cases. Therefore, in
each individual case an assessment on the basis of the Alpenhof criteria must be
made.
2. Competent court and applicable law for non-contractual obligations torts
With regard to non-contractual obligations, the accessibility of the internet all over
the world plays an important role in the determination of the competent court and
the applicable law. The relevant provisions are Articles 4 and 7(2) of the Brussels
I bis Regulation and Article 4 of the Rome II Regulation.
(a)
In eDate Advertising GmbH, the Court of Justice had to decide whether the accessibility of a website can constitute the jurisdiction of a court in matters relating to
tort.22 The court ruled that like in consumer cases mere access to the website is
not sufcient for constituting the competence of a court. Instead, in accordance
with Article 5(3) of the Brussels I Regulation, a person who considers that his personality rights have been infringed by content placed online on an internet website
has two options, namely
.
22
to bring an action for liability, in respect of all the damage caused, before the
courts of the member state in which the publisher of that content is established or before the courts of the member state in which the centre of the
claimants interests is based, or
to bring an action before the courts of each member state in the territory of
which content placed online is or has been accessible. Those courts have jurisdiction only in respect of the damage caused to the claimant in the territory
of the member state of the court seised.
Cases C-509/09 and C-161/10 eDate Advertising GmbH v X and Olivier Martinez and
Robert Martinez v MGN Ltd [2011] ECR I-10269.
264
G. Haibach
Whereas in a private cloud context, often only the rst option may be realistic, the
second option should normally be available in private cloud cases.
As to the applicable law, violations of privacy and rights relating to personality, including defamation are excluded from the scope of application of the Rome
II Regulation (Article 1(2)(g)). As a result, each member state itself determines
which law it applies to a dispute regarding the violation of privacy rights. An
open question is the precise scope of the exclusion of privacy rights in the
Rome II Regulation.
(b) Damaged or lost data
A question which may arise in connection with cloud computing is what the relevant
private international law rules in the event of damage to or destruction of data are. This
could concern, for instance, a collection of photos in a B2C contract, or the database of
a company in a B2B contract, in whatever service and deployment model. In the cloud,
data is transferred from one server to another around the globe within seconds. Therefore, it is very difcult or even impossible for the user to localise the data, especially in
cases where the provider has sub-contractors (or possibly even a chain of sub-contractors) which may be responsible for the damage to or destruction of data.
In this context, the question arises whether such claims concern matters relating to a contract within the meaning of Article 7(1)(a) of the Brussels I bis Regulation, or matters relating to tort, delict or quasi-delict in the sense of Article 7(2)
of that Regulation. In Brogsitter,23 the Court of Justice ruled that the mere fact that
one contracting party brings a civil liability claim against the other is not sufcient
to consider that the claim concerns matters relating to a contract. This is the case
only where the conduct complained of may be considered a
breach of contract, which may be established by taking into account the purpose of
the contract. That will a priori be the case where the interpretation of the contract
which links the defendant to the applicant is indispensable to establish the lawful
or, on the contrary, unlawful nature of the conduct complained of against the
former by the latter.24
Applied to cloud computing, this may lead to the conclusion that claims for liability because of damaged or lost data may be considered as contract claims (Article
7(1)(a) of the Brussels I bis Regulation) since cloud computing contracts normally
contain provisions on liability for such cases.
(c)
For other types of torts, jurisdiction is determined pursuant to Article 7(3) of the
Brussels I bis Regulation either by reference to the place where the damage
23
24
265
occurred or to the place where the event giving rise to the damage took place,
whereas the criterion for the determination of the applicable law is only the
place where the damage occurred.
It is difcult to apply these rules in an abstract way without reference to a
specic harmful event or specic damages. In case of damage to data which
would not be considered contractual, there is guidance of the Court of Justice
which may be relevant. Concerning the determination of the event giving rise to
damage, the court held in Wintersteiger,25 a case concerning a trademark infringement on the internet, that it is the activation by the advertiser of the technical
process displaying, according to pre-dened parameters, the advertisement
which it created for its own commercial communications which should be considered as the event giving rise to an alleged infringement. This will usually be
the place of establishment of the tortfeasor (in that case the advertiser). This is
the case even if the server itself is located elsewhere.
More difcult could be the question how to determine in cloud computing
cases the place where the damage occurred. One possibility would be the place
where the data was located physically when the damage occurred. However,
because of the nature of the cloud, the user will normally not know where the
data was located at that moment. In cases concerning intellectual property rights
(trademarks and copyrights),26 the court held that the damages arise in the state
(s) where the right at stake is protected; those courts have jurisdiction only to
determine the damage caused in the member state within which they are situated.
Depending on the tort at stake, the place where the damage occurs would need to
be determined.
With regard to applicable law, it has been suggested to apply Article 4(3) of the
Rome II Regulation in case of problems in determining the place where the
damage occurred.27 According to this provision, the law of a country other than
the country where the damage occurred is applicable if it is clear from all the circumstances of the case that the tort/delict is manifestly more closely connected
with that country. It has been suggested that in cases in which data is damaged
or destroyed, the applicable law in accordance with Article 4(3) should be the
law governing the contractual relationship between the provider and the user of
the cloud service whose data were manipulated or damaged since that law is
clearly more closely connected with the damage than the law of the place where
the data happened to be located at the moment the damage occurred. This
shows again that the question may not be extra-contractual, but rather of a contractual nature, in which case the Rome II Regulation may not apply at all.
25
266
D.
G. Haibach
Conclusions
Cloud computing contracts have certain specic features which may raise questions when determining the competent jurisdiction and applicable law.
There are no decisions of the Court of Justice yet which would interpret provisions of EU private international law with regard to cloud computing contracts
specically. As shown above, there are, however, various judgments of the court
which are of relevance for such contracts. There are no indications that the applicable legal framework for contracts or torts could not be suited for the cloud. On
the contrary, the existing legal framework appears exible enough to offer appropriate solutions. Further guidance by the Court of Justice may be needed, for
instance concerning the place of provision of services in cloud computing contracts which qualify as service contracts, or the place of the location of damages
in tort cases.
In practice, the parties to a cloud computing contract usually avoid difcult
questions of jurisdiction and applicable law by agreeing on jurisdiction and applicable law clauses in their contracts. This standard practice in the cloud is possible
under the relevant provisions of EU private international law which, at the same
time, ensures that consumer rights in the cloud can be enforced before courts in
the European Union, irrespective of any choice of court clause in favour of a
third state and that mandatory provisions of EU and national law will be upheld
by those courts regardless of the choice of foreign law.