Journal of Private International Law, 2015

Vol. 11, No. 2, 252266, http://dx.doi.org/10.1080/17441048.2015.1067994

Cloud computing and European Union private international law

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

Georg Haibach*
Cloud computing is inherently an activity which transcends territorial
borders. Providers may offer services to customers on a worldwide basis,
involving a chain of intermediaries or subcontractors scattered around
the globe. Data may be stored on servers the location of and the control
over which is unknown to customers; data, software, and applications
may be accessible from anywhere in the world. This reality raises
questions of private international law. Which law applies in the event of
a dispute? Which court has jurisdiction to hear a claim? Will any
resulting judgment be recognised and enforced? This article describes the
current practice of terms and conditions of cloud computing contracts
and the application of the rules of EU private international law to such
contracts.
Keywords: cloud computing; Brussels I Recast; Rome I; Rome II;
contract; tort; consumer contracts; CJEU case law; data protection;
personality rights

A. Denition, service and deployment models, contracts

1. Denition of cloud computing
According to a widely used denition,1cloud computing is
a model for enabling convenient, on-demand network access to a shared pool of
congurable computing resources (e.g., networks, servers, storages, applications,
and services) that can be rapidly provisioned and released with minimal management
effort or service provider interaction.

According to this denition, cloud computing has ve elements: (1) on-demand

self-service, (2) ubiquitous network access, (3) resource pooling, (4) elasticity,
and (5) metered service.

*LLM, PhD. Ofcial in DG Justice of the European Commission. Avenue de Tervuren 20,
B-1040 Brussels. Email:Georg.Haibach@ec.europa.eu. The information and views set out
in this article are those of the author and do not necessarily reect the opinion of the
European Commission. Responsibility lies entirely with the author.
1
American National Institute of Standard and Technology (NIST), Denition of Cloud
Computing, http://csrc.nist.gov/groups/SNS/Cloud-computing/, accessed 23 June 2015.
European Union 2015

Journal of Private International Law

253

The denition comprises the three service and four deployment models commonly referred to in the cloud as described below.2

2.

Service models

There are three different service models of which IaaS is the most basic and each
higher model abstracts from the details of the lower models.

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

(a)

Infrastructure as a service (IaaS)

The IaaS model is the most basic cloud computing service. The user of this
model receives the infrastructure of the network for use. He is then able to use
the processing, storage, networks and other computing resources. He can run
his software or other applications on this network. The provider of IaaS only
has control over the cloud infrastructure whereas the operating systems are
under control of the user. This model of cloud computing is for instance offered
by Amazon Web Service, Amazon Elastic Compute Cloud, Amazon Simple
Storage Service S3.
(b) Platform as a service (PaaS)
In the PaaS model, a computing platform is provided and an application may be
deployed in the cloud. The provider of this model has the control over the
cloud infrastructure. Additionally, he controls the application and the middleware.
The customer may use the applications in the cloud which were created by him or
third parties. Apart from using these applications, he can also control the deployed
application. Examples of this cloud computing model are Windows Azure, force.
com from Salesforce and OmegaScape. Facebook is also a PaaS model of cloud
computing.
(c)

Software as a service (SaaS)

The user is able to use the software or other applications of the provider over the
internet or another network. The vendor may host the application on his own
server or upload it to his customers for a certain period of time. The provider of
the software or other application has control over the Cloud infrastructure. The
user of this service receives access to this application and is able to use it for
his purposes. His control is limited to customer-specic applications. Examples
of this form of cloud computing are Gmail, Yahoo Mail, Google Apps, and
Ofce Web Application from Microsoft.
2
See in this regard B Sujecki, Internationales Privatrecht und Cloud Computing aus
europischer Perspektive (Kommunikation & Recht, 2012) 312.

254
3.

G. Haibach
Deployment models

Cloud computing is delivered in four different deployment models, which differ

with regard to the number of users.

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

(a)

Public cloud

The public cloud is available to an unknown and unlimited number of users. The
application may be accessed by different users of different entities at the same
time. No customer has an exclusive access to the application. The advantage of
this form of cloud computing is the exibility of the use of the applications.
They can be accessed anywhere and anytime without having to be customised.
On the other hand, the price for this exibility is the risk of a lower degree of
data protection.

(b) Private cloud

A cloud can be customised and exclusively used by one entity. The access to the
private cloud is limited to a certain entity or to a limited number of users. The
private cloud is controlled either by the provider of the cloud or by the entity
having access to the application on the cloud. The data does not leave the cloud.
This increases data protection and the security of data in the cloud. However,
the costs of this form of cloud computing are higher than in the public cloud.

(c) Community cloud

In this model, access is opened to entities sharing the same concern. If a user
shares this concern, the application on the cloud is open to him. This application
can then be used by different entities at the same time, as long as they share the
same interest.

(d)

Hybrid cloud

A mixed form of cloud computing can be found in a hybrid cloud, where the cloud
contains forms of private, public and community infrastructure. These different
forms of cloud computing are independent parts of a cloud, but at the same
time they are connected with each other in such a way that the users have
access to all applications.

4.

Contracts

Cloud computing contracts can be categorised in two different groups, on the one
hand according to the number of users and on the other hand according to the
number of providers.

Journal of Private International Law

(a)

255

Individual/standard contracts

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

In case of a small number of users (usually business users in a B2B relationship) of

a cloud service, the terms regulating the contractual relationship are normally individualised. The parties negotiate these contractual terms and conditions. Contracts
are tailored to the particular needs of the parties.
If the service is provided to a large or unlimited number of users (usually consumers in a B2C relationship), contracts are normally standardised. There are
various forms of standardised contracts depending on the service and on the
users. The contract terms are offered by the service provider on a take-it-orleave-it basis. Users have no possibility of negotiating or changing them.3

(b)

Single Point of Contact/Multi Vendor Strategy

A cloud computing user may choose to obtain the service from one or from several
providers. The user of cloud computing may purchase the entire service in the
cloud from one single provider, the so-called Single Point of Contact. The
parties conclude a single contract dealing with all aspects of their contractual
relationship. Due to the exclusivity, these contracts can be very exible. The
user can for example demand the application of certain standards by the provider.
In case of failure to perform, the single provider may be liable. The user may also
conclude a contract with one general service provider who then concludes different agreements with third parties. Also in this case, the user has one single point of
contact.
By contrast, in the Multi Vendor Strategy, the user receives a pack of services
from different providers who are not connected with each other and concludes
contracts with them. Depending on his needs, the user is able to choose the best
provider for each service. This enables the user to arrange the service in a exible
manner. At the same time, the user has to take into consideration that this model
may raise issues of compatibility.

B.

EU private international law rules and practice in the cloud

1. Choice of applicable law and jurisdiction

Under most cloud computing contracts, the law of a specic jurisdiction is made
applicable to the contract. That law is typically the law of the jurisdiction in which
the provider has its principal place of business.4 In some cases, the law of the
location of the customer is made applicable.
Key action 2 of the Commission Communication on Unleashing the Potential of Cloud
Computing in Europe (COM(2012) 529 nal) foresees the development of model contract
terms for both types of Cloud computing contracts (B2B and B2C).
4
In a study by S Bradshaw, C Millard and I Walden, Contracts for Clouds, Comparison and
Analysis of the Terms and Conditions of Cloud Computing Services, Queen Mary School
3

256

G. Haibach

Cloud computing contract terms normally also contain a choice of forum

clause.5 Usually such a choice points to the same state as the choice of law governing the contract. Thus, the situation concerning jurisdiction is very similar to
that of applicable law. In many cases, especially when the law of a particular
US state is made applicable, contracts provide that claims must be brought in
the courts of a particular city within that state.6

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

2. Relevant EU private international law rules

(a) Applicable law
Most disputes concerning contractual or non-contractual obligations in connection
with cloud computing are governed by the Rome I7 and Rome II8 Regulations.

of Law Legal Studies Research Paper No. 63/2010, 17, available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=1662374, accessed 23 June 2015, in 19 out of 31 standard
terms and conditions of Cloud computing contracts examined for the purpose of the
study, the applicable law was the law of the jurisdiction in which the service provider
was based (in 15 cases the law of a particular US state -in most cases that of California,
but also those of Massachusetts, Washington, Utah and Texas and in four cases
English law). Only in eight cases the applicable law was the law of the jurisdiction of
the customer (in four cases English law, in two cases the law of other EU jurisdictions
(in one case Irish law for Apple and in another case Luxembourg law for certain Microsoft
services). In three cases, no choice of law was expressed or implied.
Some providers make the choice of law and forum based on the strong presence in a
jurisdiction. Salesforce is a good example of this case. In its T&C, Salesforce states that
any lawsuit arising out of or in connection with this Agreement, and which courts can adjudicate any such lawsuit, depend on where you are domiciled. At rst glance, it looks like
this provision implies that Salesforce determines the applicable law and jurisdiction based
on the location of the customer. But in fact Salesforce creates different zones of governing
law and the courts based on its branch ofce. So for example, if the customer that is residing
in Japan made a Cloud contract with Salesforce, the governing law and jurisdiction will be
in Tokyo. This is due to the fact that Salesforce has a Japanese afliate called Kabushiki
Kaisha. This means a customer who resides in Thailand must travel to Japan if they
want to challenge the Cloud contract in front of a court. See M Vincent, N Hart and K
Morton, Cloud Computing Contracts White Paper: A Survey of Terms and Conditions,
Truman Hoyle Lawyers, Sydney (2011), available at: http://www.cpi.org.au/articles/
White_Paper_June2011.pdf, accessed 23 June 2015.
5
The following jurisdiction clause is an example: Any dispute relating in any way to
products or services sold or distributed in which the aggregate total claim for relief
sought on behalf of one or more parties exceeds $7,500 shall be adjudicated in the
federal court in King County Washington, and you consent to exclusive jurisdiction and
venue in such courts.
6
For instance, Symantec requires that claims are brought in the courts of Santa Clara. See
for more detail Bradshaw, Millard and Walden, supra n 4, 18.
7
Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June
2008 on the law applicable to contractual obligations (Rome I), [2008] OJ L177/6.
8
Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July
2007 on the law applicable to non-contractual obligations (Rome II), [2007] OJ L199/40.

Journal of Private International Law

257

According to these Regulations, a choice of law is possible both in contractual

(Article 3 Rome I) and in tort matters (Article 14 Rome II), but the conditions
for a valid choice of law in tort are much stricter than in contract.
Where there is no express choice of law,

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

with regard to contractual obligations, the contract is governed by the law of

the country in which the party who will perform the obligation characteristic
of the contract has its habitual residence and/or central administration. In
particular, a contract for the provision of services is governed by the law
of the country where the service provider has its habitual residence and/or
central administration. To the extent that a cloud computing contract can
be characterised as a service contract, this means the law of the place of
the central administration of the service provider.
with regard to non-contractual obligations, subject to certain dened exceptions (e.g. unfair competition, intellectual property infringement, product liability), the law applicable is the law of the country in which the damage occurs.

Special rules exist for consumer contracts.9 In particular, consumer contracts are,
in certain situations, governed by the law of the country where the consumer has
his habitual residence. It is, however, important to note that the parties may also
choose another law (for instance the law of the cloud service provider). Such a
choice, however, may not have the result of depriving the consumer of the protection of mandatory provisions of the law of the state of the habitual residence of the
consumer.

(b)

Jurisdiction

The Brussels I bis Regulation applies to determine the jurisdiction of the courts in
the Union over a dispute regarding cloud computing.10 Under the rules of the
Brussels I bis Regulation, a prorogation of jurisdiction is possible in accordance
with Article 25. Regarding the form of agreements on jurisdiction, Article 25(2)
provides that any communication by electronic means which provides a durable
record of the agreement shall be equivalent to writing. Consequently, agreements on jurisdiction can be part of electronically concluded cloud computing
contracts, if they provide a durable record, e.g. if they can be printed out.11
9
A contract is a consumer contract if it is concluded by a natural person for a purpose
outside his profession (consumer) with another person acting in the exercise of his trade
or profession (professional).
10
Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12
December 2012 on jurisdiction and the recognition and enforcement of judgments in
civil and commercial matters, [2012] OJ L351/1.
11
See for more details: FF Wang, Jurisdiction and Cloud Computing: Further Challenges to
Internet Jurisdiction, (2013) European Business Law Review 589, 616.

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

258

G. Haibach

In the absence of a choice of court, the general rule is that jurisdiction lies with
the court in the member state where the defendant is domiciled. Alternatively, a
person domiciled in a member state may be sued in matters relating to a contract
in the courts of another member state where the contractual obligation which is the
subject of the dispute is to be or has been performed. In particular with respect to
service contracts, jurisdiction lies with the courts of the place where, under the
contract, the services were provided or should have been provided. Consequently,
a cloud service provider based in the EU can be sued in the jurisdictions in which it
provides services to its customers.
Special rules exist in B2C relationships. Under Article 19 of the Brussels I bis
Regulation, a choice of jurisdiction in consumer contracts in accordance with
Article 17(1) is only valid if it has been agreed after a dispute has arisen or if it is
favourable to the consumer. This means for choice of forum clauses in standard
terms and conditions of cloud computing contracts that they can be disregarded if
they make the courts of the forum of the cloud provider the competent jurisdiction.
Furthermore, Article 18 of the Brussels I bis Regulation provides that, subject to
certain conditions, consumers may bring proceedings either in the courts of the
member state of the other party (e.g. the cloud provider) or in the courts for the
place where they are domiciled. Proceedings against a consumer may be brought
only in the courts of the member state in which the consumer is domiciled.
Article 7(3) of the Brussels I Regulation provides that a person domiciled in a
member state may in another member state be sued in matters relating to tort,
delict or quasi-delict, in the courts for the place where the harmful event occurred
or may occur.
Until recently, the Brussels I Regulation12 applied only to defendants domiciled
in an EU member state. Where defendants were domiciled outside the EU, national
courts applied their own national laws to determine whether they have jurisdiction.
However, the revised Brussels I Regulation13 which has been applicable since 10
January 2015 provides for exceptions to this limited scope of application. In particular, in accordance with the uniform jurisdiction rules of the Regulation and
subject to certain conditions, a consumer domiciled in a member state is now
able to bring proceedings against another party in the courts of the state of his domicile, regardless of whether or not the other party has its domicile in a member state.
C.

Private international law issues in the cloud

The EU private international law legal framework laid out above was put in place
before cloud computing became an important IT business model. On the other
hand, internet and internet services were already well-known at the time. Cloud

12

Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, [2001] OJ L12/1.
13
Supra n 10.

Journal of Private International Law

259

computing may present some specic features which may raise questions under
private international law. For instance, cloud services can usually be accessed
from any location in the world. Furthermore, it is difcult, if not impossible, for
a cloud user to know where his data are located at any specic moment. These features need to be taken into account when considering how the private international
law rules apply to disputes concerning cloud computing. Some of the questions
which may arise in the cloud are considered below.

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

1.

Competent court and applicable law for contractual obligations

Questions could arise with respect to the determination of the court having jurisdiction in the context of Article 7(1)(a) of the Brussels I bis Regulation and of the
applicable law in the context of Article 4 of the Rome I Regulation. These questions will not arise when cloud computing contracts, as they normally do, contain
jurisdiction and applicable law clauses.
(a)

Party autonomy

As set out above, party autonomy is key in determining the competent court and
the applicable law in contractual matters. Both the Brussels I bis and the Rome I
Regulations provide for a large degree of party autonomy in B2B relations. Choice
of law and choice of court agreements are respected in the EU in B2B relations. By
contrast, party autonomy is limited in B2C relations where agreements must
comply with the protective consumer contract regime. In the absence of a
choice of court and/or choice of law, the relevant default rules of the Brussels
I bis and Rome I Regulations apply.
(b) The characterisation of cloud computing contracts
In order to apply Article 4 of the Rome I Regulation and Article 7 (1) of the Brussels I bis Regulation, it must be determined whether the contract in question can be
dened as a specic contract type within the meaning of these provisions. If not,
the general rules of Article 4(2) of the Rome I Regulation and of Article 7(1)(a) of
the Brussels I bis Regulation apply.
Cloud computing contracts in the different cloud computing models (IaaS,
PaaS and SaaS) as well as in the different deployment models (public, private,
community and hybrid cloud) are usually a combination of different contract
types. Normally, they do not correspond to a specic contract type. Instead, the
different elements and obligations in a cloud contract must be evaluated separately.
For instance, the access to infrastructure, platforms, software or storage capacities
may correspond to a lease contract, whereas the use of processing power to a
service contract. Therefore, for instance in an IaaS model cloud computing contract, the access to the infrastructure of the network can be considered as a
lease, and the use of the processing resources as a service.

260

G. Haibach

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

The Court of Justice of the European Union has already given guidance on
what should be considered a service contract for the purposes of the Brussels
I Regulation.14 In the Falco15 case, the court ruled that the concept of service in
Article 5(1)(b) of the Brussels I Regulation implies that the party who provides
the service carries out a particular activity in return for remuneration. Applied
to cloud computing, that means that cloud computing contracts in which a remuneration is foreseen would fall under the denition of a service contract. In
Corman-Collins,16 the court conrmed that the requirement of remuneration
should not be understood strictly as the payment of a sum of money; it could
consist of other things which represent an economic value and may be regarded
as constituting remuneration.17 It does not seem excluded therefore, that such
remuneration could consist of, for instance, the use of personal data.
(c)

Competent courts in B2B disputes

To the extent that a cloud computing contract can be considered as a service contract, the place of performance is the place where the services under the contract in
question were provided or should have been provided (Article 7(1)(b) of the Brussels I bis Regulation). Those courts have jurisdiction for disputes whatever the
contractual obligation at stake in the dispute is.
If the contract cannot be considered as a service contract, jurisdiction is based
on the place of performance of the contractual obligation which is the subject of
the dispute (Article 7(1)(a) of the Brussels I bis Regulation), in accordance with
the so-called Tessili and de Bloos rules. Under the Tessili-rule,18 the place of performance of the contract is determined by the lex causae, ie the substantive law
which applies to the contract. In the de Bloos decision,19 the European Court of
Justice ruled that the place of performance must be determined for each contractual
obligation separately so that the courts have to refer to the specic obligation
forming the subject of the controversy.
It follows from the above that the jurisdiction of the courts for contractual disputes in cloud computing contracts depends on the determination of the place
where the services were or should have been provided (in the case of a service
14
In line with the coherent interpretation of Brussels I and Rome I Regulations, it can be
assumed that the guidance given by the court in the context of the Brussels I Regulation
is equally relevant for the application of the Rome I Regulation, see recitals 7 and 17 of
Rome I.
15
Case C-533/07, Falco Privatstiftung [2009] ECR I-03327, paras 29 and 37.
16
Case C-9/12, Corman-Collins ECLI:EU:C:2013:860.
17
In Corman Collins, which concerned a distribution agreement, such remuneration was
considered to consist of, among others, the competitive advantage conferred on the selected
distributor, the assistance granted to the distributor regarding access to advertising, communicating know-how by means of training or even payment facilities.
18
Case C-12/76, Tessili v Dunlop [1976] ECR 1473.
19
Case C-14/76, de Bloos v Bouyer [1976] ECR 1497.

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

Journal of Private International Law

261

contract) or on the determination of the place of performance of the obligation in

question (in the case where the contract cannot be characterised as a service contract).20 There is no jurisprudence yet as to where in cloud computing contracts
which can be characterised as service contracts, the place of the provision of the
services is to be located. If the place of performance cannot be dened, the
general rule of Article 4 applies and jurisdiction lies with the courts of the
member state of the defendants domicile. This latter situation might arise in
cloud computing contracts which do not constitute service contracts within
the meaning of Article 7(1)(b) of the Brussels I bis Regulation, for instance
when the obligation at stake concerns acceptable use policy provisions in cloud
computing contracts, i.e. rules that restrict the ways in which a network,
website or system may be used and set guidelines as to how it should be used.
In cloud computing contracts, in which the service to be performed is the
storage of data, the question arises where such services are performed. Article 7
(1)(b) of the Brussels I bis Regulation can apply if the parties agreed that the
data should be stored in a certain country. However, if this is not the case, this provision would be difcult to apply. It is therefore suggested that in such cases the
connecting factor of the habitual residence/seat of the service provider, as set out in
Article 4(2) of the Rome I Regulation, applies.

(d)

Applicable law in B2B disputes

If the cloud computing contract is considered as a service contract, the contract in

the absence of a choice of law is governed by the law of the country where the
service provider has his habitual residence. If the contract is not a service contract,
it is governed by the law of the country where the party required to effect the characteristic performance of the contract has its habitual residence. In the latter case, the
party effecting the characteristic performance under a cloud computing contract
must be determined. Presumably it is the provider, since it is him who is putting
hosted services in the sense of application service provisioning at the disposal of
the customer that run client server software at a remote location. This is true for
the different cloud computing models (IaaS, PaaS and SaaS) as well as for the different deployment models (public, private, community and hybrid cloud).
20
It should be noted that in exceptional cases, it may not be possible to determine the place
of performance of a specic obligation. In the Besix judgment, Case C-256/00, Besix SA
[2002] ECR I-1699, the court held that what is now Art 7(1)(a) of the Brussels I Regulation
is not applicable if the place of performance of the obligation in question cannot be determined because it consists of an undertaking not to do something which is not subject to any
geographical limit and is therefore characterised by a multiplicity of places for its performance. In such cases, only the courts with the general jurisdiction of the domicile of the
defendant (Art 2(1) of the Brussels I Regulation, Art 4(1) of the Brussels I revised) are competent. This may in particular be of relevance for acceptable use policy provisions in Cloud
computing contracts.

262

G. Haibach

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

(e)

Consumer contracts

As shown above, consumers are well protected under EU private international law
with regard to jurisdiction and applicable law clauses. As a result thereof, consumers have access to the EU courts which can ensure the enforcement of mandatory
provisions of EU or national law.
The special protection for consumers of the Brussels I Regulation and of the
Rome I Regulation applies if the trader (service provider) directed his activities
at the member state of the consumer within the meaning of Articles 17(1)(c) of the
Brussels I bis Regulation and 6(1) of the Rome I Regulation.
In Hotel Alpenhof, the Court of Justice had to decide whether the accessibility
of an internet site is sufcient to assume that the professional has directed his
activity to the member state of the consumers domicile, within the meaning of
Article 15(1)(c) of the Brussels I Regulation.21
The court ruled that the mere access to an internet site is not sufcient but that
it must be ascertained whether before the conclusion of any contract with the consumer it is apparent from the websites and the traders overall activity that the
trader was envisaging doing business with consumers domiciled in one or more
member states, including the member state of that consumers domicile.
The following elements can constitute such evidence (non-exhaustive list):
.
.
.

.
.

.
.

the international nature of the activity,

mention of itineraries from other member states for going to the place where
the trader is established,
use of a language or a currency other than the language or currency generally used in the member state of the trader with the possibility of making and
conrming the reservation in that other language,
mention of telephone numbers with an international code,
outlay of expenditure on an internet referencing service in order to facilitate
access to the traders site or that of its intermediary by consumers domiciled
in other member states,
use of a top-level domain name other than that of the member state in which
the trader is established, and
mention of an international clientele composed of customers domiciled in
various member states.

Not sufcient are:

.
.

the mere accessibility of the traders or the intermediarys website in the

member state in which the consumer is domiciled, or
an email address and other contact details, or

21
Cases C-585/08 and C-144/09, Peter Pammer and Hotel Alpenhof GmbH [2010] ECR
I-12527.

Journal of Private International Law

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

263

the use of a language or a currency which are the language and/or currency
generally used in the member state of the trader.

In the context of cloud computing contracts, where providers are often domiciled in other states than their customers, it may frequently happen that providers
are directing activities to customers states. Given the global nature of the cloud,
certain criteria such as the international nature of the activity or the existence of an
international clientele may often be fullled in cloud computing cases and may
therefore constitute strong indicators that Article 17(1)(c) of the Brussels I bis
Regulation applies. Nevertheless, some cloud providers may target only their
own or only selected foreign markets. While this will hardly be the case in a
public cloud context, it can certainly occur in private cloud cases. Therefore, in
each individual case an assessment on the basis of the Alpenhof criteria must be
made.
2. Competent court and applicable law for non-contractual obligations torts
With regard to non-contractual obligations, the accessibility of the internet all over
the world plays an important role in the determination of the competent court and
the applicable law. The relevant provisions are Articles 4 and 7(2) of the Brussels
I bis Regulation and Article 4 of the Rome II Regulation.
(a)

Infringement of personality rights

In eDate Advertising GmbH, the Court of Justice had to decide whether the accessibility of a website can constitute the jurisdiction of a court in matters relating to
tort.22 The court ruled that like in consumer cases mere access to the website is
not sufcient for constituting the competence of a court. Instead, in accordance
with Article 5(3) of the Brussels I Regulation, a person who considers that his personality rights have been infringed by content placed online on an internet website
has two options, namely
.

22

to bring an action for liability, in respect of all the damage caused, before the
courts of the member state in which the publisher of that content is established or before the courts of the member state in which the centre of the
claimants interests is based, or
to bring an action before the courts of each member state in the territory of
which content placed online is or has been accessible. Those courts have jurisdiction only in respect of the damage caused to the claimant in the territory
of the member state of the court seised.

Cases C-509/09 and C-161/10 eDate Advertising GmbH v X and Olivier Martinez and
Robert Martinez v MGN Ltd [2011] ECR I-10269.

264

G. Haibach

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

Whereas in a private cloud context, often only the rst option may be realistic, the
second option should normally be available in private cloud cases.
As to the applicable law, violations of privacy and rights relating to personality, including defamation are excluded from the scope of application of the Rome
II Regulation (Article 1(2)(g)). As a result, each member state itself determines
which law it applies to a dispute regarding the violation of privacy rights. An
open question is the precise scope of the exclusion of privacy rights in the
Rome II Regulation.
(b) Damaged or lost data
A question which may arise in connection with cloud computing is what the relevant
private international law rules in the event of damage to or destruction of data are. This
could concern, for instance, a collection of photos in a B2C contract, or the database of
a company in a B2B contract, in whatever service and deployment model. In the cloud,
data is transferred from one server to another around the globe within seconds. Therefore, it is very difcult or even impossible for the user to localise the data, especially in
cases where the provider has sub-contractors (or possibly even a chain of sub-contractors) which may be responsible for the damage to or destruction of data.
In this context, the question arises whether such claims concern matters relating to a contract within the meaning of Article 7(1)(a) of the Brussels I bis Regulation, or matters relating to tort, delict or quasi-delict in the sense of Article 7(2)
of that Regulation. In Brogsitter,23 the Court of Justice ruled that the mere fact that
one contracting party brings a civil liability claim against the other is not sufcient
to consider that the claim concerns matters relating to a contract. This is the case
only where the conduct complained of may be considered a
breach of contract, which may be established by taking into account the purpose of
the contract. That will a priori be the case where the interpretation of the contract
which links the defendant to the applicant is indispensable to establish the lawful
or, on the contrary, unlawful nature of the conduct complained of against the
former by the latter.24

Applied to cloud computing, this may lead to the conclusion that claims for liability because of damaged or lost data may be considered as contract claims (Article
7(1)(a) of the Brussels I bis Regulation) since cloud computing contracts normally
contain provisions on liability for such cases.
(c)

Other types of torts

For other types of torts, jurisdiction is determined pursuant to Article 7(3) of the
Brussels I bis Regulation either by reference to the place where the damage

23

Case C-548/12, Marc Brogsitter ECLI:EU:C:2014:148.

Ibid at paras 2425.

24

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

Journal of Private International Law

265

occurred or to the place where the event giving rise to the damage took place,
whereas the criterion for the determination of the applicable law is only the
place where the damage occurred.
It is difcult to apply these rules in an abstract way without reference to a
specic harmful event or specic damages. In case of damage to data which
would not be considered contractual, there is guidance of the Court of Justice
which may be relevant. Concerning the determination of the event giving rise to
damage, the court held in Wintersteiger,25 a case concerning a trademark infringement on the internet, that it is the activation by the advertiser of the technical
process displaying, according to pre-dened parameters, the advertisement
which it created for its own commercial communications which should be considered as the event giving rise to an alleged infringement. This will usually be
the place of establishment of the tortfeasor (in that case the advertiser). This is
the case even if the server itself is located elsewhere.
More difcult could be the question how to determine in cloud computing
cases the place where the damage occurred. One possibility would be the place
where the data was located physically when the damage occurred. However,
because of the nature of the cloud, the user will normally not know where the
data was located at that moment. In cases concerning intellectual property rights
(trademarks and copyrights),26 the court held that the damages arise in the state
(s) where the right at stake is protected; those courts have jurisdiction only to
determine the damage caused in the member state within which they are situated.
Depending on the tort at stake, the place where the damage occurs would need to
be determined.
With regard to applicable law, it has been suggested to apply Article 4(3) of the
Rome II Regulation in case of problems in determining the place where the
damage occurred.27 According to this provision, the law of a country other than
the country where the damage occurred is applicable if it is clear from all the circumstances of the case that the tort/delict is manifestly more closely connected
with that country. It has been suggested that in cases in which data is damaged
or destroyed, the applicable law in accordance with Article 4(3) should be the
law governing the contractual relationship between the provider and the user of
the cloud service whose data were manipulated or damaged since that law is
clearly more closely connected with the damage than the law of the place where
the data happened to be located at the moment the damage occurred. This
shows again that the question may not be extra-contractual, but rather of a contractual nature, in which case the Rome II Regulation may not apply at all.

25

Case C-523/10, Wintersteiger AG ECLI:EU:C:2012:220.

Case C-170/12, Peter Pinckney ECLI:EU:C:2013:635.
27
See C F Nordmeier, Cloud Computing und Internationales Privatrecht Anwendbares
Recht bei der Schdigung von in Datenwolken gespeicherten Daten (2010) MultiMedia
und Recht, 151, 156.
26

266

Downloaded by [EP- IPSWICH] at 03:27 27 September 2015

D.

G. Haibach
Conclusions

Cloud computing contracts have certain specic features which may raise questions when determining the competent jurisdiction and applicable law.
There are no decisions of the Court of Justice yet which would interpret provisions of EU private international law with regard to cloud computing contracts
specically. As shown above, there are, however, various judgments of the court
which are of relevance for such contracts. There are no indications that the applicable legal framework for contracts or torts could not be suited for the cloud. On
the contrary, the existing legal framework appears exible enough to offer appropriate solutions. Further guidance by the Court of Justice may be needed, for
instance concerning the place of provision of services in cloud computing contracts which qualify as service contracts, or the place of the location of damages
in tort cases.
In practice, the parties to a cloud computing contract usually avoid difcult
questions of jurisdiction and applicable law by agreeing on jurisdiction and applicable law clauses in their contracts. This standard practice in the cloud is possible
under the relevant provisions of EU private international law which, at the same
time, ensures that consumer rights in the cloud can be enforced before courts in
the European Union, irrespective of any choice of court clause in favour of a
third state and that mandatory provisions of EU and national law will be upheld
by those courts regardless of the choice of foreign law.

Copyright of Journal of Private International Law is the property of Hart Publishing,

Oxford and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.