Prepared by DLA Piper UK LLP [March – 2015]
Comparative Study on cloud computing contracts
Final Report
EUROPEAN COMMISSION
Directorate-General for Justice and Consumers
European Commission B-1049 Brussels
LEGAL NOTICE
This document has been prepared for the European Commission however it reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
More information on the European Union is available on the Internet (http://europa.eu). Luxembourg: Publications Office of the European Union, 2015
ISBN 978-92-79-46480-5 doi:10.2838/16333 © European Union, 2015
Table of Contents
ABOUT THE AUTHORS
EXECUTIVE SUMMARY
1. INTRODUCTION
1.1 Setting the scene
1.2 The European Commission and the cloud
1.3 Structure of the present Study
1.3.1 Work Package 1
1.3.2 Work Package 2
1.3.3 Work Package 3
2. COMPARATIVE LAW ANALYSIS
2.1 Background and adopted approach
2.2 Full results of the desk research
2.3 Comparative law analysis and conclusions
2.3.1 Cloud specific legislation, case law, administrative guidelines and self-regulatory initiatives
2.3.2 Legal qualification of a cloud contract
2.3.3 Description of the service and service level agreement
2.3.4 Acceptable use policy (AUP)
2.3.5 Data protection
2.3.6 Intellectual property issues in the cloud
2.3.7 Warranties and liability
2.3.8 Termination of the cloud contract and its consequences
2.3.9 Unilateral modification of the cloud contract
2.3.10 Security requirements in the cloud
ABOUT THE AUTHORS
This Study was prepared by the international law firm DLA Piper UK LLP.
The performance of the Study was coordinated by a multi-national team composed of legal experts pertaining to the several legal traditions across Europe. The members of the Core Team are Mr Patrick Van Eecke, Mr Antoon Dierick, Mrs Sabine Fehringer and Mr Mark O'Conor.
The report is based on the input received from legal experts in relation to IT (including cloud computing) contract laws in each of the investigated countries, either pertaining to the DLA Piper group or as a preferred partnership firm.
The input for each of the countries was provided by and/or under the supervision of each of the following persons:
| Country | Responsible person | Law firm |
| --- | --- | --- |
| Austria | Mrs Sabine Fehringer | DLA Piper |
| Belgium | Mr Kristof De Vulder | DLA Piper |
| Bulgaria | Mrs Dessislava Fessenko | Pavlov and Partners Law Firm |
| Cyprus | Mr Alexandros Economou | Chrysses Demetriades & Co |
| Czech Republic | Mrs Eva Ruhswurmová | DLA Piper |
| Denmark | Mr Egil Husum | Advokataktieselskabet Horten |
| England & Wales | Mr Mark O'Conor | DLA Piper |
| Estonia | Mr Pirkko-Liis Harkmaa | Lawin law firm |
| Finland | Mr Samuli Simojoki | Attorneys at Law Borenius Ltd |
| France | Mr Stéphane Lemarchand | DLA Piper |
| Germany | Mr Jan Geert Meents | DLA Piper |
| Greece | Mrs Mina V. Zoulovits | Philotheidis, Rogas & Partners |
| Hungary | Mr Zoltan Kozma | DLA Piper |
| Ireland | Mrs Jeanne Kelly | Mason Hayes & Curran Law Firm |
| Italy | Mr Giangiacomo Olivi | DLA Piper |
| Latvia | Mr Sarmis Spilbergs | Lawin law firm |
| Lithuania | Mr Julius Zaleskis | Lawin law firm |
| Luxembourg | Mr Alain Grosjean | Bonn & Schmitt |
| Malta | Mr Antoine Camilleri | Mamo TVC Advocates |
| The Netherlands | Mr Joris Willems | DLA Piper |
| Poland | Mrs Krystyna Szczepanowska | DLA Piper |
| Portugal | Mr João Luís Traça | Miranda, Correia, Amendoeira & Associados |
| Romania | Mrs Cosmina Simion | DLA Piper |
| Slovak Republic | Mrs Michaela Stessl | DLA Piper |
| Slovenia | Mrs Jasna Zwitter-Tehovnik | DLA Piper |
| Spain | Mr Diego Ramos | DLA Piper |
| Sweden | Mr Jan Bryme | DLA Piper |
EXECUTIVE SUMMARY
English
Introduction
The present comparative law Study, encompassing the European Member States (excluding Croatia) and the U.S., has been conducted by the international law firm DLA Piper UK LLP. The Study has been coordinated by a multinational Core Team, with representatives from countries pertaining to the various legal traditions across Europe.
The input for each of the countries under investigation was provided by a dedicated team of specialized IT contracting lawyers from local DLA Piper law firms or preferred partner firms.
In light of the European Commission's action point on the development of model safe and fair contract terms for the cloud environment, aimed at increasing trust in the cloud and the uptake of cloud services, the present Study will serve as a knowledge base for understanding to what extent existing laws, case law and administrative guidance apply to cloud computing contracts.
The Study investigates whether key contractual legal issues which are typically mentioned in relation to the cloud, are adequately dealt with by existing national law or case law, or, as the case may be, by guidelines issued by administrative authorities.
Brief description of the Work Packages of the Study
In order to complete the tasks under the Study in a structured way, the work was divided into three work streams (each a "Work Package" or "WP").
During the first Work Package, a general overview was given of the legislation concerning cloud computing contracts in 27 Member States of the European Union (excluding Croatia) and at the U.S. level.
This overview is based on the relevant specific legislation on cloud computing contracts, the general and consumer contract legislation which may be applicable to a cloud environment, and administrative decisions and guidelines concerning cloud computing contracts.
This input has been gathered by using a template questionnaire which was filled out by each of the national correspondents. The template is based on several important contractual issues which may be encountered in a (cloud) contracting environment. The overview in question has been attached to this Final Report in Annex 1.
Work Package 2 entails establishing a methodology to select (including the actual selection) a representative sample of EU Member States.
On the one hand, the methodology takes into account legal criteria such as the level of development of cloud legislations, case law or guidelines, applicable laws frequently chosen, level of cloud litigation, etc.
On the other hand, economic criteria, such as the composition of the global ICT market, the size of public cloud services market and the size of the hosting market, are taken into account.
Based on this assessment and in common agreement with the European Commission, DLA Piper has selected England & Wales, France, Germany, Italy, Poland, Sweden, The Netherlands and The United States of America (the latter being contractually required to be represented in the sample) as the representative sample of countries.
These countries, which moreover provide a cross-section of the various legal traditions in Europe, are further analysed under the third Work Package of the Study. The methodology for selecting the above-mentioned sample of countries has been annexed to this Final Report as Annex 2.
During the third Work Package, the contractor was asked to perform a comparative law analysis on how the national legislations in the sample countries selected under Work Package 2 apply to certain key legal areas for cloud contracts. As during Work Package 1, the selected national correspondents were invited to provide the necessary input by means of a template questionnaire (attached as Annex 3) in order to facilitate comparison between the input from the various countries. Each of the completed questionnaires for the selected countries is attached to this Final Report in Annex 4. The comparative law assessment and conclusions of the analysis of these country reports is further set out in the main body of this Final Report.
Summary overview of the main findings during the comparative law analysis
Specific cloud legislation, case law and guidelines
In general, no specific "cloud laws" exist in the 28 investigated countries. Notwithstanding the foregoing, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have nonetheless been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard, a deviation from which could be seen as an infringement against binding laws.
Not many "cloud cases" have been reported, it being understood that not all cases where a cloud provider and cloud customer are involved constitute a specific "cloud case". However, there are several interesting cases which will apply by analogy to a cloud computing context, and these are mentioned under the relevant sections in the Report below.
Legal qualification of a cloud contract
Cloud contracts will be subject to the general rules of contractual agreements, applicable to all contracts whatever the subject matter of the contract may be. Where specific types of contracts (e.g. consensual contracts, synallagmatic contracts, etc.) are regulated under local laws, such laws may also be applicable in case the cloud contract falls within the definition of these contracts.
Next, a cloud contract may also be regulated by the rules applicable to certain "named" contracts, based on the subject matter of the contract. This assessment turns out to be difficult in practice, however, as it is not possible to classify "a" cloud contract in a general manner under the legal framework of existing named contracts. The cloud offering is simply too diverse (and rapidly changing) to make general qualifications. In any event, several of the investigated countries have indicated that the rules applicable to "services agreements" may be relevant for all types of cloud. The rules applicable to "work contracts" may be relevant where the cloud provider has agreed to perform a specific task, such as customizing the cloud service. Particularly interesting is the qualification of some cloud contracts (such as certain types of PaaS and IaaS contracts) as "lease contracts". German legal scholars make a distinction between non-gratuitous cloud contracts (SaaS, PaaS and IaaS alike) on the one hand, which can be classified as lease agreements, and gratuitous cloud computing contracts on the other hand, which can be qualified as loan agreements. Regulations on sales of goods are deemed inapplicable, as goods are likely defined as tangible movable items, which is considered not to be the case in a cloud computing context (although Swedish legal scholars take a differing point of view in this respect). As a result of the difficulties in legally qualifying the cloud agreement, several countries have stated that cloud contracts are likely to be qualified as sui generis contracts.
From a consumer law perspective, it should also be noted that where a cloud contract is concluded by means of distance communication, the contract will qualify as a "distance contract" in all EU Member States.
General quality levels of cloud services
1. In relation to the statutory conformity requirements of cloud services and the nature of obligations, it should be noted that conformity requirements depend on the legal qualification of the cloud contract. Where a cloud contract would be qualified as a "services agreement", conformity levels remain general as all of the investigated countries refer to general concepts such as the performance of the service "with due care", "in a professional manner", "with reasonable endeavour", etc. whereas it should be noted that, as the cloud market is a relatively new one, there are no set standards yet of what could be considered best market practices. In those countries where the cloud contract would qualify as a lease agreement, similar general conformity requirements or none at all apply. German legal scholars qualify gratuitous cloud contracts as loan agreements, but again, no statutory conformity requirements apply in this respect.
The rules on sales of goods, which most of the investigated jurisdictions state not to apply to a cloud context, contain express conformity requirements. In Sweden, it is argued that these principles could apply by analogy to a cloud contract but Sweden remains in this perspective the odd man out.
2. Pre-contractual information obligations mainly apply in a B2C context, but the legislation of some of the investigated countries also requires such information in B2B scenarios. Including contractual terms by reference is generally allowed but the counterparty must be clearly informed of this, with a threshold which typically will be higher in a business-to-consumer context. References to terms on a website are considered acceptable if duly notified to the customer. However, case law may tend to change position by denying the binding power of simply providing a hyperlink to a website terms and conditions document.
3. Reasonable expectations by a cloud customer in general cannot overrule the wording of the contract as, on the one hand, the contract wording will always be the starting point of the interpretation of a contract, and on the other hand, what can reasonably be expected from a cloud service provider remains unclear at this stage. Somewhat different is Sweden, where (as stated above) legal scholars have argued that the rules on sales of goods can be applied by analogy to a cloud computing context. This means that, notwithstanding the provisions of the contract, the sold "good" should conform to what can usually be expected by the "buyer".
4. Service level agreements are generally considered to fall under the scope of the unfair consumer contract terms regulations. In this sense, overly restrictive service level agreements could indeed be considered as unfair.
Acceptable use policies in the cloud agreement
The legislation in all of the investigated countries allows limitations on use, and corresponding liability provisions, to be included in an AUP document, insofar as the general rules on unfair terms and other general principles (such as not including surprising clauses in the agreement) are complied with. Such an AUP document may be incorporated into the contract by reference, which then follows the general rules on the applicability of agreements. This is not a cloud-specific issue.
All of the investigated Member States have indicated that the limited liability regime for "hosting providers", as set out in the e-Commerce Directive, could be applied to cloud providers under the condition that the service offered constitutes a "hosting service". Whether this will be the case is fact-specific. In case the cloud provider would fall under this legal regime, it is recommended to incorporate appropriate notice-and-take-down procedures. Swedish case law suggests that in case the service itself is intended to allow infringements against the law (e.g. exploiting a platform intended for sharing illegal content), the limited liability regime will likely not apply. In The Netherlands, interesting case law can be found on how to assess whether or not a "hosting provider" is actively involved in the making available of the infringing content.
Processing of personal data in the cloud
All European Member States have adopted similar (stringent) legislation in execution of European data protection rules, whereas on the U.S. level the legal regulations in relation to processing of personal data are primarily set out on the state level (as opposed to the federal level) and even then do not provide for detailed legal provisions. A source of debate is the qualification of the cloud services provider as a data "processor", with some legal scholars arguing that some cloud service providers will qualify neither as a data controller nor as a data processor. A second issue is the transfer of personal data to countries other than those considered to offer adequate protection. This is usually based on the use of EU model clauses. In general, the existing data protection rules are widely considered inadequate to deal with the current technological evolutions, which is why several national data protection authorities have issued guidelines or recommendations to take into account when 'going cloud'.
The cloud and intellectual property rights
Rules on intellectual property are important both for the cloud provider and the customer. Copyright laws are the most important regulations which set out the boundaries for access to and use of protected materials. Copyright laws exclusively allow the author of a protected work to use the protected works. These principles apply both to the cloud provider (protecting its platform and the information stored on it by the provider) and the cloud user (protecting its content stored on or made via the cloud service) and are similar in all of the investigated countries.
However, in case certain materials are not regulated by intellectual property rights (e.g. a work is only protected by copyright laws under certain conditions), the applicable regulations are scattered, relating for example to rules on trade secrets, professional secrecy, data protection rules, general tort law, etc. It is therefore often unclear to what extent these apply to a specific scenario. As a result, it is highly recommended from a general contracting perspective, in case contracting parties wish to avoid having discussions on rights on content, that cloud contracting parties include provisions on confidential information in the cloud contract.
Liability of cloud contracting parties
General rules on liability of a contractual party can be applied to a cloud contract context in the same way as to any other contractual context. However, the applicable statutory warranties which can determine whether or not a party is in default, remain difficult to determine as there is no clear view on how cloud contracts can be qualified in the existing legal framework.
Further, limitations on liability can be regulated contractually in each of the investigated countries but the extent to which such contractual limitations are valid may differ from country to country. While such contractual limitations are generally strictly regulated under the consumer protection laws of each of the investigated countries, one would expect that in a B2B environment such contractual agreements are freely negotiable. However, in all of the investigated countries legal concepts have been developed, or laws have been enacted, to restrict limitations of liability clauses in a B2B context.
Whether or not a contract party may use a subcontractor to perform some or all of its obligations varies from country to country, some countries requiring the preliminary consent of the other party. In case obligations are being subcontracted, the party using the subcontractor will remain fully liable for performance by its subcontractor.
The legal qualification of service credits is a difficult topic and remains unclear with legal opinions varying from country to country. Clear contractual stipulations (for example stating whether service credits should be considered a pre-estimate of the loss incurred for not achieving agreed service levels or a mere decrease of applicable fees as a result of the lesser value of the service without prejudice to other rights of compensation; stating whether service credits should be considered a sole and exclusive remedy or a form of compensation without prejudice to other forms of remedy; etc.) will be required to avoid discussions on this point. In any event, the existing legal framework allows boundaries to be set on overly restrictive service credit stipulations which would largely exclude the liability of the service provider.
The term, termination and consequences of termination of a cloud contract
In general, cloud contracts are likely to qualify as on-going contracts which are either fixed-term (in which case the parties generally cannot terminate prior to the end date of the contract) or concluded for an undetermined period of time (in which case the parties can terminate giving reasonable notice). Next to these general principles which apply for all of the investigated countries, country-specific statutory default rules on term and termination may also apply in some of the investigated countries, dependent on the legal qualification of the cloud contract, for example qualifying the contract as a services or a lease agreement.
The issue of the consequences of terminating a cloud agreement, in particular the obligation to return the data stored in the cloud, is a much debated one and a major issue for cloud customers. The contract may state clear provisions in this respect but, in the absence thereof, none of the investigated countries' legislations (both B2B and B2C) contain default statutory rules which deal with this topic. Although one could thus assume that a cloud customer does not have a statutory right to claim retrieval of data after termination of the contract, the importance of this issue has resulted in the development of legal theories which do give the customer such a right. Some of these theories are based on the existing principles for some named contracts (such as the regulatory framework for lease agreements in Germany and services agreements in The Netherlands) applied to a cloud contract, whereas in France the principle of the good faith execution of the contract has led the courts to impose an obligation of this kind upon a service provider.
The right to unilaterally change a cloud contract
Under all of the laws investigated, the main principle is that a party cannot unilaterally change a contract. However, parties can validly agree that one of the parties may change the contract.
Generally, the investigated laws require such clauses allowing the unilateral modification of the contract and the exercise thereof to be reasonable. In a B2C context, several of the countries investigated stipulate specific safeguards for consumers in case such clauses are stipulated in the contract.
Implied consent with a unilateral contract change (e.g. by continued use of the service after the contract change) is generally deemed acceptable, but additional safeguards apply in a B2C environment.
Security requirements for data stored in the cloud
There are no general or specific security standards in relation to cloud. In case the data processed contains personal data, the processing of such data must adhere to the applicable rules but here again, no standard set of security measures is laid down by the legislator.
On the European level, the European Commission has launched interesting initiatives in relation to (security) standardisation and certification which may further improve security standards. On a national level, the German legislator has proposed draft legislation on security for information technologies, including minimum IT security standards.
French
Introduction
The present comparative Study, the scope of which covers the Member States of the European Union (with the exception of Croatia) as well as the United States, was carried out under the direction of the international law firm DLA Piper UK LLP.
The Study was coordinated by a multinational core team, composed of representatives from countries belonging to the various legal traditions across Europe. The information obtained for each of the countries under investigation was provided by a dedicated team of lawyers specialised in IT law who are contractually part of local DLA Piper offices or preferred partner firms.
In light of the European Commission's action point concerning the development of model safe and fair contract terms for the cloud environment, intended to strengthen trust in the cloud and increase the uptake of cloud services, the present Study is intended to serve as a knowledge base for understanding to what extent existing legislation, case law and administrative guidance apply to cloud computing contracts.
The present Study examines whether the contractual legal issues typically mentioned in the cloud context are adequately dealt with by existing national legislation or case law or, as the case may be, by guidance issued by administrative authorities.
Brief description of the Work Packages of the Study
In order to complete the tasks making up the Study in a structured way, the workload was divided into three work streams (each a "Work Package").
During the first Work Package, a general overview was established of the legislation concerning contract law relating to cloud computing in the 27 European Member States (excluding Croatia) and the United States.
This overview is based on the relevant specific legal provisions concerning contract law relating to cloud computing, on general legislation and consumer contract legislation which may be applied to the cloud environment, and on administrative decisions and guidance concerning cloud computing contracts.
The input received was collected using a template questionnaire which was completed by each of the national correspondents. The template questionnaire is based on several important contractual issues which may be encountered in a (cloud) contracting environment. The general overview in question is set out in Annex 1 to this Final Report.
The second Work Package comprises establishing a methodology for selecting a representative sample of European Member States (as well as the selection actually made).
On the one hand, the methodology takes into account legal criteria such as the level of development of cloud legislation, case law or guidance, the applicable laws frequently chosen, the level of cloud-related litigation, etc.
On the other hand, economic criteria, such as the composition of the global ICT market, the size of the public cloud services markets and the size of the hosting market, are taken into account.
On the basis of this assessment and by common agreement with the European Commission, DLA Piper selected England and Wales, France, Germany, Italy, Poland, Sweden, the Netherlands and the United States of America (the latter being subject to a contractual obligation of representation in the sample) as the representative sample of countries.
These countries, which moreover provide a cross-section of the various legal traditions in Europe, are analysed in more detail under the third Work Package of the Study. The methodology used to select the above-mentioned sample has been attached to this Final Report as Annex 2.
During the third Work Package, the contractor was asked to carry out a comparative analysis to establish how the national legislation of the countries in the sample selected under Work Package 2 applies to certain key legal areas for cloud contracts. As for Work Package 1, the selected national correspondents were invited to provide the necessary input by means of a template questionnaire (attached as Annex 3), in order to facilitate comparison between the input received from the various countries. Each of the completed questionnaires for the selected countries is attached to this Final Report in Annex 4. The comparative legal assessment and the conclusions of the analysis of these national reports are explained in more detail in the body of this Final Report.
Summary overview of the main findings of the comparative law analysis
Specific cloud legislation, case law and guidance
In general, there is no "specific cloud legislation" in the 28 countries analysed. Notwithstanding the foregoing, numerous sector-specific regulatory initiatives (whether issued by administrative or supervisory authorities or by the industry itself) have nonetheless been published, which may further fuel the trend towards national cloud regulations. Some of these initiatives are binding, such as the guidelines originating from several financial supervisory bodies, whereas the guidelines of data protection authorities may not be binding as such but nonetheless tend to lead to a best practice standard, and any deviation from it could be considered a violation of binding laws.
Not many cases involving the cloud have been identified, it being understood that not all cases in which a cloud service provider and a cloud service customer are involved constitute a specific "cloud" case. Nevertheless, there are several interesting cases which would apply by analogy to the cloud computing context, and these are covered under the relevant sections of the Report below.
Legal qualification of a cloud contract
Cloud contracts will be governed by the general law of contractual obligations, applicable to all contracts whatever their subject matter. Where certain types of contracts (such as consensual contracts, synallagmatic contracts, etc.) are governed by local legal provisions, those provisions may also apply where the cloud contract falls within one of the definitions of these contracts. In addition, cloud contracts may also be governed by the rules relating to certain "named" contracts, depending on the subject matter of the contract. This assessment proves difficult in practice, however, since it is not possible to classify a "single" cloud contract in a general manner under the legal framework of existing named contracts. The cloud offering is simply far too diverse (and rapidly changing) to allow a general classification. In any event, several of the investigated countries have indicated that the rules applicable to "services contracts" may be relevant for all types of cloud contracts. The rules relating to "work contracts" may be relevant where the cloud service provider has agreed to perform a specific task, such as customising the cloud service. The qualification of certain cloud contracts (such as certain types of PaaS and IaaS contracts) as "lease contracts" is particularly interesting. German legal scholarship distinguishes between non-gratuitous cloud contracts (SaaS, PaaS and IaaS), on the one hand, which can be qualified as lease contracts, and gratuitous cloud computing contracts, on the other hand, which can be qualified as loan contracts.
Regulations on the sale of goods do not apply, since goods appear to be defined as tangible movable items, which is not the case for cloud computing (although Swedish legal scholarship takes a different view on this point). Given the difficulties encountered in the legal qualification of cloud contracts, several countries have indicated that cloud contracts are likely to be qualified as sui generis contracts.
It should also be noted that, from a consumer law perspective, where a cloud contract has been concluded by means of distance communication, the contract will qualify as a "distance contract" in all EU Member States.
General quality levels of cloud services
1. As regards the legal conformity requirements for cloud services and the nature of the obligations, it should be noted that the conformity requirements depend on the legal qualification of the cloud contract. If the cloud contract is qualified as a "service contract", the requirement levels remain general, as all the countries surveyed refer to general concepts such as performing the service "with care", "in a professional manner", "using reasonable efforts", etc., while it should be noted that, because the cloud market is relatively recent, there are not yet any defined standards as to what could be regarded as best market practice. In countries where the cloud contract would be qualified as a rental contract, either similar general conformity requirements apply or no requirements apply at all. German legal doctrine qualifies free cloud contracts as loan contracts, but again it should be noted that no legal conformity requirements apply in that context.
The rules on the sale of goods, which most of the jurisdictions surveyed state do not apply in a cloud context, contain express conformity requirements. In Sweden it is argued that these principles could apply by analogy to a cloud contract, but Sweden remains an exception.
Regulatory standardisation initiatives could thus further pave the way for the establishment of best practices.
2. Pre-contractual information obligations apply mainly in B2C relationships, but the laws of some of the countries surveyed also require such information in B2B situations.
Incorporating contractual terms by reference is generally permitted, but the other contracting party must be clearly made aware of it, the threshold normally being higher in a B2C context. References to terms and conditions found on a website are normally accepted if they have been duly notified to the customer. Case law may, however, attempt to change position by refusing binding effect to general terms and conditions found on a website where they were referred to only by means of a hyperlink.
3. In general, the reasonable expectations of a cloud customer cannot prevail over the terms of the contract because, on the one hand, the terms of the contract will always be the starting point for interpreting the contract and, on the other, at this stage it is not yet clear what is expected of a cloud service provider. The situation in Sweden is somewhat different since (as indicated above) legal doctrine there has argued that the rules on the sale of goods may be applied by analogy to cloud computing contracts. This means that, notwithstanding the contractual provisions, the "goods" sold must conform to what the "buyer" can normally expect.
4. Service level agreements are normally regarded as falling within the scope of the rules on unfair terms in consumer contracts. In that sense, excessively restrictive service level agreements may indeed be regarded as unfair.
Acceptable use policy in cloud agreements
The laws of all the countries surveyed allow limitations on use, and related liability clauses, to be included in an AUP document, as long as the general rules on unfair terms and other general principles are complied with and there are therefore no surprising clauses in the contract. Such an AUP document may be incorporated into the contract by reference, which is then in line with the general rules on the application of agreements. This is not a cloud-specific issue.
All the Member States surveyed indicated that the limited liability regime applicable to "hosting service providers", as set out in the E-Commerce Directive, could be applied to cloud service providers, provided that the service offered constitutes a "hosting service". Whether this is the case will depend on the facts. Where the statutory regime applies to the cloud provider, it is advisable to put adequate notice and takedown procedures in place. Swedish case law suggests that, if the service itself is aimed at enabling breaches of the law (for example, operating a platform intended for sharing illegal content), the limited liability regime should not apply. In the Netherlands, interesting case law is available explaining how to determine whether a "hosting service provider" is actively involved in making unlawful content available.
Processing of personal data in the cloud
All EU Member States have adopted similar (strict) laws implementing the European data protection rules, whereas in the United States the processing of personal data is essentially regulated at state level (as opposed to federal level), where, even at that level, no detailed statutory provisions exist. The qualification of the cloud service provider as a data "processor" can be controversial, with some authors even arguing that certain cloud service providers can be qualified neither as controllers nor as processors. A second problem may be the transfer of personal data to countries other than those considered to offer adequate protection. This is normally based on the use of European standard clauses. Generally, the existing data protection rules are widely regarded as inadequate in the face of today's technological developments, which is why several national data protection authorities have issued guidelines or recommendations intended to take the use of the cloud into account.
The cloud and intellectual property rights
Intellectual property rules are important for both the cloud service provider and the customer. Copyright laws are the most important rules setting the limits on access to and use of protected data. Copyright laws allow only the author of the protected work to use it. These principles apply both to the cloud service provider (protecting the platform and the information stored on it by the provider) and to the user of such services (protecting the content that the user has stored on or created via the cloud service) and are similar in all the countries surveyed.
However, where certain data fall outside the scope of intellectual property rights (for example, a work is protected by copyright rules only under certain conditions), the applicable rules are scattered, for example across the rules on trade secrets, professional secrecy, data protection, non-contractual liability, etc. It is therefore often unclear to what extent they apply to a specific scenario. Consequently, it is strongly recommended, from a contractual point of view and where the contracting parties prefer to avoid discussions about rights in the content, that the parties include confidentiality clauses in the cloud contract.
Liabilities of the parties to the cloud contract
The general rules on the liability of a contracting party can be applied to cloud contracts in the same way as they are applied in any other context. However, the applicable statutory warranties, which determine whether or not a contracting party has failed to meet its obligations, are difficult to determine because, under the current legal framework, the legal qualification to be given to cloud contracts is unclear.
Furthermore, limitations of liability can be arranged contractually in each of the countries surveyed, but the extent to which such limitations are valid may differ from one country to another. While these contractual limitations are generally strictly regulated under the consumer protection rules of each of the countries surveyed, one might assume that, in a B2B context, such arrangements can be freely negotiated. However, in all the countries surveyed, legal concepts have been developed, or laws adopted, to restrict limitation of liability clauses in a B2B context.
Whether or not a contracting party may use a subcontractor to perform some or all of its obligations varies from one country to another, with some countries requiring the prior consent of the other party. Where performance of the obligations is entrusted to a subcontractor, the party that engaged the subcontractor remains fully liable for the subcontractor's performance.
The legal qualification of service credits is a difficult and unclear subject, with legal opinions varying from one country to another. Clear contractual provisions (specifying, for example, whether or not service credits are to be regarded as an estimate of the loss suffered as a result of failing to meet the agreed service levels or as a mere reduction of the applicable fees reflecting the lower value of the service, without prejudice to other rights to compensation; and whether they are to be regarded as the sole and exclusive remedy or as being without prejudice to other rights to compensation) are needed to avoid disputes on this point. In any case, the current legal framework allows limits to be set on excessively restrictive service credit provisions that would largely exclude any liability of the service provider.
Duration, termination and consequences of termination of a cloud contract
In general, cloud contracts are likely to be qualified as continuing contracts, which are either for a fixed term (in which case the parties generally cannot terminate the contract before the end date stated in it) or for an indefinite term (in which case the parties may terminate the contract by giving reasonable notice). Beyond these general principles, which apply in all the countries examined, country-specific default rules on duration and termination may also apply in some of the countries examined, depending on the legal qualification of the cloud contract, for example its qualification as a service contract or a rental contract.
The question of the consequences of terminating a cloud contract, in particular the obligation to return the data stored in the cloud, is widely debated and is a major issue for customers. The contract may contain clear provisions in this respect, but in their absence none of the laws of the countries examined (both B2B and B2C) contains default rules addressing this subject. Even though one might assume that the cloud customer has no right to claim return of the data after termination of the contract, the importance of this question has led to the development of legal theories that grant the customer this right. Some of these theories are based on the existing principles for certain nominate contracts (such as the regulatory framework for rental contracts in Germany and service contracts in the Netherlands) applied to the cloud contract, while in France the principle of performing the contract in good faith has led the courts to impose an obligation of this kind on a service provider.
The right to modify the cloud contract unilaterally
In all the laws examined, the basic principle is that a party cannot unilaterally modify a contract. However, the parties can validly agree that one of the parties may modify the contract.
In general, the laws examined require such clauses permitting unilateral modification of the contract, and the exercise of that right, to be reasonable. In a B2C context, several of the countries examined provide specific safeguards for consumers where such clauses are included in the contract.
Implied consent to a unilateral modification of the contract (for example, through continued use of the service after the contract has been modified) is generally considered acceptable, but additional safeguards apply in a B2C environment.
Security requirements for data stored in the cloud
There are no security standards, general or specific, for the cloud. Where the data processed contain personal data, the processing of those data must comply with the applicable provisions but, again, no standard of security measures has been put in place by the legislator. At European level, the European Commission has launched very interesting initiatives on standardisation and (security) certification, which may further improve security standards. At national level, the German legislator has proposed a draft law on information technology security which also includes a minimum standard for IT security.
1. INTRODUCTION
1.1 Setting the scene
Much has been said and written about the definition of cloud computing. However, to our knowledge, no legal definitions (i.e. provided by law) of this computing model exist, and justifiably so given its ever-changing features. Authoritative institutions, such as the National Institute of Standards and Technology (NIST), have, rather than defining the concept, generally described the conditions which are a sine qua non for designating a service as cloud¹. European institutions have taken a similar approach².
Cloud computing refers to the evolution where information technology resources are separated from the underlying infrastructure, and dynamically scalable virtualised resources are provided "as a service" over the Internet ("the cloud"). Instead of the traditional computing model where individual companies buy and maintain private computer systems and software, cloud computing focuses on centralized services. Computing is turned into a utility which can – ideally – be drawn from the wall (just like electricity), so that computers, storage systems, networking equipment and software are becoming commodities.
According to prominent security experts and programmers³, apart from the term ("cloud computing"), the technologies it refers to are nothing really new. Some even talk about a "marketing hype" or the "latest fashion"⁴. According to them, cloud computing is what popular service providers (such as Gmail or Hotmail) have been doing for several years already, under the umbrella of various types of IT outsourcing services (remote backup, archiving or security monitoring, web-based applications, remote hosting, e-mail filtering, etc.).
What may be happening, however, is that new computing services and technologies, rebranded under the more generic name of "cloud computing", are fuelling the drive towards it. Cloud computing technologies have enormous potential, and hold great promises for the future. However, if the potential of cloud computing is to be fully realized over the coming years, there needs to be a clear understanding of all the technical and legal issues involved, both from the perspective of the intermediaries providing cloud computing services and the users thereof.
1 See, for an early document, P. Mell and T. Grance, The NIST definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, September 2011, accessible via http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
2 See also for example the description of cloud computing by the Working Party 29 (WP 29), WP 29, "Opinion 05/2012 on Cloud Computing", WP 196, 1 July 2012, accessible via http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf, in particular pages 4-5 and the European Commission's description of cloud in its Communication on the "Unleashing the Potential of Cloud Computing in Europe" of 27 September 2012, accessible via http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF, together with the Commission Staff Working Document, accompanying this document, http://euapm.eu/wp-content/uploads/2013/04/STAFF-WORKING-DOCUMENT-Unleashing-the-Potential-of-Cloud-Computing-in-Europe.pdf, page 2 referring to the NIST definition of cloud computing ("Cloud computing is a model for enabling convenient on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.", source: NIST (2009) Cloud computing definition, updated by NIST (2011) SP 800-145 US National Institute of Standards and Technology).
3 Many of them expressing their opinion during the countless cloud computing seminars, conferences, workshops, etc. that have been organized for several years now.
4 See T. RODRIGUES, "Cloud Computing: A new label on Old Technologies", 3 October 2012, http://www.computer.org/portal/web/Mind-the-Cloud/content?g=5970560&type=blogpost&urlTitle=cloud-computing%3A-a-new-label-on-old-technologies-; see also on this issue K. DE VULDER and A. DIERICK, "Cloud computing contracten, een nieuwe trend", in Recht en Elektronische Handel, P. VAN EECKE (ed.), Larcier, 2012, 142-143.
1.2 The European Commission and the cloud
Following the European Commission's Communication on the "Unleashing the Potential of Cloud Computing in Europe" of 27 September 2012⁵, the Commission has adopted a true European Cloud Computing Strategy.
The Commission's Communication identified three key action points to be undertaken in order to accelerate cloud uptake in Europe, with the aim of delivering a net gain of 2,5 million new jobs throughout the European Union and an annual boost of €160 billion to the European Union GDP by 2020.
A first action point is "cutting through the jungle of standards" in order to improve interoperability of cloud services, facilitating data portability and reversibility. The establishment of a "European Cloud Partnership to drive innovation and growth for the public sector" is a second key action point of the Commission. The European Cloud Partnership (ECP) is intended to bring together cloud industry and public sector representatives to work on common procurement requirements for cloud computing. The third key action point relates to "Safe and Fair Contract Terms and Conditions".
In the context of this third action point, the Cloud Select Industry Group ("C-SIG") on Service Level Agreements in June 2014 issued the "Cloud Service Level Agreement Standardisation Guidelines" which set out common guidelines for service level agreements⁶. Cloud service providers commonly include SLAs in contracts with customers to define the levels of service being provided. SLAs form an important component of the contractual relationship between a customer and a provider of a cloud service. The new guidelines will help professional cloud users to ensure essential elements are included in plain language in contracts they conclude with cloud providers. In addition, the Cloud Select Industry Group on Code of Conduct for its part has prepared a draft data protection Code of Conduct for providers. This code has been presented to the Article 29 Data Protection Working Party⁷.
Finally, the Commission set up an expert group to work on safe and fair terms for cloud computing for consumers and small firms⁸. Consumers and SMEs may still be reluctant to use services offered in the cloud. One of the reasons for this lack of trust may be the complexity and uncertainty of the legal framework. Cloud contracts may sometimes be unclear, complex or favour the providers. Consumers and small firms may sometimes have little to no bargaining power when concluding cloud computing contracts. Some are offered as non-negotiable "off-the-shelf" products or "take-it-or-leave-it" contracts. Between November 2013 and April 2014 the expert group held 6 meetings to discuss key issues⁹ on cloud computing contracts¹⁰ for consumers and SMEs.
In the context of this third action, it is of the utmost importance for the Commission to better understand in what way the existing national legislations apply to and regulate cloud computing contracts, as well as whether any case law exists which is of key importance for the cloud computing offer. The present Study's aim is to serve as one of the sources of the Commission's knowledge base and, more particularly, it is the intention to inform the Commission to what extent existing national laws apply to cloud based contracts, as well as of any relevant case law in relation to such contracts.
5 See footnote 2.
6 See https://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines.
7 See https://ec.europa.eu/digital-agenda/en/cloud-select-industry-group-code-conduct.
8 See the original Press Release at http://europa.eu/rapid/press-release_IP-13-990_en.htm.
9 The group has discussed the following issues: switching, pre-contractual information, availability of the service, modification of contracts, liability for non-performance including remedies and the control of use and content where the data protection aspects are quite limited; the contractual aspects linked to data location and security; sub-contracting; auditing, reporting and monitoring; compliance with provisions on data transfers and liability, data protection clauses between cloud users, cloud providers and sub-contractors where the data protection elements are more prominent.
10 All the syntheses of the meetings can be found on
1.3 Structure of the present Study
The Study has been conducted in three phases, each called a Work Package or WP.
1.3.1 Work Package 1
The first Work Package ("WP 1") aims to give a general overview of the legislation concerning cloud computing contracts of 27 EU Member States¹¹ and the U.S. (including both the federal level and the laws of the State of California). The overview is based on an analysis of:
the relevant specific legislation on cloud computing contracts, including possibly mandatory provisions,
the general and consumer contract legislation which may be applicable to cloud computing contracts, including possibly mandatory provisions,
any administrative decisions and jurisprudence concerning cloud computing contracts or that can be relevant to cloud computing contracts.
Rather than simply providing an enumeration of applicable legal provisions without any central thread, the WP 1 input is structured on the basis of the most important contractual issues which may arise in a (cloud) contracting context. Each of those contractual topics is discussed per country, giving an overview of relevant legislation, case law, administrative guidance where relevant and a discussion of how the general legal principles are applied in practice.
This input has been compiled in an easily readable and consultable overview of more than 750 pages of detailed information on applicable law, relevant case law and administrative guidance relating to cloud computing contracting.
This overview has been annexed to this Final Report as Annex 1 which gives an overview of the input gathered per country, ordered alphabetically.
1.3.2 Work Package 2
During Work Package 2 ("WP 2"), a methodology has been developed to identify a representative sample of EU Member States' legislations relating to cloud computing contracts. The methodology for establishing a representative sample took into account legal and economic criteria.
Legal criteria included, for example, how advanced cloud legislations are, based on the input gathered during Work Package 1 of the Study, using a global scorecard of biggest ICT countries in relation to cloud regulatory environment, the law applicable to cloud contracts and cloud litigation, etc.
The economic criteria comprise the composition of the global ICT market, identifying the most important ICT countries, the size of the public cloud services market in numbers and in percentages, the size of the hosting market, etc.
Based on the aforementioned legal and economic criteria, the contractor, in common agreement with the European Commission, has selected 8 countries which were further subject to the in-depth comparative law analysis during Work Package 3 (see below). These countries are:
England & Wales
France
Germany
Italy
Poland
Sweden
The Netherlands, and
The United States of America.
The proposed sample is therefore not only backed up by the various criteria taken into account, but equally provides a cross-section of the various legal traditions in Europe¹².
The methodology for selecting the above-mentioned sample of countries as well as an overview of the sources used to establish such sample has been annexed to this Final Report as Annex 2.
1.3.3 Work Package 3
During the third Work Package ("WP 3") the contractor was asked to perform a comparative law analysis on how the national legislations in the sample countries selected under Work Package 2 (see section 1.3.2 and Annex 2) apply to certain key legal areas for contracts for cloud services.
As during WP 1, the expert national correspondents of each of the selected countries were asked to complete a template questionnaire which set out the legal issues under investigation. This template questionnaire is attached as Annex 3 to this Final Report. The in-depth legal analysis of the issues concerned for each of the selected countries is attached as Annex 4 to this Final Report. The countries are ordered alphabetically.
The subsequent comparative law assessment and the general conclusions drawn from this input are set out below in the main body of this Final Report, under section 2.
12 Including Common Law countries (UK and U.S.), Civil Law countries (France, The Netherlands), countries pertaining to the "German law" tradition (Germany), "Roman Law" tradition (Italy), as well as an Eastern European country (Poland) and finally, a country influenced by the "Nordic law" tradition (Sweden).
2. COMPARATIVE LAW ANALYSIS
2.1 Background and adopted approach
During the Work Package 3 exercise, the countries selected under WP 2 (see the list in section 1.3.2 of this Final Report, and the detailed methodology in Annex 2) have provided an in-depth analysis on several key contractual legal issues, which were agreed with the European Commission.
The agreed key contractual issues under investigation during WP 3 are the following, with, for each of the issues under investigation, a short description as to why these issues are of particular interest in a cloud context:
Description of the service and service level agreement: The Service Level Agreement (SLA) constitutes an important part of the contractual relationship between the service provider and the user. It normally describes the conditions under which the service is considered conforming to the contract (e.g. the level of availability of the service, reliability, down times, response times in case of the service being unavailable, conditions/times of maintenance etc.). In some cases, SLAs refer to specific information, available on the provider's website, which is subject to change without notice. In some cases, SLAs are rather restrictive in defining conformity requirements (i.e. they limit the possibility for the user to invoke their reasonable expectations as to the conformity of the service with the contract). Potentially, SLAs raise a number of specific legal issues which are under further investigation.
Acceptable use policy (AUP): Cloud service providers sometimes include provisions on acceptable use policy in the contracts for their services. This is usually a safeguard for providers against liability arising out of unlawful activities of their customers.
Data protection and disclosure of personal data; Data location and data transfer: Data protection is an important element of cloud computing contracts. In the EU, the protection of personal data is governed by Directive 95/46/EC¹³ ("Privacy Directive"). It strikes a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. For that purpose, the Privacy Directive sets strict limits on the collection and use of personal data and provides for rules concerning transparency, legitimate purpose and proportionality. Cloud computing is frequently based on a lack of any stable location of the data within the cloud provider’s network. The cloud client may therefore not be in a position to know where the data is located, stored or transferred. The location of the data determines, however, under many cloud computing contracts, the law applicable to the contract. Article 25 of the Privacy Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an "adequate level of protection". Several legal issues are further investigated in this respect.
Intellectual property and other proprietary rights and duties over content: Cloud computing services involve a number of questions relating to intellectual property rights over the customer's content located on the cloud as well as user interactions with the provider's content which is subject to these rights. A number of issues may be agreed by the parties in the framework of their contractual relationship. A clear understanding of the legal rules applicable to the cloud content of both parties may therefore be of high importance. There is also an issue of third party rights in protected content (e.g. performers and composers of music); this issue however was not specifically investigated by the selected countries.
Warranties, direct and indirect liability, indemnification for third party claims: When the service does not meet the conformity requirements described in the SLA, the user may have certain remedies against the provider. Furthermore, due to a non-conforming service, the user might incur direct and indirect losses (e.g. a direct loss resulting from the loss of data or an indirect economic loss for gains that could not be realised due to the service being unavailable for a period of time) and the user might hold the provider liable for those losses. Some providers limit their liability for losses as well as the possibility of warranty claims by users in their standard contract terms. One of the ways often used for remedying non-conformity is the inclusion of so-called
13 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data of 24 October 1995,