Cloud Computing 2019 Cloud Computing 2019

2018

Research Business Law ©

2019

Contributing editor Lewis Mark Computing Cloud

GETTING THE DEAL THROUGH Cloud Computing 2019 Cloud Computing 2019

Contributing editor Mark Lewis Bryan Cave Leighton Paisner LLP

Reproduced with permission from Law Business Research Ltd This article was first published in November 2018 For further information please contact [email protected]

Publisher Law The information provided in this publication is Tom Barnes general and may not apply in a specific situation. [email protected] Business Legal advice should always be sought before taking Research any legal action based on the information provided. Subscriptions This information is not intended to create, nor does James Spearing Published by receipt of it constitute, a lawyer–client relationship. [email protected] Law Business Research Ltd The publishers and authors accept no responsibility 87 Lancaster Road for any acts or omissions contained herein. The Senior business development managers London, W11 1QQ, UK information provided was verified between Adam Sargent Tel: +44 20 3780 4147 September and October 2018. Be advised that this is [email protected] Fax: +44 20 7229 6910 a developing area.

Dan White © Law Business Research Ltd 2018 [email protected] No photocopying without a CLA licence. Printed and distributed by First published 2017 Encompass Print Solutions Second edition Tel: 0844 2480 112 ISBN 978-1-78915-001-8

Global overview 5 India 48 Mark Lewis Samuel Mani and Abraham Mathew Kandathil Bryan Cave Leighton Paisner LLP Mani Chengappa & Mathur

Argentina 7 Japan 52 Diego Fernández Atsushi Okada and Hideaki Kuwahara Marval, O’Farrell & Mairal Mori Hamada & Matsumoto

Australia 12 Korea 56 Adrian Lawrence and Caitlin Whale Seungmin Jasmine Jung, Jeong Kyu Choe and Jung Han Yoo Baker McKenzie Jipyong LLC

Bangladesh 16 New Zealand 61 Sharif Bhuiyan and Maherin Khan Richard Wells Dr Kamal Hossain and Associates MinterEllisonRuddWatts

Belgium 19 Poland 65 Edwin Jacobs, Stefan Van Camp and Bernd Fiten Krzysztof Wojdyło and Rafał Kuchta time.lex Wardyński & Partners

Brazil 25 Sweden 72 José Mauro Decoussau Machado, Ana Carpinetti and Peter Nordbeck and Dahae Roland Gustavo Gonçalves Ferrer Advokatfirman Delphi Pinheiro Neto Advogados Switzerland 77 China 30 Jonas Bornhauser Matthew Murphy and Fei Dang Bär & Karrer Ltd MMLC Group United Kingdom 81 France 36 Mark Lewis Olivier de Courcel and Stéphanie Foulgoc Bryan Cave Leighton Paisner LLP Féral-Schuhl/Sainte-Marie Alain Recoules Arsene Taxand United States 95 Amy Farris, Manita Rawat and Matthew Mousley Germany 43 Duane Morris Thomas Thalhofer and Lars Powierski Noerr LLP

2 Getting the Deal Through – Cloud Computing 2019 © Law Business Research 2018 PREFACE

Preface

Cloud Computing 2019 Second edition

Getting the Deal Through is delighted to publish the second edition of Cloud Computing, which is available in print, as an e-book and online at www.gettingthedealthrough.com.

Getting the Deal Through provides international expert analysis in key areas of law, practice and regulation for corporate counsel, cross- border legal practitioners, and company directors and officers.

Throughout this edition, and following the unique Getting the Deal Through format, the same key questions are answered by leading practitioners in each of the jurisdictions featured. Our coverage this year includes new chapters on Argentina, Brazil, France and Korea.

Getting the Deal Through titles are published annually in print. Please ensure you are referring to the latest edition or to the online version at www.gettingthedealthrough.com.

Every effort has been made to cover all matters of concern to readers. However, specific legal advice should always be sought from experienced local advisers.

Getting the Deal Through gratefully acknowledges the efforts of all the contributors to this volume, who were chosen for their recognised expertise. We also extend special thanks to Mark Lewis of Bryan Cave Leighton Paisner LLP, the contributing editor, for his continued assistance with this volume.

London October 2018

www.gettingthedealthrough.com 3

Global overview

Mark Lewis Bryan Cave Leighton Paisner LLP

It took from November 2009 to September 2011 and 15 drafts for the composed of ‘two or more distinct cloud infrastructures (private, com- US National Institute of Standards and Technology (NIST) to pro- munity or public) that remain unique entities, but are bound together duce its final definition of cloud computing. (For the short story by standardised or proprietary technology that enables data and of that journey, see www.nist.gov/news-events/news/2011/10/ application portability (eg, cloud bursting for load balancing between final-version-nist-cloud-computing-definition-published, and for clouds)’. (NIST definition, page 3.) the final version of the definition, see The NIST Definition of Cloud This is not without its challenges, but it reflects a more measured Computing, Recommendations of the National Institute of Standards approach. Organisations that are even more concerned about risk and and Technology, Peter Mell and Timothy Grance, Special Publication compliance (eg, regulated financial services firms), but that want some 800-145 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpub- of the benefits of the computing model, are likely to deploy a private lication800-145.pdf.) It was worth the wait, because the NIST defini- cloud, which is ‘provisioned for exclusive use by a single organisation tion remains de facto the definitive universal statement of what cloud comprising multiple consumers (eg, business units). It may be owned, computing is. managed and operated by the organisation, a third party, or some com- By the way, in the time it took the NIST to produce 15 drafts and bination of them, and it may exist on or off premises’. (NIST definition, release a final version of the world’s favourite cloud computing defini- page 3.) Alternatively, in a community of common interests, for exam- tion, the global public cloud services market had grown from US$58.6 ple within local government, health and law enforcement communi- billion to US$92.97 billion – by an astonishing 58.65 per cent. ties, they may deploy a community cloud: Arranged over just one and a half pages, the NIST’s definition of cloud computing is: provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (eg, mission, security a model for enabling ubiquitous, convenient, on-demand network requirements, policy, and compliance considerations). It may be access to a shared pool of configurable computing resources (eg, owned, managed, and operated by one or more of the organizations networks, servers, storage, applications, and services) that can be in the community, a third party, or some combination of them, and rapidly provisioned and released with minimal management effort it may exist on or off premises. (NIST definition, page 3) or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deploy- As the community cloud shares the characteristic of ‘exclusive use’ ment models. with the private cloud deployment model, we may treat it as a variant of the private cloud for the purposes of this work. For the purposes of Getting The Deal Through – Cloud Computing, we can So, we observe that the four deployment models are currently in look up the five essential characteristics at our leisure. Of more imme- use, but to varying degrees. For the reasons given below, in our analysis diacy are the three service models: software-as-a-service (SaaS), plat- of how cloud computing has been adopted in the countries covered by form-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). And this work, we need to address the deployment models as a composite we need instantly to refer to the four deployment models: private cloud, of cloud computing, and as virtually interchangeable. Besides, finding community cloud, public cloud and hybrid cloud. That is because one data to compare and contrast the adoption of each of the deployment of the first challenges, when answering the questions outlined below, is models (and for that matter each of the service models) – that will for to tell readers which of the cloud deployment models we mean. the most part be freely available to our readership, while also being In general, what most people mean when they refer generically to authoritative – is a real challenge. And it does not help that, in their cloud computing is the third deployment model, which is most often endeavours, law and policymakers and regulators have not generally seen as the archetypal cloud, ie, the public cloud: – yet – seen the need to distinguish precisely between the cloud deployment models and service models. the cloud infrastructure . . . provisioned for open use by the general However, where we can do so within the limitations of our allot- public. It may be owned, managed, and operated by a business, ted space, we try to identify the characteristics of a deployment model academic, or government organisation, or some combination of that may be relevant to our analysis. Take, for example, the question them. It exists on the premises of the cloud provider. (NIST defini- concerning labour and employment law considerations applicable to tion, page 3) the cloud. And in particular, whether the EU Acquired Rights Directive (ARD) and EU member state legislation implementing it will apply to a It is the cloud model for which the most extensive claims are made in cloud migration. If that legislation does apply, it will transfer staff auto- this computing model: utility, multi-client, location neutral, almost matically on their existing terms of employment to the cloud service infinitely scalable and pay-per-use (see ‘Essential Characteristics’, provider (CSP) where their employer is migrating some or all in-house NIST definition, page 2). IT functions to the cloud. And this will almost certainly extinguish the But migrating from ‘traditional’ computing models to the public financial case for the cloud migration. In considering whether there is cloud has real challenges: chief information officers (CIOs) and chief an ARD transfer of an undertaking, it may well make a difference that risk officers (CROs) worry about, among others, security, compliance the migration is to a public cloud (where you might struggle to discern with data protection and privacy laws, data residency, service resilience the transfer of an undertaking, because the ‘before and after’ activities and portability of data on termination of cloud arrangements. So, to are so different), rather than to a private cloud (which could have many avail themselves of some of the benefits of the archetypal cloud, organ- characteristics of an outsourcing, to which the ARD has been held to isations have deployed instead the hybrid cloud: an infrastructure apply). Or will it? Readers with business interests in the EU will have to www.gettingthedealthrough.com 5

© Law Business Research 2018 GLOBAL OVERVIEW Bryan Cave Leighton Paisner LLP decide for themselves – alerted to the possibility by this work and, one • Public and private sector organisations around the world worry hopes, properly advised. about – and some have already had to cope with – what happens For the reasons given above, it is mostly beyond the scope of this when a CSP becomes insolvent. What insolvency laws will apply in work to differentiate precisely or at all between and focus on each of those situations? SaaS, PaaS and IaaS. • Almost all surveys of CIOs, CROs and other business leaders Accordingly, in this work we attempt to cover the broadest pos- around the world highlight their continuing concern about data sible spectrum of cloud computing adoption, including (mostly inter- security in the cloud, as well as whether and how they continue to changeably) the public, hybrid and private cloud deployment models comply with data protection and privacy regulation in migrating and the service models, all in a business-to-business (B2B) context, but to the cloud – especially with the coming into operation of the EU recognising that business-to-consumer (B2C )arrangements will also General Data Protection Regulation in May 2018. So, we identify be of interest to many of our readers, mainly because of consumer pro- the principal data protection or privacy legislation applicable to tection regulation. For each contributing country, this approach will, cloud computing. naturally, be somewhat different, depending on the size and state of development of cloud computing in its local market, as well as local We turn next to what I have found to be the most challenging set of market, contractual, legal and regulatory conditions. questions to answer. After outlining what forms of cloud computing Our survey starts with the market in each of the countries covered contract are usually adopted, we analyse as far as we can from publicly and examines what kinds of cloud computing transactions take place available sources, the typical key terms of B2B public cloud computing and which of the global and local cloud providers are active in that contracts in local markets. country, as well as the cloud services the latter provide. It is clear that cloud computing will – if not now, then in the near Next, we address how well-established cloud computing is, includ- term – have a significant impact in the workplace, so we identify labour ing by its market size, referring to data and studies that are publicly and employment law considerations that apply. available. Because much of the developed world and many emerging econo- How active is central or regional government in the development mies are becoming increasingly concerned about how to tax online and of cloud? Are there specific, cloud-friendly policies? How are those digital products and services, especially where supplies cross borders policies implemented – by fiscal or customs incentives or develop- and will be made from IT product and services providers without a per- ment grants, or other means? And what other government initiatives manent establishment in their target markets, we outline the direct and apply? indirect taxation rules that apply to the establishment and operation of We turn next to the core of this work: law, regulation, contract CSPs and their customer transactions. and market practice. We address the following questions for each Finally, we identify recent notable cases as well as commercial, country. administrative or regulatory decisions or actions that have directly • Is cloud computing specifically recognised and provided for in the involved cloud computing as a business model. And we close with a local legal system and, if so, how? survey of updates and trends as far as they can be discerned. • Is there any legislation or regulation that directly and specifically With a new and fast-developing area like cloud computing, we prohibits, restricts or otherwise governs cloud computing? must keep our questions under review for future editions. And it follows • What legislation or regulation indirectly prohibits, restricts or oth- that our answers to those questions will change over time. Of course, erwise regulates cloud computing? law and regulation will change, as will contract and market practice. As • What are the consequences of breach of those laws and regulations? with the first edition, we will be happy to consider your comments and • Recognising the importance of B2C cloud adoption, what local contributions and, as far as practicable, take account of them in future consumer protection measures apply to cloud computing? editions. Contact me at [email protected] if you wish to make • Knowing that cloud – especially public cloud – may pose real chal- comments or suggestions for the next edition. lenges in certain sectors, for example, financial services and health, The country contributors and I very much hope that you will find what (if any) sector-specific legislation or regulation applies? this edition of Getting The Deal Through – Cloud Computing both stimu- lating and useful, and a worthwhile addition to this series.

Mark Lewis [email protected]

Adelaide House Tel: +44 20 3400 1000 London Bridge Fax: +44 20 3400 1111 London EC4R 9HA www.bclplaw.com United Kingdom

6 Getting the Deal Through – Cloud Computing 2019

Argentina

Diego Fernández Marval, O’Farrell & Mairal

Market overview cloud computing, it does not measure the sector’s impact on the overall economy or on specific sectors. 1 What kinds of cloud computing transactions take place in your jurisdiction? Policy Almost all kinds of cloud computing transactions take place in the region. 6 Does government policy encourage the development of your In connection with public cloud services, software-as-a-service jurisdiction as a cloud computing centre for the domestic (SaaS), infrastructure-as-a-service (Iaas) and platform-as-a-service market or to provide cloud services to foreign customers? (PaaS) are all common. Of these segments, SaaS – which includes In general, Argentina does not have a federal policy to encourage the storage-as-a-service – has had the most marked growth in recent years. development of the country as a cloud computing centre for the domes- Private cloud models have mostly been adopted by enterprises. tic market or provide cloud services to foreign customers. There has been a growing interest in cloud solutions from the However, Argentina does have a law that seeks to foster the growth insurance, telecommunications and banking industries. Furthermore, of the software industry in general (see question 7). both the national and local governments have begun turning to cloud Furthermore, it is worth noting that the Argentine government is solutions, in particular in relation to PaaS. involved in cloud computing through ARSAT. ARSAT has constructed a state-of-the-art data centre with the goal of facilitating cloud com- 2 Who are the global international cloud providers active in puting for consumers. The data centre’s design and construction has your jurisdiction? made it the sole Uptime Institute Tier III data centre in Argentina. Prominent international cloud computing providers operating in The data centre has also received ISO/IEC Certification 27001:2013 as Argentina include IBM, Microsoft Azure and AWS. well as Communication ‘A’ 4609 approval from the Argentine Central Bank, both of which certify the rigour of the data centre’s information 3 Name the local cloud providers established and active in your security. jurisdiction. What cloud services do they provide? 7 Are there fiscal or customs incentives, development grants At a local level, most telecommunications companies provide cloud or other government incentives to promote cloud computing computing capabilities as IaaS and not the full range of services that the operations in your jurisdiction? international cloud providers offer. Local companies providing cloud services include Claro, Movistar and ARSAT (a government-owned tel- Although there are no specific regulations to promote cloud comput- ecommunications company). The business model is mostly based on ing in Argentina, the Software Promotion Law No. 25,922 (the Software providing hosting and offering flexible payment options. Law) sets forth a broadly supportive regime for the software industry in general. This will remain in effect until 31 December 2019. 4 How well established is cloud computing? What is the size of Pursuant to this law, Argentine-incorporated companies whose the cloud computing market in your jurisdiction? activities are the creation, design, development, production, implementation, adjustment, or upgrade of developed software systems Cloud computing is well established in the region, and continues to and their associated documents, may participate in the benefits cre- grow. Cloud computing services in Argentina have seen an exponential ated by this regime, provided they comply with certain requirements. increase in the past two years, and this is expected to continue for at Beneficiaries of the regime will benefit from: least a couple of years. • fiscal stability; For instance, a global cloud services provider operating in • conversion of certain monthly social security tax payments into a Argentina has estimated that the growth of public cloud services in tax credit; 2019 will be 46 per cent. In particular, IaaS is expected to grow 60 per • non applicability of any VAT withholding or collection regimes; cent , PaaS 30 per cent and SaaS 38 per cent. • a 60 per cent reduction in the total amount of corporate income tax as applied to income derived from software activities; and 5 Are data and studies on the impact of cloud computing in your • exclusion from any kind of present or future restriction on the jurisdiction publicly available? currency transfers matching the payouts for imports of software There is no publicly available data on the impact of cloud computing in products by the beneficiaries, provided the imported goods are Argentina issued by a government body. necessary for the software production activities. The Software Alliance, also known as BSA, a trade group representing the world’s leading software companies, has been releasing A draft bill that would extend the duration of these benefits until its Global Cloud Computing Scorecard regularly since 2012. Its most 31 December 2030 is currently before the National Congress. recent Scorecard was released in 2018. The Scorecard grades 24 coun- In addition, it is worth noting that, from a customs perspective, tries with notable cloud computing sectors, including Argentina. The cloud computing services may not be construed as a ‘good’ that may scores and accompanying rankings are based on the legal and regu- be imported or exported, as they are not a tangible good that enters or latory frameworks of the countries studied and aim to assess each exits the territory. country’s readiness for cloud computing. Policy areas include data Some specific provisions may apply when importing servers into privacy, intellectual property rights, IT readiness and data security. Argentina, depending on which tariff code they subject to under the However, while the Scorecard assesses each country’s readiness for Mercosur Common Nomenclature. These goods are singled out as www.gettingthedealthrough.com 7

‘technological goods’ and, if imported new, have a reduced VAT rate 11 What are the consequences for breach of the laws directly (10.5 per cent) for their definitive importation, are exempt from the or indirectly prohibiting, restricting or otherwise governing statistical fee (0.5 per cent over cost, insurance and freight (CIF) valua- cloud computing? tion) and are also exempted from some advanced payments on internal There are no laws directly prohibiting, restricting or otherwise govern- taxation collected upon the definitive importation of goods. ing cloud computing. In the case of any laws that may apply indirectly, These are also capital goods that, if imported on a used condition, consequences will vary depending on the pertinent regulation. are subject not only to regular import taxation but also to a specific For instance, in the case of the Argentine Data Protection Law regime that alters their import duties rate (up to 28 per cent ad valorem) No. 25,326, a breach may lead to administrative sanctions, civil pro- and requires a specific certificate granted by the Ministry of Production ceedings, or criminal penalties. The Data Protection Authority (DPA) before its importation. Depending on their tariff position, the importa- may apply the following administrative penalties in the event of violation into Argentina of used servers may be completely forbidden. tion of the Argentine Data Protection Law: • observation; Legislation and regulation • suspension; 8 Is cloud computing specifically recognised and provided for • fines of between 1,000 and 100,000 pesos; in your legal system? If so, how? • business closure; or • cancellation of the database. Cloud computing is not recognised or regulated by a specific law. However, there are different regulations that apply to matters Sections 117 bis and 157 bis of the Criminal Code also punish, with that may relate indirectly to cloud computing, including general pro- between one month and three years of imprisonment, those who: visions on contract law, data protection, consumer protection, labour, • illegally insert false information in a database; intellectual property, tax and public procurement regulations. Taken • knowingly supply false information stored in a database to a third as a whole, these constitute the framework that would apply to cloud party, computing. • knowingly and illegally gain access to a database containing personal data in violation of its security systems; 9 Does legislation or regulation directly and specifically • disclose personal data protected by duty of confidentiality pursu- prohibit, restrict or otherwise govern cloud computing, in or ant to law; or outside your jurisdiction? • illegally insert data in a database. There is no legislation that directly and specifically prohibits, restricts or otherwise governs cloud computing in Argentina. Additionally, in the case of any infringements of the Consumer Section 8 of the Argentine Digital Law No. 27,078 (the ADL), as Protection Law No. 24,240, the following sanctions: amended by Decree 267/2015, establishes that the provision of informa- • observation; tion, communications and technology services (ICT services) requires • fines of between 100 and 5 million pesos; a corresponding licence. ICT services are defined by the ADL as the set • seizure of infringing merchandise or products; of resources, tools, equipment, software, applications, networks and • business closure or suspension of the provided service for up to 30 means that allow the compilation, processing, storing and transmis- days; sion of information, such as voice, data, text, video and images, among • suspension for up to five years from the registries that allow suppli- others. Section 6, subsection (g) of the ADL establishes that each ICT ers to contract with the government; and service will be subject to its specific regulatory framework. • loss of concessions, privileges, and any special tax or credit At present, there is no specific telecom regulation in Argentina conditions. governing cloud computing services. In principle, cloud computing services would not fall under the Argentine telecoms regulations since Further, the CPL provides that punitive damages may be imposed on they would not be an ICT service with specific regulation but merely an the infringer. application of – or business solution that runs on – the public internet, provided locally by an authorised local internet service provider (ISP). 12 What consumer protection measures apply to cloud Therefore, a reasonable interpretation is that cloud computing services computing in your jurisdiction? would not be subject to any licensing or other regulatory requirement If cloud computing services are provided to consumers, Argentine con- in Argentina. sumer protection regulations will apply. In particular, the CPL and the It is worth noting that currently a new legal framework for telecom- provisions of the Civil and Commercial Code (the CCC) on consumer munications (and media) activities in under discussion. Thus, there electronic contracts will be relevant. may be changes in such regulations in the near future and these may The CPL protects consumers, defined as any physical person or affect cloud computing services. entity that acquires or uses, whether for a fee or not, goods or services Finally, in connection with personal data protection and regulation as an end user, for its own benefit or for the benefit of its family or social of international data transfers, see question 15. group. Some central aspects of general protection consumer law which 10 What legislation or regulation may indirectly prohibit, restrict may be relevant to e-commerce are the following: or otherwise govern cloud computing, in or outside your • under the CPL, every description of the service or product adver- jurisdiction? tised by any means of communication is considered part of the There are several provisions that could indirectly restrict or otherwise offer and a binding term of the contract; govern cloud computing, and which could apply depending on the • suppliers are forbidden from compelling the consumer to reject characteristics and nature of the services and the parties involved. goods or service in order to avoid the payment of a fee; and For instance, the Argentine Data Protection Law No. 25,326 will • the CPL entitles the consumer to terminate the contract by the apply to the use of cloud computing insofar as it entails the process- same means used to agree upon it (ie, telephone, internet, etc). ing of personal data. The Consumer Protection Law No. 24,240 (the CPL) will also apply to cloud services if they are provided to consum- Further, section 40 of the CPL states that there is joint liability between ers. Market-specific laws may also be relevant. Furthermore, general all those involved in the supply chain for damages resulting from intellectual property, tax and labour regulations should be taken into defects or risks associated with goods or service. account. In addition, the CCC contains provisions which refer specifically to the protection of consumers in electronic transactions (sections 1106- 1116). For instance, an important provision is section 1106, which states that electronic means may be used in contracts and have the same force of law as written contracts. Another relevant provision is section 1109, under which the location where the consumer is located and receives the products or services triggers the applicable law. This means

8 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Marval, O’Farrell & Mairal ARGENTINA that when a cloud computing service is located outside Argentina, operating. Therefore, the provision of services to the customer should Argentine consumers may still be protected by the CCC. Moreover, remain relatively unaffected. If, however, the service provider under- CCC section 1110 grants consumers a 10-day term to revoke the online goes bankruptcy, the customer would, at some point, stop receiving transaction (with exceptions for: goods that are personalised or which, the services. The customer would have to direct any actions – such as by their nature, cannot easily be returned; video or audio recordings or claims for services paid but not performed – against the insolvent entity software that upon delivery can be quickly and indefinitely stored and in the bankruptcy proceeding. copied; and for daily or periodical publications, such as newspapers). Data protection/privacy legislation and regulation 13 Describe any sector-specific legislation or regulation that 15 Identify the principal data protection or privacy legislation applies to cloud computing transactions in your jurisdiction. applicable to cloud computing in your jurisdiction. In the public sector, there is no specific legislation or regulation that The Argentine Data Protection Law No. 25,326 (the Argentine Data applies to cloud computing transactions at a federal level. However, the Protection Law) will apply to the use of cloud computing insofar as it Federal Information Technology Office – responsible to the Ministry of entails the processing of personal data. The Argentine Data Protection Modernisation – has revealed that it is working on regulating the use Law, and its accompanying Decree No. 1158/01, constitute the main of cloud services in the public sector, and recently issued a number of framework on data protection in Argentina. They are enforced by the non-binding recommendations, some of which relate to cloud services: DPA. • the public sector should choose cloud-services solutions over The Argentine Data Protection Law defines personal data as any any other option when requesting new information technology kind of information referring to identified or identifiable individu- services; als or legal entities. The general principle under the Argentine Data • public sector entities will choose which cloud service to procure; Protection Law is that any processing of personal data (including any and disclosure, collection, storage, amendment and destruction) must be • providers of cloud services to the public sector will have to com- specifically consented to by the data subject. Such consent must be ply with certain minimum requirements during the procurement prior, given freely, based upon the information previously provided to process. the data subject (informed) and expressed in writing or by equivalent means, depending on each case. In general terms, public procurement regulations provide for the sanc- Several provisions of the Argentine Data Protection Law and its tion of particular bidding terms and conditions for each type of pro- complementary regulations can be relevant in connection with cloud curement. Pursuant to Argentina’s political system, the procurement computing. These include its provisions on cross-border data transfers, legal framework differs in each jurisdiction and can also vary depend- data processing agreements, and security measures and confidentiality ing on the relevant entity. The procurement framework at the federal obligations. level mainly consists of: Regarding cross-border data transfers, the Argentine Data • Decree No. 1023/2001; and Protection Law prohibits the transfer of personal data from Argentina • Decree No. 1030/2016 (together, the General Legal Framework), to other countries or to international organisations if the countries or which provide general rules that cannot be neglected even by way organisations do not provide an adequate level of data protection, with of private negotiation. certain exceptions. In cases when adequate data protection is not set up, transfers may still be done when the data subject consents to the Pursuant to the General Legal Framework, it is the public sector that transfer or when adequate protections arise from contractual clauses will determine and announce the service that needs to be procured, or self-regulated systems. along with the scope and modalities under which the service will be DPA Rule No. 60-E/2016 (Rule 60) provides a list of jurisdictions rendered, by means of the bidding terms and conditions and the tech- which the DPA considers to provide an adequate level of protection. nical specifications. These are the member states of the European Union and the European In relation to the banking industry, it is worth noting that in Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the November 2017, the Argentine Central Bank issued Communiques ‘A’ Faroe Islands, Canada (only applicable to their private sector), New 6354 and 6375, which made important modifications to the regulations Zealand, Andorra and Uruguay. In some non-binding administrative which apply to the decentralisation, outsourcing and delegation of decisions, the DPA has found the United States not to meet an adequate activities of financial entities. Among other faculties, these regulations level of protection. Moreover, Rule 60 approved two sets of standard authorised financial entities to hire information technology services model clauses addressing the two most common types of data trans- provided by third parties, subject to the condition that such activities fers: the assignment of data to a third party and the transfer of data for fall within the list provided by the Argentine Central Bank. the rendering of data-processing services. These new rules were an important update to the regulatory frame- In connection with data processing, any entities that provide out- work applicable to financial entities, and aimed to allow them to make a sourced processing services, including cloud computing entities, are more extensive use of technological services. There is still some debate considered data processors. In that case, the Argentine Data Protection whether these regulations would allow the use of cloud services – after Law requires a data processing agreement between data processor and undergoing the pertinent procedures and subject to the limitations and data controller. Decree No. 1558/2001 provides that the agreement technical requirements contained in these regulations. must: • detail the security measures mandated by the Argentine Data 14 Outline the insolvency laws that apply generally or Protection Law; specifically in relation to cloud computing. • include the parties’ confidentiality obligations; Where a company fails to meet its obligations, the contractual provi- • establish that the data processor will only act as instructed by the sions entered into by the parties are the first source of regulation for data controller; and the conflict. In B2B contracts, where the negotiation leverage is suppos- • establish that the data processor is also bound by the Argentine edly fairer for the parties, the contract will govern what occurs in cases Data Protection Law’s data-security requirements. of non-compliance, which will generally come about if a company becomes insolvent. In B2C contracts, the same contractual provisions The data may only be used for the purpose outlined in the agreement, will apply with the caveat that, in this case, consumer-specific legisla- and may not be assigned. After the data processing has been rendered, tion might apply and might offer more protection to a customer. the data must be destroyed. In connection with insolvency, general insolvency laws will apply Lastly, in relation to security and confidentiality, the Argentine to cloud computing, since there is no specific regulation in connec- Data Protection Law states that the data controller and the data pro- tion with insolvency and cloud computing services. The most impor- cessor must adopt the necessary technical and organisational meas- tant Argentine regulation on this matter is Law on Reorganisation and ures to guarantee the protection and confidentiality of the data. DPA Bankruptcy Proceedings No. 24,522. Resolution No. 47/2018 recently approved two sets of recommenda- If the reorganisation procedure regulated by this law is success- tions in connection with security measures for the processing and ful, the service provider should be able to clear its debts and continue conservation of personal data. One is aimed at computerised data www.gettingthedealthrough.com 9

18 What are the typical terms of a B2B public cloud computing Update and trends contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and There are currently no draft laws that refer specifically to cloud variation? computing. However, as discussed in question 13, the Federal Information In connection with commercial terms, providers tend to offer a range of Technology Office is working on regulating the use of cloud services various rates and prices for different services. Payment schemes can be in the public sector. either fixed, or offer greater flexibility. Prices are usually set in US dol- Furthermore, there is an initiative to rethink data- lars and converted to Argentine pesos at the exchange rate applicable protection regulations that could indirectly affect cloud when issuing the invoice. Most providers allow for payment in US dol- computing. In June 2017, the Data Protection Authority released lars or Argentine pesos. a non-binding draft of a bill intended to supersede the current Acceptable use policy terms usually list behaviours and actions Argentine Data Protection Law. The draft bill includes several aspects relevant to cloud computing. Among other things, it: which are considered unacceptable, and state that the provider • limits the concept of data subject to natural persons and reserves the right to discontinue the service if the customer engages in excludes legal entities; these activities. Regarding variations in the terms of service, providers • revisits general concepts included in the current Argentine tend to include provisions that allow them to alter the terms and condi- Data Protection Law, such as databases, personal data and tions of the services and regulate how notification occurs. sensitive data, and it incorporates new ones; • includes accountability obligations and eliminates the 19 What are the typical terms of a B2B public cloud computing requirement of registering databases with the DPA; contract in your jurisdiction covering data and confidentiality • establishes that the legal basis for the processing of personal considerations? data is still the data subject’s express consent, although under specific circumstances, consent can be given implicitly, with Cloud computing contracts tend to provide that the service providers the addition of the data processor’s legitimate interest as a new will implement security measures to protect their customer’s con- legal basis; tent and prevent any unauthorised access. In particular, this type of • expressly acknowledges the right to be forgotten and the right agreements may establish that only the service provider’s employees to data portability; or contractors will have access to the customer’s content and, only • includes an obligation to notify of data breaches in certain as required, to render the services. Some systems may include the cases; possibility of encrypting certain data, or of replicating data in differ- • includes an obligation to appoint a data protection officer in ent servers to ensure access to the content in the event of a system public agencies, big data operations, and when the processing failure. of sensitive data is a principal activity; and • mandates the enactment of an impact analysis when the data 20 What are the typical terms of a B2B public cloud computing processor intends to treat personal data in such a way that there contract in your jurisdiction covering liability, warranties and is a high risk of affecting fundamental data subject rights. provision of service? Cloud computing services contracts generally contain clauses which limit the provider’s liability. Some of these clauses limit the total liabil- processing, while the other is aimed at non-computerised processing. ity of the provider for any claim to the amounts paid for the service. They include guidelines on measures on collection, access, modifica- Others state that liability is limited to the farthest extent allowed by the tion, recovery and destruction of data, as well as on vulnerability man- applicable laws. agement, security incidents and development. It is worth noting that under the CCC, any provisions that limit liability are invalid if they affect inalienable rights, are against good Cloud computing contracts faith, good customs or imperative laws, or are abusive. 16 What forms of cloud computing contract are usually adopted In relation to warranties and provision of services, it is common in your jurisdiction, including cloud provider supply chains (if for agreements to include a clause that states that services are pro- applicable)? vided ‘as-is’. Conversely, they tend to exclude specific warranties, As a rule, cloud computing contracts are generally non-negotiated, and such as non-interruption of services or freedom from errors. They customers may choose from different options. Pay-as-you-go type of may, however, include clauses related to a reasonable level of care or subscriptions, baseline agreements and PaaS subscriptions are all com- diligence. mon. In baseline agreements, the customers are able to estimate the amount of services they expect to require, which allows them to have 21 What are the typical terms of a B2B public cloud computing access to better pricing conditions than those available in pay-as-you- contract in your jurisdiction covering intellectual property go models. rights (IPR) ownership in content and the consequences of Overall, provisions contained in cloud services agreements are infringement of third-party rights? more or less standardised among different global providers, and tend In connection with IPR ownership of content, cloud computing con- not to vary greatly. tracts usually state that the customers’ content belongs exclusively to them, and that the agreement grants the service provider no IPR rights. 17 What are the typical terms of a B2B public cloud computing Any access or use of the content by the service provider is generally contract in your jurisdiction covering governing law, restricted to that which is necessary to provide the services. jurisdiction, enforceability and cross-border issues, and Moreover, cloud services agreements generally state that the cus- dispute resolution? tomer is responsible for its content, and must obtain all necessary con- In connection with governing law, some providers establish the law sents and ensure that there is no infringement of third-party rights. An and courts of the country where their headquarters are located. infringement of third-party rights could be listed as an action that vio- However, providers with local presence may establish the application lates acceptable use. In addition, there could be a limitation of liability of Argentine law instead. Dispute resolution terms may differ, and or indemnity provision related to IPR claims filed by third parties for include local courts, foreign courts or arbitration. customer content. It is worth noting that choice of law and jurisdiction clauses may be subject to restrictions if Argentine law applies. For example, under the 22 What are the typical terms of a B2B public cloud computing CCC, disputes arising from consumer agreements cannot be resolved contract in your jurisdiction covering termination? by arbitration. Considering that, in the case of B2B cloud computing, the services provided may be important for the customer to be able to continue its ordinary business, the terms of a cloud contract may include provisions that aim to regulate the transition to another service provider or the migration of data.

10 Getting the Deal Through – Cloud Computing 2019

Regarding termination, contracts usually state that either party 25 Outline the indirect taxes imposed in your jurisdiction that may terminate the cloud services agreement due to non-compliance of apply to the provision from within, or importing of cloud the other party. From the standpoint of the service provider, a customer computing services from outside, your jurisdiction. infringement could include lack of payment, violation of the accepta- In relation to VAT, this tax applies, among other things, to the provision ble use provision or infringement of third-party rights. There may also of services rendered within Argentina. The current general rate for this be a unilateral right to terminate the contract for both parties, after a tax is 21 per cent. However, in cases where the services are rendered certain prior notice has been granted. in Argentina but effectively used or exploited abroad, they would be deemed as rendered abroad and therefore would not be subject to VAT. 23 Identify any labour and employment law considerations that A recent amendment to the VAT Law introduced a new taxable apply specifically to cloud computing in your jurisdiction. event related to the provision of digital services by an individual or There are no labour or employment law considerations that specifi- company domiciled abroad when its use or effective exploitation is car- cally apply to cloud computing. As a result, general principles and ried out in Argentina, as long as the customer is not subject to the tax provisions set forth in international treaties, the Argentine National for other taxable events and does not assume the quality of registered Constitution, the Labour Contract Law No. 20,744, collective bar- taxpayer. gaining agreements, case law and any other labour regulations could The VAT Law also includes a definition of digital services, which be applicable. are understood, regardless of the device used for download, display These general principles include the employer’s faculties to organ- or use, as those carried out through the internet or any adaptation or ise the company economically and technically, and the control over the application of protocols, platforms or technology used by the inter- worker’s activity and working conditions. A corporate policy on elec- net or other networks through which equivalent services are provided tronic communications and tools in the workplace could be considered that, by their nature, are basically computerised and require minimum among those instructions. In turn, the employees’ compliance with the human intervention. The tax resulting as a consequence of the provi- policy could be regarded as part of the duty of due diligence and coop- sion of digital services is paid by the customer directly or through a eration. A case-by-case analysis, though, is key to confirm this rule as reverse withholding mechanism. applicable to specific facts. During the past few years, labour case law has been developing an Recent cases increasing broad concept of working tools, which has included not only 26 Identify and give details of any notable cases, or commercial, a corporate email account, but also information technologies, comput- private, administrative or regulatory determinations within ers, software, internet access and internet use, among others. the past three years in your jurisdiction that have directly As a result, case law and most legal authors agree that corporate involved cloud computing as a business model. email and other communication tools should be deemed as work tools and, thus, the employer should be authorised to duly control Some recent international developments in connection with data pro- its use. tection and privacy may have some impact on cloud computing as a business model. Taxation In particular, the Cambridge Analytica case involving Facebook had some local effects. After the facts became public in early 2018, the 24 Outline the taxation rules that apply to the establishment and Data Protection Authority launched an investigation on the practices operation of cloud computing companies in your jurisdiction. of Facebook’s Argentine company to determine whether there had Any company performing activities in Argentina would be subject to been an infringement of Argentine Data Protection Law No. 25,326. the general tax regime. In addition, if the company complies with the This raised awareness at a local level regarding the importance of tak- requirements set forth in the Software Law to qualify for the promotion ing into account data protection matters when providing technological regime, it may also benefit (see question 7). services in general. Additionally, the EU’s General Data Protection Regulation (GDPR) may also have an impact on the provision of cloud computing services in Argentina, since the most important service providers are global companies. In this context, and taking into account that the GDPR has extraterritorial application in some instances, its existence may translate in practice to a higher common standard in data protection matters.

Diego Fernández [email protected]

Av. Leandro N. Alem 882 Tel: +54 11 4310 0100 Buenos Aires Fax: +54 11 4310 0200 Argentina www.marval.com

www.gettingthedealthrough.com 11

Australia

Adrian Lawrence and Caitlin Whale Baker McKenzie

Market overview 4 How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction? 1 What kinds of cloud computing transactions take place in your jurisdiction? Australia is a keen adopter of cloud computing. Cloud computing is a fast-growing industry in Australia and IT research firm Gartner fore- In Australia, many kinds of cloud computing transactions take place, casts that public cloud services will reach A$4.6 billion in 2018 and but the market is primarily composed of four service models and four $5.45 billion in 2019. The growth from 2017 to 2018 is largely driven by deployment models. The four service models are: a nearly 25 per cent increase in spending on SaaS offerings. Accordingly, • software-as-a-service (SaaS), providing software services hosted Australia offers opportunities for growth in cloud services, with its from the cloud; developed ICT infrastructure well suited to cloud computing. • platform-as-a-service (PaaS), providing an environment for the Gartner has also noted that security and privacy concerns have development and hosting of applications; inhibited public cloud adoption. There appears to be room for more • business processing-as-a-service (BPaaS), delivering business pro- education to help organisations overcome such concerns to continue cess outsourcing services that are sourced from the cloud; and the high rate of predicted growth in adopting cloud computing. • infrastructure-as-a-service (IaaS), offering data centre capacity, processing resources and storage. 5 Are data and studies on the impact of cloud computing in your jurisdiction publicly available? Within each of the service models, there are four main deployment models: Yes, both the Australian government and industry bodies have pub- • the private cloud – for exclusive use by a single organisation; lished reports on the impact of cloud computing. • the community cloud – for exclusive use by a specific community of At a government level, the Australian Bureau of Statistics com- users from organisations that have shared concerns; pletes an annual survey of IT Use and Innovation in Australian • the public cloud – for open use by the general public and owned by Business. Some of this data provides details about the number of an organisation selling cloud computing; and Australian businesses using commercial cloud computing services. • the hybrid cloud – composed of two or more distinct cloud Furthermore, the Australian Communications and Media Authority infrastructures. published ‘Communications Report Series – Report 2 Cloud Computing in Australia’ in March 2014, which noted the government cloud comput- Typically, Australian cloud computing services providers come from ing strategy to relocate critical data to a secure government cloud from communications carriers and information, communications and tel- older infrastructure. ecommunications (ICT) providers. Established Australian ICT provid- At an industry level, organisations and research firms have pub- ers, Telstra and Optus, have both significantly expanded their cloud lished reports that discuss the impact of cloud computing in Australia. offerings in 2016-2017. International Data Corporation’s end-user study Cloudview surveys Australian businesses. In addition, organisations including Media 2 Who are the global international cloud providers active in Access Australia have reported on the impact of cloud for specific your jurisdiction? users, such as people with disabilities, in ‘The Accessibility of Cloud Computing – Current and Future Trends.’ Baker McKenzie also con- The global cloud computing service providers servicing the Australian ducts an annual Cloud and Digital Transformation Survey that sur- market include Amazon Web Services, Microsoft, Oracle, Salesforce, veys vendors, professional advisers and customers of cloud computing IBM, Rackspace and Hewlett Packard. services. 3 Name the local cloud providers established and active in your Policy jurisdiction. What cloud services do they provide? The local cloud computing service providers in Australia include 6 Does government policy encourage the development of your Macquarie Telecom, Vault Systems, SlicedTech, Cloud Central, jurisdiction as a cloud computing centre for the domestic Ultraserve, Brennan IT and Servers Australia. market or to provide cloud services to foreign customers? The larger providers including Macquarie Telecom and Vault The Australian government is committed to developing the country Systems provide a hybrid cloud service as well as a private cloud and as a cloud computing centre for the domestic market and to provide servers. SlicedTech also provides a hybrid cloud, with a focus on pro- international cloud services. The Australian government’s Digital duction and backup storage. Transformation Agency launched a new cloud strategy for govern- The types of cloud services provided range from open and pri- ment agencies in February 2018, which focuses on building public sec- vate cloud platforms and dedicated servers to storage. For example, tor understanding of cloud and confidence in using it. Furthermore, Macquarie Telecom provides a hybrid cloud, VMware cloud, private Australia’s trade-friendly policy environment makes the country an cloud, colocation, dedicated servers, managed hosting, management attractive market for overseas cloud exporters, where current leaders in tools and data centre extensions. Vault Systems provides similar fea- the Australian cloud services market include international companies tures, including a hybrid cloud, open cloud platforms, private networks, such as Amazon Web Services, IBM and Microsoft. a virtualised server and backup storage. While SlicedTech provides a The Australian government has identified three core goals to hybrid cloud, it also provides production and backup storage. achieve its cloud services vision – by maximising the value of cloud computing in government; promoting cloud computing to small businesses,

12 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Baker McKenzie AUSTRALIA not-for-profits and consumers; and supporting a vibrant cloud services 12 What consumer protection measures apply to cloud sector in Australia. This was followed by the publication of the Australian computing in your jurisdiction? Government Cloud Computing Policy, which outlined the goal of the The Australian Consumer Law, the primary consumer protection leg- government to reduce the cost of government ICT by ‘using cloud ser- islation in Australia, will apply to any cloud computing services sup- vices to reduce costs, lift productivity and develop better services’. plied to individuals or small to medium businesses in Australia. This includes an unfair contract terms regime and statutory consumer 7 Are there fiscal or customs incentives, development grants guarantees. or other government incentives to promote cloud computing The unfair contract terms regime renders void any ‘unfair’ terms operations in your jurisdiction? in standard form consumer or small business contracts and, in the case We are not aware of any Australian governmental incentives or grants of small businesses, applies when: that specifically promote cloud computing. However, more general • at least one of the parties is a ‘small business’ (ie, employs fewer grants such as the ‘business growth grants’ are one of the services of the than 20 people, including casual employees employed on a regular Australian government’s Entrepreneurs’ Programme, which encourages and systematic basis); businesses to update IT systems. The business growth grants provide • the upfront price payable under the contract is no more than eligible businesses with up to A$20,000 for a business improvement A$300,000 (or A$1 million if the contract is for more than 12 project, and intends to help small businesses and start-ups in Australia months); and grow quickly and create more jobs. • it is for the supply of goods or services or the sale or grant of an interest in land. Legislation and regulation A term of a standard form small business contract will be considered 8 Is cloud computing specifically recognised and provided for in to be unfair if: your legal system? If so, how? • it would cause a significant imbalance in the parties’ rights and No, there is no specific reference to cloud computing in legislation. obligations under the contract; However, regulators have referred to it as a distinct concept (eg, the • it is not reasonably necessary to protect the legitimate interest of a Privacy Commissioner specifically refers to cloud computing in guide- party to the contract (note that the party who would be advantaged lines regarding the application of privacy laws in Australia). by the term must prove that it is reasonably necessary); and • it would cause detriment to a party to the contract if it were to be 9 Does legislation or regulation directly and specifically applied or relied upon. prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction? The statutory consumer guarantees will also apply if individual goods No. or services being provided are deemed to be valued at less than A$40,000. These guarantees relate to being of acceptable quality, fit 10 What legislation or regulation may indirectly prohibit, restrict for a particular purpose, matching description, title, repairs or spare or otherwise govern cloud computing, in or outside your parts, possession and securities. jurisdiction? 13 Describe any sector-specific legislation or regulation that The Privacy Act 1988 (Cth) (the Privacy Act) regulates any overseas applies to cloud computing transactions in your jurisdiction. disclosures of personal information, a matter that is clearly relevant to many cloud computing implementations. Any organisation covered by There are obligations under the Prudential Standard CPS 231 for cer- the Australian Privacy Principles under the Privacy Act must comply tain regulated organisations in the financial services sector seeking with certain obligations when disclosing personal information outside outsourcing services outside of Australia. of Australia. Additionally, certain government departments have their own Under Australian Privacy Principle 8, before disclosing data outside policies regarding the use of cloud computing services such as the of Australia, the party disclosing the data must take such steps, if any, as Department of Finance (see, for example, the Australian Government are reasonable to ensure that the recipient does not breach the Privacy Cloud Computing Policy). Act. Unless an exemption applies, the disclosing party will be liable for any breaches of the Privacy Act by the recipient. One exception is if the 14 Outline the insolvency laws that apply generally or disclosing party reasonably believes that the recipient is subject to a law specifically in relation to cloud computing. or binding scheme that has the effect of protecting the information to at There are no insolvency laws in Australia specific to the provision of least a substantially similar level to the Privacy Act, and there are mech- cloud computing services. anisms that the individual to whom the information relates can access in General insolvency laws in Australia will operate in the context of order to enforce that law or binding scheme. Consent is a further excep- cloud computing services in relation to the insolvency of an Australia- tion, provided an individual consents to the disclosure of the personal based cloud provider. Such laws could, in relevant circumstances, information to the overseas recipient having been informed that by result in the appointment of an insolvency practitioner, such as a doing so the disclosing entity will not be held liable for the actions of the receiver, voluntary administrator or liquidator, as the controller of the overseas recipient with respect to that personal information. cloud provider. The Australian Prudential Regulation Authority also has Prudential In such instances, the rights of customers of the cloud provider will Standard CPS 231 regarding outsourcing, which requires that all out- primarily remain regulated under the agreement pursuant to which the sourcing arrangements (which would typically include the use of cloud cloud services are provided. However, it is clearly possible that such services) involving material business activities entered into by an APRA- circumstances could lead to the restructuring or ultimately the liquida- regulated institution be subject to appropriate due diligence, approval tion of the cloud provider, and the cessation of the relevant services. and ongoing monitoring. Key questions at that point include the rights of customers to receive transitional services to enable transition to an alternative provider, as 11 What are the consequences for breach of the laws directly well as access to customer data. In some instances, cloud providers or indirectly prohibiting, restricting or otherwise governing subject to external administration may be entitled to disclaim certain cloud computing? contractual obligations or terminate customer contracts. Customers The Australian privacy regulator (the Office of the Australian with claims against such cloud providers will be required to participate Information Commissioner) has the power to investigate matters in relevant processes as (generally unsecured) creditors. (based on complaints or the regulator’s own initiative), accept enforcea- For contracts entered into after 1 July 2018, contractual rights that ble undertakings, make determinations, bring proceedings and apply to arise only because of certain insolvency-related events (entering into a court for a civil penalty order in certain cases. Civil penalties for seri- an arrangement or compromise in order to avoid an insolvent wind- ous interferences of privacy can be up to A$2.1 million for corporations. ing up, the appointment of a receiver or similar, or a company entering into administration) will be unenforceable in certain circumstances. Practically this may limit the enforcement of suspension, termination www.gettingthedealthrough.com 13

© Law Business Research 2018 AUSTRALIA Baker McKenzie or step-in rights until the statutory stay on enforcement is lifted by a Certain providers will identify their compliance with international court order, or consent to enforcement is given by the counterparty standards such as the ISO 27000 series. (or the administrator, scheme administrator or managing controller • Data preservation during the contract term – the cloud provider is appointed to the counterparty). likely to offer an additional backup option for its customers. If there is a data breach leading to data loss, the cloud provider does not Data protection/privacy legislation and regulation usually automatically provide for a requirement for the provider to reinstate the data at no cost. 15 Identify the principal data protection or privacy legislation • Location of servers and data – the larger cloud providers, such as applicable to cloud computing in your jurisdiction. AWS, provide options for customers to select where their data will The Privacy Act is the primary legislation regulating the collection be located subject to higher pricing. and storage of personal information in a cloud computing context in • Cross-border transfers – cloud providers are generally quite trans- Australia. parent about the location of their servers and how customer data may be transferred outside of Australia. However, options to keep Cloud computing contracts data in certain locations are generally offered at an additional price. 16 What forms of cloud computing contract are usually adopted • Confidentiality – cloud providers generally require their customers in your jurisdiction, including cloud provider supply chains to agree to standard confidentiality protections of provider confi- (if applicable)? dential information. Typically, confidentiality is dealt with as part Reporting by Gartner identifies the following breakdown of cloud of a provider’s security measures. computing contracts in the Australian market: • SaaS – 57 per cent; 20 What are the typical terms of a B2B public cloud computing • PaaS – 6 per cent; contract in your jurisdiction covering liability, warranties and • IaaS – 12 per cent; and provision of service? • BPaaS – 20 per cent. The typical terms are: • Liability of the provider or customer, including exclusions, limita- Cloud management and security services account for the remainder tions and caps on liability – cloud providers typically tend to seek of the market exclusions of consequential losses including data losses, a liability cap based on a certain number of months of fees (usually 12) across 17 What are the typical terms of a B2B public cloud computing most, if not all, possible heads of damage and also seek to exclude contract in your jurisdiction covering governing law, all possible warranties or representations except to the extent per- jurisdiction, enforceability and cross-border issues, and mitted by law. dispute resolution? • Warranties from the provider or customer – typically, the provider Given that the majority of cloud providers are based outside of will limit any specific service-related warranties given to the cus- Australia, the typical terms are: tomer and rely instead on service-level agreements (SLAs). • governing law – the governing law of the territory in which the • Indemnities from the provider or customer – common customer cloud provider is based is commonly selected; indemnities are for violations of law, wilful misconduct or gross • jurisdiction – it will likely be the jurisdiction where the cloud pro- negligence and third-party IP infringement; common provider vider is based; indemnities are for violations of law, wilful misconduct or gross • enforceability and cross-border issues – although the jurisdiction is negligence, data security breaches and third party IP infringement. often specified to be the jurisdiction in which the cloud provider is • Service availability – each provider will offer its own SLAs with based, or at least, is outside of Australia, if the activity is related to respect to availability. Australia (eg, is provided to a business in Australia), an Australian • Reliability and quality, including service levels and key perfor- court will likely find that it has jurisdiction over the matter and can mance indicators – each provider will offer its own SLAs with enforce a foreign governing law; and respect to availability. • dispute resolution – arbitration is the most common dispute reso- • Business continuity and disaster recovery – most providers will lution mechanism in a typical B2B cloud computing implementa- offer this service for an additional cost depending on customer tion in Australia. requirements.

14 Getting the Deal Through – Cloud Computing 2019

23 Identify any labour and employment law considerations that 25 Outline the indirect taxes imposed in your jurisdiction that apply specifically to cloud computing in your jurisdiction. apply to the provision from within, or importing of cloud None. computing services from outside, your jurisdiction. Cloud computing services provided from within Australia (for exam- Taxation ple, from Australian-based servers) will likely be subject to Australian GST. GST is a broad-based consumption tax that applies to the provi- 24 Outline the taxation rules that apply to the establishment and sion of many goods and services (including cloud computing services) operation of cloud computing companies in your jurisdiction. at a rate of 10 per cent of the price. For example, if a cloud computing Overview of generally applicable tax rates service cost A$110 (GST inclusive), the provider would be required to • Corporate income tax rate: 30 per cent (27.5 per cent for compa- remit AU$10 to the ATO. nies with turnover less than A$50 million for the 2018-19 financial GST is intended to be borne by final consumers, and as such, gener- year); ally does not represent a real cost to businesses as they are typically able • goods and services tax (GST) rate: 10 per cent; to recover any input GST paid by way of an ‘input tax credit’. However, • royalty withholding tax: 30 per cent (may be modified by provi- where an entity makes ‘input taxed supplies’ (with the most notable sions of income tax treaties); and example being the financial services industry), it is blocked from recov- • foreign capital gains withholding: 12.5 per cent. ering any GST (unless a ‘reduced’ input tax credit is available). In relation to cloud computing services provided from outside of Cloud computing companies that establish operations in Australia will Australia, from 1 July 2017, Australia’s new cross-border GST electroni- likely be subject to Australian income tax, and certain employment cally supplied service (ESS) rules may require the cloud computing taxes if they employ people locally (including pay-as-you-go with- company to account for GST in certain circumstances. Where a non- holding and payroll tax). Further, where a cloud computing company resident provides a cloud computing service to an entity that is resident acquires land (for example, to construct a data centre on), they may in Australia and not registered for GST (ie, a consumer), and that non- be subject to state-based stamp duty regimes, where the duty rate can resident’s sales exceed A$75,000 per year (the GST threshold), the reach up to 13.5 per cent of unencumbered market value of the land non-resident will be required to account for GST. acquired by foreign cloud computing companies. While the ESS rules are not intended to apply in respect of business- Particularly relevant to foreign multinational cloud computing to-business (B2B) transactions, the non-resident supplier is required to companies, Australia has recently instituted a set of laws in response collect the Australian Business Number (ABN) and a declaration as to to the Organization for Economic Co-operation and Development’s GST registration status from the recipient before treating a B2B trans- efforts on base-erosion and profit-shifting: the multinational anti- action as not subject to GST. Practically, this means that while a purely avoidance law (MAAL) and diverted profits tax (DPT). These laws B2B non-resident cloud computing company should not be required to work together to ensure that an appropriate amount of income tax is account for GST on its supplies, it is likely to be required to change its paid in Australia, and Australia’s tax authority, the Australian Taxation onboarding and business systems to ensure that it collects the neces- Office (ATO), has been given broad powers to investigate and sanction sary information from its customers in order to establish that the cus- corporate structures that are seen to result in too little tax being paid tomers are GST-registered business entities. in Australia. This means that any cloud computing company looking to establish operations in Australia will need to have close regard to Recent cases its taxable position, transfer pricing policy, permanent establishment position and application of Australian income tax. 26 Identify and give details of any notable cases, or commercial, Additionally, where a locally established cloud computing com- private, administrative or regulatory determinations within pany pays a royalty to a foreign entity (for example, a royalty for use the past three years in your jurisdiction that have directly of intellectual property or technology to a foreign parent entity) that involved cloud computing as a business model. royalty may be subject to royalty withholding tax at a general rate of 30 None. per cent (which may be modified by provisions of an income tax treaty between Australia and another jurisdiction).

Adrian Lawrence [email protected] Caitlin Whale [email protected]

Tower One, International Towers Tel: +61 2 9225 0200 Level 46, 100 Barangaroo Avenue Fax: +61 2 2 9225 1595 Sydney NSW, 2000 www.bakermckenzie.com Australia

www.gettingthedealthrough.com 15

Bangladesh

Sharif Bhuiyan and Maherin Khan Dr Kamal Hossain and Associates

Market overview all sensitive data of the country, will start in February 2018 (www.the- dailystar.net/business/national-data-centre-be-ready-2017-1302760). 1 What kinds of cloud computing transactions take place in your jurisdiction? 7 Are there fiscal or customs incentives, development grants Users in Bangladesh are able to access all kinds of cloud computing or other government incentives to promote cloud computing services including software-as-a-service (SaaS), infrastructure-as-a- operations in your jurisdiction? service, platform-as-a-service (PaaS) and storage. Most users generally The ‘National Information and Communication Technology Guidelines use global international cloud providers. 2015’ envisages the establishment of software technology parks, hi- tech parks and ICT incubators. In order to encourage investment in this 2 Who are the global international cloud providers active in sector, the guidelines also envisage tax holiday and other incentives. your jurisdiction? Under section 46C of the Income Tax Ordinance 1984 (ITO), cer- Users in Bangladesh are able to access all the global international cloud tain tax exemptions are available to hi-tech parks, ICT villages or soft- providers. ware technology zones and IT parks.

3 Name the local cloud providers established and active in your Legislation and regulation jurisdiction. What cloud services do they provide? 8 Is cloud computing specifically recognised and provided for Some local companies provide cloud computing services. Their ser- in your legal system? If so, how? vices include providing SaaS, PaaS and storage services. Cloud computing is not yet expressly mentioned as a commercial, tech- 4 How well established is cloud computing? What is the size of nological or operational concept in our legal system. the cloud computing market in your jurisdiction? 9 Does legislation or regulation directly and specifically Cloud computing is still not very established in Bangladesh. We were prohibit, restrict or otherwise govern cloud computing, in or not able to find any reliable market statistics. outside your jurisdiction? 5 Are data and studies on the impact of cloud computing in your There is no legislation or regulation that directly and specifically pro- jurisdiction publicly available? hibits, restricts or otherwise governs cloud computing, in (onshore) or outside (offshore) Bangladesh. Bangladesh is not part of the EU and, as We were unable to find any reliable data or studies on the impact of such, EU laws do not have any direct effect in our jurisdiction. cloud computing in Bangladesh. 10 What legislation or regulation may indirectly prohibit, restrict Policy or otherwise govern cloud computing, in or outside your 6 Does government policy encourage the development of your jurisdiction? jurisdiction as a cloud computing centre for the domestic Section 35 of the Bangladesh Telecommunication Regulation Act, market or to provide cloud services to foreign customers? 2001 (the 2001 Act) sets out the circumstances under which one The government of Bangladesh is taking various steps to develop the needs licence from the Bangladesh Telecommunication Regulatory IT sector in Bangladesh. In 2014, it was reported that the Bangladesh Commission (BTRC). Section 35 of the 2001 Act, inter alia, provides as government is planning to move to cloud computing ‘G’ (government) follows: to preserve the country’s sensitive data. According to the Information Security Policy Guidelines, all gov- Requirement for licence for telecommunication, internet etc – ernment agencies will be brought under the e-governance framework. (1) Subject to subsection (3), no person shall, without a licence: Different government ministries or divisions, departments or agencies (a) install or operate a telecommunication system in and their subordinate bodies have started implementing e-governance. Bangladesh or undertake any construction work of such system; The intention is to improve and ease the government work process and (b) provide in Bangladesh or to any place outside Bangladesh to increase the productivity of the government. any telecommunication service; According to the ‘National Information and Communication (c) undertake any construction work for providing internet Technology Guidelines 2015’, one of the action plans of the govern- service or install or operate any apparatus for such service. ment includes creating data centres to preserve government informa- (Unofficial translation) tion and central hosting of e-services. One of the leading national daily newspapers reported in 2016 The term ‘telecommunication’ has been defined in section 2(11) of the that the construction of the national data centre (National Tier IV Data 2001 Act to mean transmission and reception of any speech, sound, Centre) will be completed by 2017. This US$154- million project is being sign, signal, writing, visual image or any other intellectual expression implemented by Chinese telecom giant ZTE Corporation. ZTE started by way of using electricity or electro-magnetic or electro-chemical or building the government-sponsored centre at the Hi-Tech Park in electro-mechanical energy through cable, pipe, radio, optical fibre or Kaliakoir, Gazipur. The test run of the data centre, which will preserve other electro-magnetic or electro-chemical or electro-mechanical or satellite communication system.

16 Getting the Deal Through – Cloud Computing 2019

Although the aforesaid provisions may be interpreted as indirectly safeguards to protect sensitive payment card data). The banks or NBFIs covering cloud computing, on contacting BTRC on a no-name basis, are required to ensure that sensitive card data is encrypted to ensure we were informed that cloud computing service does not require a the confidentiality and integrity of these data in storage and transmis- licence under these provisions. sion. It also sets out detailed procedure for the security of data centres Bangladesh is not a part of the EU and, as such, EU laws do not in which critical systems and data of a bank or NBFI are concentrated have direct effect in our jurisdiction. and housed. Banks or NBFIs are required to establish baseline standards to ensure security for operating systems, databases, network 11 What are the consequences for breach of the laws directly equipments and portable devices. or indirectly prohibiting, restricting or otherwise governing In the telecoms sector, operators are required to maintain con- cloud computing? fidentiality of subscriber information. The Cellular Mobile Phone Not applicable. Operator Regulatory and Licensing Guidelines 2011 and Regulatory and Licensing Guidelines for Establishing, Operating and Maintaining 12 What consumer protection measures apply to cloud 3G Cellular Mobile Phone Services stipulate various conditions in the computing in your jurisdiction? licences of the mobile phone operators. One such condition is subscriber confidentiality. Accounting information and user information There are no specific consumer protection measures that apply to cloud of subscribers cannot be transferred to any person or place outside computing in Bangladesh. Bangladesh. Similar restrictions apply to licensees providing other telecommunication services, such as an internet protocol telephony 13 Describe any sector-specific legislation or regulation that service. applies to cloud computing transactions in your jurisdiction. The government has also taken a number of measures to ensure There is no sector-specific legislation that applies to cloud computing cybersecurity and information security. For example, the National transactions in Bangladesh. Cybersecurity Strategy outlines a framework for organising and prior- itising efforts to manage risks to the cyberspace or critical information 14 Outline the insolvency laws that apply generally or infrastructure. It outlines minimum-security measures that stakehold- specifically in relation to cloud computing. ers must abide by to claim compliance with national cybersecurity The insolvency laws in Bangladesh do not expressly deal with bank- requirements. ruptcy of a cloud computing supplier. Therefore, the general bank- The Information Security Policy Guidelines was issued to help gov- ruptcy laws would be applicable. Bankruptcy in Bangladesh is primarily ernment agencies formulate their own Information Security Policy to governed by the Bankruptcy Act 1997. The Act makes provision for, protect their information in the cyberspace (including information that inter alia, the order of preferential payments from the distributable is moving in the intranet or LAN or in the cloud, or simply stored in an assets of the bankrupt, management of distributable assets, appoint- internal database or in a PC). ment of receiver and so on. Cloud computing contracts Data protection/privacy legislation and regulation 16 What forms of cloud computing contract are usually adopted 15 Identify the principal data protection or privacy legislation in your jurisdiction, including cloud provider supply chains (if applicable to cloud computing in your jurisdiction. applicable)? There is no specific data protection or privacy legislation applicable to There is no specific form of cloud computing contracts. cloud computing contracting or contracts. There are some sector specific data protection laws. However, these provisions apply generally 17 What are the typical terms of a B2B public cloud computing and are not limited to cloud computing contracting or contracts. contract in your jurisdiction covering governing law, For example, under the Bank Companies Act, 1991, permission jurisdiction, enforceability and cross-border issues, and from Bangladesh Bank (the central bank of Bangladesh) would be dispute resolution? required for a banking company to remove from Bangladesh certain Not applicable. records or documents. Bangladesh Bank has issued various guidelines and circulars on cybersecurity and ICT security. These guidelines 18 What are the typical terms of a B2B public cloud computing and circulars set out various requirements that banks and non-bank contract in your jurisdiction covering material terms, such financial institutions must adhere to. The Guideline on ICT Security as commercial terms of service and acceptable use, and for Banks and Non-Bank Financial Institutions of 2015, for example, variation? sets out the minimum requirements to which banks and non-banking Not applicable. financial institutions (NBFI) must adhere to (eg, the bank or NBFI, which provides payment card services, should implement adequate

Dr. Kamal Hossain & Associates Barristers . Advocates . Legal Consultants

Sharif Bhuiyan [email protected] Maherin Khan [email protected]

Metropolitan Chamber Building, 2nd Floor Tel: +880 2 955 2946/956 4954 122-124 Motijheel CA Fax: +880 2 956 4953 Dhaka 1000 www.khossain.com Bangladesh

www.gettingthedealthrough.com 17

What are the typical terms of a B2B public cloud computing 19 Period of exemption Rate of exemption contract in your jurisdiction covering data and confidentiality considerations? For the first and second year 100 per cent of income Not applicable. For the third year 80 per cent of income For the fourth year 70 per cent of income 20 What are the typical terms of a B2B public cloud computing For the fifth year 60 per cent of income contract in your jurisdiction covering liability, warranties and provision of service? For the sixth year 50 per cent of income Not applicable. For the seventh year 40 per cent of income For the eighth year 30 per cent of income 21 What are the typical terms of a B2B public cloud computing For the ninth year 20 per cent of income contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of For the tenth year 10 per cent of income infringement of third-party rights? 25 Outline the indirect taxes imposed in your jurisdiction that Not applicable. apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction. 22 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination? ‘Cloud computing services’ are not expressly provided for in taxation laws. However, VAT is payable on ‘information technology enabled ser- Not applicable. vices’ (service code: S099.10), which includes digital content development and management, animation (both 2D and 3D), GIS, IT support 23 Identify any labour and employment law considerations that and software maintenance services, website services, business process apply specifically to cloud computing in your jurisdiction. outsourcing, data entry, data processing, call centre, graphics design, There are no labour or employment law considerations that apply spe- search engine optimisation, web listing, e-commerce and online shop- cifically to cloud computing contracting or contracts. ping, document conversion, imaging and archiving, any automated services rendered by internet or electronic network, e-procurement Taxation and e-auction. 24 Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction. Recent cases There are no specific taxation rules that apply to the establishment and 26 Identify and give details of any notable cases, or commercial, operation of ‘cloud computing companies’. However, under section private, administrative or regulatory determinations within 46C of the ITO, certain tax exemptions are available to hi-tech parks, the past three years in your jurisdiction that have directly ICT villages or software technology zone and IT parks. involved cloud computing as a business model. Under section 46C(1) of the ITO, income, profits and gains from None. certain physical infrastructure facilities (including hi-tech parks, ICT villages or software technology zones and IT parks) set up in Bangladesh between 1 July 2011 and 30 June 2019 (both days inclusive) are exempted from the tax payable under the ITO for 10 years begin- ning with the month of commencement of commercial operation, and at the rate, specified below.

18 Getting the Deal Through – Cloud Computing 2019

Belgium

Edwin Jacobs, Stefan Van Camp and Bernd Fiten time.lex

Market overview • Microsoft; • NetApp; 1 What kinds of cloud computing transactions take place in • Oracle; and your jurisdiction? • Zenith. With regard to public, hybrid and private cloud models: the public cloud usage in Belgian companies has grown in the period from 2012 3 Name the local cloud providers established and active in your to 2016, from 6 per cent to 12 per cent. (source: Cloudmakelaar, http:// jurisdiction. What cloud services do they provide? cloudmakelaar.be/2016/12/meer-dan-de-helft-van-belgische-bedrijf- • Acerta (SaaS for payroll and other HR services); svestigingen-gebruikt-cloud-applicaties). Hybrid clouds are also used, • Adc Antwerp (tier 3 data centre); although no exact numbers are available for this specific category. • ADMB (SaaS for payroll and other HR services); In the public sector, a notable community cloud project is the • Amplidata (storage facilities); development of the ‘G-cloud’. This is a voluntary cloud service for all • Arxus (hosting services); public sectors and services to centralise public governance in a single • Attentia (SaaS for payroll and other HR services); cloud. The G-cloud is a hybrid cloud, with the possibility of offering • Calligo (IaaS, SaaS, PaaS); infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and • Combell (hosting services); software-as-a-service (SaaS). For the development and functioning • CRM-Warehouse (cloud integrators); of the G-cloud, the government uses private cloud providers, such as • First Served (hosting services); IBM, Microsoft and Oracle. • Groep S (SaaS, PaaS for payroll and other HR services); Of the companies that use cloud services (see question 4), the fol- • Impro Biz (implementation of salesforce CRM); lowing percentages apply. Storage cloud services are the most used • Informat (SaaS for school administration); cloud service employed by Belgian companies (66.2 per cent). Next to • Isabel (SaaS for e-banking); storage services, e-mail services through the cloud are also strongly • LCL (tier 3 data centre); represented in the Belgian economy (57.2 per cent). With regard to • Nucleus (cloud hosting services); SaaS, software tools for managing finance and accounting (44.1 per • Partena (SaaS for payroll and other HR services); cent in 2015), standard office software (29.7 per cent in 2015), and • Protime (SaaS for workforce management); customer relationship management (CRM) (32.8 per cent in 2015) are • Proximus (XaaS private, public or hybrid cloud services); commonly used in Belgium. Regarding IaaS the most used applications • SAAS45 Channel (SaaS); are hosting services for company databases (48.6 per cent), processing • SaaSForce (cloud services distributor – SaaS); power for proprietary company software (31.8 per cent). • SAP (PaaS for app development); Cloud computing services are mostly used in the human resources • SD Worx (SaaS for payroll and other HR services); (HR) and banking sectors. In HR, cloud solutions are often offered • Securex (SaaS for payroll and other HR services); by social secretariats such as Partena, Attentia, SD Worx, Xerius and • Systemat (local cloud integrator); Securex. • Telenet (PaaS); Regarding notable cloud transactions, the Belgian bank Belfius • UnifiedPost (Saas); relies on the company Genesys to provide workforce management • Xaop (system integration in the cloud); and tools, which stem from cloud-based solutions. • ZapFi (OTT Wi-Fi cloud platform). Another notable cloud transaction was announced in 2013. IBM signed an agreement with Belgian bank Dexia and several major (Cloudmakelaar, http://cloudmakelaar.be/wp-content/uploads/2017/12/ financial institutions in Europe to build and manage their IT infra- CSP-catalog-2017_v2.pdf). structure (source: IBM and Dexia, www.dexia.com/EN/journalist/ press_releases/Documents/20131206_PR_IBM_DEXIA_agreement. 4 How well established is cloud computing? What is the size of EN.pdf). An IBM company called Innovative Solutions for Finance the cloud computing market in your jurisdiction? (ISFF). An IBM company called Innovative Solutions for Finance (ISFF) was designated for this, and sourcing contracts for a total value In Belgium, 28.5 per cent of the enterprises use cloud computing ser- of US$1.3 billion over seven years were signed. IBM agreed to imple- vices. This figure has risen by 7.2 per cent over the past two years. The ment a cloud infrastructure to expand ISFF services into new markets use of cloud computing services varies strongly in Belgium depending and optimise its existing information technology management. on the size of the enterprise: 64 per cent of larger companies (ie, 250 employees or more) use cloud computing services in Belgium, while 2 Who are the global international cloud providers active in only 25.1 per cent of smaller companies (ie, 10 to 249 employees) use your jurisdiction? cloud computing services (source: Christiaens, www.christiaens.net/ nl/nieuws/cloud-computing-in-belgie-cijfers). • Amazon; However, the growth of cloud computing has largely stagnated, • Google (Gmail, Google Drive, Google Docs, Google+, search as shown by reports from 2017. Without differentiating between large engine); or small enterprises, about 56 per cent of corporate establishments in • HP; Belgium use cloud applications (source: Belgium Cloud, http://bel- • IBM; giumcloud.com/2016/09/16/de-belgium-cloud-barometer). This is a • LaCie; slight increase compared with 2016 (52 per cent). Meanwhile, one out www.gettingthedealthrough.com 19

© Law Business Research 2018 BELGIUM time.lex of seven applications (in other words, 14 per cent of the applications In the public sector, a notable government initiative is the com- used by enterprises) is an application that runs in the cloud, which is munity cloud project ‘G-cloud’. This is a voluntary cloud service for again a slight increase compared to 2016 (one out of eight, or 12.5 per all public sectors and services to centralize public governance in a sin- cent of the applications used) (source: Belgium Cloud, http://belgium- gle cloud. The G-cloud is a hybrid cloud, with the possibility of offer- cloud.com/2016/09/16/de-belgium-cloud-barometer). ing IaaS, PaaS and SaaS. For the development and functioning of the Furthermore, the use of cloud computing differs greatly from G-cloud, the government uses private cloud providers, such as IBM, region to region in Belgium. A 2017 study conducted by Computer Microsoft and Oracle (source: G-Cloud, www.gcloud.belgium.be/nl/ Profile shows that cloud penetration in the Flanders region totalled index.html). 64 per cent, followed by the Brussels region with 54 per cent. Lastly, the Wallonia region only counts a penetration rate of 30 per cent (source: 7 Are there fiscal or customs incentives, development grants Belgium Cloud, http://belgiumcloud.com/2017/12/23/belgium-cloud- or other government incentives to promote cloud computing barometer-editie-2017/). A 2015 report by cloud service provider Aspex operations in your jurisdiction? shows that the familiarity rate of SMEs with the cloud is high in Brussels The Microsoft Innovation Centre (MIC) Flanders aims to stimulate (with 53 per cent of respondents claiming familiarity with cloud com- the development of Information and Communication Technology puting) while Flanders and Wallonia have low familiarity rates of 20 per in the Flanders region. One of their programs is a Microsoft Azure cent and 26 per cent, respectively (source: Aspex, http://blog.aspex.be/ Developer Camp. Here, companies can discover the possibilities of nl/zijn-er-nog-belgen-in-de-cloud). developing an app in the cloud through Microsoft Azure with the goal These regional differences continue in the types of cloud-based of improving, strengthening or changing their corporate projects and solutions, as can be noticed in the same Aspex report. Concerning methods (source: Microsoft, https://mva.microsoft.com/en-US/train- the use of SaaS, Brussels sports an impressive number of 52 per cent, ing-courses/transforming-it-infrastructure-services-with-azure-at- closely followed by Flanders with 43 per cent. Wallonia limps behind microsoft-18474?l=PqWWJPMVF_1612263987). with 27 per cent of respondents claiming the use of SaaS. The same rea- soning continues for IaaS, although the numbers greatly differ. Brussels Legislation and regulation leads the pack with 51 per cent. Flanders, however, sees a huge drop in percentage with only 31 per cent. Wallonia is hot on its heels with 28 per 8 Is cloud computing specifically recognised and provided for cent of respondents claiming to use IaaS solutions. in your legal system? If so, how? With regard to individual cloud computing use, a study of the A study on cloud computing by the FPS Finances (available at information society in Belgium has been conducted. This research https://economie.fgov.be/sites/default/files/Files/Publications/ shows that, of all Belgian individuals that have used the internet over files/20130730-Cloud-computing-NL.pdf) found that, at present, the past three months, 36.9 per cent have used cloud storage facilities Belgian law does not contain specific regulations on cloud computing. (in 2016) (source: FPS Economy, http://economie.fgov.be/nl/binaries/ Thus, there is currently no specific recognition of cloud computing as a Barometer_van_de_informatiemaatschappij_2017_tcm325-284038.pdf). commercial, technological or operational concept in the Belgian legal system. However, this might change in the near future with the trans- 5 Are data and studies on the impact of cloud computing in your position of the NIS Directive (see below). For the moment, reference jurisdiction publicly available? should be made to contract law, to specific rules on data protection (see The Belgian FPS Economy has published several studies on the impact question 15) and to the system of liability of data storage service provid- of cloud computing in Belgium – for example, the ‘Barometer van de ers (see question 10). informatiemaatschappij 2017’ (source: http://economie.fgov.be/nl/ It is also worth mentioning that in the financial sector, the National binaries/Barometer_van_de_informatiemaatschappij_2017_tcm325- Bank of Belgium (NBB) has described cloud computing in its communi- 284038.pdf) and ‘Cloudcomputing – een kans voor de Belgische cation of 9 October 2012 as an on-demand service model for provision Economie’ (source: https://economie.fgov.be/sites/default/files/ of IT services, mostly based upon virtualisation and internet tech- Files/Publications/files/20130730-Cloud-computing-NL.pdf). There niques. The NBB also refers in the same communication to a special are other studies or barometers conducted by non-governmental publication of the US National Institute of Standards and Technology actors such as Computer Profile or IT companies such as Christiaens. on the NIST definition of cloud computing (available at http://nvlpubs. It should also be noted that cloud computing communities such as nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf). Belgium Cloud bring out reports about the state of cloud computing in Belgium from time to time. 9 Does legislation or regulation directly and specifically At present, there are no studies on the impact of cloud computing prohibit, restrict or otherwise govern cloud computing, in or on more traditional forms of IT outsourcing and other IT transactions outside your jurisdiction? conducted in Belgium. Only a 2016 study conducted by Computer There is currently no legislation or regulation applicable to cloud com- Profile stated that the growth of cloud services and hosted services is puting in Belgium which directly and specifically prohibits, restricts, or at the expense of on-premises solutions, without further data or statis- otherwise governs cloud computing. tics. More research is necessary to establish the exact impact of cloud However, it should be noted that the European Directive (EU) services on the traditional IT sector in Belgium. 2016/1148 on security of network and information systems (NIS Directive) defines the notion of ‘cloud computing service’ for the first Policy time. Pursuant to article 4(19) of the NIS Directive, a cloud computing service is a digital service that enables access to a scalable and elastic 6 Does government policy encourage the development of your pool of shareable computing resources. jurisdiction as a cloud computing centre for the domestic The NIS Directive was adopted by the European Parliament on market or to provide cloud services to foreign customers? 6 July 2016, but has not yet been transposed into Belgian legislation. Yes, through the creation of, among others, Digital Belgium. This action However, on 13 July 2018, the Cabinet, acting on a proposal from Prime plan establishes a long-term vision for the digital economy in Belgium Minister Charles Michel and Minister of Security and Home Affairs Jan and aims to place Belgium in the top three of the European Digital Jambon, approved a preliminary draft law establishing a framework for Economy and Society Index by 2020. Additional goals are the creation the security of network and information systems of general interest for of 1,000 new enterprises and 50,000 new jobs across all sectors, also public security. (source: Presscenter, http://www.presscenter.org/nl/ by 2020 (source: Digital Belgium, http://digitalbelgium.be/en). pressrelease/20180713/kader-voor-de-beveiliging-van-netwerk-en- Wallonia attempts to attract big players such as Microsoft informatiesystemen-voor-de-openbare-v). Currently, the Belgian Law and Google through attractive research grants and further inves- of 1 July 2011 on the security and protection of critical infrastructures tigation into subsidising (done by AWEX). As a consequence, does not mention cloud computing services. Google has built its first data centre outside of the US in Mons (Wallonia) in 2015 (source: Wallonia, www.wallonia.be/en/news/ google-inaugurates-second-data-center-mons).

20 Getting the Deal Through – Cloud Computing 2019

10 What legislation or regulation may indirectly prohibit, restrict which contains provisions i.a. on the principles applicable to the confi- or otherwise govern cloud computing, in or outside your dentiality of communications. jurisdiction? In the health sector, the Coordinated law of 10 July 2008 on hos- In contrast to the previous question, there is Belgian legislation applica- pitals and other care facilities was amended in such a way that it does ble to cloud computing services that may indirectly prohibit, restrict or not anymore indirectly prohibit the use of cloud computing services by otherwise govern cloud computing services. hospitals. Article 20 section 1 of the Coordinated law of 10 July 2008 This kind of legislation includes, first of all, legislation on data now states that the patient file must be kept ‘by’ the hospital, and no protection, such as the European General Data Protection Regulation longer ‘in’ the hospital. After that, the FPS Public Health has drafted (GDPR) which is directly applicable since 25 May 2018. A cloud pro- guidelines on this matter which were approved by the Belgian Privacy vider will typically act as a processor of personal data, which means Commission (the Belgian Data Protection Authority) in Opinion that a data protection agreement has to be concluded. 04/2015 of 25 February 2015 (available at www.privacycommission.be/ Also, legislation on outsourcing in the financial sector in the Law sites/privacycommission/files/documents/advies_04_2015.pdf). of 11 March 2018 (replacing the Law of 21 December 2009) on the stat- The Belgian eIDAS law, implementing the eIDAS Regulation (EU) ute and supervision of payment institutions and the institutions for 910/2014 on electronic identification and trust services for electronic electronic currencies, the access to the company of the payment ser- transactions in the internal market, may also have indirect conse- vices provider and the activity of issuance of electronic money and the quences for cloud computing in Belgium. It governs, in particular, elec- access to payment systems, may affect cloud computing services. In tronic archiving, which can be very relevant for cloud computing, but it this regard, cloud computing services are subject to the same principles contains also rules on electronic registered mail, electronic seals, elec- as traditional outsourcing in the financial sector. However, cloud com- tronic signatures, websites authentication, trust service providers and puting is not directly addressed by the Law of 11 March 2018, but the electronic identification schemes. NBB stated in its communication of 9 October 2012 that cloud computing is considered as a type of outsourcing. 11 What are the consequences for breach of the laws directly The same communication of the NBB states that the circulars or indirectly prohibiting, restricting or otherwise governing dealing with outsourcing, which establish rules on good practices, cloud computing? will remain applicable. Subsequently, the communication states The consequences for breach of the laws directly or indirectly prohibit- that, in principle, there is no prior authorisation by the NBB required ing, restricting or otherwise governing cloud computing depend on the for outsourcing (in contrast to De Nederlandsche Bank (DNB) in law that was infringed upon. the Netherlands: see www.dnb.nl/nieuws/dnb-nieuwsbrieven/ The GDPR contains some penal provisions in articles 83-84 mean- nieuwsbrief-banken/nieuwsbrief-banken-februari-2015/dnb319119. ing that member states should give data protection authorities, such as jsp). Nevertheless, the NBB emphasises that it should be informed in the Belgian Data Protection Authority (replacing the Belgian Privacy advance on how these rules on good practices will be applied in prac- Commission), the competence to impose administrative fines on non- tice (see circular PPB 2004/5 on healthy management practices in out- compliant companies. sourcing by credit institutions and investment companies, issued by the In the financial sector, payment institutions are subject to super- Belgian Banking, Finance and Insurance Commission on 22 June 2004, vision by the NBB, and the NBB may, in certain cases, withdraw the available at www.nbb.be/doc/cp/nl/ki/circ/pdf/ppb_2004_5_circular. licence of a payment institution. That could be the case with the viola- pdf, and circular PPB 2006/1 CPA on healthy management practices tion of circulars about outsourcing. in outsourcing by insurance companies, issued by the Belgian Banking, Regarding distance contracts and information society services, it is Finance and Insurance Commission on 6 February 2006, available at worth mentioning that the Belgian Code of Economic Law contains a www.nbb.be/doc/cp/nl/vo/circ/pdf/ppb_2006_1_cpa_circular.pdf). Book XV on legal enforcement. The Belgian Civil Code contains provisions on service contracts (article 1779 ff). These provisions may be relevant for cloud computing 12 What consumer protection measures apply to cloud services. Other relevant legislation is to be found in the Belgian Code of computing in your jurisdiction? Economic Law, which contains provisions on distance contracts (Book As regards consumer protection measures applicable to B2C cloud VI and Book XIV) and information society services, which also contains computing services in Belgium, it should be noted that cloud comput- provisions on the liability of data storage service providers (Book XII). ing contracts are generally concluded over the internet, which means Article XII.19 of the Code of Economic Law states that where an that those contracts are distance contracts. information society service is provided that consists of the storage of The European Directive 2011/83/EU on consumer rights (the information provided by a recipient of the service, the service provider Consumer Rights Directive) establishes rules on distance selling, is not liable for the information stored at the request of a recipient of the which is transposed into Belgian legislation. The transposition of the service, on the condition that the provider does not have actual knowl- provisions of the Capital Requirements Directive can be found in Book edge of illegal activity or information and, as regards damage claims, VI of the Belgian Code of Economic Law. These provisions may also be is not aware of facts or circumstances from which the illegal activity or applicable to cloud contracts. Consequently, in some cases, the right of information is apparent; or the provider, upon obtaining such knowl- withdrawal for 14 days may have to be taken into account for the con- edge or awareness, acts expeditiously to remove or to disable access to clusion of certain cloud computing contracts. However, in some cases, the information, provided that he or she immediately communicates the right of withdrawal related to service contracts may be excluded this to the Public Prosecutor. (article VI.53 Code of Economic Law). Additionally, criminal law provisions in the Belgian Criminal Code The European Regulation (EU) 1215/2012 on jurisdiction and the and the Code of Criminal Proceedings may also indirectly prohibit, recognition and enforcement of judgments in civil and commercial restrict or otherwise govern cloud computing services in Belgium. This matters (Brussels I-bis) states that a consumer may bring proceedings includes, for example, a provision on the search in computer systems against the Cloud Service Provider (CSP) to a contract either in the which can be extended to a computer system or a part thereof that is courts of the member state in which the CSP is domiciled or, regardless located in another place other than the place where the search takes of the domicile of the CSP, in the courts for the place where the con- place (article 39-bis, article 88-ter and 88-quater). sumer is domiciled. The Belgian Code of International Private Law of It should also be noted that other Belgian legislation may, whether 16 July 2004 is in accordance with this Brussels I-bis Regulation. or not implicitly, require that certain data remains within the jurisdic- Pursuant to the European Regulation (EC) 593/2008 on the law tion of Belgium, such as article 14 of the Law of 8 August 1983 establish- applicable to contractual obligations (Rome I), a B2C cloud computing ing a National Register of natural persons. However, with regard to the contract will be governed by the law of the country where the consumer free flow of data across member states within the European Union, the has his or her habitual residence, provided that the CSP pursues his or legality or applicability of this kind of data localisation legislation may her commercial or professional activities in the country where the con- be uncertain in the future. sumer has his or her habitual residence, or by any means, directs such Other legislation worth mentioning is the Belgian Income Tax Code activities to that country or to several countries including that coun- (article 315) and the Law of 13 June 2005 on electronic communications, try, and the cloud computing contract falls within the scope of such activities. www.gettingthedealthrough.com 21

Subsequently, the insolvency administrator has to decide in Update and trends due time whether to continue performing the valid cloud computing contracts. The customer can demand the insolvency administrator Belgium is sometimes considered too complex to attract large to decide on whether to perform the contract, and if the insolvency outside investment. The myriad administrative and fiscal administrator does not decide within 15 days from the date of that regulations that differ in the separate regions means that investors must have a thorough understanding of the institutional structure demand, the cloud computing contract is considered terminated. of Belgium. Also, the Belgian taxation regime on energy entails a It is also worth mentioning that there is a ranking of the claims that large cost for potential cloud computing providers if they construct are duly declared. All estate debts and creditors having the benefit of large and energy-consuming data centres. Moreover, the supply of security interest and privileges will be satisfied first. Then the remain- energy has sometimes been uncertain in Belgium. ing assets of the CSP will be distributed by the insolvency administra- Legal uncertainty is a significant deterrent for companies in any tor among the unsecured creditors, who rank pari passu. sector, and this is most certainly the case in Belgium for the cloud The termination of the bankruptcy procedure can only be ordered computing sector. As the answers to some of the previous questions by the court at the request of the insolvency administrator. have shown, there is no specific legal regime for cloud computing Traditionally, source code escrow agreements are used to protect in any facet of its operation. This needs to change if Belgium seriously wants enterprises to fully commit to cloud services as a software licensees against the bankruptcy of licensors. It is generally business practice. Another uphill battle is the uncertainty that many considered, however, that this practice is less interesting in the frame- companies have with regard to the security of data on the cloud, work of SaaS contracts. In some circumstances, it can still be helpful to especially when the data concerned is sensitive or confidential. obtain the source code, if it is possible to deploy the software on a dif- Finally, more knowledge of Belgian IT services across all regions ferent system than the system provided by the SaaS CSP. In such a case, would be welcome, so that the understanding of cloud computing it is possible that stored data must be migrated as well. can be improved. We are not aware of any draft laws or legislative initiatives Data protection/privacy legislation and regulation specific to cloud computing that are being developed in Belgium. 15 Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction. 13 Describe any sector-specific legislation or regulation that The Belgian Privacy Act of 8 December 1992 (as subsequently amended applies to cloud computing transactions in your jurisdiction. and further implemented by the Royal Decree of 13 February 2001), In the public sector, the Law of 21 August 2008 established the eHealth which was the transposition into national law of the European Data platform in Belgium. One of the tasks assigned to the eHealth platform Protection Directive 95/46/EC, will be replaced by a new Privacy is to check whether software packages for managing electronic patient Act. At the time of writing, the text of the new Privacy Act has been files comply with the established ICT-related functional and techni- adopted in the second reading (source: www.dekamer.be/FLWB/ cal standards, specifications, and to identify these software packages. PDF/54/3126/54K3126007.pdf). The main source of privacy legisla- Cloud service providers have to comply with certain requirements, tion applicable to cloud computing services in Belgium is the GDPR such as security and privacy standards. supplemented by the Belgian Privacy Act. Other EU instruments may In Opinion 04/2015 of 25 February 2015, the Belgian Privacy also have an impact, such as the European Directive 2002/21/EC Commission also stated that the choice for a community or private (Framework Directive) and Directive 2002/58/EC (ePrivacy Directive). cloud does not necessarily provide more safeguards than a public cloud in terms of a better protection of personal data. Regardless of the type Cloud computing contracts of cloud, the focus should be on effective data protection safeguards, 16 What forms of cloud computing contract are usually adopted according to the Privacy Commission. in your jurisdiction, including cloud provider supply chains (if In the financial sector, the implementation of the European applicable)? Directive 2014/65/EU on markets in financial instruments (the MiFiD Directive) has led to some operational requirements with respect to Cloud computing contracts can be focused on the processing of data investment firms and regulated markets, which also affect their abil- residing in the cloud, or can be regarded as contracts of the SaaS cat- ity to employ subcontracting or outsourcing services, including for ICT egory, involving the online operation of applications of all kind, includ- services such as cloud computing (see above). ing more and more business-critical applications such as enterprise resource planning programmes and supply chain and logistics manage- 14 Outline the insolvency laws that apply generally or ment, asset management and asset maintenance, workflow manage- specifically in relation to cloud computing. ment, human resources, among others. On 1 May 2018, new insolvency legislation entered into force in 17 What are the typical terms of a B2B public cloud computing Belgium. A new Book XX was added to the Belgian Code of Economic contract in your jurisdiction covering governing law, Law. A CSP can be declared bankrupt by the commercial court if three jurisdiction, enforceability and cross-border issues, and conditions are met, namely: the CSP is engaged in commercial activi- dispute resolution? ties, the CSP has suspended payments to its creditors, and is no longer creditworthy, and so the CSP will continue not to meet its obligations B2B public cloud computing contracts are often made by international to creditors. If those three conditions are met, the CSP will formally be service providers, who include governing law and jurisdiction of their declared bankrupt by a bankruptcy judgment of the commercial court. home state, or may include international arbitration. Belgian service With regard to the fate of contracts concluded before the date of providers often include an arbitration clause indicating specialized the bankruptcy (which are not terminated by the judgment declar- Belgian arbitration forums as competent for claims. Some contracts ing the bankruptcy), Book XX article 139 provides that the insolvency contain dispute resolution clauses that set forth an escalation of dis- administrator may terminate those contracts unilaterally when the putes up to the level of the executive board of the parties, and if this does management of the estate necessarily requires this and that such a not result in a positive outcome, then arbitration, court procedures, or decision may not affect the rights in rem of third parties against the mediation by an external third person are possibilities. With respect estate. The contracts are not automatically terminated unless a termi- to enforceability, salvation clauses normally foresee that clauses that nation clause explicitly states so. would be invalid or unenforceable, will be automatically adapted in a The bankruptcy judgment is published in the Belgian State Gazette, way that remains as close as possible to the intended meaning of the as well as in two regional papers. The judgment appoints the insolvency relevant clause. administrator (the receiver), who will perform his or her duties under the general supervision of a supervisory judge, and the judgment also provides the term for creditors to declare their claims to the insolvency administrator and the court (with a maximum period of 30 days). This declaration is necessary for all creditors who wish to assert claims against the CSP.

22 Getting the Deal Through – Cloud Computing 2019

18 What are the typical terms of a B2B public cloud computing indirect damages are usually excluded and direct damages are usually contract in your jurisdiction covering material terms, such limited (often referring to the fee paid for the service as the limitation as commercial terms of service and acceptable use, and for damage in the aggregate). variation? Damage caused by intentional fault or fraud cannot be limited nor If implementation services are involved, a separate price is foreseen excluded by law. Although the possible liabilities of the customer are for the implementation service, and this will be paid according to mile- often considered as less likely, many contracts will balance the custom- stones, where the acceptance of the delivered service will oblige the er’s liability in a similar way. Indemnities are usually provided as a safe customer to pay the relevant price. The operational cloud service is harmless clause when a customer is confronted with a claim of a third typically paid as a subscription, with annual, trimestral or monthly pay- party for infringement of its intellectual property rights. The customer ments, typically paid up front. The price can be based on the allowed can be liable for infringement on third party’s rights based on infring- number of users or the used volume or number of transactions. The ing applications provided by the service provider, and in that case the cloud contracts normally include an acceptable use policy, providing service provider will take control of legal proceedings or negotiations suspension and possibly even termination of the contract if the use and will not hold the customer liable for damages. policy is not respected. In the direct relationship between a data controller and his or her Because the cloud service is often a one-to-many relationship, the customer, liability for breach of the data protection rules cannot be lim- service provider is practically obliged to include a variation clause in ited. Similarly, when the customer has a direct claim against a data pro- the contract, enabling him or her to modify the service unilaterally cessor (eg, the CSP) based on a breach of these rules, his or her liability when this is needed in order to provide an acceptable service. In order cannot be limited. It is, however, accepted that between a data control- to balance the rights of the customer, such clause will provide a termi- ler and his or her CSP (acting as data processor), the liability can be nation right of the customer with an acceptable notice period if he or limited even for damage caused by breach of the data protection rules. she does not agree, especially when the cost of the service is increased SLAs are becoming a normal standard of cloud contracts, guar- or certain functionalities are lost. anteeing the availability of the service, timely response of a helpdesk and performance levels. The levels can be negotiated by the customer 19 What are the typical terms of a B2B public cloud computing unless the service is standard for many customers: in which case, the contract in your jurisdiction covering data and confidentiality SLA is a take-it or leave-it matter. SLAs are not always sanctioned by considerations? financial penalties; however, financial service credits are increasingly applied when the service levels are not met by the provider. Cloud contracts will contain a description of the data centre, the A normal cloud contract should contain clear explanation and communication lines and the security provisions protecting the com- warranties regarding business continuity and disaster recovery (eg, munication and safety of the data. Data are usually located in a data through replication of data or applications to spare servers); specific centre provided by the service provider or by one of his or her suppli- key performance indicators can be set forth to cover maximum loss of ers. Customers that are well aware of the risks will ask for service levels data packages and the time needed to be up again after a shutdown. that are included in a service-level agreement (SLA) with clear levels Damages for loss of data are often excluded as damage compensation. and financial sanctions (credits). Regarding data security, the service provider will usually provide encryption and access management, 21 What are the typical terms of a B2B public cloud computing authorisation methods; more and more the compliance with industry contract in your jurisdiction covering intellectual property standards is demonstrated through certificates. rights (IPR) ownership in content and the consequences of When personal data is involved, the requirements will at least infringement of third-party rights? allow compliance with the legal and sectorial standards for data protection. In that case, customers require a warranty that data remain The intellectual property rights of the applications involved in SaaS located in servers in the EU territory. If data must be transferred to, or agreements or similar contracts remain with the provider of the cloud used from, third countries such as the US, the European compliance service; this is usually the case for developed interfaces and specific measures must be respected. Notification of data breaches is not yet adaptations as well. Data and other content that is created by the cus- a common clause, but will become more and more of a requirement tomer usually belongs to the customer. Most contracts contain a provi- under the influence of the GDPR, and as general awareness about the sion that warrants the return of data after the termination of a cloud risk of breaches on privacy is increased. contract. When the cloud service is endangered because of infringement of 20 What are the typical terms of a B2B public cloud computing third-party rights by the applications of the service provider, the con- contract in your jurisdiction covering liability, warranties and tract clauses usually state that the service provider has the right to apply provision of service? the appropriate remedy chosen by him or her, such as the adaptation or replacement of infringing code, and if that is not feasible, the termi- Every cloud contract contains some kind of limitation of liability for nation of the contract with a partial refund of any upfront payment of any damage caused by the service; liability for consequential and other fees. Damage compensation is usually excluded or at least limited.

Edwin Jacobs [email protected] Stefan Van Camp [email protected] Bernd Fiten [email protected]

Joseph Stevensstraat 7 Tel: 0032 2 893 20 95 1000 Brussels Fax: 0032 2 893 22 98 Belgium http://timelex.eu/en

www.gettingthedealthrough.com 23

22 What are the typical terms of a B2B public cloud computing Article 315 of the Income Tax Code also applies to all taxpay- contract in your jurisdiction covering termination? ers and determines that accounting books and support documents of B2B cloud computing contracts usually have a rather short applicabil- accounting entries must be kept on record if they can help determine ity period (typically of one year, automatically renewable unless termi- the amount of taxable income. They must be kept at the disposal of the nated by either party before the anniversary date of the contract). If an tax administration in the office, agency, branch or other professional or important investment was involved, such a contract can be agreed for private premises of the taxpayer where they have been kept, prepared three years, but usually not longer. or sent. Subject to an exception that may be granted, the books and Termination for no cause will always take a notice period into con- records may be kept in another place, provided that immediate access sideration that is sufficient for both parties to find an alternative con- to the books and records can be granted or that such documents can be tract partner. Termination for cause, on the other hand, is foreseen in provided on short notice in case of unannounced control. case of material breach, usually after a grace period of one month, and in cases of bankruptcy and insolvency procedures. 25 Outline the indirect taxes imposed in your jurisdiction that The retention and return of data is of utmost importance in case apply to the provision from within, or importing of cloud of termination and is usually foreseen, although any assistance with computing services from outside, your jurisdiction. data migration can be subject to an additional payment. The service The VAT imposed on cloud computing services follows the standard provider will usually not provide a retention right for himself or herself, Belgian tariff of 21 per cent for goods and services that do not fall under unless in case of non-payment of service fees where it might be used as the exhaustively determined categories of goods and services which a pressure mechanism have a reduced tariff of 12 per cent or 6 per cent. Cloud computing services also do not fall within the limited category of goods and services 23 Identify any labour and employment law considerations that that are exempted from VAT. More information on the place of the pro- apply specifically to cloud computing in your jurisdiction. vision of electronic services to persons who are not liable to VAT can In some cases, outsourcing of a company’s IT department may be seen be found here: https://financien.belgium.be/sites/default/files/down- as the transition of a corporate entity. In that case, the provisions of loads/electronic-services-en.pdf. collective labour agreement No. 32-bis could be applicable (available at www.cnt-nar.be/CAO-COORD/cao-032-bis.pdf) Recent cases 26 Identify and give details of any notable cases, or commercial, Taxation private, administrative or regulatory determinations within 24 Outline the taxation rules that apply to the establishment and the past three years in your jurisdiction that have directly operation of cloud computing companies in your jurisdiction. involved cloud computing as a business model. There are no specific fiscal rules that apply to the establishment and Announced in 2013 – but still ongoing – is the already mentioned IBM operation of cloud computing companies in Belgium. Instead, the same agreement with several major European financial institutions to build taxation regime as for other digital service providers – and indeed, for and manage their IT infrastructure through ISFF, which was desig- companies in general – is maintained. Important in the context of cloud nated for this (see question 1). The total value of the deal amounts to computing, however, is that these rules may require that data is held US$1.3 billion over seven years. IBM will set up a cloud infrastructure at all times within the jurisdiction of Belgium. Two separate regimes so that ISFF can expand services into new markets and optimise its must be differentiated. information technology management. In April 2018, IBM and Belfius Article 60 of the VAT Code discusses record-keeping concern- announced a multi-million euro extension of their existing technology ing invoices and equivalent documents (such as credit notes) for any services agreement until the end of 2023. taxpayer (meaning both natural and legal persons). Documents can be Arguably the most important and notable case of cloud comput- stored wherever the taxpayer wishes, yet they must be made available ing within Belgium was the establishment of the G-cloud. As noted whenever the tax administration so requests. If the storage does not before, this is a community cloud project initiated by the government. guarantee complete and online access, then mandatorily the invoices G-cloud is a voluntary cloud service for all public sectors and services must be stored in Belgium. At all times, and regardless of the for- to centralise public governance in a single cloud. Furthermore, it is mat, the authenticity, integrity and legibility of the invoices must be a hybrid cloud, with the possibility of offering IaaS, PaaS and SaaS. ensured. For the development and functioning, the government uses private cloud providers such as IBM, Microsoft and Oracle (source: G-cloud, www.gcloud.belgium.be/nl/index.html).

24 Getting the Deal Through – Cloud Computing 2019

Brazil

José Mauro Decoussau Machado, Ana Carpinetti and Gustavo Gonçalves Ferrer Pinheiro Neto Advogados

Market overview us-43-bilhoes-de-um-lado-us-93-bilhoes-de-outro-cloud-e-seguranca- destacam-empresas-brasileiras/). 1 What kinds of cloud computing transactions take place in However, a portion of Brazilian companies still do not completely your jurisdiction? trust the security of the cloud computing model and fear being depend- Cloud computing is a reality in Brazil in various industry sectors and ent on a service provider (lock-in). They view the quality of telecom- businesses. Cloud computing services and business models include munications infrastructure as a limitation for adopting cloud-based the offering of cloud-based storage solutions, software-as-a-service solutions (www.la.logicalis.com/globalassets/latin-america/advisors/ (SaaS), infrastructure-as-a-service (IaaS) and others, and both the pt/_it_snapshot_2018_web.pdf). private sector and public entities take part in contracting cloud-based solutions. 5 Are data and studies on the impact of cloud computing in your According to a 2018 research developed by Logicalis (www. jurisdiction publicly available? la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snap- Publicly available research on the impact of cloud computing in Brazil shot_2018_web.pdf), the private cloud model is adopted by 60 per cent is primarily developed by private entities, with a few exceptions pub- of companies, while 53 per cent use the public model and 31 per cent lished by the government. A recent study by Logicalis (a private con- use a hybrid solution. The percentage for hybrid solutions is expected sulting entity) predicts an optimistic future for the IT market (www. to reach 64 per cent by the end of 2018. la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snap- shot_2018_web.pdf). 2 Who are the global international cloud providers active in According to this research, half of the Brazilian companies that your jurisdiction? were interviewed have IT solution budgets 14 per cent higher in 2018 The most relevant worldwide cloud service providers already have local than 2017, while 34 per cent of companies expect to keep the same level presence or operations in Brazil including, for example, Microsoft, of investment as 2017. Oracle, Verizon, SAP, IBM and, more recently, Google. Apple and telecommunications companies, such as Vivo and Claro, Policy also provide cloud storage services in a business-to-consumer model. Other providers offer cloud-based products or licences to Brazilian 6 Does government policy encourage the development of your customers or companies through local subsidiaries or partners. Some jurisdiction as a cloud computing centre for the domestic local entities are used by major international providers for marketing market or to provide cloud services to foreign customers? purposes or for maintenance and implementation, while the cloud The government is taking steps to encourage the development and products or licences are actually provided by foreign entities of the dissemination of new technologies, including cloud computing. One same economic group. initiative is a federal programme called Strategic Program for Software and IT Services. 3 Name the local cloud providers established and active in your The government issued a statement in 2012 stating that it planned jurisdiction. What cloud services do they provide? to invest 486 million reais only on this segment (40 million real only Apart from the local entities of international groups, the number of for start-ups and 446 million reais for companies that develop software Brazilian cloud providers is increasing each year. These companies for certain industries) and, in 2014, six major technology companies include Locaweb, Cloud2Go, Tivit and Mandic. entered into memorandums of understandings with the Ministry of Telecommunications companies, such as Vivo (controlled by Science, Technology and Innovation to install research and develop- the Spanish group Telefónica), also provide storage services to their ment centres in Brazil. customers. Other government programmes, such as ‘Brasil Mais TI’, are also targeted at developing its students’ IT-related skills, including those 4 How well established is cloud computing? What is the size of related to programming, internet and cloud. the cloud computing market in your jurisdiction? Additionally, in 2016, the federal government published a guide to assist public bodies in contracting cloud computing services (www. Brazil is already a large market for cloud providers, with its figures dras- governodigital.gov.br/documentos-e-arquivos/Orientacao%20servi- tically increasing each year. cos%20em%20nuvem.pdf). This guide included recommendations for According to a recent research by Citrix (referenced in this article: data to be kept in the Brazilian territory and for the adoption of a hybrid https://computerworld.com.br/2018/08/30/brasil-ampliara-investi- cloud solution for cases that do not compromise national security. mento-em-cloud-em-linha-com-cenarios-futuros/ and https://exame. abril.com.br/negocios/dino/us-43-bilhoes-de-um-lado-us-93-bilhoes- 7 Are there fiscal or customs incentives, development grants de-outro-cloud-e-seguranca-destacam-empresas-brasileiras/), 57 per or other government incentives to promote cloud computing cent of Brazilian companies already adopt cloud computer solutions for operations in your jurisdiction? their businesses. Moreover, 74 per cent of Brazilian companies intend to invest in cloud technologies in the near future and to integrate ser- Currently, there are no specific fiscal or customs incentives for cloud vices and applications to a cloud in the next three years. computing in Brazil. Instead, there is not yet a definition on which tax is The International Data Corporation estimated that, in 2017, applicable – if ICMS (a VAT-like tax) should apply, which is collected by investment in the cloud computing sector reached approxi- Brazilian states, or if ISS (service tax) should apply, which is collected mately US$20 billion (https://exame.abril.com.br/negocios/dino by Brazilian municipalities. www.gettingthedealthrough.com 25

If the service tax ends up prevailing, then there is an indirect incen- The BR GDPA will be applicable irrespective of industry or business tive for cloud service providers to be located in the Brazilian territory when it comes to the processing of personal data. Among other norms, (ie, a local entity as the cloud provider) since the amount of taxes appli- it provides for user consent for the collection, processing and transfer cable to providers located abroad are significantly for importation of of data (with specific provisions pertaining cross-border transfer), data services. security and data breaches, sensitive personal data and situations for After there is a definition on which tax is applicable to cloud com- ceasing the processing of data. puting solutions, it is very likely that Brazilian states (in case of VAT-like It is also worth mentioning Decree 8135/2013, enacted by the fed- tax) or municipalities (in case of service tax) will create tax incentives eral government in response to the Snowden revelations. This Decree to bring service providers to their locations. sets forth that all ‘data communication’ of the federal government See questions 24 and 25 for more tax-related information. must take place in networks and services provided by public companies belonging to the federal administration. The Decree, however, failed Legislation and regulation to work in practice and has been largely ignored by the government. 8 Is cloud computing specifically recognised and provided for 11 What are the consequences for breach of the laws directly in your legal system? If so, how? or indirectly prohibiting, restricting or otherwise governing There is no express reference to cloud computing in Brazilian federal cloud computing? laws. However, the Brazilian Central Bank issued Resolution No. 4,658 According to the MCI, if an internet application provider (in which on 26 April 2018, which sets forth requisites for processing and storing category cloud computing providers are included) fails to comply with data and for cloud computing solutions for information collected by a take-down order issued by a court (or with an extrajudicial letter financial institutions (see question 13). sent by an affected party in case of pornography or sexual content), it Note that there are federal laws that apply specifically to internet may be held liable for content created by third parties. Thus, the MCI operations and to data protection, which impact cloud computing and established a safe harbour for such situations, by which an application their providers. provider is not held liable before it is notified either by a party or by a The Brazilian Civil Rights Framework for the Internet (Federal Law judge. No. 12,965/2014 (the MCI)), which was further regulated by Federal If the application provider fails to comply with a court order or Decree No. 8,771/2016, provides for principles, rights and obligations extrajudicial letter, it would likely be sentenced to pay an indemnifi- regarding the use of the internet in Brazil, and sets forth obligations for cation for material or moral rights to the aggrieved party, depending internet connection and application providers, which are relevant for on the facts of the case (there are several types of content that may cloud computing solutions in general. be deemed unlawful under Brazilian laws, the most common types of Recently, the Brazilian General Data Protection Act (Federal Law which are defamation, racism, child pornography, bullying, rights of No. 13,709/2018 (the BR GDPA)) was sanctioned and will come into publicity and other personality rights). force in February 2020. The BR GDPA will apply irrespective of indus- The MCI also provides for penalties of warning; administrative try or business when personal data is collected or processed. Among fines of up to 10 per cent of the income of the economic group in Brazil, other norms, it provides for user consent for the collection, processing net of taxes, to be calculated according to the economic condition of and transfer of data (with specific provisions pertaining cross-border the offender and the principle of proportionality between the severity transfer), data security and data breaches, sensitive personal data and of the offence and the intensity of the penalty; and suspension or pro- situations for ceasing the processing of data. hibition of the activities pertaining to the collection, storing or processing of logs, personal data or communications. 9 Does legislation or regulation directly and specifically Apart from administrative fines that may be imposed according to prohibit, restrict or otherwise govern cloud computing, in or the MCI, courts can impose fines for non-compliance with preliminary outside your jurisdiction? injunctions or final decisions ordering the removal of content or the Brazilian legislation does not directly and specifically prohibit or producing of data. There is no limitation for such penalties, which are restrict cloud computing services, either in or outside Brazil. set by judges on a case-by-case basis. Courts may also award damages In 2018, the Brazilian Central Bank issued Resolution No. 4,658, if the company fails to obey the court order to remove the content. which provides for precautions to be taken by financial institutions in If the company does not take down a specific content after a court contracting cloud services and for the responsibility of such institu- order, this could be considered a crime of ‘disobedience’ (article 330 tions for the reliability, integrity, availability, security and confiden- of the Brazilian Criminal Code), the penalty for which is 15 days’ to six tiality of the contracted cloud services. The financial institution must months’ imprisonment (for officers or administrators) and a fine. The notify the Central Bank prior to contracting the services and certain risk of criminal liability is higher in matters involving criminal organi- requirements must be met for the cloud service to be rendered abroad. sations or child pornography. See questions 8 and 10 for information on norms applicable to Regarding infringements to the provisions of the BR GDPA, in cloud computing and internet-based services. addition to liability for moral and material damages, data-processing agents are subject to the following administrative sanctions: warning 10 What legislation or regulation may indirectly prohibit, restrict with a deadline implementing corrective measures; fine of up to two or otherwise govern cloud computing, in or outside your per cent of the revenues earned by the legal entity, group or conglom- jurisdiction? erate in Brazil in the preceding year, net of taxes, capped at 50 mil- The MCI provides for rights and obligations for different stakeholders lion reais per offence; daily fine, subject to the cap referred to above; on the internet and sets forth parameters for the protection of user data. disclosure of the offence after the occurrence thereof having being The MCI is applicable to internet connection and application provid- investigated and confirmed; blocking of the personal data to which the ers in general. It provides for a vague and broad definition of internet offence refers, until the processing activity is regularised; and deletion application providers (‘a set of features that might be accessed through of the personal data related to the infringement. a computer connected to the internet’), which potentially makes cloud computing services subject to such legislation. 12 What consumer protection measures apply to cloud General requirements are related to the following obligations and computing in your jurisdiction? provisions: Legal consumer relations in Brazil are regulated by Law No. 8.078/1990 • access logs data retention by internet application providers; (the Consumer Protection Code or CDC), which governs all consumer • users’ rights in connection with personal data; relationships, including cloud computing products or services where • agreement provisions that might be considered void under there is a supplier on one side and a consumer on the other side. Brazilian law; ‘Consumer’ for this purpose is defined as any individual or legal entity • obligation to provide information on data processing activities; that acquires or uses products or services as an end user. • data request by Brazilian authorities; and The CDC protects consumers and, in general, its language allows • liability for content created by third parties. consumers to file claims against companies involved in the supply chain. If an entity is not directly responsible for damage suffered by the

26 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Pinheiro Neto Advogados BRAZIL consumer, such company may seek the amount paid by it to the con- instance, have certain benefits (representation in general meetings, for sumer from the other liable company. example) and their credits come before general unprivileged credits. The CDC sets forth a 30-day or 90-day deadline for the consumer to file a suit pertaining to a defective product or service and a five-year Data protection/privacy legislation and regulation period for damages caused to the consumer’s physical or mental health. 15 Identify the principal data protection or privacy legislation The supplier (where the consumer is an individual) cannot dis- applicable to cloud computing in your jurisdiction. claim or limit its liability for product or service defects, and all contractual clauses with this language will be null and void. The agreement The BR GDPA is the main norm to be applicable (after February 2020) also cannot include clauses impairing, disclaiming or mitigating obli- to any personal data processing activity in Brazil. It will create a robust gations to indemnify. There is no legal restriction on the warranty term legal landscape for personal data processing and will strengthen data apart from the 30-day or 90-day terms counted from the delivery of the subjects’ rights in relation to their personal data. It applies irrespective product or from the rendering of the service, by any contractual war- of industry or business when it comes to the processing of personal data. ranty must be clear, precise and additional to the legal warranty. Among other norms, it provides for user consent for the collection, pro- The CDC also provides for a right to regret, by which consumers cessing and transfer of data (with specific provisions pertaining cross- have the prerogative to return a product or a service contracted out- border transfer), data security and data breaches, sensitive personal side the point of sale within seven days of delivery. Currently, this rule data and situations for ceasing the processing of data. applies to purchases made through the internet, where the consumer It also provides to the implementation of controlled processes to has no physical contact with the product or service. ensure data subjects’ rights, such as the rights to access, correction, Choice of foreign law and arbitration/foreign venue clauses in anonymisation, blocking, deletion and portability of personal data, as consumer contracts are usually held null and void by Brazilian courts, well as provide for the possibility of creation of several documents by especially small claims courts, because they tend to complicate the companies, including privacy policies, consent forms, internal manu- consumer’s pursuit of his or her rights. However, in a 2018 decision, als, agreements with data operators and companies with whom it shares the Superior Court of Justice considered that the nullity of a choice of collected personal data, documentation supporting cross-border trans- venue clause (where the elected venue was a different city of the same fers of personal data, impact assessment reports. Brazilian state) was contingent on the proof of harm to the consumer’s Additionally, there are provisions of the MCI and the Federal Decree ability to claim his or her rights. No. 8,771/2016 that are applicable to data processing in general, including cloud computing providers. Such provisions include obligations to 13 Describe any sector-specific legislation or regulation that keep access logs for a minimum period of time; to obtain consent for the applies to cloud computing transactions in your jurisdiction. processing of personal data (and such processing must be adequate and clear); to use the data only for the purposes that justify its collection; and The Brazilian Central Bank issued Resolution No. 4,658 on to delete the collected personal data as soon as its processing is finished. 26 April 2018, which sets forth requisites for processing and storing General provisions provided by sparse laws may also be applicable data and for cloud computing activities related to information col- depending on the issue involved (eg, for consumer relationships, the lected by financial institutions. Consumer Protection Code will apply). Resolution No. 4,658/18 sets forth that the outsourcing of relevant data processing, storage and cloud computing services must be com- Cloud computing contracts municated in advance by the financial institution to the Central Bank. Such communication must comprise the name of the service pro- 16 What forms of cloud computing contract are usually adopted vider, the service being outsourced and the indication of the countries in your jurisdiction, including cloud provider supply chains (if where the services may be rendered and the data may be stored and applicable)? processed. There are a few main forms of cloud computing contracts usually The financial institution contracting cloud services must imple- adopted in Brazil: IaaS (where the contracting party seeks to rent IT ment procedures to verify the service provider’s ability (companies that infrastructure usually for the processing, storing or transferring of data); offer cloud computing, data storage and processing services to finan- platform-as-a-service (mainly for developing, delivering and managing cial institutions) to ensure: software applications); and SaaS (for a wide range of activities, includ- • compliance with prevailing laws and regulations; ing communications, collaboration, productivity, customer manage- • the institution’s access to the data and information to be processed ment, taxing and account activities, etc). or stored by the service provider; • the confidentiality, integrity, availability and recovery of data and 17 What are the typical terms of a B2B public cloud computing information being processed or stored by the service provider; contract in your jurisdiction covering governing law, • the service provider’s adherence to certifications required by the jurisdiction, enforceability and cross-border issues, and institution for outsourcing of the corresponding services; dispute resolution? • the institution’s access to reports prepared by an independent expert audit company hired by the service provider concerning the In B2B contracts, parties are generally free to choose the applicable law controls and procedures being adopted for outsourced services; and to elect a venue for dispute resolution. When the parties to the con- • the availability of management information and resources that are tract are all Brazilian entities, the governing law and the venue chosen adequate to monitoring the outsourced services; for dispute resolutions are usually Brazilian. • the identification and segregation of data belonging to the institu- When the cloud computing provider is not a Brazilian entity (eg, tion’s clients, via physical or logical controls; and when the provider does not have operations in Brazil or when its local • the quality of access controls targeted at protecting the data and entity is only for marketing, implementation or maintenance), the information referring to the institution’s clients. parties may negotiate different applicable law and dispute resolution clauses, including foreign law and foreign courts or arbitration tribunals. 14 Outline the insolvency laws that apply generally or However, the MCI provides that, in adhesion agreements, where specifically in relation to cloud computing. the terms of the agreement are standard and the contracting party is not able to negotiate its clauses, any foreign forum selection clause for There are no insolvency laws in the Brazilian legal system that apply disputes arising out of services rendered in Brazil will be null and void. specifically to cloud computing. The general provisions governing liq- Notice that, under the CDC, a company could be considered a con- uidation and recovery in insolvency proceedings are provided for in sumer if it acquires the product or service as an end user and it is vul- Federal Law No. 11.101/2005 (the Insolvency Law). nerable when compared with the supplier of products or services, so the The Insolvency Law provides for which credits or creditors have CDC may also apply in B2B contracts. In this case, any provision that preference with regard to the others in insolvency or credit recovery, limits or impairs the consumer’s pursuit of rights (such as the election of and a Brazilian customer seeking to enforce rights against an insolvent foreign law or foreign courts or arbitration) likely to be considered null cloud computing provider would have to follow the regular procedures, and void by Brazilian courts. being in general a regular creditor (unless there is a specific guarantee with respect to the services provided). Micro or small companies, for www.gettingthedealthrough.com 27

Update and trends The main legal challenge in the next few years will be for companies protection with specific provisions on technical standards and and the public sector to adapt to the new General Data Protection Law detailed norms, as well as on proceedings and investigations carried (Federal Law No. 13,709/2018 (the BR GDPA)), which was passed in out by it. August 2018 and will enter into force in February 2020. It is similar Other challenges to the cloud computing industry in Brazil concern in many aspects to the EU General Data Protection Regulation and the quality of the telecommunications infrastructure; the bureaucratic sets forth detailed personal data protection obligations and rights for and costly barriers to create and run companies; and the complexity individuals and companies. and burden created by the Brazilian tax regime. However, Brazil is a An additional challenge related to data protection will be the large and growing market for IT services and technology developments creation of a data protection authority. Even though there are several and is currently attracting international companies and giving matters that must be regulated and enforced by the authority, the incentives to the creation of local players. provisions that would create it were vetoed by the President in enacting In 2018, the BR GDPA (which is applicable not only to cloud the BR GDPA. However, it is very likely that a new law creating the data computing but to all activities that involve the collection, processing protection authority will be passed by the time the BR GDPA comes and transfer of personal data) and Central Bank Resolution No. 4,658 into force. (which contains sections applicable specifically to the contracting of The data protection authority, as provided in several provisions cloud services by financial institutions) were issued, both of which are of the BR GDPA, will then create its regulations on personal data major legal developments for the field.

18 What are the typical terms of a B2B public cloud computing 21 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such contract in your jurisdiction covering intellectual property as commercial terms of service and acceptable use, and rights (IPR) ownership in content and the consequences of variation? infringement of third-party rights? In general, cloud computing services are paid for on a monthly basis, Cloud computing agreements usually provide that there will be no and prices can be either a fixed amount or an amount according to transfer of ownership and that all intellectual property will be held by the volume of use (eg, the amount of data stored or processed). The the party who owns it in the first place. agreements may include regular monetary adjustments according to This means that the cloud computing provider will keep all intel- national inflation indexes. lectual property related to the provision of services and to the technol- Service level agreements are also common, and they usually pro- ogy related to the services, and the customer will keep all intellectual vide for minimum efficiency levels and discounts or penalties in case property on the content that it provides for the services to be rendered such levels are not met. (for example, the content uploaded to a cloud storage). It is also common to include in contracts clauses by which the cus- 19 What are the typical terms of a B2B public cloud computing tomer declares that it is responsible for the content that it provides for contract in your jurisdiction covering data and confidentiality the rendering of services, and that it shall not infringe any third-party considerations? rights (eg, that the customer will not keep infringing material in a cloud Cloud computing contracts usually cover security measures applica- storage). ble to data, especially personal data collected by a party. These secu- In the case of third-party intellectual property infringement, the rity measures may comprise data isolation, minimum standards and parties usually agree that the infringing party will indemnify the other parameters, encryption and backups. in case it is held liable. Some companies provide in their contracts that the data will be kept in servers in the Brazilian territory (which may be a requirement 22 What are the typical terms of a B2B public cloud computing for public contracting entities). contract in your jurisdiction covering termination? After the MCI, companies have been including consent clauses in Termination clauses depend on the nature of services being rendered. their agreements to support their collection and processing of personal While certain agreements allow for any party to terminate at any time, data. This will be strengthened and more detailed in contracts until others may provide for predetermined agreement terms or extension February 2020, when the BR GDPA enters into force and the compa- cycles (eg, one-year terms extendable for successive one-year terms) nies’ practices will need to comply with its provisions, so changes to the with certain periods for termination notices (eg, at least 30 days before standard cloud computing agreements are expected by then. the end of the current term). In this situation, there could be penalties where the agreement is terminated early or not in accordance with the 20 What are the typical terms of a B2B public cloud computing procedure set forth in the termination clause. contract in your jurisdiction covering liability, warranties and Typically, termination clauses cover the return or destruction of the provision of service? data provided by the customer under the agreement in a safe manner Parties are generally free to negotiate clauses covering liability, war- to ensure that no data will be lost or unduly breached by third parties, ranties and provision of service. Thus, liability or indemnification caps and confidentiality terms will apply to both parties for an indefinite or are common, as well as warranties for the rendered services and ser- limited amount of time. vice level agreements with a minimum level of service to be met by the The MCI obliges all internet application providers (and such defini- provider. tion comprises cloud computing providers) to keep internet application If the clauses are abusive, especially if the contracting party is vul- access logs for a minimum of six months, and some companies include nerable and not able to negotiate the contract terms (eg, in the case of this data retention in their agreements to inform their customers about an adhesion contract), they could be considered null and void in litiga- this legal obligation to keep data for some time. tion. This could be the case for small liability caps that do not cover a The BR GDPA provides that personal data should be deleted after substantial amount of the damage caused by a provider to the contract- its processing purpose has been reached, with a few exceptions, which ing party. include transfer to third parties and exclusive use of anonymised data. Finally, the CDC (which may apply to agreements entered into by This matter can be included in a termination clause in case the cloud legal entities) provides that, although any clause that limits the respon- computing provides wishes to use data after the termination of the sibility of the supplier for damages caused to individual consumers agreement, provided that all limitations under the BR GDPA are met. will be null, this is not the case for consumer relationships where the consumer is a legal entity and there is justification for the limitation 23 Identify any labour and employment law considerations that of liability. apply specifically to cloud computing in your jurisdiction. There are no specific labour laws applicable to cloud computing. If, in a specific contractual situation, cloud computing is considered as not a mere provision of services but as an outsourcing of workforce

28 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Pinheiro Neto Advogados BRAZIL for the contracting party, then certain labour laws could apply. In this It is currently not a clear on which tax should apply to such digital case, if the cloud computing provider fails to pay its employees their activities, fuelled by a dispute between Brazilian states and municipali- wages and benefits, the contracting party could be held responsible ties, because ICMS are collect by the former and ISS by the latter. and be obliged to fulfil such labour law obligations. Specifically regarding SaaS activities, Tax Authorities of the Municipality of São Paulo published Normative Ruling No. 1/17 stat- Taxation ing that SaaS activities are subject to ISS based on item 1.05 (software licensing) of the list of services of Complementary Law 116/2003. 24 Outline the taxation rules that apply to the establishment and In this same Normative Ruling, authorities also recognised the operation of cloud computing companies in your jurisdiction. hybrid nature of SaaS activities and, consequently, the possibility of it Cloud computing providers are subject to the corporate income tax and encompassing additional services classified on items 1.03 (indicated the social contribution on net profits at the joint rate of 34 per cent, as above) and 1.07 (technical support in IT, including the installation, well as the contribution to the profit participation programme (PIS) configuration and maintenance of computer programs and database). and the social security financing (COFINS), at 9.25 per cent (over total The consumption taxes mentioned above are applicable if the ser- revenue) under the non-cumulative regime or 3.65 per cent under the vice is provided from within or imported from outside. cumulative regime. Based on the nature of cloud services, revenues should be subject Recent cases to the non-cumulative PIS and COFINS regime with the application of the 9.25 per cent rate and the possibility of using credits. 26 Identify and give details of any notable cases, or commercial, If the cloud services are imported from outside, remittances are private, administrative or regulatory determinations within subject to the WHT at a 15 per cent rate (or 25 per cent, if the beneficiary the past three years in your jurisdiction that have directly is located in a tax haven jurisdiction). Tax authorities have recently involved cloud computing as a business model. manifested themselves, when analysing the taxation of remittances In September 2018, Engineering do Brasil, SAP and Google Cloud related to the resale of SaaS, that such remittances should be classified announced a commercial partnership to promote innovative solutions as technical services subject to the CIDE at a 10 per cent rate, and to the using artificial intelligence, machine learning and cloud computing. PIS/COFINS at the combined 9.25 per cent rate. Such three companies are working on an artificial intelligence that assists other companies in managing their tax obligations. For this pro- 25 Outline the indirect taxes imposed in your jurisdiction that ject, the objective is to integrate the technologies provided by Google apply to the provision from within, or importing of cloud Cloud and SAP with Engineering do Brasil’s tax expertise. computing services from outside, your jurisdiction. Another notable commercial partnership was entered into in 2017 The most relevant analysis from a Brazilian tax perspective is whether by Microsoft and Infraero, a state-owned organisation responsible for cloud computing services are subject to ICMS (a VAT-like tax) or to ISS managing Brazilian commercial airports. Both companies developed (service tax). Both ISS and ICMS are consumption taxes in Brazil. a cloud-based corporate social network to unite employees of the ICMS is assessed over the sale of goods and the provision of com- Brazilian company. The network aims to improve the communication munication and transport services. Recent modifications in the leg- and collaboration between Infraero teams and directors. islation regulated the procedures for charging ICMS for transactions The Brazilian Central Bank is also interested in regulating and related to digital goods. incentivising cloud computing technologies, which is evident from ISS, in turn, is a service tax assessed over any service (except those this year’s issuance of Resolution No. 4,658 and from the creation of a subject to ICMS) as long as the service is provided for in a list of ser- Technological Financial Innovation Lab, coordinated by the Central vices attached to Complementary Law 116/2003. Bank, which has AWS, IBM, Microsoft and Oracle (relevant companies Item 1.03 of Complementary Law 116/2003 includes processing, in the provision of cloud computing services) as supporters. storage of hosting of data, texts, images, videos, web pages, apps, information systems, among other forms, and congeners in the list of services taxed by ISS, and these activities are the core of cloud computing.

José Mauro Decoussau Machado [email protected] Ana Carpinetti [email protected] Gustavo Gonçalves Ferrer [email protected]

Rua Hungria 1100 Tel: +55 11 3247 8400 São Paulo Fax: +55 11 3247 8600 01455-906 www.pinheironeto.com.br Brazil

www.gettingthedealthrough.com 29

China

Matthew Murphy and Fei Dang MMLC Group

Market overview licensing and so on. For instance, Amazon.com cooperated with Beijing Sinnet Technology Co Ltd to conduct formal commercial application in 1 What kinds of cloud computing transactions take place in your China in 2016. Before that, it could only cooperate with clients, such as jurisdiction? Xiaomi and TCl, with limited preview service. Similarly, upon cooper- Three models of cloud computing have been adopted in China. These ating with 21Vianet and CapitalOnline Date Service in terms of private are: cloud and public cloud services respectively, IBM announced in March • Public cloud model: this market has been growing quickly since 2017 that it will cooperate with an affiliate of the Wanda Group to pro- 2015. According to data from the biannually published China vide IaaS and PaaS cloud computing services, and according to the Cloud Service Tracker of 2017 released by the International Data IBM spokesperson, their cooperation will be in charge of the distribu- Corporation (IDC), the total market value of the public cloud ser- tion, construction and operation of the IBM cloud platform in China. vices reached US$4 billion. In the public cloud market, the infra- Microsoft Azure has also entered China by cooperating with 21Vianet, structure-as-a-service (IaaS) accounts for the largest market share, and it is said that it has more than 70,000 enterprises clients in China. with an increase of 72 per cent in 2017, with the users in the IaaS Other global international cloud providers in China are Oracle, which market mainly being start-up companies, internet companies and announced its cooperation with Tencent Cloud in September 2016 in so on. Software-as-a-service (SaaS) is the second biggest segment hope of promoting its cloud computing service in China; and Cisco, of the market with an increase of 40.1 per cent, with their users which entered the Chinese cloud market by investing UnitedStack, a mainly coming from traditional industries. The smallest segment Chinese open-source cloud computing enterprise at the end of 2015. In of the market is the platform-as-a-service (PaaS) sector, which is addition, Apple is also a cloud provider in China owing to its iCloud ser- mainly adopted by individual developers and small to medium- vice, and it is reported that Apple started to store the iCloud data of its sized enterprises. Chinese users in the China Telecom cloud service in 2014. • Private cloud model: the market volume of the private cloud model has reached 34.48 billion yuan in China, which is a 25.1 per 3 Name the local cloud providers established and active in your cent increase than that of 2015, according to the China Private jurisdiction. What cloud services do they provide? Cloud Development and Investigation Report issued by the According to the IDC report, Alicloud is the biggest cloud service pro- China Academy of Information and Communications Technology vider in China and its major users are internet enterprises. Alicloud is an (CAICT) in April 2017. It also mentioned that, among the inter- Iaas, and provides a virtual hardware platform for development, as well viewed enterprises by the CAICT, there was a 25.4 per cent increase as services, such as elastic compute, storage, database, internet, domain of the enterprises that deployed cloud computing in 2016 and the name and website. It is reported that it accounted for 31 per cent of the deployment of private cloud thereof has increased 8.9 per cent. The IaaS market share in China in 2015, and its fast growth can be attrib- private cloud is mostly applied in the IT system within the enter- uted to the fast growth of internet enterprises, development of mobile prise, including the management system, office system and com- end, transition of traditional industry ecommerce, as well as the drive munication system. of game industry and oversea expansion. China Telecom and China • Hybrid cloud model: this combines the advantages of both the Unicom are the second and third largest cloud service providers focused public cloud (least costly) and the private cloud (security). It is esti- on services, such as cloud server, object-oriented storage, content deliv- mated that the hybrid cloud model will be most common in large ery network and so on, and most of their users are government insti- and medium-sized enterprises. tutions and enterprises. In addition, 21Vianet, Kingsoft, ChinaCache, among others, are also the top cloud service providers in China. It worth mentioning that, to increase the technology level of cloud computing transaction in China, China tried to innovate the transaction of 4 How well established is cloud computing? What is the size of cloud computing service by establishing its first cloud computing trans- the cloud computing market in your jurisdiction? action platform – Xinjiang Central-Asian Commodity Trading Centre – in September 2014, with the strong support of local government. It It was reported in an article titled: ‘Cloud Computing Market will carries out spot transitions, using ‘cloud computing’ as trading variety, Reach 57.064 billion in 2019, Internet Giants Set off Multi-dimensional and it can match seller and buyer of cloud computing on the transaction Competition’ published by caijing.com.cn on 13 January 2017, that the platform. For instance, a client can transfer its extra cloud computing to cloud computing service market has been growing continuously in another client who needs it through this platform. recent years, and it is estimated that the total market value will reach 279.7 billion yuan in 2016, an increase of 41.7 per cent year on year. 2 Who are the global international cloud providers active in your As estimated by the Ministry of Industry and Information jurisdiction? Technology (MIIT) in its Three Year Action Plan for Development of Cloud Computing, China’s cloud computing industry will reach 430 According to the IDC’s China Public Cloud Service Tracker 2015, billion yuan in 2019. Also, according to an interpretation of the MITT’s Amazon.com took sixth place and accounted for 4.3 per cent of IaaS Action Plan, the cloud computing industrial structure continues to opti- market share in China in 2015, IBM took 11th place and accounted for mise, and the industry chain tends to complete. Key technologies such 0.1 per cent of the market share. Although Oracle and VMware were as large-scale concurrent processing, mass data storage and data cen- also listed, no specific market shares were recorded. It is worth noting tre energy-saving have achieved breakthroughs, and even reached the that global international cloud providers have to operate in the Chinese international advanced level. Backbone enterprises have been rapidly market by cooperating with domestic service providers or technology developing the strategic layout including efficiencies to improve their

30 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 MMLC Group CHINA business categories. Large enterprises, government agencies and finan- or stored outside China. A security or confidentiality agreement cial institutions continue to accelerate the pace of application of cloud should be signed by the departments and the provider. Regarding computing, and the application areas of cloud computing continue to businesses relating to state secrets or work secrets, social cloud expand into manufacturing, government, finance, education, medicine computing services should not be applied though. and other fields. • Guideline Opinion of the State Council concerning Actively Promoting ‘Internet +’ Actions issued in July 2015, which points 5 Are data and studies on the impact of cloud computing in your out the direction of combining the cloud computing and traditional jurisdiction publicly available? industries (eg, industry, financing, social services). There are some data and studies on the impact of cloud computing • Action Outlines of Promoting Big Data Development issued by the in China available publicly. For instance, a report called the ‘Cloud State Council in August 2015. The State Council promises to pro- Computing Development White Book’ (2015) issued by China Center mote the healthy development of the big data industry, by encour- for Information Industry Development (CCID), a research institution aging enterprises to increase the data key technology research and affiliated to the MIIT, is available online; and the China Private Cloud development, and improving the regulatory and standard system. Development and Investigation Report issued by CAICT (see question 1). 7 Are there fiscal or customs incentives, development grants According to these reports, the traditional IT enterprises have been or other government incentives to promote cloud computing vigorously launching cloud computing businesses and have speeded operations in your jurisdiction? up the expansion of the market share through mergers and acquisi- Yes, according to MITT’s Three-Year Action Plan for Development of tions in order to meet the requirement of the market; and the applica- Cloud Computing, the government will provide fiscal and other support tion of cloud computing is involved in traditional IT outsourcing and for cloud computing enterprises, including but not limited to: other IT transactions. As of 2015, 52 government departments and • optimising the financing environment for such enterprises, sim- more than 300 business applications of Jinan City use cloud services, plifying the financing process, promoting policy banks, industrial which accounts for more than 80 per cent of the non-confidential investment institutions and security agencies to increase the sup- e-government system (the White Book by CCID). According to another port of cloud computing enterprises, and increasing credit support; report, the ‘Cloud Computing Industry Research Report’ issued by the • supporting cloud computing enterprises to finance from capital Soochow Securities, the ‘Golden Power’ platform of China Financial market, conduct acquisition and expand the market; Computerization Corp, an enterprise directly under the People’s Bank • encouraging cooperation between the enterprises and universities of China, can provide disaster-based data centre services based on the for talent training; heterogeneous IaaS platform, and provide cloud services such as dis- • enhancing brand-making in the industry; aster relief, training, takeover, recovery, switching and back-cutting • supporting key enterprises in the industries’ overseas development; services for small and medium-sized financial institutions. So far, it has and provided disaster recovery services for the People’s Bank of China and • speeding up the establishment and improvement of cloud comput- more than 20 small and medium-sized financial institutions. ing in the field of international cooperation and exchange platforms Although China’s cloud computing technology is not yet very by setting up professional, market-oriented overseas market ser- mature, it has been extensively used in software engineering. The tra- vice systems in order to support the overseas layout of the backbone ditional software engineering development and relevant technology is cloud computing enterprises. bound to make significant changes accordingly. Legislation and regulation Policy 8 Is cloud computing specifically recognised and provided for in 6 Does government policy encourage the development of your your legal system? If so, how? jurisdiction as a cloud computing centre for the domestic Yes, the importance of cloud computing, big data and such like have market or to provide cloud services to foreign customers? been recognised by more and more industries, even in the legal system. Yes, the Chinese government issued several policies concerning the For instance, there are more online legal databases providing judgment development of cloud computing as follows: and case studies, such as the China Judgments Online, which is a plat- • Opinions of the State Council concerning the Promoting Innovation form of the people’s courts in China to publish their judgments, as well and Development of Cloud Computing and Cultivating New Format as some commercial legal database. The public, especially the parties of Information Industry issued in January 2015, which is the most concerned in a case, may also find important judicial information or important policy as the guideline of cloud computing development data, such as dishonest persons subject to enforcement or other lawsuit in China. The Opinions indicate six main tasks to strengthen the information. In addition, at the Computing Conference 2016 held in growth of new format, industrial support and security, including: Hangzhou, a legal robot that could realise AI case analysis and lawyer • enhancing the ability of cloud computing services, vigor- selection based on legal big data was launched. ously developing the public cloud computing services, and guiding enterprises to adopt safe and reliable cloud comput- 9 Does legislation or regulation directly and specifically ing solutions; prohibit, restrict or otherwise govern cloud computing, in or • enhancing the ability of independent innovation, and breaking outside your jurisdiction? the cloud computing and large data key core technology; The cloud computing or data service should comply with the provisions • exploring the new model of e-government cloud comput- concerning cyber operation and information security stated in the PRC ing development; Cyber Security Law and the PRC Counterterrorism Law. There are also • strengthening the development and utilisation of large data; other regulations that govern the data security as well as data transfer in • optimising the layout of cloud computing infrastructure, and certain fields. For instance, the Opinions concerning Enhancing Cloud accelerating the optimisation and upgrading of information Computing Service Network Safety Management of the Party and network infrastructure; and Government Department mentioned above, specifically provide that a • improving the security capabilities, researching and improving cloud computing service platform and data centre for the party and gov- the cloud computing information security policies and regula- ernment departments must be established within China. Also, certain tions, and strengthening the assessment review and monitor. kinds of information or data, such as personal credit information, per- • Opinions concerning Enhancing Cloud Computing Service sonal financial information, health information, map data, government Network Safety Management of the Party and Government information, enterprises’ accounting information and human inherit- Department issued in May 2015, which focus on cloud comput- ance resource information and the like, are prohibited or restricted from ing security issues. According to the Opinions, the cloud comput- being transferred overseas. ing service platforms and data centres that provide service for the In addition, there is a national standard named ‘Information party and government should be located in the territory of China, Security Technology – Security Capability Requirements of Cloud and sensitive information should not be transmitted, processed Computing Services’ concerning the issue. www.gettingthedealthrough.com 31

Also, in order to conduct IDC and internet service provider (ISP) In addition, an operator of cloud computing may be subject to a services that cover the cloud computing services in China, such service tort liability when its wrongdoing infringes consumers’ civil rights providers, whether they are domestic or foreign providers, must obtain or interests, including the right to name, reputation, privacy and IP the relevant IDC/ISP licence from the MITT. However, such licences right in accordance with articles 2 and 6 of the Tort Law. Also, a well- are only open to foreign investment from Hong Kong and Macao designed cloud computing contract for consumers can be a consumer in accordance with the Closer Economic Partnership Arrangement protection measure under the Contract Law. signed between the Chinese central government and the governments of the Hong Kong Special Administrative Region and the Macao 13 Describe any sector-specific legislation or regulation that Special Administrative Region respectively. In other words, for foreign applies to cloud computing transactions in your jurisdiction. cloud service providers (excluding those from Hong Kong or Macao) In accordance with the Cyber Security Law, operators of key informa- that want to conduct cloud computing service in China, they cannot tion infrastructure should store personal information and important directly conduct such operation in China unless they cooperate with data collected and generated during its operation within the territory qualified domestic service providers as mentioned in question 2. If such of China. Key information infrastructure includes public telecommu- cooperation is in the form of creating a joint venture to run a cloud ser- nications and message services, energy, transportation, water conser- vice operation in China, the ratio of the foreign investment in the joint vation, financing, public service, e-government, as well as those that venture should be further subjected to the restrictions (no more than may severely threaten national security, people’s livelihoods and pub- 50 per cent for a value-added telecoms service and no more than 49 lic interest once such key information infrastructure is damaged, mal- per cent for a basic telecoms service) provided in the Catalogue for the functions or suffers data loss. Guidance of Foreign Investment Industries (amended in 2015). Also, as mentioned in question 9, information and data are prohibited from being transferred overseas. Those sectors include, but are 10 What legislation or regulation may indirectly prohibit, restrict not limited to, credit investigation, banking and financing, health infor- or otherwise govern cloud computing, in or outside your mation, map data, government information, enterprises’ accounting jurisdiction? information and human inheritance resource information and so on. Legislation or regulations that involve information protection (eg, data privacy) may indirectly prohibit, restrict or otherwise govern cloud 14 Outline the insolvency laws that apply generally or computing in China: General Provisions of the Civil Law, Criminal specifically in relation to cloud computing. Law, Tort Law, Public Security Administration Punishments Law, There is no specific insolvency law or regulation concerning the cloud Law on the Protection of Consumer Rights and Interests, Provisions computing field in China. In cases where a cloud computing supplier on Protecting the Personal Information of Telecommunications that possesses data or information owned by a customer goes bank- and Internet Users, Regulation on Internet Information Service of rupt, the customer who is the rightful owner or legal holder of the the People’s Republic of China, Provisions on the Administration of data or information may claim the right to its data or information as Communications Short Message Services, Administrative Measures a creditor in accordance with article 38 of the PRC Bankruptcy Law, for Online Trading, among others. which provides that ‘if, after the people’s court accepts the bankruptcy petition, the debtor is in possession of property not belonging to it, the 11 What are the consequences for breach of the laws directly holder of the rights in such property may recover the same through the or indirectly prohibiting, restricting or otherwise governing administrator, unless otherwise specified in this Law’. cloud computing? A breach of the laws and regulations mentioned above will result in Data protection/privacy legislation and regulation the breaching party facing administrative, civil or criminal liabilities 15 Identify the principal data protection or privacy legislation depending on the circumstances. Taking the breach of the PRC Cyber applicable to cloud computing in your jurisdiction. Security Law as an example, where an internet operator violates the obligations concerning internet operation and information security, The principal data protection or privacy legislation applicable to cloud the operator will face administrative penalty from the government computing in China includes, but is not limited to, the PRC Cyber authorities, including, but not limited to, a warning, an order for rec- Security Law, General Provisions of the Civil Law, Criminal Law, Tort tification, suspension, cancellation of permission or business licence, Law, Public Security Administration Punishments Law, the Law on the confiscation of illegal gains or an administrative fine. The person in Protection of Consumer Rights and Interests, Provisions on Protecting charge of the operator that violates the obligation may also face an the Personal Information of Telecommunications and Internet Users, administrative fine, administrative detention and a ban from re-enter- Regulation on Internet Information Service of the People’s Republic ing the key position of the cyber-security management and internet of China, Provisions on the Administration of Communications Short operation. Apart from the administrative liabilities above, if the viola- Message Services, Administrative Measures for Online Trading, tion is so severe that it may constitute a crime, the operator will face Decision of the Standing Committee of the National People’s Congress criminal liability as well. Also, where the violation causes damage to an on Strengthening Information Protection on Networks, Regulation individual, such operation will come under civil liability in accordance on the Administration of Credit Investigation Industry, Notice of the with the General Principle of the Civil Law, the Tort Law and others. People’s Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and Measures 12 What consumer protection measures apply to cloud for the Administration of Population Health Information (for Trial computing in your jurisdiction? Implementation). There is no law or regulation that specially or directly regulates the Cloud computing contracts protection of consumers in terms of cloud computing yet. However, the Law on the Protection of Consumer Rights and Interests provides 16 What forms of cloud computing contract are usually adopted rights entitled by the consumers and obligations of the operators in in your jurisdiction, including cloud provider supply chains (if general that naturally covers the field of cloud computing; and in arti- applicable)? cles 14, 29, 50 and 56 thereof, it especially states the rights, obligations Cloud computing contracts in China are usually in written form (elec- and liability concerning personal information protection. Also, in the tronic form available) and most of the clauses therein are standard Administrative Measures for Online Trading, it specifies various meas- clauses prepared by the cloud computing service provider. ures to protect consumers’ right that also could apply to cloud computing, including, but not limited to, providing customers with detailed 17 What are the typical terms of a B2B public cloud computing trading information (eg, information concerning goods or services, contract in your jurisdiction covering governing law, payment, returning policy, warning, after-sales), providing receipts or jurisdiction, enforceability and cross-border issues, and invoices in paper or electronic form to consumers, seven-day returning dispute resolution? policy without reasons (excluding certain goods), privacy protection, application of standard clauses, dispute resolution channels and so on. In China, the formation, validity, implementation and interpretation of a cloud computing contract is governed and construed in accordance

32 Getting the Deal Through – Cloud Computing 2019

Update and trends The main challenges facing cloud computing within, from or to China The Specification also sets out the definition of ‘personal sensitive stem from the information security aspect, which involves issues such information’, which means personal information that may endanger as data cross-border transfer, personal information protection, data personal and property security, resulting in damage to personal processing and mining among others. reputation, physical and mental impairment or discriminatory Taking the data cross-border transferring as an example, treatment and so on, once it is disclosed, illegally provided or abused. in accordance with the Cyber Security Law, operators of critical The scope of personal sensitive information is similar to that of information infrastructure should store personal information and personal information. important data collected and generated during its operation within Furthermore, in the latest draft of the Measures of Security the territory of China in China. Critical information infrastructure Assessment of Personal Information and Important Data Exported includes public telecommunication and message services, energy, Abroad issued in 2017, personal information and data being transferred transportation, water conservation services, financing, public services, abroad may be subject to evaluation by the industry administrative e-government, as well as those services that may severely threaten or supervision departments under certain circumstances, such as national security, people’s livelihoods and public interest, if damage containing, or cumulatively containing, the personal information of to those infrastructure services takes place. If a business is involved in more than 500,000 individuals; amount of data more than 1000GB; the provision of critical information infrastructure services in China, it data in the fields of nuclear facility, chemical biology, national defence, could find that complying with the Cyber Security Law is onerous. demographic health, among others. As to personal information protection, although there are no On 13 April 2018, the China Financial Standardization Technical unified measures for regulating the cross-border transfer of personal Committee (CFSTC) issued a notice concerning solicitation of public information in general, personal information in relation to credit opinions for three financial industry standards relating to cloud information, financial information, health information and the like, are computing. The three drafted standards are ‘Financial application subject to restrictions. It is worth of noting that, ‘personal information’ specification of cloud computing technology – Technical architecture’; has been defined as referring to ‘various information that can identify ‘Financial application specification of cloud computing technology a certain natural person or reflect certain natural person’s activity, – Security technical requirement’; and ‘Financial application whether individually or combining with other information, in electronic specification of cloud computing technology – Disaster recovery’. or other format, according to the Information Security Technology’ According to CFSTC’s drafting statement, the purpose of such – Personal Information Security Specification (GB/T35273-2017 (the drafts is to encourage and regulate information technology to be Specification)), which came into effect on 1 May 2018. More specifically, applied in the financial industry, effectively prevent financial risk, it is now known that personal information may include the following: enhance finance’s ability to serve the real economy, and fully bring the • personal basic information (eg, name, birthday, sex, etc); cloud computing into the play of financial information establishment. • personal identity information (eg, ID card, passport, driving Those standards can be applied to various service models, such as IaaS, licence, etc.); Paas and SaaS, and different deployment models, such as private cloud, • personal biological identifying information (eg, genetic details, community cloud or hybrid cloud. finger print, vocal print, etc); The drafts include three parts, which are technology framework, security technology requirements and disaster recovery. In terms of • online identity information (eg, system account, IP address, etc); technical architecture, it divides the financial industry cloud computing • personal health physical information (eg, relevant record technology framework into different levels from bottom to top, generated from medical treatment, etc); including basic hardware resource level, resource abstract control level, • personal education and work information (eg, personal occupation, cloud service level, as well as operation management level; and brings title, etc); up relevant requirements. • personal property information (eg, bank account, etc); In terms of security technical requirements, it brings up • personal communication information (eg, communication record requirements from various aspects, including basic hardware, and content, etc); resource abstract and control, optional components, application, data • contact information (eg, contact record, friend list, etc); and management, in order to establish a cloud computing security • personal internet surfing record (eg, user’s operation record stored defensive line from the bottom level to the application top level. by log file, etc); In terms of disaster recovery, it divides the disaster recovery ability • personal often used equipment information; of the cloud computing platform into different levels based on the • personal location information; and affected scope and the level of impact the suspension of the business will have, and brings up the key index to be reached at each level and • other information. the specific technical requirements to be fulfilled.

with the Contract Law and other relevant laws and regulations of 19 What are the typical terms of a B2B public cloud computing China, and any dispute arising out of the contract can be resolved by contract in your jurisdiction covering data and confidentiality negotiation, or be submitted to a Chinese people’s court with jurisdic- considerations? tion (eg, the people’s court where the cloud computing service provider In China, the typical terms of a cloud computing contract include a is located) or an arbitration institution in rare circumstances. term concerning confidentiality, which normally provides that one party will keep the other party’s personal information (eg, technolo- 18 What are the typical terms of a B2B public cloud computing gies, trade secret, proprietary information) confidential unless it is contract in your jurisdiction covering material terms, such required to by law, regulations or competent authorities. Typical terms as commercial terms of service and acceptable use, and of a cloud computing contract concerning confidentiality may include variation? content as follows: In China, a typical cloud computing contract usually includes the fol- • confidential information normally refers to technical and business lowing clauses: service content, parties’ rights and obligations (espe- information that is unknown to the public, but can bring economic cially focused on the users’ obligations), intellectual property, cap of benefits, be practical and have taken confidential measures, infor- liability and so on. Among them, in the users’ rights and obligations mation related to business activities or operating methods such as part, it usually specifies the compliance obligations that must be customer information and marketing programmes and so on, tech- observed by the users. For instance, users should not use the cloud nical information, statistical data, methods and results for techni- service to conduct or provide convenience to non-compliance or even cal improvements and their forms and carriers; illegal actions (eg, gambling, sending unsolicited emails, damaging or • forms of confidential information generally include computer data disturbing the operation of the cloud service). As to price and payment forms – written, graphic, symbol and other written form or picture clause, this may not be included in the main service contract on the form; media forms – recording sound and images; and oral com- grounds that it may be contained in a separate order, and the price and munication forms; payment clauses are quite different owing to the versatile services pro- • confidentiality period; and vided by different providers in order to meet the users’ varied needs . • responsibility for leakage.

www.gettingthedealthrough.com 33

The term of such confidentiality clause will continue after the termina- also be borne by the user. After the said period expires, the service pro- tion of the cloud computing contract. vider will delete the user’s data.

20 What are the typical terms of a B2B public cloud computing 23 Identify any labour and employment law considerations that contract in your jurisdiction covering liability, warranties and apply specifically to cloud computing in your jurisdiction. provision of service? There is no labour and employment law or regulation that applies spe- In China, the typical terms of a cloud computing contract concerning cifically to cloud computing in China. The cloud computing enterprises liability or warranties may include the following content: the cloud have to comply with labour-related laws and regulations, such as the computing service provider will not warrant that its service will meet PRC Labour Law and the PRC Labour Contract Law among others, as all the users’ requirements, nor that its service will be timely, safe, reli- other enterprises do. able without interruptions or errors. The service provider will not be liable for service interruption owing to reasons such as force majeure Taxation (eg, natural disaster, act of government), fault of infrastructure opera- 24 Outline the taxation rules that apply to the establishment and tor, internet security incident and other circumstances that the service operation of cloud computing companies in your jurisdiction. provider could not foresee or avoid even if it has foreseen such circumstances. Also, any indirect losses arising from the contract are usually In accordance with the Opinions of the State Council concerning excluded from the liability of the service provider. Promoting Innovation and Development of Cloud Computing and A customer is obliged to ensure that all the information provided Cultivating New Format of Information Industry, the cloud comput- by it: ing companies could be incorporated into the definition of software • is true and effective; enterprises, state planning key software enterprises, high and new tech • conforms to Administrative Measures for Internet Information enterprises and advanced technology service enterprises, and be enti- Services and other relevant law and regulations; tled to relevant preferential tax policy, assuming that the cloud com- • does not contain any information that poses a threat to national puting companies meet the requirements of those enterprises. Once security, promotes violence and crime, war, terrorism, militarism, the cloud computing companies are recognised as one of those enter- Nazism and national hatred, or involve obscene content; prise types mentioned above, they may enjoy various preferential tax • does not harm the health of children; and policies, such as a rate of 10 per cent of incorporate income tax for state • does not infringe others’ IP rights or privacy or violate public planning key software enterprises, 15 per cent for high and new tech morality or public order. enterprises and so on. (The standard rate of incorporated income tax is 25 per cent.) 21 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property 25 Outline the indirect taxes imposed in your jurisdiction that rights (IPR) ownership in content and the consequences of apply to the provision from within, or importing of cloud infringement of third-party rights? computing services from outside, your jurisdiction. In China, the typical terms of a cloud computing contract concerning For provision of computing services in China, the cloud computing ser- IPR may include content as follows: the intellectual property rights vice provider is subjected to the same major taxes as other enterprises (eg trademark right, copyright) entitled by each party are exclusively face, including, but not limited to, income tax, VAT, tariffs and so on. owned by each party, and one party will not use the other party’s intel- As to importing cloud computing services from outside, the relevant lectual property rights without the other party’s prior permission. One tax policy is to be specified. party will warrant that software, material and the like obtained or used by such party does not infringe any third party’s legal right. The IPR Recent cases term will continue after the termination of the contract. 26 Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within 22 What are the typical terms of a B2B public cloud computing the past three years in your jurisdiction that have directly contract in your jurisdiction covering termination? involved cloud computing as a business model. In China, a cloud computing contract may be terminated due to vari- In a second instance judgment issued by the Beijing Intellectual ous reasons including mutual agreement, the term of service depend- Property Court in April 2016, it maintained the first instance deci- ing on the user’s payment made to the service provider or violation of sion that the Cloud Cell Phone Assistant operated by Aliyun, a cloud the obligations by users. Upon termination, the user may be given a computing service platform under the Alibaba Group, infringed cer- certain period (eg, seven days), which varies depending on the service tain works’ information online broadcasting rights that were owned provider, to transfer all the data. The fee incurred from such period will by ChineseAll.com (the plaintiff). The plaintiff claimed that it owned

Matthew Murphy [email protected] Fei Dang [email protected]

1209 Tower W3 Tel: +86 10 8515 1091 The Towers, Oriental Plaza Fax: +86 10 8515 1089 1 East Chang An Avenue www.mmlcgroup.com Dongcheng District 100738 Beijing China

34 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 MMLC Group CHINA the exclusive right for the online broadcasting of 12 books, as authorised by the author. In January 2015, the plaintiff found that the Cloud Cell Phone Assistant of Aliyun incorporated an application that contained the unauthorised 12 books mentioned above for downloading by users. Although a warning letter was sent to Aliyun, no response was received by the plaintiff and the infringed works could still be downloaded thereafter. During the trial, Aliyun argued that, according to its Application Service Cooperation Agreement, it only provided a display- ing and promoting service for a third party’s application and software. For instance, a third party could transfer its product to Aliyun by email, FTP, URL, among others, and start an information service through the Aliyun platform; and Aliyun would introduce such party’s product to its application centre for users’ downloading. The court considered that Aliyun constituted providing works based on cooperation and division of labour with an outside party, other than merely providing storage room or linking service. Even if it was only considered as providing the storage room or linking service, it must take immediate measures and delete infringing content upon the receipt of infringement notice from the rightful owner. According to the first instance judgment, Aliyun was ordered to compensate the plaintiff for financial loss amounting to 120,000 yuan.

www.gettingthedealthrough.com 35

France

Olivier de Courcel and Stéphanie Foulgoc Féral-Schuhl/Sainte-Marie Alain Recoules Arsene Taxand

Market overview 4 How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction? 1 What kinds of cloud computing transactions take place in your jurisdiction? According to the official statistical enquiry undertaken in 2016 (see question 1), 31,687 companies (ie, 17 per cent of French companies with The official statistics define ‘cloud computing’ as the IT services used at least 10 employees) were using cloud computing services. This figure on the internet to access a software, processing power or a storage is compared with an average of 21 per cent noted in the countries of the capacity and which include all the following characteristics: European Union in that year. • to be delivered from IT servers operated by service providers; On the information and communication technologies market, • to be easily increased or decreased; cloud computing services had a minimal representation in 2015, as • once installed, to enable use without the need for human contact the ‘Data processing, hosting and related activities – internet portals’ with the provider; and (according to the OECD classification, which stretches beyond the sole • to be payable either by the user or depending on the capacity used cloud computing services) only represented 4.8 per cent (ie, €3,281 or to be prepaid. billion) overall, in terms of added value (www.entreprises.gouv.fr/ etudes-et-statistiques/numerique-chiffres-cles). These services may include connections via a virtual private network Nonetheless, the cloud computing market is rapidly evolving in (VPN) (www.insee.fr/fr/statistiques/2646317?sommaire=2646324). France like elsewhere. An analysis undertaken by the research firm The different varieties of cloud computing services covered by this Markess estimated its annual growth at 21 per cent in 2017, with a definition are offered in France. Accordingly, in 2016, the services the total of €8.5 billion in turnover. This amount includes additional ser- most frequently used were infrastructure-as-a-service (IaaS, according vices provided in the form of consulting, support or assistance with the to the NIST typology), mainly in the form of file storage (21,974 compa- exploitation. SaaS represents 54 per cent of the total, closely followed nies out of the reportedly 31,687 using cloud computing). Software-as- by IaaS and PaaS (www.usine-digitale.fr/article/le-marche-francais- a-service (SaaS) was also very frequently used by businesses, primarily du-cloud-atteint-8-5-milliards-d-euros-en-2017.N645943). for emails (19,464 companies). Database hosting was in third position (in the platform-as-a-service (PaaS) category). The other significant use 5 Are data and studies on the impact of cloud computing in your of cloud computing included office automation software services and jurisdiction publicly available? software for the management of client relations (source: Insee, TIC 2016 enquiry, TAB07: Use of the cloud computing service by internet). Numerous analyses and official studies have been undertaken on Furthermore, according to the same statistical enquiry, in 2016 the digital sector in France and, more specifically, on cloud comput- the companies that purchased cloud computing services on shared IT ing services, although regular updating is still lacking. The Insee sta- servers (public cloud) were almost as numerous as those that requested tistics (www.insee.fr) and the analyses of the Ministry of Economy servers exclusively reserved for their needs (private cloud). and Finance (www.entreprises.gouv.fr/observatoire-du-numerique/ usages) are the most prominent. 2 Who are the global international cloud providers active in The administration is particularly focused on the modus operandi your jurisdiction? for the different forms of cloud computing and publishes its works for the needs of the public bodies (for example, www.entreprises.gouv.fr/ The principal global providers (Amazon Web Services, Microsoft Azure numerique/guide-du-cloud-computing-et-des-datacenters). and Google Cloud Platform), for which the share of the world market Ad hoc analyses are undertaken by professional organisations such is estimated at 57 per cent (www.lebigdata.fr/microsoft-azure-parts- as EuroCloud (www.eurocloud.fr), which includes 200 service provid- marche-cloud, 30 July 2018), are very active in France. Numerous other ers on the cloud market, or Syntec Numérique, which represents digital international players commercialise their services directly or indirectly service companies, software publishers and technology consultancy in the country (eg, IBM, Rackspace, Oracle, NTT, Fujitsu, Hewlett, companies (www.syntec-numerique.fr). With regard to the users, asso- Salesforce). ciations such as Cigref (www.cigref.fr) or software user clubs such as SAP (www.usf.fr) also publish such analyses. 3 Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide? Policy While the principal global providers are dominant players on the market for both the software-, platform- and infrastructure-as-a-service activi- 6 Does government policy encourage the development of your ties, this market includes numerous less significant and more special- jurisdiction as a cloud computing centre for the domestic ised players in France, including OVH, Cloudwatt and Ikoula (IaaS and market or to provide cloud services to foreign customers? PaaS) (which are listed with the principal global providers among the 10 During the past few years, the public authorities have encouraged the leading providers in the CloudScreener/Cedexis/JDN ranking (www. creation of data-hosting providers (such as Cloudwatt and Numergy) journaldunet.com/solutions/cloud-computing/1167190-comparatif- that can guarantee storage near customers’ sites, on national territory cloud/). As there are numerous providers active in France, some of them (‘sovereign cloud’). can be found among the members of the EuroCloud association (www. In 2018, they launched a strategy to encourage administrations, eurocloud.fr/adherents/) (SaaS, PaaS) or of the Cloud Infrastructure public establishments and local authorities alike to choose cloud com- Services Providers in Europe association (CISPE: https://cispe.cloud/ puting among a variety of options including private cloud as well as pub- publicregister) (IaaS). lic or hybrid solutions (www.numerique.gouv.fr/node/88147).

36 Getting the Deal Through – Cloud Computing 2019

Furthermore, the government greatly strives to open its data to the Nonetheless, in practice, the boundaries are not as clearly defined. public (www.data.gouv.fr). On this count, France is now ranked fourth On the one hand, the telecoms operators offer cloud computing ser- globally (https://index.okfn.org/). vices. On the other, the content providers are more and more seeking to bring their content closer to the end clients and set up cache servers 7 Are there fiscal or customs incentives, development grants in the operators’ networks. Accordingly, in France, about 50 per cent or other government incentives to promote cloud computing of the incoming traffic to telecommunication service providers origi- operations in your jurisdiction? nate from the four main content providers – Google, Netflix, Akamai, There are financial funding and tax benefits that may help support Facebook (source: Regulatory Authority for Telecommunications investments in cloud computing activities but are not reserved for (ARCEP), 2018 Report). This reflects a highly condensed market. them. Yet, the telecoms network operators and the telecommunica- Specifically, financial funding for innovation and loans may tion service providers are subject to obligations specific to them, but be granted in the context of the Investment Plan for Europe (the which could or should also concern cloud computing services, such as Juncker Plan) and may be combined with national funding. The the principle of internet neutrality (governed by (EU) Regulation No. offers are accessible at the Deposits and Consignments Fund 2015/2120 dated 25 November 2015), the protection of personal data, (www.caissedesdepots.fr/developper-le-numerique-sur-le-ter- the protection of confidentiality of correspondence and the neutrality ritoire) and BPIFrance (www.bpifrance.fr/A-la-une/Actualites/ with regard to the content of the messages communicated (CPCE, arti- Systancia-securise-les-applications-dans-le-cloud-35047). cle L32-1). Also, telecoms operators are obliged to ensure the conserva- The companies that invest in cloud computing may also benefit tion of technical communication data for the needs of the prosecution from preferential tax benefits such as tax credit on research and devel- of criminal offences and the fight against terrorism. opment costs, the tax exemption for innovative new companies or the Finally, the CPCE defines and regulates a service category which tax credit for innovation expenses. combines both telecom and cloud computing aspects – the ‘electronic safe’. The purpose of this service is the receipt, storage, removal and Legislation and regulation transmission of data and electronic documents in conditions that must retain their integrity and exactitude of origin (article L.103). The pro- 8 Is cloud computing specifically recognised and provided for viders of these services must set up the security measures necessary to in your legal system? If so, how? meet these conditions and to ensure the traceability of the operations The concept of cloud computing has been acknowledged by the offi- made on the data and documents. They must set up a technical file to cial texts since 2010, when the terminology commission in charge of provide proof of their adherence to the legal requirements. establishing the official definition of new terms in the French language defined the term ‘cloud computing’ as a ‘means of processing client Defence Code (‘Fundamental Operators’) data, the exploitation of which is made via internet, in the form of ser- Since the law of military programming No. 2013-1168 dated vices provided by a service provider’, and provided an official transla- 18 September 2013, the Defence Code submits a specific category of tion of this term in the French language (informatique en nuage). players, the infrastructures and systems of which are strategic for the Law No. 2018-133 26, dated 26 February 2018, defines the ‘cloud country, designated as ‘Fundamental Operators’ (OIV), to specific rules computing service’ as ‘a digital service that enables access to a set of concerning the security of their information systems (article L1332-6-1 flexible and variable IT resources which may be shared’ (which could et seq). Each OIV is obliged to provide a map of its information sys- restrict cloud computing to IaaS and PaaS services). This service is clas- tem, ensure that it is homologated and establish a security policy for sified among the ‘digital services’, along with online marketplaces and its system. The OIVs must inform the Prime Minister of the incidents search engines, for which the providers are obliged to comply with cer- affecting the functioning or security of their information systems. They tain security obligations (see question 9). must enable the ANSSI to carry out audits and must set up any security measures requested by the latter. Such obligations require the service 9 Does legislation or regulation directly and specifically agreements to be adapted, including those that they may enter into prohibit, restrict or otherwise govern cloud computing, in or with digital service providers for cloud computing. outside your jurisdiction? Law No. 2018-133 dated 26 February 2018 transposed Directive General tax code (clients) No. 2016/1148 of the European Parliament and the Council dated All companies are obliged to retain the documents on which the French 6 July 2016, which aims to meet a uniform high level of security for the tax authorities have a right of communication, enquiry and control. networks and information systems set up in the EU (NIS – network and The documents in question must be kept for at least six years (Tax information security). This is the sole text which, to date, directly and Procedure Code, article L102 B). In this context, the use of a cloud com- specifically monitors cloud computing services in France. puting service to store invoices must meet the various conditions con- This law obliges ‘digital service providers’ (including cloud com- cerning the terms of conservation of the documents and the countries puting providers) to identify the risks that affect their networks and of location of the storage servers (Tax Procedure Code, article L102 information systems’ security and to take the technical and organisa- C). The invoices issued or received by a company must remain acces- tional measures necessary for managing these risks, to guarantee the sible from its principal establishment or registered office in France, continuity of their services. regardless of the country of storage. The French tax authorities must These providers must notify the National Cybersecurity Agency of be informed of the location of storage of the invoices. France (ANSSI) of any incident which has a significant impact on the Furthermore, when the accounting department works with auto- provision of their services. Upon the Prime Minister’s initiative, they mated systems (including SaaS), the tax authorities’ right of control may be subject to compliance and security controls, which will be made applies to all the information, data and software processing that are by the same authority. When they offer their services in the EU but are used to establish the results and statements for the tax authorities, as located in a third-party state, such providers must designate a repre- well as the documentation relating to the analysis, programming and sentative in a member state. the performance of IT processing (Tax Procedure Code, articles L13, IV and L47 A,II). 10 What legislation or regulation may indirectly prohibit, restrict For such a purpose, the tax authority may set up its own IT pro- or otherwise govern cloud computing, in or outside your cessing on the company’s equipment. Furthermore, since 2014, all jurisdiction? companies must communicate their online accounting to the tax authorities according to the required standards (Fichier des Ecritures Posts and Electronic Communications Code (CPCE) (telecom Comptables). Finally, the tax authority may, after court authorisation, operators) launch a search and seizure, including the seizure of data hosted on IT French law distinguishes the activities relating to ‘content’ accessible servers. The location of servers abroad does not constitute an impedi- online (eg, user platforms, search engines, site hosting, portal management (Paris Court of Appeal, Division 5, Chapter 7, Order dated 31 ment, edition of online content, etc) from telecommunication services, August 2012). which concern the ‘container’. For example, the telecoms operators are not classified among the ‘digital service providers’ (see question 9). www.gettingthedealthrough.com 37

Others fees for minor offences) and to correspond with them electronically. For Cloud computing transactions are indirectly governed by sector-spe- such purpose, they must respect a general security referential (RGS), cific legislation or regulations, as discussed in question 13, as well as which defines the rules and best practices to be followed, and terms by data protection and privacy legislation applicable to any kind of per- such as certification, official approval or security audits (www.ssi.gouv. sonal data processing, as discussed in question 15. fr/entreprise/reglementation/confiance-numerique/le-referentiel- More generally, all regulations governing business-to-business general-de-securite-rgs/). This general referential indirectly applies to (B2B) relations apply to transactions between cloud computing service the service providers used by the administration, including for cloud providers and businesses. For instance, French Law No. 2016-1691 on computing services. transparency, fight against corruption and modernisation of the econ- In this context, the ANSSI adopted a referential of specific require- omy of 9 December 2016 (Sapin II Law) requires large businesses to ments for cloud computing service providers called ‘SecNumCloud’. take measures to prevent and detect acts of corruption and subornation The last version of this document was published on 11 June 2018 (www. in France. ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1_anssi.pdf). So far, no cloud computing service provider has fulfilled the criteria to 11 What are the consequences for breach of the laws directly be considered as a ‘qualified service provider’. The ANSSI often under- or indirectly prohibiting, restricting or otherwise governing lines that the cloud computing services’ compliance with the RGS – and cloud computing? beyond with the security policy enacted for the state’s information sys- The Law No. 2018-133 dated 26 February 2018 (see question 9) sanc- tems – must not be taken for granted. tions the directors of digital service providers to a fine of €100,000 when they prevent audit and security operations from being carried Public Estate Code (public sector) out in accordance with the law, and a fine of €75,000 when they do not The Public Estate Code defines the legal regime for state archives and comply with security measures that they have been formally required to public entities in general. It sets obligations for their safekeeping, which take as a result of such an audit. If they fail to declare an incident or dis- may only be outsourced if the provider is approved and if the archives close information to the public as legally required, these directors may are kept on French territory (article R212-23). be subject to a fine of €50,000. The Posts and Electronic Communications Code sanctions opera- French Public Health Code (health sector) tors and their agents to a one-year prison sentence and a fine of €75,000 Article L1111-8 of the French Public Health Code requires that health for failure to delete or ensure the anonymity of any data relating to data hosting providers implement specific safeguards, fulfil certain communications or for not retaining technical communication data in commitments and be certified. New criteria for such certification accordance with the legal requirements (article L39-3) (see question are currently being defined by the public health agency (ASIP Santé). 10). Furthermore, those who offer a connection to the public enabling Failure to meet such requirements is sanctioned by a fine of €45,000 an online communication via an internet access, including for free, are and three years’ imprisonment (article L1115-1). required to comply with the provisions applicable to telecoms operators, including to register themselves with the competent regulatory Order dated 3 November 2014 of the French Finance Ministry authority (ARCEP). Accordingly, they are subject to the same sanctions relating to the internal control of companies in the banking sector as telecoms operators (article L34-1). and others (financial sector). The Defence Code sanctions directors of the OIVs to a fine of The French Supervisory and Regulatory Control Body (ACPR), which is €150,000 if they fail to set up a protection plan, to accomplish works in charge of preserving the stability of the financial system and protect- they have scheduled or to carry out the works requested following an ing the customers, insurance policyholders, members and beneficiaries audit, or otherwise fail to comply with their legal obligations (article of the businesses under its control, clarified in 2013 that cloud com- L1332-7). These sanctions may be multiplied five-fold for the operators puting services should comply with the rules governing the outsourc- as legal persons. ing of banking activities. These rules are now set forth in an Order of 3 November 2014. Among other requirements, this text provides that 12 What consumer protection measures apply to cloud the relevant businesses must remain able to terminate at any time the computing in your jurisdiction? outsourcing services they use without this affecting the continuity or With regard to consumers, the cloud computing service providers are quality of the services they provide. obliged to respect the provisions of the French Consumer Code. This More recently, the European Banking Authority issued code regulates the entire relationship with a client, from the obligation ‘Recommendations on outsourcing to cloud service providers’ which to provide pre-contractual information (article L111-1 et seq), the pro- address five key areas: the security of data and systems, the location of cess for entering into an online contract (article L121-16), prohibited data and data processing, access and audit rights, chain sub-processing, or regulated commercial practices and abusive clauses, guarantees, and contingency plans and exit strategies (www.eba.europa.eu). These through to the terms for terminating such contracts. recommendations must be applied by the national authorities (ie, the The pre-contractual information must be provided in a legible ACPR) to the relevant businesses. and understandable manner and a written confirmation of the contract must be provided as well (article L221-5). Insofar as the request Inter-professional Agreement dated 3 October 2016 concerning for cloud computing services usually implies an immediate use, the the obligation to seek continued exploitation relating to usual right of withdrawal that lasts for 14 days will most often not apply cinematographic and audio-visual works (cinema sector). (article L121-21-8 1°). Finally, the consumers benefit from a right of port- In the cinema industry, a trade agreement provides for the film produc- ability of their personal data within the conditions of the General Data ers’ duty to ensure the conservation of the works used to create movies, Protection Regulation (GDPR) (see question 15). so as to guarantee that such works are recorded in digital formats that enable their availability online. This agreement has been made manda- 13 Describe any sector-specific legislation or regulation that tory by government decree. In furtherance thereof, a trade association, applies to cloud computing transactions in your jurisdiction. the Technical Superior Board of Image and Sound, has issued technical A number of sector-specific legislation or regulations that do not spe- recommendations concerning, among others, the material conditions cifically target cloud computing transactions actually apply indirectly for the conservation of works under the contracts concluded with ser- thereto. In regulated sectors (eg, healthcare, banking, etc), regulations vice providers (www.cst.fr: CST-RT043-2017-12-18-12h02.pdf). or recommendations in this respect are usually issued by the authority in charge of the sector. The following provides only a few examples. 14 Outline the insolvency laws that apply generally or specifically in relation to cloud computing. General Security Referential (public sector) The French Commercial Code provides the rules applicable to the Since Decree No. 2010-112 dated 2 February 2010, the state administra- insolvency of companies. No specific provision applies to cloud com- tions, local authorities and other administrative bodies must guarantee puting service providers, even though the consequences of their insol- the security of the information systems that they are using to provide vency could be severe on consumers and professionals alike. the users with online services (for example, the payment of criminal

38 Getting the Deal Through – Cloud Computing 2019

Therefore, appropriate precautions against the loss of data due to The French data protection authority (CNIL) issued recom- such situations should be incorporated into the contractual provisions mendations on cloud computing services in 2012 (www.cnil. governing the services, particularly with regard to reversibility and fr: Recommandations_pour_les_entreprises_qui_envisagent_de_ pricing. souscrire_a des_services_de_Cloud.pdf). Although they need to be updated with the GDPR, these recommendations provide useful guid- Data protection/privacy legislation and regulation ance on how to implement data protection in agreements. 15 Identify the principal data protection or privacy legislation Cloud computing contracts applicable to cloud computing in your jurisdiction. The processing of personal data is subject to the GDPR of 27 April 2016. 16 What forms of cloud computing contract are usually adopted This text is being supplemented by national legislation based on the in your jurisdiction, including cloud provider supply chains (if former law of 6 January 1978, which is still pending finalisation at the applicable)? time of writing. Cloud computing offerings are characterised by a multitude of contract The main data protection rules applicable to cloud computing ser- documents, which for most providers include, as a minimum: vices delivered in France are the same as in the other EU member states • the general conditions; (which was the main reason for enacting a regulation under EU legisla- • the conditions specific to the given service; tion). Nonetheless, the following aspects may be noteworthy. • a service-level agreement defining the key performance indicators and the quality and service level commitments; Data controller and data processor • a data processing agreement or privacy policy defining the commit- In most cases, a cloud computing service provider will be considered as ments and exclusions relating to personal data protection; and a ‘data processor’ (ie, as acting pursuant to and under the instructions • an ‘acceptable use policy’ specifying the lawful conditions for use of its client). The client will, in turn, be considered as the ‘data control- of the service. ler’ (ie, the party who determines the purposes and means of the data processing (articles 4 and 28)). These documents are multiplied according to the requirements of each Consequently, obligations pertaining to the relations with the service, which results in the service providers presenting comprehen- concerned individuals (‘data subjects’) will continue prima facie to be sive and complex catalogues. assumed by the clients. This concerns, in particular, the requirement These standard documents are generally recent and are regularly for the individuals’ consent to the data processing; the duty to mini- updated. The entry into force of the GDPR on 25 May 2018 (see ques- mise data collection to the types of data actually necessary; the duty tions 15 and 19) requires significant adaptations, just like Order No. to keep data up-to-date and for no longer than is necessary to fulfil the 2016-131 dated 10 February 2016 reforming the French law of contracts processing’s purposes; the duty to ensure the security and confidential- (with its ratification Act No. 2018-287 of 20 April 2018). Among various ity of the data against unauthorised or unlawful processing and against provisions aimed at sustaining contractual justice, the new contract law accidental loss, destruction or damage; the duty to respond to individu- indeed provides that a contract that includes a set of non-negotiable als’ requests to correct, delete or transfer their data. On the other hand, clauses that are predefined by one of the parties constitutes an ‘adhe- insofar as they qualify as data processors, the service providers will be sion contract’. responsible mainly for the implementation of technical and organisa- In such a contract, a clause will be considered as non-existent tional measures that ensure a level of security appropriate to the risks where it causes a significant imbalance between the parties’ rights and inherent to the data processing. Their obligations in this respect are obligations. In the event of any doubt, an adhesion contract will be detailed in question 19. interpreted against the party that proposed the contract. Comparisons However, it must be emphasised that the GDPR expressly pro- may be made with the abusive clauses regime which protects consum- vides that the parties to a service contract may be considered as joint ers in business-to-consumer contracts. data controllers. In a market where certain types of cloud computing This new statutory regime may help alleviate certain one-sided services are dominated by a few service providers, this clarification is provisions that thrive in standard cloud computing contracts and help intended to correct some imbalances inherent in adhesion contracts introduce more balance in favour of customers, as will be seen in the (see question 16). following questions. Such a reassessment remains contingent, however, on the application of French law to the contract. Cross-border transfers Under the GDPR, personal data may be transferred out of the EU, pro- 17 What are the typical terms of a B2B public cloud computing vided adequate safeguards are implemented (article 44 et seq). This contract in your jurisdiction covering governing law, requirement also applies to cloud services directed at individuals resid- jurisdiction, enforceability and cross-border issues, and ing in France but based on servers located outside the EU. Thus, the dispute resolution? use of servers outside the EU is not prohibited per se, but it is regulated, Governing law and dispute resolution with a view to granting individuals the same protection as within the EU. Standard contracts always include a clause defining the applicable law Furthermore, data is considered as transferred to any country where and which court has jurisdiction. The service providers thereby submit access to such data is technically possible: the location of the servers is their contracts to the law and courts of the state where their establish- therefore not sufficient to determine whether a cross-border transfer is ment is located. Often, they have an establishment in the European taking place or not. Similarly, one may not consider that cloud services Union. In France, their contracts are therefore often subject to the law based on servers located in France are per se compliant, if the data con- and jurisdiction of a member state of the EU. troller does not ensure that ‘sufficient guarantees’ are provided by the cloud computing service provider. Enforceability The public cloud contracts do not offer much opportunity for negotia- Individuals’ rights tion. As a consequence, the enforceability of their provisions is not nec- In the event that the cloud computing service provider proposes to essarily guaranteed under the law – for example, in regard to the consent transfer personal data out of the EU, the data subjects must be informed given by the client on standard documents that prove to be inaccessible not only that their personal data is processed by a data processor, but or that allegedly should evolve without his or her express approval. also that it is transferred outside the EU (GDPR, articles 13 and 14). In The clients frequently request the right to audit how the services the event that the service provider is faced with a security breach, it are carried out in order to verify their compliance with the provider’s must notify its client without delay and notify the persons whose data is commitments, in particular with regard to security. The GDPR provides involved. Also, the service provider will have to enable ‘data portability’ for this right (article 28.3). Since, in practice, it is difficult and costly for (ie, to enable its client to deliver the personal data upon request to the the providers to continuously accommodate the auditors sent by the cli- relevant data subjects, in a structured, commonly used and machine- ents, the providers try to obtain certifications (eg, ISO 27000) and pro- readable format), and to transmit such data to another controller with- pose in their clauses to communicate their own audit reports in order to out any impediment (article 20). limit the need for the clients to carry out additional verifications. www.gettingthedealthrough.com 39

18 What are the typical terms of a B2B public cloud computing GDPR meets this type of situation by requesting the providers to inform contract in your jurisdiction covering material terms, such their clients beforehand on the legal obligations of communication that as commercial terms of service and acceptable use, and may apply and prohibit them from deferring to such requests if they are variation? not based on a mutual legal assistance treaty or similar (GDPR, articles Flexibility 28 and 48). To date, many clauses still need to be more specific on this Flexibility is a key component of cloud computing contracts. The host- issue. ing services are generally invoiced on the basis of the resources granted to the client (eg, number of servers, CPUs, etc). Agreements usually Location of data and data processing offer the possibility to cease both use and payment of the resources In this context, numerous services attempt to reassure clients by guar- at short notice. Clients may add services or increase their capacity anteeing that the data will only be stored in their country of residence through online portals without the need to sign contract amendments. or elsewhere in the European Union. The clauses often provide that the Flexibility is also reflected in the contract duration, which may run by client may or will be informed of any modification of the location or the month, thereby enabling the clients to include the costs in their country of storage. Under the GDPR, the client’s approval as data con- operating expenses. troller is required and must be given prior to such modifications. It must be restated that this consent is necessary for any kind of data transfer: Acceptable use this is not limited to the country where data is stored, but applies to all A cloud computing contract generally includes clauses to define limi- the countries where access to the data is possible. tations of use of the service by the client and its employees (often When the cloud computing provider acts solely as a data proces- grouped together in an ‘acceptable use policy’ appendix). Usual clauses sor within the meaning of the GDPR (ie, does not define the aims and prohibit: means of the data processing), the GDPR requires that its agreement • use beyond the client’s internal business purposes; with the data controller specifically define certain obligations (article • use violating third parties’ intellectual property rights; and 28), including for the provider: • use for unlawful purposes, including to harass, defame or abuse • to process the client’s personal data only on documented instruc- third parties or to post obscene, violent or discriminatory content. tions from the controller, including with regard to cross-border transfers; Although cloud computing services are often presented as being ‘con- • to implement appropriate technical and organisational measures tent neutral’ and customers’ data considered as protected by confiden- to ensure a level of security appropriate to the risk. Such measures tiality, service providers reserve the right to enquire about suspicious may include, as appropriate: use and to suspend access and to put an end to the service in the event • pseudonymisation and data encryption; whereby the client’s data would appear to infringe upon the restrictions • ensuring the ongoing confidentiality, integrity, availability and of use. resilience of processing systems and services; This reflects the increasingly stringent legal constraints to ensure • maintaining the provider’s ability to restore the availability that the internet players assume responsibility for the online content. and access to personal data in a timely manner in the event of For example, an employer must ensure that his or her internet access a physical or technical incident; and is not used by his or her employees to replicate or disseminate works • regularly testing and evaluating the effectiveness of the meas- protected by copyright (article 336-3 of the French Intellectual Property ures taken to ensure the security of the processing; and Code). This indirectly concerns the cloud computing service provider • to engage sub-processors only with the client’s prior authorisation working for such employer. and to have them subject to the same data protection requirements.

19 What are the typical terms of a B2B public cloud computing 20 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality contract in your jurisdiction covering liability, warranties and considerations? provision of service? Confidentiality Service levels and warranties The terms and conditions covering data and confidentiality in con- The stakes of the cloud computing contracts reside in the characterisa- tracts subject to French law are similar to those found under other laws. tion of the providers’ obligations, with the well-known contrast under By way of principle, cloud service providers undertake to protect the French law between the best-efforts obligation (for example, ‘the ser- confidentiality of their clients’ data. Access to such data is granted to vice provider will use commercially reasonable efforts to provide the their employees on a ‘need-to-know-only’ basis, insofar as required to services with the level of diligence and competence that could rea- deliver the services. Reference is often made to the employees’ indi- sonably be expected for services of a such nature and of a complexity vidual confidentiality commitment, which is required by the GDPR and substantially similar to that of the services’) and the performance obli- will usually be provided for in labour contracts. gation (‘the provider guarantees the continuous availability of the ser- Unlike pure players, which focus their services on the provision of vice during business hours’). In general, the service provider contracts infrastructure and/or storage for clients’ data and purport to be ‘con- avoid guaranteeing the availability and performance of their services tent agnostic’, cloud service providers which provide software or other or formulate service levels and exceptions (eg, planned maintenance, value added services often seek to gain a right to access and use cus- minimum downtime, etc) that enable a large degree of latitude. tomers’ data with a view to building up ‘big data’ pools on their own. The challenge for the cloud computing service providers is indeed This will often be provided for through a clause enabling such use to offer a service that is ready-to-use and works ‘end-to-end’, whereas, for the purpose of ‘improving the services’ or ‘customising the cus- in practice, they do not master the production chain which begins at tomer’s experience’ of the service. Such purpose often covers targeted their servers through to their clients’ workstations. The cloud providers advertising. are rarely telecoms operators and do not operate the internet connec- In such circumstances, the confidentiality of individuals’ data may tions. Furthermore, SaaS providers rarely own their data centres and, be jeopardised. For example, in July 2016, the CNIL noticed that through accordingly, are dependent on hosting providers. The IaaS and PaaS the processing of users’ data for Windows applications, Microsoft was providers are, in practice, the ones actually in control of the service lev- obtaining information on all the applications downloaded and installed els concerning the availability, reliability and quality of the cloud com- by the users as well as the time spent on each application, which was puting services. For these reasons, the service-level agreements are not necessary for providing the service. Furthermore, an advert ID was often sanctioned by a notion of ‘service credit’, which allegedly com- activated by default upon the installation of Windows 10, which ena- pensate for a default in the service with an extension of its duration. bled Microsoft to follow the user’s browsing and to target the advertisements without the latter’s prior consent. The corrections requested by Liability the CNIL have since been made. As the cloud computing services market is dominated by a few global The confidentiality clauses also show their limits in front of leg- infrastructure and platform providers, the liability clauses signifi- islation requiring the service providers to disclose users’ data to their cantly restrict their indemnification commitments. The liability cap in governmental authorities (eg, US Patriot Act and US Cloud Act). The the event of a loss of client data is frequently fixed at the level of the

40 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Féral-Schuhl/Sainte-Marie and Arsene Taxand FRANCE monthly instalment paid by the client although, under French law, any clause that nullifies the debtor’s essential obligation will be considered Update and trends void (New French Civil Code, article 1170). With regard to the damages applicable in the event of The software publishers strongly recommend their clients replace their on-premise applications by cloud computing services non-compliance with the GDPR, a client may only request a guarantee (SaaS), which allow for economies of scale but tend to make the from its cloud computing provider insofar as the latter acted as a ‘sub- clients more dependent. The underlying hosting market (IaaS) contractor’ and failed to comply with his or her regulatory obligations progressively covers nearly all IT services. This trend raises specific to sub-contractors or with the instructions received from his or questions about the risks related to the concentration of this market her client in this regard (article 82). to a few global players. The research firm Gartner expressed this concern early in 2018: 21 What are the typical terms of a B2B public cloud computing ‘The increasing prevalence of the IaaS hyper-scale providers create contract in your jurisdiction covering intellectual property both enormous opportunities and challenges for the end users and rights (IPR) ownership in content and the consequences of the other market players . . . The companies should be cautious concerning the uncontrolled influence of the IaaS providers on infringement of third-party rights? the clients and the market’ (www.solutions-numeriques.com: The terms and conditions governing intellectual property rights (IPRs) cloud-public-une-croissance-du-marche-mondial-de-214-en-2018- in contracts subject to French law are similar to those found in contracts liaas-en-progression). subject to other laws: typically, each party remains the sole rightsholder The record fine of €2.42 billion issued on 27 June 2018 by on all the IPRs applicable to its materials, that is, the software programs the EU Commission to Google for having abused its dominant it provides via the services, as regards the service provider, and the data position on the search engines, with a view to benefiting its price- comparison engine and downgrading those of its competitors in and third-party software programs stored in the cloud and used by the the users’ search results shows the risks entailed by this type of client, as regards the latter. dominant position (www.huffingtonpost.fr: lunion-europeenne- Licence rights are granted by each party to the other insofar as nec- inflige-a-google-une-amende-record-de-2-4-mil_a_23003706/). essary for the other party’s supply or use of the services, as applicable. The GDPR (see question 15) opens the door for a number of Customisation is not typical of standard services such as IaaS and PaaS, subjects to be varied or adapted at the national level. Legislative but should this arise in the form of copyrighted work (eg, specific devel- and regulatory initiatives should be monitored throughout the opments), the service provider will, in general, grant licence rights and coming year. avoid any IPR assignment to the client. In the same vein, cloud computing contracts require each party to indemnify the other against any infringement claims from third par- 23 Identify any labour and employment law considerations that ties. Often, the service providers’ standard terms and conditions will apply specifically to cloud computing in your jurisdiction. entitle them to terminate their services in cases where the client is In cases where activities are transferred from one company to another, found to infringe third-party rights. the Labour Code will govern the transfer of employment contracts (articles L1224-1 and L1224-2). A contract for the supply of private cloud 22 What are the typical terms of a B2B public cloud computing computing services may be part of or may follow such a transfer of per- contract in your jurisdiction covering termination? sonnel from the client to the service provider. However, it will usually Term and termination rather be considered as an outsourcing contract. In general, cloud com- Cloud computing contracts are usually entered into for a fixed term, puting contracts per se are indeed not understood to involve a transfer typically from one month to one year. This duration may be extended of personnel by the client. This is reflected in the statutory definitions or renewed, expressly or tacitly, but the client does not necessarily of cloud computing (see questions 8 and 9), which do not refer to such benefit from a renewal guarantee. In this regard, the new French law an element. of contracts sets forth that no party may impose the renewal of a contract (Civil Code, article 1212). Therefore, attention should be paid to Taxation the notice period and the terms of renewal. 24 Outline the taxation rules that apply to the establishment and More traditionally, the termination clauses provide an exit right for operation of cloud computing companies in your jurisdiction. each party in the event of non-compliance by the other party. In non- negotiated contracts, it will be difficult for the client to use such clauses Despite the recurring trend for the implementation of sectorial taxes as a credible threat against non-compliance relating to the service level on companies or digital services (eg, tax on bandwidth or the data or quality of the service provision. exchanged), the cloud computing service providers are currently subject solely to the standard corporate tax, at 33.33 per cent. This rate will Reversibility progressively diminish to reach 25 per cent in 2022. At the end of a cloud computing service, the client must recuperate its Nonetheless, as cloud computing providers may exercise an activ- assets (ie, programs and data). As they are standard , the reversibility of ity in a country without any human and material resources and, accord- the IaaS and PaaS services does not require the transfer of know-how ingly, may be considered as not having a ‘fixed establishment’ in the and knowledge specific to the provider. Nonetheless, assistance from country, French corporate tax does not apply equally to all the providers the latter is often available as an option. of the sector that sell services in France. The judgment rejecting the tax- However, the specificities of a program implemented on the cloud ation of Google Ireland Limited imposed by the French tax authorities (eg, specific developments and settings according to the client’s busi- is a relevant example (Paris Administrative Court, Google, 12 July 2017). ness rules, etc) and data formats set up by the provider (sometimes This situation should evolve in the coming years with the progressive proprietary or using variants of the existing standards) may result in a modification of the applicable international rules, and in particular, the lockout of the client. The reproduction of the existing solution or the redefinition of the notion of fixed establishment. system’s output available for data migration may also pose a problem. Despite their multitude, contractual documents are often lacking spec- 25 Outline the indirect taxes imposed in your jurisdiction that ifications and commitments in this regard (see question 26). apply to the provision from within, or importing of cloud The entry into force of the GDPR should encourage the emer- computing services from outside, your jurisdiction. gence of more adapted stipulations, as this text obliges data control- The French General Tax Code classifies the cloud computing services lers to enable ‘data portability’ (see question 15). The clients could use in the category of ‘electronic service provisions’ (appendix 3, article 98 this as guidance to address the practical issues raised by reversibility C, c). These services are subject to the standard VAT rate (20 per cent). situations. In any case, healthy competition between several providers The application of VAT to the cloud computing services entails and services remains the most effective tool in order to avoid harmful complexity, as the location of the provider’s taxation varies depending dependence. on whether the client is itself liable to charge VAT (the location is then his or her establishment in France) or not (the location of taxation is the place where the beneficiary of the services is established, at his or her domicile or habitual residence, including abroad) (article 259 et seq). www.gettingthedealthrough.com 41

Whether they are established in the EU or not, the service providers Versailles Court of Appeal, 19 May 2015, No. 14/08016 may follow a special tax regime for clients that are not VAT collectors, In the context of an objection procedure against the registration of which provides a Mini One-Stop-Shop mechanism to liquidate VAT a trademark ‘CLOUD CUBE’, the Versailles Court of Appeal judged owed in the various member states of the EU. that the term ‘CLOUD’ can be readily understood by the consumer as referring to the expression ‘cloud computing’ and, consequently, that Recent cases it already shows the destination of a certain number of products and services. Accordingly, it cannot be considered to be distinctive. The dis- 26 Identify and give details of any notable cases, or commercial, missal for the registration of the trademark was being requested by the private, administrative or regulatory determinations within holder of a prior trademark ‘+ LE CUBE’ and was upheld by the court. the past three years in your jurisdiction that have directly involved cloud computing as a business model. Nanterre Tribunal de grande instance, interim order, 30 Paris Administrative Court, Google, 12 July 2017 November 2012, UMP v Oracle Even though the French administration focused on the search engine This former case is still an important reference in the area of cloud com- activity and the income gained from the advertising services invoiced puting as it addresses reversibility issues, which rarely come before the by Google to its French clients (AdWords), the discharge by the courts. The claimant was a political party that had subscribed to a SaaS Administrative Court of the tax reassessments requested in terms of provider for the management and hosting of the database of its adher- corporate tax, withholding tax, VAT and various contributions could ents. As it intended to revert to another IT provider upon the expiry of also apply to cloud computing services (see question 25). This litiga- the contract, the party tried to recover its data, but the exportation tool tion presents a significant challenge for the business model used by the set up by Oracle was not working. The court ordered the provider to pro- cloud computing service providers (http://paris.tribunal-administratif. vide the necessary means for this exportation immediately, or to guar- fr/Actualites-du-Tribunal/Communiques-de-presse/La-societe- antee the extension of its service without cost for two months beyond irlandaise-Google-Ireland-Limited-GIL-n-est-pas-imposable-en- the date on which the exportation would become possible (www.legalis. France-sur-la-periode-de-2005-a-2010). net/jurisprudences/tribunal-de-grande-instance-de-nanterre-ordon- nance-de-refere-30-novembre-2012/).

Olivier de Courcel [email protected] Stéphanie Foulgoc [email protected]

24, Rue Erlanger Tel: +33 1 70 71 22 00 75016 Paris Fax: +33 1 70 71 22 22 France www.feral-avocats.com

Alain Recoules [email protected]

32, Rue de Monceau Tel: +33 1 70 38 88 00 75008 Paris Fax : +33 1 70 38 88 10 France www.arsene-taxand.com

42 Getting the Deal Through – Cloud Computing 2019

Germany

Thomas Thalhofer and Lars Powierski Noerr LLP

Market overview Probably due to the fact that cloud computing is one of the ‘driver technologies’ of the fourth industrial revolution, its use is growing rap- 1 What kinds of cloud computing transactions take place in idly. Already in 2017, Bitkom – an association representing most of the your jurisdiction? companies of the digital economy in Germany – spoke of the ‘boom- In Germany, almost all types of cloud models are used. The use of ing’ use of cloud computing in companies. infrastructure-as-a-service (IaaS) – in particular, any kind of stor- According to the Cloud Monitor 2018, two out of three companies age services – is already widespread in the private sector. The use of in Germany use cloud computing solutions in their company. Pursuant platform-as-a-service (PaaS )and software-as-a-service (SaaS) are also to a statistical report published by Statista, the total turnover in the field increasing rapidly. German companies are more willing to implement of cloud computing in the B2B-sector in Germany is forecast to reach their core business processes using PaaS and SaaS. One trend, for €22.5 billion in 2020. example, is the outsourcing of enterprise resource planning (ERP) systems to the cloud. In the context of this development, public and hybrid 5 Are data and studies on the impact of cloud computing in your cloud models are gaining increasing acceptance, although most cloud jurisdiction publicly available? services currently used by German companies are still based on private There are several studies publicly available regarding cloud computing cloud models/classic on-premise software. in Germany. However, most of these studies are conducted by stake- Acceptance of cloud services in the public sector is not as high as holders of the cloud computing market and are, therefore, not scientific in the private sector but there are political plans to make greater use studies. of cloud services in public administration. Nevertheless, there is still The Cloud Monitor (see question 4) is a valuable source of infor- scepticism about public and hybrid cloud models, so planning of the mation. The Cloud Monitor is an annual survey of German companies federal and regional governments is primarily focused on the develop- using cloud services, published by Bitkom and KPMG. It provides a ment of self-operated private cloud models. One lighthouse project, good overview of the current trends and developments in the German for example, is the ‘federal cloud’, which is operated as IaaS by the cloud market. Federal Information Technology Centre (ITZBund, a German federal Furthermore, Destatis offers detailed statistical information on the government-owned IT service provider) and can be used by any federal use of information and communications technology in Germany. authority. Policy 2 Who are the global international cloud providers active in your jurisdiction? 6 Does government policy encourage the development of your Almost every major international cloud provider offers cloud services jurisdiction as a cloud computing centre for the domestic in Germany. In particular Amazon, Microsoft, IBM and Google are market or to provide cloud services to foreign customers? highly visible in the market. Other ambitious international cloud pro- The federal government funds various scientific projects and business viders, such as Alibaba, Rackspace or Salesforce, are trying to establish platforms in the context of cloud computing. themselves in the market. For example, back in 2010 the Federal Ministry of Economics and SAP, one of the largest German software providers, is expanding Energy initiated the project ‘Trusted Cloud’. An important element strongly in the German and international cloud market with its ‘SAP of the project is the ‘Trusted Cloud Platform’ that provides compre- Cloud Platform’. hensive information on certificates and standards relevant for cloud computing as well as an independent marketplace for trustworthy 3 Name the local cloud providers established and active in your cloud services. Prerequisite for listing as a ‘Trusted Cloud Service’ in jurisdiction. What cloud services do they provide? the marketplace is a contractual warranty from the provider that cer- There is a very differentiated market for cloud services in Germany. tain minimum requirements on transparency, data protection and On the one hand, there are only a few local full-service cloud providers IT-security are met. competing with the major international cloud providers. On the other Furthermore, in 2017, the Federal Ministry of Economics and hand, there is an increasing number of small and medium-sized cloud Energy initiated the European Cloud Service Data Protection providers specialising in a particular type of cloud product, a certain Certification (AUDITOR) project. AUDITOR’s goal is to design, imple- industry or certain use cases. ment and test a sustainable EU-wide data protection certification of cloud services on the basis of the General Data Protection Regulation 4 How well established is cloud computing? What is the size of (GDPR) (see question 15). the cloud computing market in your jurisdiction? In the 2018 Global Cloud Computing Scorecard recently published by the BSA|The Software Alliance, Germany is ranked number one out Cloud computing is a dynamic and fast-growing market and there is an of 24 countries examined with regard to the regulatory and political increasing acceptance of cloud computing in Germany. Not only large framework for cloud computing. enterprises but also an increasing number of small and medium-sized enterprises (SMEs) use cloud computing services. Nevertheless, a study by the Federal Statistical Office of Germany, Destatis, from 2016, states that the extent of use of cloud computing by German companies still depends on the size of the company.

www.gettingthedealthrough.com 43

7 Are there fiscal or customs incentives, development grants mainly depends on the nature, the purpose and the business context of or other government incentives to promote cloud computing the respective cloud service. operations in your jurisdiction? In any event, data protection law and particularly the new EU Data There are no fiscal or customs incentives for cloud computing in Protection Regulation EU 2016/679 have a great impact on almost Germany. every cloud service and can be regarded as the most important regula- The EU, the federal government as well as the governments of tion indirectly governing cloud computing (see question 15). the federal states of Germany offer a wide variety of different funding The provision of a service based on cloud technology is in principle programmes to promote the digitisation of the European or German not subject to the Telecommunications Act (TKG) even if data is trans- economy. Depending on the individual programme, grants, loans or ferred between individual physical servers in the cloud and is therefore guarantees are granted. In particular, support is provided to SMEs. not governed by telecommunications regulations. The Foerderdatenbank provides a comprehensive overview of the Exceptionally, however, a cloud service may be subject to the available funding programmes. Particularly worth mentioning is the TKG if it includes communication services such as Voice over Internet ‘ERP-Digitalisierungs- und Innovationskredit’ programme of the Protocol, video conferencing, instant messaging or email services. If so, Kreditanstalt für Wiederaufbau (a German federal government-owned the cloud provider is, inter alia, subject to strict rules on secrecy of tel- development bank). Under this programme, SMEs can obtain low- ecommunications and has to register with the Federal Network Agency. interest loans of up to €5 million to invest in their digital infrastructure. Furthermore, the tax regulations relating to the keeping of accounts and records (see section 145 et seqq, Fiscal Code) must be taken into Legislation and regulation account when outsourcing accounting to the cloud.

8 Is cloud computing specifically recognised and provided for 11 What are the consequences for breach of the laws directly in your legal system? If so, how? or indirectly prohibiting, restricting or otherwise governing German law does not provide a specific legal framework for cloud cloud computing? computing. In particular, there is neither a ‘cloud’ or ‘IT act’ nor does In the event of a breach of the laws governing cloud computing, the fol- German contract law provide specific rules for cloud computing con- lowing four consequences are relevant: tracts. Hence, legal matters relating to cloud computing are governed • It is conceivable that a competent supervisory authority will initi- by the general legal provisions, in particular the GDPR and the German ate administrative proceedings and take the necessary measures Civil Code. to remedy the infringement. The authorities could, for example, Consequently, in practice the courts, supervisory authorities and impose prohibitions or duties to act on the person responsible. Such legal literature have a strong role in interpreting the general legal provi- administrative acts can be enforced with a fine or by way of substi- sions in the context of cloud computing. tute performance at the expense of the person responsible. The data protection authorities in Germany have already pub- • It is conceivable that an administrative fine will be imposed on lished a joint guideline on cloud computing in 2014. The guideline the person responsible. The possible amount of the fine varies ‘Orientierungshilfe – Cloud Computing’ provides an overview of from one law to another and depends on the circumstances of the the opinion of the German data supervisory authorities on the most individual case. However, in particular, a breach of the GDPR (see relevant data protection issues in the context of cloud computing. question 15) can be subject to a very high administrative fine up to However, the legal requirements and references of the guideline still €20 million, or in the case of an undertaking, up to 4 per cent of the correspond to the old data protection law that applied until the GDPR total worldwide annual turnover of the preceding financial year, came into force. A new version of the guideline that takes into account whichever is higher. the requirements of the GDPR, in particular the provisions on data • It is conceivable that a breach of law governing cloud computing processing, is currently being prepared by the German data protection can also be a criminal offence, for example, in case of an unlawful authorities. deletion or suppression of data by the cloud provider (see section 303a, German Criminal Code) or in case of data espionage of the 9 Does legislation or regulation directly and specifically cloud provider (see section 202a, German Criminal Code). prohibit, restrict or otherwise govern cloud computing, in or • It is conceivable that other market participants or cloud customers outside your jurisdiction? assert claims for injunctive relief and damages on the basis of com- Until recently, German law neither directly regulate cloud computing petition law or contract. nor was the term ‘cloud computing’ used in German law. As already explained in question 9, there is still no specific legal framework for 12 What consumer protection measures apply to cloud cloud computing in Germany. computing in your jurisdiction? Recently, however, section 2, paragraph 11 of the Act on the Federal German civil law contains a large number of consumer protection Office for Information Security (BSIG) introduced the first legal defi- regulations. Important for cloud providers are above all the rules on nition of cloud computing to the German law. According to this defi- distance contracts (see section 312c et seqq, German Civil Code) that nition, ‘cloud computing services’ are services that allow ‘access to a impose extensive information duties on the cloud provider concerning scalable and elastic pool of shareable computing resources’. These its identity, its contact details and the modalities of the relevant cloud services must meet different IT-security requirements if the cloud pro- service. Furthermore, the consumer, in principle, has the right to with- vider exceeds a certain company size. In particular, sufficient technical draw from a distance contract on cloud computing services within a and organisational measures must be taken to establish IT security and period of 14 days. cloud providers affected by the BSIG must report all security incidents Moreover, there are limitations for the use of standard business that have a significant impact on the respective cloud service to the terms in B2C contracts. Section 308 and section 309 of the German Federal Office for Information Security. Civil Code stipulate a comprehensive catalogue of prohibited clauses. This can be regarded as the first direct regulation of cloud comput- For example, there are restrictions for the exclusion or limitation of ing in German law. liability as well as on the duration of the contract and on price increase clauses. Additionally, there is a general test of reasonableness of the 10 What legislation or regulation may indirectly prohibit, restrict content of standard business terms, which is handled very strictly by or otherwise govern cloud computing, in or outside your the courts with regard to standard business terms for B2C contracts. jurisdiction? Experience shows that most of standard business terms designed The German law is quite differentiated and includes a wide variety for cross-country use not do not comply with these provisions. Hence, of different regulations that could have an indirect impact on cloud it is advisable to use specific standard business terms for the German computing. In general, every law that governs business activities and European market. in Germany can be applicable on cloud computing. Because cloud For the sake of completeness, it should be noted that it is not pos- computing by itself is not a concept that is specifically recognised in sible to exclude the application of these provisions by a choice of law German law, each individual cloud service should to assess which laws of foreign law because the Regulation (EC) No 593/2008 (Rome I) for- and regulations need to be considered. The answer to this question bids any choice of law that have the result of depriving the consumer of

44 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Noerr LLP GERMANY the protection afforded to him or her by provisions of the country of its data by the cloud provider, whether the data is contained in user log- habitual residence if this is a member state of the EU. in credentials or in content stored or processed by means of the cloud. Attention should also be paid to the provisions on alternative dis- The GDPR applies, inter alia, to the processing of personal data in pute resolution laid down in Regulation (EU) No 524/2013 and the Act the context of the activities of an establishment of a controller or a pro- on Alternative Dispute Resolution in Consumer Matters which, inter cessor in the EU. Hence, the GDPR must always be taken into account alia, includes several information duties. if the cloud provider is located in the EU or if the customer is subject to the GDPR. 13 Describe any sector-specific legislation or regulation that The GDPR sets high standards to the processing of personal data. applies to cloud computing transactions in your jurisdiction. In case of non-compliance substantial administrative fines can be As already discussed, the BSIG imposes IT-security requirements on imposed on the customer or the cloud provider. Infringements of the cloud services if the cloud provider exceeds a certain company size (see GDPR can be subject to administrative fines up to €20 million, or in the question 10). Besides this, the BSIG also addresses operators of ‘critical case of an undertaking, up to 4 per cent of the total worldwide annual infrastructures’. Companies in the water, energy, nutrition, health, tel- turnover of the preceding financial year, whichever is higher. ecommunications, finance, insurance and logistics sectors may there- The German supervisory authorities are becoming more and more fore be obliged to meet the IT-security requirements laid down in the active in enforcing the GDPR. Therefore, compliance with GDPR is BSIG when using cloud services and only collaborate with cloud provid- very important and can be regarded as a key challenge in setting up ers that also meet these requirements. new cloud services as well as in the daily business of cloud computing. In addition, there are other industry-specific regulations that can All provisions set out in the GDPR basically are aimed at fulfilling impose special organisational obligations on companies or restrict the and safeguarding the following general principles. Personal data will outsourcing of business processes to the cloud. Such regulations exist, be: for example, for: • processed lawfully, fairly and in a transparent manner in relation to • the financial sector (see the Banking Act; the Payment Services the data subject (lawfulness, fairness and transparency); Supervision Act; the Securities Trading Act; and the Investment • collected for specified, explicit and legitimate purposes and not Code); further processed in a manner that is incompatible with those pur- • the insurance sector (see the Act on the Supervision of Insurance poses (purpose limitation); Undertakings); • adequate, relevant and limited to what is necessary in relation to • the telecommunications sector (see TKG); the purposes for which they are processed (data minimisation); • the energy sector (see the Energy Industry Act); and • accurate and, where necessary, kept up to date; every reasonable • the healthcare sector. step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or In practice, these regulations are specified by comprehensive interpre- rectified without delay (accuracy); tative decisions of the supervisory authorities such as the Minimum • kept in a form that permits identification of data subjects for no Requirements for Risk Management for the financial sector and the longer than is necessary for the purposes for which the personal Supervisory Requirements for IT in Financial Institutions published by data is processed (storage limitation); and the Federal Financial Supervisory Authority. • processed in a manner that ensures appropriate security of the In cases where customers are bound to a special professional personal data, including protection against unauthorised or unlaw- secrecy, such as lawyers, tax consultants or health care providers, spe- ful processing and against accidental loss, destruction or damage, cial attention should be paid to section 203, Criminal Code that makes using appropriate technical or organisational measures (integrity the unauthorised disclosure of professional secrets a criminal offence and confidentiality). and only permits the transfer of such secrets to the cloud under restrictive conditions. Furthermore, professional law should also be taken Furthermore, the controller will be responsible for, and be able to dem- into account in these cases. onstrate, compliance with the GDPR at any time (accountability). If one picks out the rules within the GDPR that are particularly 14 Outline the insolvency laws that apply generally or specifically important for cloud computing, it would be the provisions concerning in relation to cloud computing. data processing and data transfer to third countries. The cloud provider processes customer content uploaded to the No specific cloud computing or IT insolvency law exist. Thus, the gen- cloud for and on behalf of the respective customer and not for its own eral legal framework, in particular, the German Insolvency Statue, is purposes. Accordingly, the cloud provider is to be qualified as the applicable to a cloud provider in the event of insolvency. customer’s data processor within the meaning of article 4, paragraph If a cloud provider files for insolvency, in most cases, an insolvency 8, GDPR. Consequently, article 28, GDPR, which stipulates special administrator is appointed. The insolvency administrator is, in princi- requirements to the data processing, is applicable to cloud services. ple, entitled to refuse to perform the cloud contract at its discretion. If First of all, the customer is obliged to choose carefully the right so, the customer is entitled to claim the separation of his or her data cloud provider. The customer should use only cloud providers pro- stored in the cloud (section 47, Insolvency Statue). This means that the viding sufficient guarantees to implement appropriate technical and customer can request the insolvency administrator to transmit the data organisational measures in order to ensure that the data processing will stored in the cloud to him or her or to delete the data from the cloud but meet the requirements of the GDPR. also that the insolvency administrator can immediately stop the provi- Furthermore, the cloud provider and the customer are obliged to sion of the respective cloud service. agree on a data processing agreement that includes the necessary con- Alternatively, the insolvency administrator may decide to content laid down in article 28, paragraph 3, GDPR. tinue the cloud contract. In this case, cloud services will continue to be If the infrastructure of the respective cloud service is located in available even during the insolvency proceedings. However, from the a third country (ie, outside the EU), the cloud service is subject to the customer’s perspective, it is very uncertain if and for which period of special provisions for a transfer of data to third countries laid down in time the cloud provider is financially able to continue the provision of article 44 et seqq, GDPR. Any transfer of personal data to the relevant the cloud services. Hence, it should be carefully assessed whether the cloud service in principle will take place only if an adequate level of data cloud contract could be terminated by the customer. protection is ensured in the relevant third country. Such transfer of personal data may take place where the cloud Data protection/privacy legislation and regulation infrastructure of the respective cloud service is located in a country 15 Identify the principal data protection or privacy legislation that is subject of an adequacy decision of the European Commission. applicable to cloud computing in your jurisdiction. At present, this includes Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and On 25 May 2018, the Regulation (EU) 2016/679 (General Data Uruguay. Transfer to the US is possible under the condition that the rel- Protection Regulation (GDPR)) became effective. The GDPR stipulates evant cloud provider meets the requirements stipulated in the EU–US a comprehensive framework for the processing of personal data. The Privacy Shield. use of cloud computing generally entails the processing of personal www.gettingthedealthrough.com 45

18 What are the typical terms of a B2B public cloud computing Update and trends contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and The implementation of the GDPR is a main challenge in the variation? context of cloud computing. Many provisions of the GDPR are formulated rather vaguely and generally. In practice, there are Agreements on the remuneration of the cloud provider vary depend- many uncertainties in the interpretation of the GDPR, which are ing on the service. SaaS are often charged by the number of users/per still to be clarified by the courts, the supervisory authorities and the application. IaaS and PaaS are often billed according to the volume of legal literature. This development requires constant monitoring data processed. It is common that additional fees are charged for sup- and, if necessary, adjustment of the measures taken to implement porting services (eg, consulting, training, data migration). Many con- the GDPR. tracts contain a price increase clause, which must, however, meet the Furthermore, it is currently being discussed in Germany and strict requirements of the Price Clause Act in order to be effective. If at EU level whether the legislator should regulate the ownership of non-personal data as a specific right and how such a right could such clause is contained in standard business terms, the provisions be structured. In particular, the question arises as to who should of the German Civil Code on prohibited clauses (section 307 et seqq) retain ownership of newly generated data. The creation of such data must also be taken into account. ownership would likely have a significant impact on the design of B2B public cloud computing contracts in Germany usually contains contracts for cloud services. rules on the acceptable use or refer to an ‘acceptable use policy’. Such There are currently no significant reform projects on the legal rules usually prohibit the use of cloud services for any kind of illegal framework for cloud computing in Germany. activities, in particular using the cloud services for the infringement of intellectual property rights, to send spam emails, to carry out denial-of- service attacks or to distribute malware. If there is no such adequacy decision, it is necessary that the relevant cloud provider provides appropriate safeguards for the respective 19 What are the typical terms of a B2B public cloud computing cloud service as set out in article 44 et seqq GDPR. The most impor- contract in your jurisdiction covering data and confidentiality tant instruments to do so in practice are the ‘standard data protection considerations? clauses’ (SDCs). The SDCs are provided by the European Commission Usually B2B public cloud computing contracts in Germany require and need to be entered into between the cloud provider and the cus- the cloud provider to take measures in order to ensure the confiden- tomer as a binding contract. tiality of the data processing and the integrity and availability of the processed data. It is common practice to agree on an addendum to the Cloud computing contracts contract that includes a detailed catalogue on the technical and organi- 16 What forms of cloud computing contract are usually adopted sational measures to be implemented by the cloud service provider. in your jurisdiction, including cloud provider supply chains (if Furthermore, the cloud service provider is often obliged to comply applicable)? with information security standards such as the ISO/IEC 27000 Series and to provide the customer with a certification according to these In civil court jurisdiction and in the German legal literature, it is con- standards. troversial which provisions of the contract law (see German Civil Code) With regard to the GDPR, which permits the transfer of personal may apply to cloud computing contracts. So far, there is no common data to third countries only under strict conditions (see question 15), opinion on this issue. However, in essence, one may state that most of some German customers require that the data processing should only the cloud contracts are a hybrid of different contract types. take place on servers located in Germany or in the EU. Most of the Against this background, it is common practice in Germany to reg- German and the major international cloud providers offer such geo- ulate all issues relevant to the parties in connection with cloud services graphical restriction for an additional charge. by detailed individual contractual agreements or by comprehensive standard business terms. 20 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and 17 What are the typical terms of a B2B public cloud computing provision of service? contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and It is common practice that cloud providers attempt to limit their liabil- dispute resolution? ity in their standard business terms. In most of the commonly used liability limitation clauses, the liability of the cloud provider is limited to Article 3, paragraph 1 Regulation (EC) No. 593/2008 (Rome I) provides personal damage, damage caused by gross negligence or wilful miscon- the parties of a B2B public cloud computing contract the freedom of duct, damage caused by material breach of contract and claims arising choice on which law should govern their contractual relationship. from guarantees or the basis of the Product Liability Law. Additionally, Which law is actually chosen by the parties usually depends on liability is often limited to the typical and foreseeable damage or to a where the cloud provider is located. Most of the German cloud provid- certain amount in total for all claims arising from the respective cloud ers are not willing to agree on the application of foreign law on their contract or to a certain amount per event of damage. cloud services and only accept an explicit choice of German law, which For limitations beyond what is stipulated above, it is questionable if would be applicable anyway if no explicit choice of law was made. such liability clauses comply with German law, which only allows limi- Contrary to that, the standard business terms of the major interna- tation of liability clauses in standard business terms to a very limited tional cloud providers usually contain a choice of law clause in favour extent (see section 307 et seqq, German Civil Code). of the law of the country in which their headquarters is located or in The quality and the availability of the cloud service to be provided favour of a third country. is usually determined by a detailed service level agreement (SLA). The The competent jurisdiction is normally determined in accordance SLA usually also contains sanctions (eg, contractual penalties, price with the law chosen by the parties. reductions) in the event that the cloud provider does not meet the The enforceability as well as cross-border issues are generally requirements set out in the SLA. not subject to special contractual terms. However, on the basis of the Regulation (EU) No 1215/2012 (Brussels I), a judgment given in a 21 What are the typical terms of a B2B public cloud computing member state of the European Union will be recognised in the other contract in your jurisdiction covering intellectual property member states without any special procedure being required and is rights (IPR) ownership in content and the consequences of enforceable in any other member state without any additional declara- infringement of third-party rights? tion of enforceability. Alternative dispute resolution is becoming more common regard- In the SaaS model, the cloud provider usually guarantees that it holds ing disputes arising from B2B public cloud computing contracts. all necessary intellectual property rights to provide the SaaS to the cus- However, the contractual agreements on this issue are very different tomer or that the necessary licences have been granted by the rights and best practice has not yet been established in Germany. holder. In the event that a claim is made against the customer by a third party due to an alleged infringement of intellectual property rights by

46 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Noerr LLP GERMANY the respective cloud service, the cloud provider is obliged to defend the 23 Identify any labour and employment law considerations that customer and, if necessary, indemnify the customer from the claim to apply specifically to cloud computing in your jurisdiction. reimburse him or her for the costs of legal defence. If a customer of cloud services has a works council, the provisions of The customer usually guarantees that their use of the cloud ser- the Works Council Constitution Act must be taken into account when vice does not constitute an infringement of third-party rights. The introducing and using cloud services. The customer may be obliged to cloud provider regularly reserves the right to temporarily suspend the inform the works council on the introduction of a new cloud service provision of the cloud service if there is reasonable evidence that the and to discuss the effects of the respective cloud service on employees customer infringes third-party rights by using the cloud service or pro- with the works council. In addition, the works council may also have cessing unlawfully collected data with the cloud service. The cloud pro- mandatory statutory co-determination rights. vider is obliged to immediately inform the customer on the suspension of the cloud service and to make the cloud service immediately avail- Taxation able again if the suspicion of illegal activities is not confirmed. Additionally, the general provisions on liability and on the con- 24 Outline the taxation rules that apply to the establishment and sequences of a breach of contract apply because the infringement of operation of cloud computing companies in your jurisdiction. intellectual property rights or an illegal use of the cloud service consti- A cloud provider located in Germany and using infrastructure located tutes a breach of contract. in Germany is subject to German income tax. The German income tax is governed by various laws – in particular, the German Corporation 22 What are the typical terms of a B2B public cloud computing Tax Act and the German Income Tax Act. contract in your jurisdiction covering termination? In cross-border cases, for example, a German cloud provider uses Often a minimum contract term is agreed. A minimum contract term infrastructure in foreign countries or a foreign cloud provider uses of one or two years is common practice. Most of these contracts are infrastructure in Germany, the crucial question is if and where a per- automatically extended (usually by one year) if the contract is not ter- manent establishment exists in order to determine in which country minated on time (often with three months’ notice to the end of the cal- and to what extent the incomes of the respective cloud service are endar year). subject to income tax. In these cases, double taxation agreements are It is also popular to agree an unlimited contract term with a right of particularly relevant. periodic termination (for example, at the end of each quarter). In many Additionally, cloud providers operating their business in Germany cases, the right to ordinary termination is then excluded for a certain may be subject to trade tax charged by the municipalities. period (usually one to two years). Both, the income tax and the trade tax are, in principle, calculated Furthermore, detailed agreements are regularly made for termina- on the basis of the annual profit. According to the OECD, in 2016, the tion without notice for a compelling reason. The reasons for such a ter- average combined corporate tax rate – considering income tax and mination are often specified by way of examples that, typically, include trade tax – was 29.83 per cent. a significant deterioration of the financial situation of the contractual partner, significant payment defaults by the customer as well as signifi- 25 Outline the indirect taxes imposed in your jurisdiction that cant defects and failures of the cloud service. apply to the provision from within, or importing of cloud Regarding the consequences of termination, it is common computing services from outside, your jurisdiction. practice to clarify that all data stored in the cloud by the customer There are no specific taxes imposed on cloud services. However, must be returned without undue delay. Often the cloud provider is cloud service provided in Germany can be subject to the German VAT obliged to support the customer in migrating his or her data from the depending on where the cloud provider and the customer are located. cloud to another cloud provider or to the customer’s own IT system. Additionally, it is usually regulated how long the cloud provider has to Recent cases store the customer’s data after a termination and what additional service fees the provider may charge. 26 Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model. There are no notable cases in the past three years in Germany that have directly involved cloud computing as a business model.

Thomas Thalhofer [email protected] Lars Powierski [email protected]

Brienner Straße 28 Tel: +49 89 286280 80333 Munich Fax: +49 89 280110 Germany www.noerr.com

www.gettingthedealthrough.com 47

India

Samuel Mani and Abraham Mathew Kandathil Mani Chengappa & Mathur

Market overview nature of the Indian market, the cost efficiencies offered by cloud computing will be core to making the Digital India mission successful. 1 What kinds of cloud computing transactions take place in your jurisdiction? Policy The Indian cloud computing market is a very vibrant market and there are all varieties of cloud computing transactions taking place. The 6 Does government policy encourage the development of your private sector is leading the way but the central government is also jurisdiction as a cloud computing centre for the domestic actively considering and implementing various cloud-based comput- market or to provide cloud services to foreign customers? ing initiatives. Currently, the government of India is considering a separate policy in order to create a separate legal framework for cloud computing. The 2 Who are the global international cloud providers active in Telecom Regulatory Authority of India released a consultation paper your jurisdiction? in 2016 on Cloud Computing in India and recommendations on cloud All of the major global cloud providers are active in India. Amazon and services in 2017 in furtherance of this. Microsoft are the leaders with their AWS and Azure offerings respec- The Ministry of Electronics and Information Technology (MEITY) tively, while Digital Ocean, Google and IBM are also very active. addresses some aspects pertaining to cloud computing in its National Policy on Information Technology and the National Telecom Policy of 3 Name the local cloud providers established and active in your 2012. One of the objectives of these policies is to develop an ecosys- jurisdiction. What cloud services do they provide? tem to allow India to emerge as a global leader in the development and provision of cloud services. This focus is further enhanced in the Draft There are a host of smaller cloud providers in India. Given the nature National Digital Communications Policy, 2018 released for consulta- of cloud computing, it is somewhat difficult to identify India-based and tions by the Department of Telecommunications on 1 May 2018. This India-centric cloud service providers. Some of the cloud providers out- policy, when finalised and notified, will form the overarching policy side of the large global players that are commonly referred to in com- framework for all aspects of digital technologies in India over the next puting circles are NetMagic, BlueHost, HostingRaja and SoftLayer. few years. The draft policy envisages establishing India as a global hub They provide everything from web hosting to infrastructure-as-a-ser- for cloud computing which includes a light touch regulatory approach vice (IaaS) to platform-as-a-service (PaaS) and software-as-a-service to cloud computing. Hence, it seems reasonable to expect a growing (SaaS). India’s burgeoning technology product ecosystem is largely and beneficial policy focus on cloud computing in India over the next cloud-centric. Notable examples that have a significant Indian heritage few years. include Zoho and Freshdesk. 7 Are there fiscal or customs incentives, development grants 4 How well established is cloud computing? What is the size of or other government incentives to promote cloud computing the cloud computing market in your jurisdiction? operations in your jurisdiction? The Indian cloud computing market is well established. India’s small Currently, there are no government schemes or policies that provide and medium-sized businesses are actively migrating to cloud-based incentives or grants specifically to enterprises in the cloud computing applications and large enterprises are also following suit. As a case sector. Fiscal incentives are extended to enterprises in certain catego- in point, the Reserve Bank of India (RBI) recently granted more than ries such as: 20 new banking licences to banks with various target markets. These • export-oriented enterprises set up inside special economic zones new banks are very actively leveraging cloud-based infrastructure as notified by the government of India; and and applications, including mission critical applications such as core • start-up ventures that are engaged in innovation and development banking solutions. Gartner estimates that the public cloud market in of products, processes or services through use of intellectual prop- India will be worth US$2.5 billion in 2018. The growth rate of the Indian erty and technology, or that have a scalable business model with public cloud market is expected to be 37.5 per cent, which is the sec- a high potential of employment generation or wealth creation. (A ond highest growth rate globally after China (www.gartner.com/news- start-up is an entity incorporated or registered as a company or reg- room/id/3874299). This shows that India is a critical growth market for istered partnership or limited liability partnership less than seven all types of cloud computing players. years from the date of its incorporation or registration, that has a turnover less than 250 million rupees). 5 Are data and studies on the impact of cloud computing in your jurisdiction publicly available? MEITY has, by way of the Public Procurement (Preference to make in There are numerous studies that are carried out in the cloud comput- India) Order, 2017 (Order), stated that purchase preference (amounting ecosystem in India. Reports and studies are published by leading ing to 50 per cent of total procurement) should be provided to local sup- researchers such as Gartner, Forrester, IDC and Zinnov as well as pliers in all procurements to be undertaken by procurement entities in trade bodies such as NASSCOM. One such report is the Gartner report India as part of government of India’s ‘Make in India’ policy with a view referred to above. to enhance income and employment in India. Therefore, public sector The government of India has made Digital India one of its core procurement will favour domestic cloud computing providers. missions and it is leveraging open, scalable and cost-efficient com- Other than fiscal incentives, start-up ventures are allowed exemp- puting models to make this mission a reality. Given the cost-sensitive tion from compliances under specific environmental and labour laws.

48 Getting the Deal Through – Cloud Computing 2019

Cloud computing providers that meet the aforesaid parameters will be The government retains the authority to intercept any information eligible for these benefits. transmitted through a computer system, network, database or software for the prevention of serious crimes or under grave circumstances Legislation and regulation affecting public order and national security. Please also refer to the paragraph pertaining to the Bill (see ques- 8 Is cloud computing specifically recognised and provided for tion 8) and its proposed impact on obligations of entities with respect to in your legal system? If so, how? privacy and data protection in India. There is no legislation in India that specifically recognises cloud computing. However, cloud computing services would fall under the ambit 11 What are the consequences for breach of the laws directly of the following: or indirectly prohibiting, restricting or otherwise governing • ‘Cloud services’ have been specifically recognised under the cloud computing? Integrated Goods and Services Tax Act 2017 (the GST Act) under The IT Act and Privacy Rules prescribe payment of damages on account ‘online information and database access or retrieval services’ and of failure to or in case of negligence in implementing or maintaining therefore the services rendered by cloud services providers would reasonable security practices to protect any sensitive personal infor- be subject to goods and services tax. mation. The non-compliant entity is required to pay damages to the • Section 43A of the Information Technology Act 2000 (the IT Act) aggrieved party to the extent of wrongful loss or damage suffered by read with the Information Technology (Reasonable security prac- the aggrieved party. Further, any person who has received any personal tices and procedures and sensitive personal data or information) or sensitive personal information for performing any services, and Rules 2011 (the Privacy Rules) provide guidelines for the collec- discloses it with a mala fide intent is liable to a fine of up to 500,000 tion, use and protection of any sensitive personal data or infor- rupees or imprisonment of up to three years, or both. mation of natural persons by a body corporate that possesses, The sector-specific regulations (see question 10) set out sanc- deals with or handles such data. The IT Act and the Privacy Rules tions by regulators in case of non-compliance with them, which could together set out the regulatory framework for creation, collection, range from fines to suspension or revocation of the licence to carry on storage, processing and use of electronic data (including personal business. and sensitive personal information recorded in electronic form) in It is important to note that the Bill proposes to impose heavy mon- India. Cloud computing services that deal with personal or sensi- etary sanctions involving a percentage of total worldwide turnover, for tive personal information need to comply with the requirements non-compliance with the privacy and data protection measures laid set out under the Privacy Rules relating to security, encryption, down by it. There is good reason to believe that this position will prevail access to data subject, disclosure, international transfer and pub- when the law comes into force. lication of policy statements. Cloud service providers in India may also be required to comply with the Information Technology 12 What consumer protection measures apply to cloud (Intermediaries Guidelines) Rules 2011 (Intermediary Guidelines) computing in your jurisdiction? prescribed under the IT Act. • The government of India has a published a Personal Data Protection The IT Act provides for the following consumer protection measures: Bill, 2018 (the Bill) which if notified will overhaul the existing pri- • The IT Act (and therefore the penal consequences of the Act) cov- vacy and data protection framework in India. The Bill is in many ers offences committed outside of India if the offence involves a respects similar to the EU’s General Data Protection Regulation computer, computer system or computer network located in India. and it, inter alia, enhances the stringency of obligations and cor- This would protect consumers within India who procure cloud responding penalties governing data protection from a customer computing services from service providers located outside India. perspective. The Bill has also set high standards for the processing • The Privacy Rules protect consumers by casting obligations on of personal data within India and abroad and is expected to replace cloud computing providers with regard to the collection and stor- or amend the IT Act and the Privacy Rules in these respects. age of personal information. These include broadly: • disclosures to be made to such users or consumers regarding 9 Does legislation or regulation directly and specifically the fact that the information is being collected or stored; prohibit, restrict or otherwise govern cloud computing, in or • the purpose of collection; outside your jurisdiction? • the manner in which such information can be transferred; and • the minimum security practices and procedures to be imple- As specified in question 8, there is no regulation in India that spe- mented by cloud service providers when processing per- cifically prohibits, restricts or governs cloud computing. Question 8 sonal information. describes the principal legislation that indirectly governs cloud computing services in India. Indian regulators are increasingly focused on all aspects relating to Other than the above, the use of cloud services by banks and insur- data protection and data localisation. The RBI recently mandated ance providers is separately regulated under sector-specific regulations. that all providers of payment systems must ensure that all data relating to payment systems operated by them are only stored in systems 10 What legislation or regulation may indirectly prohibit, restrict within India. The new Bill also proposes to enhance consumer protec- or otherwise govern cloud computing, in or outside your tion measures by introducing data localisation requirements wherein jurisdiction? in respect of cross border transactions, a data controller is required to Cloud computing services are primarily regulated (though indirectly) maintain at least one copy of personal data on a server or a data centre by the IT Act and Privacy Rules (see question 8). in India. This in turn would, inter alia, have the effect of relative ease in In addition to the IT Act and Privacy Rules, the use of cloud enforcement of claims by customers under consumer protection laws. computing in the banking and insurance sectors is subject to specific restrictions. 13 Describe any sector-specific legislation or regulation that The RBI’s guidelines on Managing Risks and Code of Conduct in applies to cloud computing transactions in your jurisdiction. Outsourcing of Financial Services by Banks read along with the Report See questions 8 and 10. of Working Group of RBI on Electronic Banking set out specific requirements to be complied with by banks while engaging cloud service pro- 14 Outline the insolvency laws that apply generally or viders. These requirements, inter alia, relate to vendor selection, data specifically in relation to cloud computing. security, form of agreement, business continuity and disaster recovery or management practices. There is no specific law in India that determines what happens to any The Insurance Regulatory and Development Authority of India’s data of the customer once the cloud service provider becomes insol- Guidelines on Information and Cyber Security for Insurers require vent and this would ideally be governed by the contract between the insurers to comply with requirements, inter alia, in relation to data, service provider and the customer. application and network security, incident management, and informa- The Companies Act 2013, as amended by the Insolvency and tion security audit while using services from a cloud service provider. Bankruptcy Code 2016, governs procedure to be followed when a www.gettingthedealthrough.com 49

© Law Business Research 2018 INDIA Mani Chengappa & Mathur company becomes insolvent. In the absence of any contractual under- 18 What are the typical terms of a B2B public cloud computing standing regarding the treatment of customer data in case of insol- contract in your jurisdiction covering material terms, such vency of the service provider, the liquidator of the company will decide as commercial terms of service and acceptable use, and how such data would be treated. variation? Given the prevalence of international standard form contracts in the Data protection/privacy legislation and regulation Indian market, the typical terms are similar to terms that are com- 15 Identify the principal data protection or privacy legislation monly used in large markets such as the US and the UK. applicable to cloud computing in your jurisdiction. 19 What are the typical terms of a B2B public cloud computing The IT Act and Privacy Rules (see question 8) is currently the primary contract in your jurisdiction covering data and confidentiality legislation governing data protection and privacy with respect to cloud considerations? computing in India. However, on 24 August 2017, a nine-judge bench of the Supreme Court of India conclusively held that the right to privacy is Data security and confidentiality obligations are very important as a fundamental right guaranteed to the citizens of India (subject to rea- users may upload confidential and proprietary information as well sonable restrictions) and such right would also be exercisable against as personal data. The Privacy Rules prescribe that sensitive personal the state. See question 8 for more details on the proposed changes in information should be stored in ISO 27001-compliant data centres. the privacy and data protection framework in India that resulted from Clauses surrounding data privacy, confidentiality and data transfer, this decision of the Supreme Court. and preservation are largely similar to clauses found in international standard form contracts prevalent in the US and UK. Once the Bill Cloud computing contracts becomes law, there will be significant changes on the data front.

16 What forms of cloud computing contract are usually adopted 20 What are the typical terms of a B2B public cloud computing in your jurisdiction, including cloud provider supply chains (if contract in your jurisdiction covering liability, warranties and applicable)? provision of service? The most common form of cloud computing contracts in India are Clauses around liability, warranties and provision of service are solely international standard form contracts with fixed terms and are in dependent on the contractual arrangement reached between the par- most instances non-negotiable, with certain exceptions. However, ties. Most service providers will have standard service availability and if the cloud service provider is a small service provider the user may service levels specified in the agreement that they would not be will- have more room to negotiate terms. The terms of the contract will also ing to negotiate. Similarly, most service providers would have standard depend on the service delivery model (ie, whether it is IaaS, SaaS or business continuity and disaster recovery processes in place. PaaS). 21 What are the typical terms of a B2B public cloud computing 17 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property contract in your jurisdiction covering governing law, rights (IPR) ownership in content and the consequences of jurisdiction, enforceability and cross-border issues, and infringement of third-party rights? dispute resolution? Under a B2B public cloud computing contract, the service provider Under Indian laws, parties to a contract have the right to choose the or its licensors will continue to hold all rights, title and interest in the governing law. However, in the event of a dispute, the courts will not cloud computing resources, while the user will continue to hold all only take into consideration the governing law as included in the con- rights, title and interest in the data it uploads as well as in any output tract but also its link with the contract. Usually, parties agree to the that is generated through the use of such data. exclusive jurisdiction of the courts in the same country as the govern- Usually, a typical (and, in most instances, the only) indemnity that ing law. the service provider may be willing to provide is for indemnification for Under section 44A of the Indian Code of Civil Procedure 1908, third-party intellectual property infringement claims and such indem- a decree of any superior court of a reciprocating territory that is so nity is not capped. declared by the government of India, will be executed in India similar to any decree passed by a district court in India. All other judgments or 22 What are the typical terms of a B2B public cloud computing decrees will face extensive re-adjudication in Indian courts. contract in your jurisdiction covering termination? Arbitration is a fairly commonly accepted method of dispute reso- Apart from termination rights set out in the agreement, a party has a lution. Parties should ideally also include an escalation clause for dis- statutory right to terminate in case of a breach by the other party. Other pute resolution. than that, a party whose consent to an agreement is obtained through coercion, fraud or misrepresentation can elect to terminate it. Most

Samuel Mani [email protected] Abraham Mathew Kandathil [email protected]

2nd Floor Tel: +91 80 4148 1999 Divyasri No. 26 SBI Colony www.mcmlaw.in 3rd Block Koramangala Bangalore 560034 India

50 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Mani Chengappa & Mathur INDIA agreements may also contain a right for both parties to be able to ter- 25 Outline the indirect taxes imposed in your jurisdiction that minate for convenience without incurring any liability. apply to the provision from within, or importing of cloud In the instance the service provider is dependent on a third party computing services from outside, your jurisdiction. for essential services required to provide the cloud computing services, Provision of cloud computing services from within India to a recipi- the services provider may retain the right to immediately terminate ent also within India will attract goods and services tax (currently, at a without incurring any liability if the service provider’s relationship with composite rate of 18 per cent) under the GST Act. Where cloud comput- the third party is affected in any manner. ing services are exported and, therefore, consumed outside of India, Post-expiry or on termination of the agreement, the agreement the rate of applicable goods and services tax is zero (subject to meeting will usually provide for payment of any fees due and payable as well certain requirements). as refund of fees for services not rendered (though this may not be The GST Act replaces the earlier service tax regime. As per the GST something larger cloud service providers may agree with). Provisions Act, cloud service providers are now able to claim credit on the input regarding return of user data are also included, with the service pro- hardware used for providing services. vider specifying the duration that they are willing to retain such data post which the data may be irretrievably deleted. The parties should Recent cases also agree on the format in which the data would be returned. Most service providers will not agree on any further post-termination obliga- 26 Identify and give details of any notable cases, or commercial, tions. However, if the agreement is negotiable the user can ask for data private, administrative or regulatory determinations within retrieval, transfer or migration services. the past three years in your jurisdiction that have directly involved cloud computing as a business model. 23 Identify any labour and employment law considerations that The government of India has recently launched a National Cloud apply specifically to cloud computing in your jurisdiction. Initiative – GI Cloud – in order to optimise the government’s spending There are no such labour or employment law considerations that would on internet and communications technology and to facilitate large- apply to a business customer. scale adoption of cloud computing and services within the governance mechanism. MEITY has provisionally accredited private cloud service Taxation providers for the development of cloud infrastructure. Currently, NIC Cloud (cloud.gov.in), a government website, offers service models such 24 Outline the taxation rules that apply to the establishment and as PaaS, IaaS, SaaS and storage-as-a-service. operation of cloud computing companies in your jurisdiction. Further, given the pervasiveness of cloud computing today, a num- Providers of cloud computing services are subject to both direct and ber of private and quasi-governmental organisations have formulated indirect taxes. draft models for the development of cloud services in India. For exam- Direct taxes apply to the income of the cloud computing company ple, the Cloud Computing Innovation Council published a white paper and are collected on a combination of withholding at source and direct titled ‘A Framework and Roadmap on Cloud Computing Innovation in remittance by the cloud computing company. India’ that sets out a proposed roadmap for the development of cloud As a consumer of goods and services, the company would mostly computing services in India through three phases: have a responsibility to bear the economic burden of tax specified • establishment of National Cloud Authority; under the GST Act. The provider of goods and services, generally, • setting up government clouds based on the certain interoperability has the responsibility of collection and remittance of the goods and standards emerged within India; and services tax. • adoption of these interoperability standards by other Indian cloud companies on a large scale.

www.gettingthedealthrough.com 51

Japan

Atsushi Okada and Hideaki Kuwahara Mori Hamada & Matsumoto

Market overview line have been decreasing in recent years and their market sizes shrink- ing, in contrast to the rapid expansion of the cloud computing market. 1 What kinds of cloud computing transactions take place in your jurisdiction? Policy Public and private cloud models are both common in Japan. In the public cloud model, multiple users share a single cloud environment 6 Does government policy encourage the development of your provided by a cloud provider, and in the private cloud model, a com- jurisdiction as a cloud computing centre for the domestic pany builds its own cloud environment for its use or use by its group market or to provide cloud services to foreign customers? companies. While both are expanding their market sizes year on year, The Japanese government established the Strategic Headquarters for currently, private cloud models have a larger share. The preference the Promotion of an Advanced Information and Telecommunications for most Japanese companies currently seems to be the private cloud Network Society (IT Strategic Headquarters) within the Cabinet in model, probably because of concerns about the security level of public January 2001. This organisation is tasked with promoting measures cloud environments. A recent trend within the private cloud model is for an advanced information and telecommunications network soci- the increasing use of the ‘community cloud’, where a limited number ety, expeditiously and intensively. Further, to encourage collaboration of companies share a private cloud, which is more cost-effective than between the government, industry and academia in cloud comput- an ordinary private cloud, which requires a user to construct their ing services, the MIAC, the Ministry of Economy, Trade and Industry own cloud environment. Various types of cloud computing services, (METI) and the Ministry of Agriculture, Forestry and Fisheries, have including software-as-a-service, infrastructure-as-a-service and plat- established the Japan Cloud Consortium. This is a private sector organi- form-as-a-service, are provided by many prominent cloud providers. sation with more than 400 member corporations or organisations, and provides a forum for the members to share information on cloud com- 2 Who are the global international cloud providers active in puting services. MIAC in discussion with ASP-SaaS-Cloud Consortium, your jurisdiction? a non-governmental organisation, deals with matters regarding the International cloud computing providers in Japan include Amazon. provision and use of cloud computing services and guidelines regarding com, Microsoft, Google and IBM for both public and private cloud security issues. Moreover, MIAC regularly engages in discussions with computing services. foreign countries regarding security issues in cloud computing services.

3 Name the local cloud providers established and active in your 7 Are there fiscal or customs incentives, development grants jurisdiction. What cloud services do they provide? or other government incentives to promote cloud computing operations in your jurisdiction? Local cloud computing providers in Japan include NTT Communications Corporation, NTT DATA Corporation, KDDI Government authorities such as METI and the Tokyo Metropolitan Corporation, Softbank Group Corporation, Fujitsu Limited, NEC Government grant subsidies to businesses aiming to introduce cloud Corporation and Internet Initiative Japan Inc. These entities provide computing services that use data centres with high energy efficiency, both public and private cloud computing services. with a view to promoting energy conservation.

4 How well established is cloud computing? What is the size of Legislation and regulation the cloud computing market in your jurisdiction? 8 Is cloud computing specifically recognised and provided for in Cloud computing in Japan is fairly well established and has been con- your legal system? If so, how? stantly evolving. The market is currently valued at about ¥700 billion Although there are numerous legal issues pertaining to cloud comput- and is expected to increase up to about ¥1,200 billion by 2023. The ing, as we discuss below in detail, current Japanese statutory laws do majority of Japanese companies now use cloud services, it being espe- not define cloud computing as a specific area of service to which certain cially popular among finance and insurance companies, and large-cap restrictions or regulations apply. companies. Companies use cloud computing services for various purposes such as inter- and intra-office communication, preserving and 9 Does legislation or regulation directly and specifically sharing data electronically, operating company servers and portal prohibit, restrict or otherwise govern cloud computing, in or sites. outside your jurisdiction? There is no legislation or regulation that directly and specifically prohib- 5 Are data and studies on the impact of cloud computing in its, restricts or otherwise governs cloud computing in or outside Japan. your jurisdiction publicly available? The Ministry of Internal Affairs and Communications (MIAC) issues 10 What legislation or regulation may indirectly prohibit, restrict a white paper on telecommunications annually, which contains the or otherwise govern cloud computing, in or outside your results of surveys that MIAC conducts regarding the cloud comput- jurisdiction? ing market. Further, think tanks such as Nomura Research Institute Under the Telecommunications Business Act (TBA), if cloud computing publish statistics and analyses of the current and future cloud comput- services include (i) telecommunications between the cloud provider and ing market. According to the IT Navigator 2018, published by Nomura the customer and (ii) mediating telecommunications between two or Research Institute, users of traditional network services such as leased more customers, then the cloud provider has either to file a notification

52 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Mori Hamada & Matsumoto JAPAN or (if the cloud provider falls within the categories stipulated in TBA) information) and oblige the medical institution to regularly supervise register as a telecommunications carrier with the MIAC. the cloud provider. Under the Foreign Exchange and Foreign Trade Act, when a per- Additionally, a financial institution that uses a cloud computing ser- son or entity preserves data regarding certain technologies in servers vice for its customers’ confidential information is required to follow cer- located in foreign countries, that person or entity must obtain prior per- tain laws and guidelines regarding the security of the cloud computing mission from METI. However, the interpretational guidelines issued by service to which it outsources the handling of such information. METI have clarified that if a customer preserves information in an over- For example, the relevant financial laws and regulations, such seas server of the cloud provider for the customer’s own use, then such as the Banking Act and the Financial Instruments and Exchange Act, permission is not necessary. require that if a financial institution preserves customer information through cloud computing services, it must establish the necessary sys- 11 What are the consequences for breach of the laws directly tems for maintaining the security of such information and for supervis- or indirectly prohibiting, restricting or otherwise governing ing the cloud provider to which it has delegated the handling of such cloud computing? information. A person who breaches the obligation described in the first paragraph Further, the Center for Financial Industry Information Systems of question 10 is liable to be punished by imprisonment with labour for authorised by the Cabinet Office issued a report in November 2014, no more than three years or a fine of no more than ¥2 million under the recommending that financial institutions take the following meas- TBA. ures to ensure the proper handling by the cloud provider of customer information: 12 What consumer protection measures apply to cloud • conducting due diligence when selecting a cloud provider and exe- computing in your jurisdiction? cuting a service agreement with the cloud provider; • requesting the cloud provider to disclose information regarding the First, with respect to business-to-consumer (B2C) cloud service agree- operation of the service and security management system; ments, certain provisions that could be considered unfair to an individ- • ensuring the proper operation of the cloud computing service ual customer who does not execute the agreement on business (defined including encryption of the confidential information and mainte- as a ‘consumer’) would be nullified under the Consumer Contract Act. nance of the storage devices; Such provisions include: • upon the termination of the cloud service agreement, deleting, • totally exempting the cloud provider from liability to compensate or having the cloud provider delete, the data, and/or transfer it to the consumer for damages arising from default or tort by the cloud another cloud provider; and provider; • supervising the cloud provider’s handling of the confidential infor- • partially exempting the cloud provider from liability to compensate mation (including through on-site inspections). the consumer for damages arising from default or tort by the cloud provider (limited to default or tort owing to the cloud provider’s 14 Outline the insolvency laws that apply generally or specifically intentional act or gross negligence); in relation to cloud computing. • setting an agreed amount of liquidated damages or establishing a fixed penalty in the event of cancellation, which amount or penalty If a cloud provider is subject to a ruling for the commencement of bank- would exceed the normal amount of damages that would be paya- ruptcy proceedings, the cloud service agreement, which is typically ble to the cloud provider as a result of the cancellation of a contract, categorised as a quasi-mandate (Jun-inin) contract, will automatically when compared to other contracts of the same type; and terminate pursuant to the Japanese Civil Code, unless the parties have • limiting the consumer’s right to terminate the cloud service agree- stipulated otherwise in the agreement. ment when the cloud provider is in default. On the other hand, if a cloud provider is subject to a ruling for the commencement of rehabilitation proceedings, the cloud service agree- Second, the Act on General Rules for Application of Laws also includes ment will not automatically terminate, although a customer may ter- a rule to protect consumers. Under this rule, if the governing law in a minate the agreement if the cause of termination (such as the cloud cloud service agreement is a law other than the law of the consumer’s provider’s breach of the agreement) has already existed before the com- habitual residence, and the consumer has manifested his or her inten- mencement of rehabilitation proceedings. tion to the cloud provider that a specific mandatory provision from If the cloud service agreement does not automatically terminate within the law of the consumer’s habitual residence should be applied, or is not terminated by the customer, the trustee of the cloud provider such mandatory provision would apply to the matters stipulated by such as appointed under bankruptcy laws can decide whether the cloud pro- mandatory provision with regard to the formation and effect of the vider should continue the agreement or terminate it under Japanese cloud service agreement. bankruptcy laws. If the agreement is terminated, the customer can And third, under the Japanese Code of Civil Procedure: request the trustee to return its data stored in the cloud provider’s server, • a consumer would be able to sue the cloud provider in a Japanese regardless of whether there is a specific provision in the cloud service court if the consumer’s residence is in Japan at the time the cloud agreement that enables the customer to do so. However, under the cur- service agreement is executed; and rent laws in Japan, it is unclear whether the customer can request the • the cloud provider would not be able to sue the consumer in a for- trustee to destroy or delete the data from the cloud server completely. eign court that both parties have agreed has the jurisdiction unless: • the consumer’s habitual residence was in the foreign country Data protection/privacy legislation and regulation when the cloud service agreement was executed; or 15 Identify the principal data protection or privacy legislation • the consumer sues the cloud provider in the foreign court or applicable to cloud computing in your jurisdiction. agrees to defend himself or herself against the cloud provider’s Unless the cloud service agreement prohibits a cloud provider from claim in the foreign court. handling personal information provided by a customer (eg, where the personal information is stored in a data centre owned by the cloud pro- 13 Describe any sector-specific legislation or regulation that vider but the personal information is not accessible to the cloud provider applies to cloud computing transactions in your jurisdiction. at all), the cloud provider is obliged to handle the personal information When a medical institution uses a cloud computing service to handle subject to the Act on the Protection of Personal Information (APPI). its patients’ sensitive information, such as diagnostic records, maintain- Such obligations include the following items: ing the security of the cloud environment that stores such information • The cloud provider has an obligation to take necessary and appro- is of crucial importance. Therefore, the Ministry of Health, Labour and priate measures to ensure the secure management of personal data Welfare, METI and MIAC each issue several guidelines that require (generally, personal information compiled in a database) (personal such medical institutions to select a cloud provider that has a reliable data). security code and system, execute an agreement that ensures the cloud • The cloud provider shall, in having its employees handle personal provider’s proper handling of the confidential information (including data, exercise necessary and appropriate supervision over the prohibiting the provider’s unauthorised browsing or analysis of the employees so as to ensure the security of the personal data. www.gettingthedealthrough.com 53

• The cloud provider is prohibited from providing any personal data • activities that may obstruct or endanger the cloud provider’s sys- to a third party without the prior consent of the person who origi- tems or communication lines; nally provided the personal data (data subject), unless exceptions • pretending to be the cloud provider or a third party when using the to the consent requirement apply. An example of such exceptions cloud service; is where the cloud provider delegates all or part of the handling of • accessing the cloud provider’s system or network without the personal data to an outsourcing company. However, in that case, authorisation of the cloud provider; the cloud provider must exercise necessary and appropriate super- • transmitting illegal or otherwise harmful contents to the cloud vision over the outsourcing company to ensure the secure manage- server; or ment of the personal data. • other activities that are illegal or otherwise immoral.

Under a provision of APPI regarding overseas data transfers, a cloud 19 What are the typical terms of a B2B public cloud computing provider must obtain the prior consent of the data subject before it can contract in your jurisdiction covering data and confidentiality transfer his or her personal data to a third party located in a foreign considerations? country. It is common to require the cloud provider to implement necessary and However, the data subject’s consent to overseas data transfers is not reasonable security protection measures to secure the confidentiality necessary if: of the customer’s data. To implement the requirement, it is also com- (i) the foreign country is specified in the Personal Information mon to allow the cloud provider to take certain measures including Protection Commission Ordinance (the PPC Ordinance) as a coun- suspension of the service when the cloud provider recognises the risk try which has a data protection regime with a level of protection of the customer’s data being (or having been) divulged by, for example, equivalent to that of Japan; or a third party’s unauthorised access or malfunction of the cloud provid- (ii) the third-party recipient has a system of data protection that meets er’s systems or communication lines. the standards prescribed by the PPC Ordinance. However, there are provisions that exempt the cloud provider from all or part of liabilities arising from the security issues, described here- For item (i), as of July 2018, the PPC Ordinance has not identified any inafter. For example, some agreements stipulate that the cloud provider such foreign country. However, the recent adequacy dialogue between will not guarantee the thorough prevention of a third party’s unauthor- Japan and the EU confirmed that the PPC intends to identify the EU as ised access or use of the server, nor indemnify damages incurred by having an adequate data protection regime in 2018. the customer resulting from known or unknown security weaknesses. For item (ii), under the PPC Ordinance, the standards of the data Other agreements require the customer to make backups of the data protection system that a third-party recipient outside Japan must meet that it stores in on the cloud server and to preserve the ID or password are either of the following: appropriately, and exempt the provider from any liability when such ID • there is assurance, by appropriate and reasonable means (typically or passwords are used by a third party. by entering into a contract), that the recipient will treat the disclosed Some agreements allow the customer to select the country where personal data in accordance with the principles of the requirements the cloud server is located. for handling personal data under the APPI; or • the recipient is certified under an international arrangement, rec- 20 What are the typical terms of a B2B public cloud computing ognised by the PPC, regarding its system of handling personal contract in your jurisdiction covering liability, warranties and information. provision of service? In B2B cloud computing contracts, it is typical for the cloud provider Cloud computing contracts and the customer to execute a service level agreement (SLA). Typical 16 What forms of cloud computing contract are usually adopted SLA terms include: in your jurisdiction, including cloud provider supply chains (if • the period during which the service is provided; applicable)? • the level of manpower of the support desk; For cloud computing services that are rendered in Japan, most cloud • the rate of operation and the management of data; and providers usually provide these services on the same terms and condi- • handling of system malfunction and level of security. tions for all customers, especially in B2C contracts. The normal practice is to provide a standard cloud service agreement on their websites, Many SLAs stipulate that if the cloud provider fails to meet the service which the users must accept in order to use the services. level obligations, the customer may be exempted from paying part of the future service fees, or that the cloud provider will refund part of the 17 What are the typical terms of a B2B public cloud computing service fee already paid. contract in your jurisdiction covering governing law, Typical cloud service agreements include a provision that limits jurisdiction, enforceability and cross-border issues, and the cloud provider’s liabilities. For example, many cloud service agree- dispute resolution? ments set a cap on the damages to be paid by the cloud provider to the customer as a result of actions attributable to the cloud provider, and Standard cloud service agreements provided by cloud providers typi- allow the customer to claim only direct and ordinary damages (and cally stipulate that the location of the cloud provider’s head office is the exclude indirect, special and consequential damages). Other typical governing law and the court that has jurisdiction over the head office is cloud service agreements exempt the cloud provider from any liability the court of first instance. However, conferring jurisdiction on a foreign when the cloud provider is not at fault (such as in case of a third party’s court may sometimes be regarded as invalid under the Code of Civil unauthorised access, natural disaster, malfunction of systems or com- Procedure, as described in question 12. munication lines, or attack by a computer virus). It is also customary to stipulate that the cloud provider does not guarantee the commercial- 18 What are the typical terms of a B2B public cloud computing ity, fitness for a specific purpose or non-existence of an infringement contract in your jurisdiction covering material terms, such of third parties’ rights. as commercial terms of service and acceptable use, and variation? 21 What are the typical terms of a B2B public cloud computing Material terms commonly include a stipulation for fees to be calculated contract in your jurisdiction covering intellectual property as a fixed-rate or measured-rate fee, to be paid by a customer to the bank rights (IPR) ownership in content and the consequences of account designated by the cloud provider. infringement of third-party rights? It is also common to prohibit a customer from undertaking certain Many cloud service agreements provide that the ownership of the activities such as: intellectual property in data or information stored on the cloud server • infringing the cloud provider’s or a third party’s IP or other rights; belongs to the person or entity who stored the data or information on • altering or deleting data owned by the cloud provider or a third the server (ie, the customer). Some agreements allow the cloud pro- party that is stored in the cloud server; vider to copy the data in limited situations, such as when the cloud provider has to repair the communication line or equipment.

54 Getting the Deal Through – Cloud Computing 2019

Further, in order to prevent the customer from infringing third Taxation parties’ rights and thereby causing the cloud provider to incur any 24 Outline the taxation rules that apply to the establishment and liabilities towards the third parties, agreements also usually stipulate operation of cloud computing companies in your jurisdiction. that the customer must not infringe a third party’s rights when it uses the cloud services. If the customer breaches the obligation and stores If a foreign cloud provider does its business through ‘a permanent content that infringes third-party rights on the cloud server, the cloud establishment’ (as defined in the OECD Model Tax Convention) provider will be able to claim an exemption from liability for any third located in Japan, which is likely to include the cloud server, then such a party claims as a result. cloud provider will be subject to Japanese business income tax.

22 What are the typical terms of a B2B public cloud computing 25 Outline the indirect taxes imposed in your jurisdiction that contract in your jurisdiction covering termination? apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction. Many cloud service agreements allow the customer a simple termination option, whereby a customer may terminate the cloud service Providing cloud computing services through telecommunication lines agreement without cause, just by giving prior notice. However, some (typically, the internet), will be regarded as a ‘provision of service using agreements require the customer to use the service for a minimum telecommunication’. period and if the customer terminates the agreement before the com- A provision of service using telecommunication will be subject pletion of such period, the customer has to pay a certain amount of to Japanese Consumption Tax if it is regarded as a ‘domestic transac- money to the cloud provider. tion’. If the service is provided to the customer whose residence is in Cloud service agreements also usually allow the cloud provider to Japan, then this will be regarded as a domestic transaction regardless terminate the agreement if the customer is in breach of its obligation of whether the cloud computing service is provided from within or out- under the agreement or the customer is adjudged insolvent or bank- side Japan. In that case, Japanese Consumption Tax will be imposed on rupt, or is liquidated or the like. the customer. In light of the security management of the data stored on the cloud server, it is customary to require the customer to download the Recent cases data before the cloud service agreement is terminated or expired at 26 Identify and give details of any notable cases, or commercial, the customer’s own responsibility, and limit or deny access to the data private, administrative or regulatory determinations within after termination or expiry. The cloud provider, on the other hand, is the past three years in your jurisdiction that have directly required to delete all of the customer’s data stored on the server to involved cloud computing as a business model. ensure the confidentiality of the data. There are no notable cases, or commercial, private, administrative 23 Identify any labour and employment law considerations that or regulatory determinations within the past three years in Japan that apply specifically to cloud computing in your jurisdiction. have directly involved cloud computing as a business model. There are no Japanese labour or employment laws currently regulating cloud computing.

Atsushi Okada [email protected] Hideaki Kuwahara [email protected]

16th Floor, Marunouchi Park Building Tel: +81 3 5220 1821 2-6-1 Marunouchi Fax: +81 3 5220 1721 Chiyoda-ku www.mhmjapan.com Tokyo 100-8222 Japan

www.gettingthedealthrough.com 55

Korea

Seungmin Jasmine Jung, Jeong Kyu Choe and Jung Han Yoo Jipyong LLC

Market overview Policy 1 What kinds of cloud computing transactions take place in 6 Does government policy encourage the development of your your jurisdiction? jurisdiction as a cloud computing centre for the domestic A comprehensive variety of cloud computing services are being pro- market or to provide cloud services to foreign customers? vided, and being adopted by, companies in Korea. Public, hybrid and Yes. To promote and develop cloud computing services, Korea has private cloud models are all provided by cloud service providers. Cloud adopted the Act on the Development of Cloud Computing and service users use cloud computing services in the form of software-as- Protection of its Users (the Cloud Computing Act) to develop the cloud a-service (SaaS), infrastructure-as-a-service (IaaS), platform-as-a-ser- computing industry in Korea and to promote Korean cloud computing vice (PaaS) or for mere storage, based on the particular user’s needs. services to foreign customers. Cloud computing is in the process of being adopted in various sectors Under the Cloud Computing Act, the government can conduct such as healthcare, finance and information communications technol- the following activities to promote international cooperation on cloud ogy. In particular, cloud computing has been widely adopted in the computing and overseas expansion of cloud computing technology and online gaming industry. services: • international exchange of cloud computing-related information, 2 Who are the global international cloud providers active in technology and personnel; your jurisdiction? • overseas marketing and promoting activities such as cloud com- In general, most large global cloud service providers are active in Korea. puting exhibits; Notably, Amazon Web Services, Microsoft Azure, Google Cloud, IBM • joint research and development of cloud computing with other Cloud, Oracle Cloud, HP Cloud, Akamai and Rackspace have a pres- nations; ence in Korea. • information collection, analysis and provision regarding information related to the overseas expansion of cloud computing; 3 Name the local cloud providers established and active in your • mutual cooperation with other nations to ensure the effectiveness jurisdiction. What cloud services do they provide? of international cooperation in relation to cloud computing; and • other activities to promote international cooperation and overseas There are numerous cloud computing service providers in Korea. The expansion of cloud computing. largest domestic cloud service providers are established companies in the information communication technology network providers, such as 7 Are there fiscal or customs incentives, development grants KT (uCloud) and SK (CloudZ), and internal portal companies, such as or other government incentives to promote cloud computing Naver (NAVER Cloud) and Kakao. operations in your jurisdiction? 4 How well established is cloud computing? What is the size of In order to develop and promote use of cloud computing technology the cloud computing market in your jurisdiction? and services, the government and municipalities can adopt measures such as tax incentives. Also, the government can provide support to Cloud computing is becoming more and more widely adopted in Korea, small and medium-sized businesses related to cloud computing such with legislation being adopted by each industry to relax the legacy as the following: restrictions that made it difficult to adopt cloud computing. According • provide information and advice related to cloud computing to the article published by the Korean Association of Cloud Industry business; (KACI), the expected volume of sales for cloud computing for 2019 is • subsidise funds and provide technology assistance for the purpose more than 2 trillion Korean won. KACI also provides a breakdown of of user protection; the estimated total sales volume for 2019 as follows: • training of cloud computing professionals; and • IaaS: 37.9 per cent; • other activities necessary with regard to fostering small and • PaaS: 0.1 per cent; medium-sized businesses related to cloud computing. • SaaS: 32.2 per cent; • Cloud software: 26.6 per cent; Furthermore, the government and municipalities can provide admin- • Cloud hardware: 3 per cent; and istrative, fiscal and technical support to parties that are establishing • Miscellaneous: 0.2 per cent. collective information communication facilities using cloud computing technology. 5 Are data and studies on the impact of cloud computing in your jurisdiction publicly available? Legislation and regulation Data and studies on the impact of cloud computing are publicly available. For example, KACI periodically posts studies and data on its 8 Is cloud computing specifically recognised and provided for website and the government provides a dedicated cloud portal (cloud. in your legal system? If so, how? or.kr). Based on these studies and data, cloud computing is likely to The Cloud Computing Act defines cloud computing, cloud computing grow at a rapid pace in the Korean market and will affect traditional IT technology and cloud computing service as follows: vendors and IT outsourcing.

56 Getting the Deal Through – Cloud Computing 2019

Cloud computing 11 What are the consequences for breach of the laws directly An information processing system that enables elastic use of integrated or indirectly prohibiting, restricting or otherwise governing and shared resources for information and communications (such as cloud computing? devices for information and communications, information and com- A cloud computing service provider could become subject to crimi- munications systems, and software) through information and commu- nal penalties in the event the cloud computing service user’s data is nications networks, to fit the users’ requirements or demands. provided to a third party by the cloud computing service provider. As noted above, the Cloud Computing Standards do not have the force of Cloud computing technology law and therefore, in theory, the quality, performance and data protec- Technology required for setting up and using the cloud including the tion levels stated therein are not mandatory. The failure to notify the following: occurrence of any infiltration incidents to the relevant authorities or • virtualisation technology: technology for virtually combining or to the users or return or destroy information will be subject to a fine. dividing resources for information and communications including Furthermore, if the cloud service provider breaches any provisions of integrated or shared information and communications devices, the PIPA or the Network Act, the cloud service provider could be sub- information and communications facilities, and software; ject to a fine, corrective measure or criminal penalty based on the rel- • distributed processing technology: technology that processes a evant statutory provisions. large volume of information by dispersing it into multiple information and communications resources; and 12 What consumer protection measures apply to cloud • others: technology that utilises information and communications computing in your jurisdiction? resources in setting up and using cloud computing systems, includ- Pursuant to the Cloud Computing Act, the Ministry of Science and ing technologies that automate the placement, management and ICT, in consultation with the Fair Trade Commission, has published a so on of information and communications resources. model cloud computing agreement for business-to-business (B2B) and business-to-consumer (B2C), respectively. The purpose of this model Cloud computing services agreement is to protect the rights of the users and to establish fair trade. Commercial services for providing resources for information and com- The Ministry of Science ICT can issue a recommendation to use this munications by utilising cloud computing including the following: model agreement to cloud computing providers. • service of providing servers, storage, networks, among others; The model agreement includes the following protective measures: • service of providing software, including applications; • the PIPA and the Network Act will apply to personal information • service of providing an environment for developing, distributing, thereby reinforcing the protection of personal information; operating, managing, and suchlike, software, including applica- • any incident of leakage of user information must be notified to the tions; and user and the Ministry of Science and ICT to enable prompt reme- • other services combining at least two of the above services. dial measures with respect to such incident; • to enhance the user’s right to know, in the event the user’s data is 9 Does legislation or regulation directly and specifically stored overseas, the user can demand disclosure of the country prohibit, restrict or otherwise govern cloud computing, in or where data is stored and the fact that cloud computing is being outside your jurisdiction? used, with respect to which recommendation measures for disclo- The purpose of the Cloud Computing Act is to promote and develop sure can be issued; and cloud computing rather than to regulate cloud computing. Under the • to prevent the misuse of user data, any provision of user data to Cloud Computing Act, an agreement between the cloud computing third parties without consent or use of user data beyond the agreed service provider and the cloud service user will be deemed to satisfy purpose shall be subject to criminal penalties. the requirements for IT facilities, devices and systems that are necessary to obtain permits, approvals, registration or designations pursuant 13 Describe any sector-specific legislation or regulation that to other laws. However, the Cloud Computing Act does not contain applies to cloud computing transactions in your jurisdiction. explicit prohibitions. Rather, detailed measures that directly or indi- Public sector rectly restrict to cloud computing are contained in industry specific The Cloud Computing Act states the obligation of governmental agen- laws and the privacy laws of Korea. In other words, Korea adopts a neg- cies to use efforts to adopt cloud computing and recommends that gov- ative regulatory approach, where cloud computing is generally permit- ernmental agencies use the cloud computing systems developed by the ted unless explicitly restricted by a specific statute. private sector rather than developing its own cloud computing system. To support the adoption of cloud computing in the public sector, a joint 10 What legislation or regulation may indirectly prohibit, restrict policy commission consisting of the Ministry of the Interior and Safety, or otherwise govern cloud computing, in or outside your the Ministry of Science and ICT, the Ministry of Economy and Finance, jurisdiction? the Public Procurement Service and the National Intelligence Service For personal information protection in the cloud, the Personal has been set up. A security review by the National Intelligence Service Information Protection Act (the PIPA) and the Act on Promotion is required for governmental agencies to adopt a certain cloud comput- of Information and Communications Network Utilization and ing system. Information Protection, etc (the Network Act) apply. Accordingly, the collection, use, provision, delegation, destruction, storage of personal Finance sector information being processed by cloud computing is subject to the PIPA Due to the recent amendments to the Regulation on Supervision of and the Network Act. Both the PIPA and the Network Act contain strin- Electronic Financial Transactions, the overseas delegation and sub- gent provisions to ensure the protection of data subjects with corre- delegation of IT facilities and financial services is possible. In particu- sponding heavy penalties. Under the PIPA, a cloud computing service lar, for IT systems that do not process customer data (such as personal provider is considered a delegatee who has been delegated with per- identification information or personal credit information), cloud com- sonal information processing and is treated as a data processor. puting can be adopted by the financial institution designating such With regard to data security, the Ministry of Science and ICT systems as ‘non-material data-processing systems’ to which physical has promulgated ‘Standards for Information Protection by Cloud network separation does not apply. However, ‘material data processing Computing Providers’ (Cloud Computing Standards). The Cloud systems’ (ie, systems that deal with customer data) are still subject to Computing Standards do not have the effect of binding law but compli- the requirement of physical network separation, thereby precluding the ance therewith is, nonetheless, recommended. full adoption of cloud computing in the finance sector.

Healthcare sector The amendment to the Standards on Facilities and Devices for Administration and Retention of Electronic Medical Records in 2016 has paved the way for adoption of cloud computing in the healthcare www.gettingthedealthrough.com 57

© Law Business Research 2018 KOREA Jipyong LLC sector. The amendment revises the requirement to store electronic 17 What are the typical terms of a B2B public cloud computing medial records inside hospitals and allows the administration and stor- contract in your jurisdiction covering governing law, age of medical records with external companies or at remote locations jurisdiction, enforceability and cross-border issues, and that meet certain qualifications. However, electronic medical records dispute resolution? cannot be stored outside of Korea. Article 24 of the Cloud Computing Act states that the Ministry of Science and ICT, in consultation with the Fair Trade Commission, 14 Outline the insolvency laws that apply generally or may establish a model agreement for cloud computing to protect the specifically in relation to cloud computing. rights of cloud computing users and establish fair trade practices. In There are no insolvency laws that only apply to cloud computing ser- December 2016, the Ministry of Science and ICT published two ver- vice providers. However, the Cloud Computing Act contains a provisions of Model Cloud Agreement for Protection of Cloud Service Users sion that applies when the cloud computing provider suspends its and Establishment of Fair Trade Practices, one for B2B and one for service due to reasons such as sudden insolvency. Under this provision, B2C. the cloud computing service provider and the user can agree to tempo- Under the Model Cloud Agreement for Protection of Cloud Service rarily store the user’s data with a third party. Also, if a cloud comput- Users and Establishment of Fair Trade Practices for B2B (B2B Model ing service provider intends to terminate its business, it must notify the Agreement), Korean law is the governing law and any disputes arising user of such termination and return or destroy all data to the user prior out of the agreement are subject to the jurisdiction of the Korean court. to the date of termination of business. If, for any reason, it becomes impossible to return the information (for example, the user fails to 18 What are the typical terms of a B2B public cloud computing accept, or refuses, the return of such information), the cloud comput- contract in your jurisdiction covering material terms, such ing service provider must destroy the information. as commercial terms of service and acceptable use, and variation? Data protection/privacy legislation and regulation Under the B2B Model Agreement, the cloud service provider must 15 Identify the principal data protection or privacy legislation provide cloud computing services in accordance with the B2B Model applicable to cloud computing in your jurisdiction. Agreement, and the specific service levels will be subject to the service level agreements. Any modifications to the service levels should be As noted above, the PIPA and the Network Act apply to cloud comput- mutually discussed, provided that any modifications that are material ing service providers in connection with data privacy. In principle, the or are contrary to the interests of the cloud computing user are subject privacy laws of Korea are structured to require the prior consent of the to the user’s consent. data subject for the collection, use and provision of personal informa- The B2B Model Agreement divides service fees into basic fees tion. Within personal information, sensitive information and personal and ancillary fees. The details of the service fees (type, price, method identification information is subject to more stringent regulations. of pricing, discounts, etc) must be listed in an attachment to the B2B Under the PIPA and the Network Act, overseas provision of personal Model Agreement or on the service website. In principle, the service information to third parties requires the consent of the data subject. fees are on a monthly basis and prorated on a daily basis upon termi- The overseas delegation of personal information processing to third nation. Any discount or waiver of fees can be determined based on parties does not require the consent of the data subject under the PIPA, mutual discussion. In the event of temporary suspension or disruption whereas consent is required under the Network Act. of services, the user will be entitled to request discount of the service A personal information processor must take technical, organi- fees or seek damages arising from such suspension or disruption. sational and physical measures stated in the privacy laws to ensure against the loss, theft or leakage of personal information. Upon leak- 19 What are the typical terms of a B2B public cloud computing age of personal information, the personal information processor must contract in your jurisdiction covering data and confidentiality notify the data subject and the relevant authorities without delay. Any considerations? violation of the privacy laws may be subject to administrative sanctions or criminal penalties. In particular, any loss, theft, leakage, alteration Under the B2B Model Agreement, the cloud computing provider must: or damage to personal information due to the lack of the security meas- • adopt the Cloud Computing Standards; ures under the PIPA will be subject to a criminal penalty of not more • provide adequate security measures; and than two years’ imprisonment or a monetary penalty of not more than • ensure protection against leakage of personal information and 10 million Korean won. third-party infiltration.

Cloud computing contracts Further, the cloud computing provider cannot provide the user‘s information to a third party without the user’s consent or use the user’s data 16 What forms of cloud computing contract are usually adopted beyond the agreed purpose. The user is responsible for controlling its in your jurisdiction, including cloud provider supply chains (if ID and password and bear responsibility for any theft or inappropriate applicable)? use due to the user’s failure to exercise due care. In practice, cloud computing contracts usually adopted in Korea are Data protection measures not stated in the B2B Model Agreement similar to those globally used by cloud computing service providers. will be subject to the privacy laws such as the PIPA, Network Act or Many cloud computing service providers adopt modular agreements industry-specific laws based on the user’s business. composed of several different components such as: • a master agreement between the customer and cloud servicer 20 What are the typical terms of a B2B public cloud computing provider; contract in your jurisdiction covering liability, warranties and • service level agreements and terms for each service; provision of service? • the cloud service provider’s acceptable use policies; and In general, under the B2B Model Agreement, the cloud computing ser- • end-user licence agreement. vice provider is liable for damages incurred by the user owing to intentional or negligent service disruptions or for failure to meet the level of Often these agreements are presented as clickwrap agreements with quality or performance of the services under the relevant service level non-negotiable terms. Accordingly, to protect the rights of the cloud agreement. service users, the Ministry of Science and ICT has published a model However, absent any intentional misconduct or negligence, the agreement that is analysed in questions 17 to 22. cloud computing service provider will not be liable for the user’s damages because of: • inevitable service interruption due to system upgrade, prevention of infiltration such as hacking or network failure, force majeure events that have been notified to the user pursuant to the B2B Model Agreement;

58 Getting the Deal Through – Cloud Computing 2019

• service suspension due to force majeure events beyond the control of existing technical capability; Update and trends • service suspension, disruption or termination of B2B Model Agreement owing to the user’s intentional misconduct or The adoption of cloud computing in the financial services industry has been a topic that is subject to heated debate and negligence; gradual changes. Given the highly confidential nature of financial • the network service provider’s discontinuation or disruption of information, the IT systems of financial institutions have been network services; subject to strict network separation, both logically and physically. • ancillary issues arising from the user’s computer environment or While logical network separation can be implemented in the cloud, network environment; and physical network separation cannot be accommodated. In fact, • user’s computer error or erroneous identification information or physical network separation is a concept incompatible with cloud incorrect email address. computing. In 2016, the Financial Services Commission (FSC) announced that the financial services industry would be able to Further, the cloud computing provider is not liable for the credibility or use the cloud and eliminated the requirement for physical network separation for non-material systems (ie, systems not dealing with accuracy of the information or material transmitted using the services customer data). Due to such limited scope, the cloud adoption rates or posted on the service website absent any intentional misconduct or of Korean financial institutions are staggered compared with foreign negligence. financial institutions. In mid-2018, FSC officials have been quoted Additionally, the cloud service provider will not be liable in dis- on relaxing the physical network separation requirement for material putes regarding cloud computing services between users or between a systems but no official announcements have been made as yet. user and a third party if all of the following conditions are met: • the cloud computing service provider has not violated the Cloud Computing Act; • the cloud computing service provider terminates its cloud comput- • the cloud computing service provider has proved that there is no ing business. intentional misconduct or negligence on its part; • the cloud computing service provider does not have the authority The cloud computing service provider must return the data to the user or capacity to control the acts of the user that is infringing on the upon the rescission, termination of the B2B Model Agreement or upon rights of other users or third parties; expiry of the service term. If the return of data is practically impossible, • even if the cloud computing service provider does have the author- the cloud computing service provider must destroy the user data in an ity or capacity to control the user against the infringement of the irreversible manner. The cloud computing service provider must also rights of other users or third parties, the cloud computing service cooperate in transferring the user’s data to a different cloud computing provider does not financially benefit from such infringement; and service. • the cloud computing service provider immediately suspends the infringement once it becomes aware of the fact or circumstances 23 Identify any labour and employment law considerations that that a user or third party is infringing on the user’s rights. apply specifically to cloud computing in your jurisdiction. There are no labour or employment laws specific to the cloud comput- On the other hand, if the user has caused damages to the cloud coming industry. puting service provider, it will be liable for the damages incurred by the cloud computing service provider. Taxation 21 What are the typical terms of a B2B public cloud computing 24 Outline the taxation rules that apply to the establishment and contract in your jurisdiction covering intellectual property operation of cloud computing companies in your jurisdiction. rights (IPR) ownership in content and the consequences of In general, to establish a corporation in Korea, a capital registration infringement of third-party rights? tax of 0.48 per cent of the initial capital applies. After establishment of Under the B2B Model Agreement, the user must not violate the the corporation, VAT, corporate income tax and local income tax will Copyright Act and related laws or moral customs and social order. apply and other taxes such as withholding tax and municipal tax may Further, absent any intentional misconduct or negligence, the cloud also apply. It is notable that VAT applies to cloud computing services computing service provider will not be liable for any infringement on provide by Korean companies. Corporate income tax will be imposed IPR between users or between a user and a third party. Other matters at the following tax rates: concerning IPR ownership are not specifically mentioned in the B2B Model Agreement and would, therefore, be subject to the intellectual Tax basis (Korean won) Tax rate* property laws of Korea. 200 million or less 10 per cent 22 What are the typical terms of a B2B public cloud computing 200 million up to 20 billion 20 million + (20 per cent of the contract in your jurisdiction covering termination? excess over 200 million) Under the B2B Model Agreement, both the cloud computing ser- 20 billion up to 300 billion 3.98 billion + (22 per cent of vicer provider and the user can rescind or terminate the B2B Model the excess over 20 billion) Agreement. The termination rights of the cloud computing service pro- More than 300 billion 65.58 billion + (25 per cent of vider and user are as follows: the excess over 300 billion)

User * Local income tax equivalent to 10 per cent of the corporate income • Cloud computing service provider is unable to or there is a materi- tax calculated based on the above will apply. ally adverse effect on its ability to perform its obligations; • the cloud computing service provider fails to provide services as 25 Outline the indirect taxes imposed in your jurisdiction that contracted; and apply to the provision from within, or importing of cloud • a material event has occurred that makes is impossible to maintain computing services from outside, your jurisdiction. the contractual relationship. Although Korean companies are subject to VAT for cloud computing services, foreign companies are not. To resolve this discrepancy, in Cloud computing service provider 2018, the government proposed amendments to the Value Added Tax • The user violates its obligations such as payment default or assigns Act that will impose VAT to cloud computing services provided by for- its rights to a third party without the consent of the cloud comput- eign companies from 1 July 2019. ing service provider; • a user whose use has been restricted under the B2B Model Agreement fails to cure the cause for such restriction for a substantial period of time; and www.gettingthedealthrough.com 59

Recent cases 26 Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model. There are no such cases or determinations relating to cloud computing as a business model.

Jipyong LLC

Seungmin Jasmine Jung [email protected] Jeong Kyu Choe [email protected] Jung Han Yoo [email protected]

10F, KT&G Seodaemun Tower Tel: +82 2 6200 1600 60 Chungjeong-ro Fax: +82 2 6200 0800 Seodaemun-gu www.jipyong.com Seoul 03740 Korea

60 Getting the Deal Through – Cloud Computing 2019

New Zealand

Richard Wells MinterEllisonRuddWatts

Market overview In addition, New Zealand has a range of smaller cloud providers, including: 1 What kinds of cloud computing transactions take place in • Batten Services, which provides cloud-hosted Voice over Internet your jurisdiction? Protocol solutions, off-site live data backup facilities and mail A range of cloud computing transactions take place in New Zealand. consultation; Surveys conducted among IT professionals show a slight pref- • Catalyst IT Limited, which specialises in developing, design- erence among New Zealand businesses towards hybrid models. ing and supporting enterprise grade systems using open-source For example, a survey of 100 NZ IT professionals by Microsoft New technologies; Zealand in March 2017 showed that 42 per cent of respondents said • Onenet Limited, which delivers cloud services of hosted Microsoft they already leveraged, or planned to leverage, hybrid cloud solutions. Exchange email, customer relationship management, SharePoint, Microsoft said it expected the percentage to increase to 47 per cent in desktops-as-a-service, infrastructure-as-a-service, online PC and the next 12 to 18 months; 46 per cent use the private cloud and 12 per- server data; cent use a public cloud solution alone. • Umbrellar, New Zealand’s largest web-hosting company; and Recent publicised cloud transactions of note include: • XIT Cloud Solutions, a Christchurch-based company providing • the June 2018 merger between IT companies The Instillery and Voice over Internet Protocol, hosted mail and online offsite backup Vo2 Group, designed to drive wider adoption of cloud technologies solutions. across the New Zealand; • the appointment of Dynamo6, a Waikato-based cloud computing, 4 How well established is cloud computing? What is the size of mobile, web and app development company being appointed as a the cloud computing market in your jurisdiction? New Zealand Google Cloud partner in March 2018; Cloud computing is well established in New Zealand, with an esti- • the New Zealand government announcing its all-of-government mated 85 per cent of the New Zealand market now leveraging some agreement with Amazon Web Services (one of the first whole-of- form of cloud-based service (IDC 2017 New Zealand Ecosystem study). government contracts that AWS has signed globally) in May 2017; New Zealand businesses are increasingly taking advantage of and cloud computing as a flexible and cost-efficient alternative to tradi- • Genesis Energy (New Zealand’s largest electricity and gas retailer tional data storage options. According to a PricewaterhouseCoopers and power generator) in March 2017 completing a large-scale report published in 2015, New Zealand and Australia are leading cloud migration of its IT infrastructure to Spark’s Revera cloud platform. adoption globally (PricewaterhouseCoopers New Zealand Managing the Shadow Cloud: Perspectives from New Zealand and Australia 2 Who are the global international cloud providers active in (August 2015)). your jurisdiction? There are various international cloud providers active in New Zealand 5 Are data and studies on the impact of cloud computing in your including Google’s Cloud Platform, Amazon Web Services, Microsoft jurisdiction publicly available? Azure, IBM Cloud Computing, Salesforce.com, Infor Cloudsuite and Data and studies on the impact of cloud computing in New Zealand are Dimension Data. not widely publicly available. Most studies or surveys on the impact of cloud computing are undertaken by independent researchers, such as 3 Name the local cloud providers established and active in your IDC Research, Inc, Gartner, Inc or by cloud providers themselves. jurisdiction. What cloud services do they provide? It is not possible to create an exhaustive list but the following is a guide Policy of some local cloud providers that we have encountered. The major cloud providers established in New Zealand include: 6 Does government policy encourage the development of your • Revera Limited, which offers cloud migration and in-country and jurisdiction as a cloud computing centre for the domestic global cloud platforms; and market or to provide cloud services to foreign customers? • Datacom Group Limited, which provides a range of cloud services Government policy does not specifically encourage the development of including an infrastructure-as-a-service platform, cloud migration, New Zealand as a cloud computing centre for the domestic market, or private cloud, shared private cloud and hybrid cloud solutions. to provide cloud services to foreign customers. However, the New Zealand government recognises that the digi- Cloud providers offering specialist solutions include: tal technology sector in general is ‘an important driver of innovation • Xero, a cloud-based software-as-a-service accounting system; and increases in jobs and export growth, and the application of tech- • PeopleSafe Limited, creators of a health and safety software nology across all sectors of the economy can make our businesses application; more resilient, productive, and internationally competitive’ (Business • Promapp Solutions Limited, an Auckland-based company that Growth Agenda: Building a Digital Nation, March 2017). The technol- developed a process management software for creating and stor- ogy sector is New Zealand’s third-largest exporting sector, contributing business processes online called Promapp; and ing NZ$16 billion to New Zealand’s GDP. The Ministry of Business, • Silkroad, provider of cloud-based, end-to-end human resources Innovation and Employment, together with the Technology Investment solutions. Network, produces a guide to New Zealand technology investment in order to drive investment in the sector. www.gettingthedealthrough.com 61

or consumption and who does not acquire the goods or services, for 7 Are there fiscal or customs incentives, development grants various specified business purposes) that would apply to consumers or other government incentives to promote cloud computing obtaining cloud services. operations in your jurisdiction? In addition, the Fair Trading Act 1986 (FTA) would apply to protect No. However, locally, the New Zealand government operates a ‘Cloud consumers where they obtain cloud services, and the Privacy Act 1993 First’ policy, which requires government agencies to adopt cloud ser- (discussed above) will apply whenever a business collects personal vices in preference to traditional IT systems. According to the New information about a consumer and stores it in the cloud. Zealand government, this is because cloud services are more cost- In summary, the CGA implies certain warranties and remedies into effective, agile, generally more secure and provide greater choice. sales transactions with consumers, relating to the quality and standard of goods and services supplied. Legislation and regulation The FTA prohibits conduct that is likely to be misleading or deceptive. This veto is extremely broad and includes not only the making 8 Is cloud computing specifically recognised and provided for of untrue claims or statements, but also omitting to give all relevant in your legal system? If so, how? details and failing to correct mistaken impressions. The FTA also con- Cloud computing is not specifically recognised or regulated under New tains prohibitions on unfair selling practices. Zealand law. As such, cloud computing is subject to the range of laws The FTA also contains a regime on the use of unfair contract terms of general application, including the Privacy Act 1993 (which is likely in standard form consumer contracts (UCT regime), which was intro- to undergo significant reform soon – see discussion below), the Fair duced in 2015. The UCT regime prohibits the use of terms that may Trading Act 1986 and the Copyright Act 1994. be ‘unfair’ in standard form ‘consumer contracts’ – that is, where one A number of New Zealand government agencies have released party is acquiring goods or services of a kind ‘ordinarily acquired for guidance material covering either their own, or their recommended, personal, domestic, or household use or consumption’ and does not approach to cloud computing. resupply them in trade. For example, the Office of the Privacy Commissioner (an independent Crown Entity that administers the Privacy Act 1993) released 13 Describe any sector-specific legislation or regulation that guidance material for small and medium-sized businesses to help them applies to cloud computing transactions in your jurisdiction. protect personal information when using cloud computing in February There is no sector-specific legislation or regulation that specifically 2013 entitled Cloud Computing: a guide to making the right choices. applies to cloud computing transactions in New Zealand. In addition, in April 2017, the Ministry of Health released its policy However, as mentioned above, a number of government depart- on cloud computing (in conjunction with the Department of Internal ments have released guidance on cloud computing. Affairs’ Government Chief Information Office). In April 2017, the Ministry of Health released its policy on cloud computing (in conjunction with the Department of Internal Affairs’ 9 Does legislation or regulation directly and specifically Government Chief Information Office). Specific privacy rules for agen- prohibit, restrict or otherwise govern cloud computing, in or cies in the health sector are set out in the Health Information Privacy outside your jurisdiction? Code. Cloud computing is not directly regulated or specifically prohibited or According to the Ministry of Health, the use of cloud or hosted restricted by New Zealand legislation. services is a viable option for funders and providers of health and dis- ability support services (health agencies) because of its cost and con- 10 What legislation or regulation may indirectly prohibit, restrict venience. The Ministry requires District Health Boards to: or otherwise govern cloud computing, in or outside your • satisfy themselves via certain prescribed cloud risk assessment jurisdiction? processes that the product or service meets the requirements of HISO 10029:2015 Health Information Security Framework – sec- Cloud computing itself is not indirectly prohibited, restricted or other- tion 18 Cloud Computing and Outsourced Processing; wise governed by New Zealand legislation or regulation. • forward a copy of completed risk assessments to the Department However, businesses using cloud computing will be subject to the of Internal Affairs’ Government Chief Information Office. A copy range of laws of general application, including the Privacy Act 1993, Fair must also be provided to the Ministry of Health prior to the com- Trading Act 1986 and Copyright Act 1994, and Telecommunications mencement of the cloud service use; and (Interception Capability and Security) Act 2013 (TICSA), which contain • record each individual public cloud service utilised within its appli- a number of provisions that indirectly govern cloud computing. cation portfolio management system. For example, the Privacy Act 1993 applies to ‘agencies’ (including cloud computing businesses to the extent they handle personal infor- 14 Outline the insolvency laws that apply generally or mation) and sets out rules in relation to the collection, use, storage specifically in relation to cloud computing. and disclosure of such personal information. The Act provides that an organisation that holds personal information must ensure that it is pro- In New Zealand, when a company becomes insolvent, a liquidator can tected using reasonable security safeguards against loss, access, use, be appointed by the shareholders, directors or the court on the applica- modification, unauthorised disclosure and misuse. A business remains tion of a creditor. The liquidator is then entitled to take possession of, legally responsible for those obligations when personal information is protect, realise and distribute the assets of the company to the com- stored in the cloud. pany’s creditors and shareholders in accordance with the Companies The TICSA applies to cloud computing in New Zealand indirectly, Act 1993. The liquidator acts as the agent of the company. and sets out obligations for New Zealand’s telecommunications net- In the context of company insolvency, a receiver can also be work operators and service providers in relation to interception capa- appointed by a secured creditor. The receiver will take control of the bility and network security. company assets and trade on the company or sell the company as a going concern or sell the company’s assets, as the case may be. 11 What are the consequences for breach of the laws directly Because there are no insolvency laws in New Zealand specifically or indirectly prohibiting, restricting or otherwise governing relating to a cloud computing supplier, the rights to the stored data will cloud computing? largely depend on the nature of the contractual arrangement between the service provider and the customer. The terms of cloud contracts Not applicable. can vary significantly between service providers and, if not negotiated properly at the outset, can include terms that allow insolvency practi- 12 What consumer protection measures apply to cloud tioners to access and sell off customer data. computing in your jurisdiction? Certain rights and remedies are implied into contracts with consumers (defined in the Consumer Guarantees Act 1993 (CGA)), in summary, as a person who acquires from a supplier goods or services of a kind ordinarily acquired for personal, domestic, or household use

62 Getting the Deal Through – Cloud Computing 2019

Data protection/privacy legislation and regulation Update and trends 15 Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction. The European Union’s General Data Protection Regulation (GDPR) New Zealand’s principal data protection and privacy provisions are came into force earlier this year, and will impact New Zealand because of its extra-territorial reach. Two key principles from the contained in the Privacy Act 1993. regulation, ‘data portability’ and the ‘right of erasure’, are not In summary, the Privacy Act 1993 controls how ‘agencies’ collect, yet reflected in the Privacy Bill. These principles may, however, use, disclose, store and give access to ‘personal information’. It also feature in the next round of drafting of the Bill and are likely to contains a set of information privacy principles that cover: have significance for New Zealand cloud computing businesses • the collection, storage and security, and accuracy of personal and customers. For those New Zealand businesses that process EU information; data subjects, it is still unclear how the EU regulators will enforce • requests for access to and correction of personal information; the GDPR against a New Zealand company. Importantly, however, • retention, use and disclosure of personal information; and many of the principles of the GDPR are (or are likely to be, when the • using unique identifiers. Bill is passed) replicated in New Zealand’s own privacy law. While there are no draft laws or legislative initiatives specific to cloud computing that are being developed or contemplated, New The Privacy Commissioner has the power to issue privacy Codes of Zealand’s privacy law will undergo significant reform with the recent Practice. To date, codes exist in the specific areas of the justice sector, introduction of the Privacy Bill. Now at the Parliamentary Select health, superannuation schemes, telecommunications, credit report- Committee stage, the Bill aims to restore individuals’ confidence ing and national emergencies. As discussed, the Privacy Bill is likely to that agencies will keep their personal information secure; and change the privacy law landscape in New Zealand. provide the Privacy Commissioner with greater powers to address agencies’ failure to handle personal information appropriately. Cloud computing contracts The changes that are proposed by the Bill seek to enforce this in two ways. First, to impose compliance on agencies by greater 16 What forms of cloud computing contract are usually adopted regulations, and second to increase fines against agencies for in your jurisdiction, including cloud provider supply chains (if breaches of the Bill. If passed, the changes will be particularly applicable)? relevant to companies dealing with vast volumes of data, such as cloud computing businesses. There is no standard form of cloud computing contract that is adopted but standard methods of contracting for cloud-based solutions that are adopted in other jurisdictions, in particular, England and Australia, What are the typical terms of a B2B public cloud computing would be recognised and accepted in New Zealand. 19 contract in your jurisdiction covering data and confidentiality considerations? 17 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, Cloud computing contracts in New Zealand generally include detailed jurisdiction, enforceability and cross-border issues, and data security and confidentiality provisions. dispute resolution? Customers typically require suppliers to comply at all times with relevant privacy law in respect of the data, process data in accordance Where possible, New Zealand businesses will try to ensure that New with the customer’s instructions and any relevant policies, and, in Zealand law is the governing law, and that the parties submit to the some cases, not to transfer data outside of certain jurisdictions. These jurisdiction of New Zealand courts. However, many global interna- clauses also provide for the prevention of unauthorised access, disclo- tional cloud providers insist on including governing law and jurisdic- sure or misuse of data. tion clauses from the countries of their own head offices. Data clauses often set out a process that must be followed in the Dispute resolution clauses in New Zealand cloud computing con- case of any data breach, generally including notification, cooperation, tracts typically provide for an escalation procedure (often including a mitigation and providing regular updates while resolving the breach. notice of dispute, mediation and, in some cases, arbitration), which Confidentiality provisions tend to allow the parties, notwithstand- must be followed before a party may start court proceedings, except ing their confidentiality obligations, to use and disclose information where a party seeks urgent interlocutory relief. required by law, a competent authority or listing rules. 18 What are the typical terms of a B2B public cloud computing 20 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such contract in your jurisdiction covering liability, warranties and as commercial terms of service and acceptable use, and provision of service? variation? It is standard practice to exclude liability for indirect or consequen- The commercial terms of service operate as a subscription model, usu- tial loss or damage in New Zealand cloud computing contracts. Force ally for a minimum term and then on a rolling basis (either one or three majeure clauses typically provide that a party is not liable for any fail- months). Payment is usually made in advance and subject to usual pro- ure or delay arising directly from a force majeure event (provided that visions around interest for late payment and suspension of services if the party in default uses its best endeavours to mitigate the effects of fees remain unpaid for a period of time (usually no more than five busi- the force majeure). ness days unless there is a genuine dispute). In addition, a limitation of liability is generally included. Loss aris- Generally, acceptable use policies (AUPs) require the customer ing out of wilful default or breach, or a breach of confidentiality provi- to be solely responsible for the content stored on the public cloud sions, is often excluded from the limitation of liability. and impose usage limits and apply the ability to ‘throttle’ bandwidth. Content and use of the services must always comply with law (including What are the typical terms of a B2B public cloud computing privacy, SPAM and intellectual property law). We are seeing increased 21 contract in your jurisdiction covering intellectual property use of provisions noting cybersecurity requirements and specifically rights (IPR) ownership in content and the consequences of prohibiting conduct that uses the services to gain unauthorised access infringement of third-party rights? to third-party computer systems or sites. In most AUPs, the cloud provider reserves its rights to block access Intellectual property clauses typically provide for ownership of intel- to the client content if it believes that the AUP is being breached or lectual property as follows: circumvented. In some cases, continued or flagrant abuse of the AUP • each party’s pre-existing intellectual property remains the prop- gives rise to a termination right. erty of the original party; • the parties must agree on the ownership of any intellectual property rights in intellectual property developed during the course of the contract; and • each party grants a licence to the other to use each party’s intellectual property for the purposes of fulfilling its obligations under the agreement. www.gettingthedealthrough.com 63

It is typical to see IP indemnities in cloud computing contracts, whereby 25 Outline the indirect taxes imposed in your jurisdiction that one party indemnifies the other against any loss suffered in relation to apply to the provision from within, or importing of cloud third-party claims of IP infringement. computing services from outside, your jurisdiction. A supplier of goods and services is required to register for and charge 22 What are the typical terms of a B2B public cloud computing goods and services tax (GST) at a rate of 15 per cent if they make sup- contract in your jurisdiction covering termination? plies of goods and services in New Zealand that exceed NZ$60,000 Cloud computing contracts generally provide for termination: per annum. • by either party on default (including material breach of obligations A cloud computing company making supplies will be deemed to be under the contract, insolvency, receivership or force majeure); and making supplies in New Zealand if the company is tax-resident in New • by either party (or one) for convenience. Zealand. A company will be tax-resident in New Zealand if it meets one of the residency tests outlined in question 24, or if the company has a In addition, some customers require termination rights where the sup- fixed or permanent place of business in New Zealand. plier comes under the control of another entity, or where a significant In contrast to the position for tax residents, supplies made by a breach or crisis affects the customer’s business (which is the fault of, or non-resident company will generally be treated as being made outside arises out of the actions of, the supplier). of New Zealand. However, a non-resident company will be deemed to Following termination, each party is generally required to destroy supply services in New Zealand if they provide ‘remote services’ to cus- or deliver to the other party, any property and confidential information. tomers that are not GST-registered. Services will be ‘remote services’ In some instances, suppliers are required to novate to the customer any when there is no necessary connection between the physical location third-party licence agreements required for the continuation of the of the service recipient and the place where the service is performed. contract. Many customers require suppliers to provide transition assistance Recent cases if the agreement is terminated, as well as step-in rights for the cus- 26 Identify and give details of any notable cases, or commercial, tomer if the supplier becomes insolvent. private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly 23 Identify any labour and employment law considerations that involved cloud computing as a business model. apply specifically to cloud computing in your jurisdiction. In Cloud House Ltd v Bulletproof Group Ltd [2018] NZHC 1450, the High There are no labour or employment law considerations in New Zealand Court granted the defendant security for costs over a dispute concern- that specifically relate to cloud computing. However, a business cus- ing the ‘earn out’ provisions contained in a deed for the sale of a New tomer entering into a cloud computing contract may wish to consider Zealand cloud computing services business by an established cloud the key pieces of employment legislation in New Zealand, includ- services provider in Australia. Cloud alleged that its prospects of earn- ing: Employment Relations Act 2000, Holidays Act 2003, Health and ing the earn-out payments had been compromised by Bulletproof’s Safety at Work Act 2015 and the Privacy Act 1993. alleged pre-contractual misrepresentations and breach of warranties. In particular, Cloud pointed to a decision by Bulletproof to alter the Taxation business model by entering into a partnership with Microsoft Azure 24 Outline the taxation rules that apply to the establishment and as damaging the business relationship with a major supplier, AWS. operation of cloud computing companies in your jurisdiction. This, together with a number of other administrative and staffing deci- New Zealand’s income tax rules operate on the principles of source and sions, amounted to Bulletproof intentionally taking action that would residency. reduce the amount of the earn-out payment in breach of the warranty. A cloud computing company that is tax-resident in New Zealand Bulletproof claimed that the earn-out was not achieved due to Cloud’s (on the basis that it is incorporated in New Zealand, has its head office financial forecasting not being prepared with due care or based on or centre of management in New Zealand or is controlled by its direc- assumptions that were reasonable. tors from New Zealand) will be subject to tax on its worldwide income At the time of writing, filings are being made for the substantive (at the corporate tax rate of 28 per cent). hearing. A cloud computing company that is not tax-resident in New Zealand may only be taxed on New Zealand-sourced income, unless a double tax agreement (DTA) applies to alter this treatment. A DTA is an agreement between nations that aims to prevent double taxation of the same income. Most of New Zealand’s DTAs prevent New Zealand from taxing the business profits of non-resident companies unless those profits are attributable to a permanent establishment that the company has in New Zealand.

Richard Wells [email protected]

Lumley Centre Level 18 88 Shortland Street 125 The Terrace Auckland 1010 Wellington 6011 Tel: +64 9 353 9700 Tel: +64 4 498 5000 Fax: +64 9 353 9701 Fax: +64 4 498 5001

www.minterellison.co.nz

64 Getting the Deal Through – Cloud Computing 2019

Poland

Krzysztof Wojdyło and Rafał Kuchta Wardyński & Partners

Market overview Oktawave A platform of infrastructure on demand (IaaS), in which clients can 1 What kinds of cloud computing transactions take place in run, process or store any resources – a website, business application or your jurisdiction? enterprise solution. Poland was ranked 11th of 24 countries examined with regard to the regulatory and political framework for cloud computing in the Atende Business Cloud – CloudiA 2018 Global Cloud Computing Scorecard, prepared by the BSA|The Offers application hosting (application hosting charged for real con- Software Alliance. The Polish government has adopted a programme sumption of resources), DRC back-up data centre (ensuring business on integrated implementation of IT solutions and expansion of usage security and continuity of a company’s operations), platforms for www of cloud computing solutions is one of its goals. services (platforms for website or e-commerce for the smooth support In Poland, public, hybrid and private cloud models are all in use. of up to a million users), test and development environments (auto- According to a survey commissioned by Aruba Cloud in 2017, 27 per mated and flexible test and development environments available on cent of firms declared that they use cloud services. Among these, 50 request). per cent used private clouds, 26 per cent – public clouds, and 23 per cent – hybrid clouds. However, according to several reports and stud- COIG ies, hybrid cloud and public cloud models are expected to gain popular- Offers SaaS (access to ERP system), PaaS (virtual desktop, licence and ity. The reason behind the popularity of the private cloud computing application availability), IaaS (hire of computing power) and DaaS. model among Polish companies seems to be the direct control it gives each company over data security and tailor-made services. Unicloud (Asseco) As far as infrastructure-as-a-service (IaaS), platform-as-a-service Offers IaaS and PaaS models, autoscaling. (PaaS) and software-as-as-service (SaaS) models are concerned, all of these have been adopted in Poland. Other services available are: T-MobileCloud data-as-a-service (DaaS), backup-as-a-service (BaaS), wired-commu- Telecommunications operator offers cloud services (applications, pro- nication-as-a-service (Ucaas), contact-centre-as-a-service (CcaaS), grammes and IT services in cloud). digital-signage-as-a-service (DSaaS) and disaster-recovery-as-a-service (DraaS). Over the last few years, plenty of new Polish companies and start- Onetcloud ups are offering cloud computing services. The popularity of such Cloud solution designed by IBM for medium-sized and large enter- services is expected to grow still further. Regarding specific publicly prises that seek additional computing power, as well as a ‘disaster known transactions, in 2017 Asseco Bussiness Solutions acquired recovery’ model. Macrologic SA, a provider of enterprise resource planning (ERP) systems, including cloud-based solutions, for approximately US$28.5 Comarch million (107.8 million zloty). The transaction was a share deal and the One of Poland’s largest IT companies offers cloud computing services companies have subsequently merged. including ERP for all kinds of enterprises, e-commerce, bookkeeping services, hosting, backup and sync, business intelligence, medical ser- 2 Who are the global international cloud providers active in vices and timekeeping. your jurisdiction? Ergonet International cloud providers active in Poland are: Microsoft Exchange, Office 365, Microsoft Sharepoint, Microsoft Lync, • Amazon; Ergonet Drivebox, Ergonet Backup, Ergonet Antispam (applications, • Microsoft; office, servers in the cloud, hosting), offers private, hybrid, managed • Google; and ergonet cloud. • IBM; • Dropbox; • Apple; and InfoCloud24 • Oracle. Data storage centre, a member of the VMware Service Provider Program and a Microsoft Services Provider. The data centre is based 3 Name the local cloud providers established and active in your on VMware and Microsoft. jurisdiction. What cloud services do they provide? Intratel e24cloud and beyond.pl Offers IaaS and SaaS for companies. E24cloud is the infrastructure on demand (IaaS), which enables rapid creation, flexible scaling and easy management of space and comput- Opteam ing power for IT projects. Beyond.pl offers cloud computing services All Optel’s solutions are offered in the cloud (ERP, IT security, business for businesses. aplications, mobile solutions, IT infrastructure and data centre).

www.gettingthedealthrough.com 65

ATMAN Cloud Information society in Poland. Results of statistical surveys in the Offers Klaster compute and Klaster storage and highly efficient years 2013-2017 Ethernet 40 Gbe. This publication presents the results of annual public statistical surveys conducted by the Polish Statistical Office over 2013–2017 concerning Talex the development of the information society in Poland. Offers data storage centre, data recovery and disaster recovery services. Poland IT Services Market 2018–2022 Forecast and 2017 Analysis Linx DataCenter According to description provided by IDC, this study presents a com- Offers IaaS, remote storage of data, virtual data centre, DRaaS (emer- prehensive view of the cloud services market in Poland and includes gency recovering of data), BaaS (backup copy as a service). market sizing for public and private cloud delivery models. It contains quantitative data from 2017 as well as market forecasts for 2018–2022; EXEA it also summarises the major issues and impacts of cloud services on Data centre that offers data storage, using computer power provided the IT industry as a whole and presents end-user views. The report is by VMware, offers private cloud services in the ‘pay as you go’ model, available for a fee. designs tailor-made cloud environments for companies. Polish Cloud Computing Market in 2018. Market Analysis and LST-NET Predictions for 2018-2013 Offers IaaS, PaaS, SaaS and data centre. According to description provided by PMR, this report covers trends, key data and predictions on cloud use by small, medium and large Software Studio enterprises as well as in the public sector. Information about the Polish Offers IT outsourcing. market is presented against the backdrop of global market. The report is available for a fee. BCC Business-to-business (B2B) platform enabling creation, sharing and Study Comarch Cloud 2014 exchange of the documents and data of clients and providers (through Comarch is one of the largest producers of software for companies in the portal, network services). Poland. This report analyses the answers provided by respondents covering a variety of interests, such as popular knowledge about the cloud, OVH reasons for using the cloud and types of entities using the cloud. Offers public, hybrid and private cloud services, hosting and data storage, backup copies and cloud desktop. Report on cloud services providers market in Poland with particular emphasis on IaaS 2015 3S Cloud2B This report prepared by Audytel analyses cloud services providers in Offers private and public cloud services, has a data centre to store data Poland, with an accent on IaaS. It contains details of service platforms, and provide backup copies. sharing of services, typical pricing and market growth forecasts.

RootBox Cloud computing in the financial sector – report prepared by the Servers in the cloud, so far the company has set up more than 3,000 Association of Polish Banks 2013 servers in the cloud. A task force on technologies and cloud computing prepared this report to clarify some uncertainties relating to use of cloud computing in the Integrated Solutions financial sector. The publication has an educational character with the This is another Polish company offering cloud services including goal of preparing banks and workers for implementation of cloud com- UCaaS, CCaaS, BaaS, DSaaS and integrated computing. puting services in banks.

Serwery.pl 2018 BSA Global Cloud Computing Scorecard Polish platform registering domains, offers cloud hosting – servers in The 2018 BSA Global Cloud Computing Scorecard ranks the cloud the cloud. computing readiness of 24 countries that account for 80 per cent of the world’s IT markets. Each country is graded on its strengths and weak- Comtegra Enterprise Cloud nesses in seven key policy areas. This edition highlights, among others, This company provides private, public and hybrid cloud services, has issues related to privacy and security laws. consolidated and virtualised servers in the only state-owned bank (BGK), and public cloud in Linxdatacenter. 2018 BSA Country Report Poland (on cloud computing) The summary and full report with detailed information on cloud com- 4 How well established is cloud computing? What is the size of puting in Poland. the cloud computing market in your jurisdiction? According to an International Data Corporation (IDC) estimates at the Policy end of 2017, the value of the Polish cloud computing market in 2017 was 6 Does government policy encourage the development of your to exceed US$200 million and predicted to reach nearly US$300 mil- jurisdiction as a cloud computing centre for the domestic lion in 2019 and US$412 million by 2021. market or to provide cloud services to foreign customers? Figures from the Polish Statistical Office for 2017 indicate that The government encourages the development of Poland as a cloud only 10 per cent of Polish companies used cloud computing technol- computing centre mostly for the domestic market. At the most gen- ogy. Among larger firms and corporations, however, usage – at 37.1 per eral level, in early 2017, the government adopted the Strategy for cent – was far higher. In addition, in comparison with 2016 cloud usage Responsible Development for the period up to 2020 (including the increased among companies of all sizes. perspective up to 2030), which recognises cloud computing as one of the important technologies that will shape the economy. The strategy 5 Are data and studies on the impact of cloud computing in your underscores the importance of cloud solutions for the whole economy, jurisdiction publicly available? with a particular emphasis on applications related to data processing as Some of the studies are publicly available, but access to many is part of the Industry 4.0 trend. It also mentions the use of cloud solu- restricted. The following is a list of reports that cover cloud computing tions in public administration. issues. In order to specify some of the aims and tasks from the IT area mentioned in the more general, strategic documents, the Polish Ministry for Digitalisation has designed the National Integrated Informatisation Programme. Among other things, this programme aims to facilitate the

66 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Wardyński & Partners POLAND use of cloud computing services by the administration. For example, • sector-specific legislation, for example: the government began working on developing a universal system for • Banking Law of 29 August 1997; electronic document management across the administration, which • Payment Services Act of 19 August 2011; will be based on a private cloud solution. • Trade in Financial Instruments Act of 29 July 2005; Another example of cloud use in the public administration is the • Insurance and Reinsurance Act of 11 September 2015; and Polish Ministry of Finance, which relies on a public cloud solution sup- • Telecommunications Law of 16 July 2004. plied by Microsoft to receive and store large volumes of encrypted information supplied by taxpayers via a standard audit file-tax system. 11 What are the consequences for breach of the laws directly After receipt, the information is transmitted for processing to the min- or indirectly prohibiting, restricting or otherwise governing istry’s own IT systems. At the same time, the ministry is also developing cloud computing? a private cloud for other administrative purposes. The consequences, which vary between the laws and depend on the Another Polish government initiative that is likely to increase usage type of breach, may include: of cloud computing services is the National Broadband Plan. Under this • partial or complete invalidity of a contract; plan, by 2020, 100 per cent of the Polish population should have access • replacement of contractual terms by statutory terms; to speeds of at least 30Mbps, and by 2025, 50 per cent of households • contractual liability; should have access at 100Mbps. • administrative sanctions, for example: Finally, it is worth noting that Poland’s deputy prime minister • monetary fines; (and Minister for Higher Education and Science), in conjunction with • orders to cease and remedy any violations; and Microsoft and the National Center for Research and Development, • revocation of regulatory licence; introduced a pilot programme called ‘Cloud Computing Services’. This • criminal sanctions, for example: programme aims to facilitate usage of cloud computing services in • monetary fines; research and development (R&D) projects, and to encourage research • restriction of freedom; and and development works with the usage of complex systems simula- • imprisonment. tions. The programme should enable the study of massive datasets and implementation of AI methods and genetic research. 12 What consumer protection measures apply to cloud computing in your jurisdiction? 7 Are there fiscal or customs incentives, development grants The primary source of consumer protection measures that could or other government incentives to promote cloud computing apply to cloud computing in Poland is the Consumer Rights Act of operations in your jurisdiction? 30 May 2014, which implements the Consumer Rights Directive No such incentives have been identified. In respect of R&D tax breaks, (2011/83/EU). Notable protections envisioned by the Act are the see question 24. following: • mandatory information that must be provided when entering Legislation and regulation into a distance contract (eg, concerning service parameters and 8 Is cloud computing specifically recognised and provided for remuneration); in your legal system? If so, how? • an obligation to include information on delivery and payment methods on the provider’s website; Polish law expressly refers to the notion of cloud computing in the • a 30-day time limit for responding to consumer complaints; and National Cybersecurity System Act of 5 July 2018, which is based on EU • a customer’s right to withdraw from contract within 14 days. Network and Information Security Directive (2016/1148). Under the legislation, certain categories of businesses must apply specific cyber- Consumers are granted further protection in other acts, for example: security measures, including incident reporting, and providers of cloud • protection from abusive contract clauses under Civil Code of computing services are one such category. Cloud computing is defined 23 April 1964; in general clauses deemed abusive do not bind the as a service that enables access to a scalable and elastic pool of comput- consumer (implementation of Directive 93/13/EEC). The following resources for the shared use by multiple users. ing clauses in particular could be regarded as abusive: • any limitations of liability towards a consumer for per- 9 Does legislation or regulation directly and specifically sonal damage; prohibit, restrict or otherwise govern cloud computing, in or • significant limitations of liability towards a consumer for outside your jurisdiction? non-performance; See above. • right to assign the contract to a third party without consumer consent; 10 What legislation or regulation may indirectly prohibit, restrict • right to unilaterally change the contract without an important or otherwise govern cloud computing, in or outside your reason specified in contract; jurisdiction? • renewal clauses where the time to object is disproportionately The following legislation may indirectly prohibit, restrict or otherwise short; and govern cloud computing: • certain jurisdiction clauses; • the Civil Code of 23 April 1964; • the Counteracting Unfair Commercial Practices Act of 23 August • the Electronic Services Act of 18 July 2002; 2007, which implements Directive 2005/29/EC, forbids epony- • the Copyright and Related Rights Act of 4 February 1994; mous practices and grants affected consumers a right of action • the Consumer Rights Act of 30 May 2014; against the perpetrator (a consumer can, in particular, file for • the Personal Data Protection Act of 10 May 2018, which supple- abandonment of the practice, for remedying its effects, and for ments the EU General Data Protection Regulation (2016/679); damages); • the Classified Information Protection Act of 5 August 2010; • contract terms for Polish consumers must generally be available in • the Police Act of 6 April 1990 (and other similar acts governing the Polish (under the Polish Language Act of 7 October 1999); and surveillance powers of various law enforcement agencies); • alternative dispute resolution measures described in the Out-of- • the Criminal Procedure Code of 6 June 1997; court Consumer Dispute Resolution Act of 23 September 2016 and • the Foreign Trade in Goods, Technologies and Services of Strategic the EU Online Dispute Resolution Regulation (524/2013). Importance to State Security and to Maintaining International Peace and Security Act of 29 November 2000; 13 Describe any sector-specific legislation or regulation that • the Council Regulation (EC) No 428/2009 of 5 May 2009 setting up applies to cloud computing transactions in your jurisdiction. a Community regime for the control of exports, transfer, brokering In the public sector, minimal technical requirements for ICT systems and transit of dual-use items; and electronic data exchange determined under the Informatising • the Informatising Activities of Bodies Performing Public Tasks Act Activities of Bodies Performing Public Tasks Act of 17 February 2005 of 17 February 2005; and may apply to cloud computing transactions involving public sector www.gettingthedealthrough.com 67

© Law Business Research 2018 POLAND Wardyński & Partners bodies. These requirements aim to ensure the interoperability of sys- legal relationship in the event of the filing of a bankruptcy petition or a tems used by the public administration. declaration of bankruptcy are invalid. In the private sector, financial service providers are subject to The opening of court restructuring affects the debtor also in sev- additional outsourcing requirements that may affect cloud comput- eral ways. For example: ing transactions. These requirements do not apply to outsourcing in • If a court supervisor is appointed for the debtor, the debtor exer- general, but rather to outsourcing of specific functions or services indi- cises the management of its assets in the ordinary course of busi- cated in the legislation. ness. The court supervisor oversees the debtor’s enterprise and For example, under the Banking Law, an outsourcing contract activities that affect its assets. The court supervisor’s consent must always be in writing, it cannot restrict a provider’s liability for is required for the debtor to engage in activities exceeding the damage caused to the bank’s customers, it must provide for the pro- ordinary course of business (unless the law requires consent of tection of bank’s professional secrets, and it must grant audit rights to the creditors’ council). Lack of required consent invalidates the the bank and its regulator. A bank must also keep records indicating action. the location where the entrusted functions are performed, as well as • If an administrator is appointed for the debtor, the debtor loses the identifying all contractors and subcontractors. right to manage its assets and the administrator takes over their Furthermore, a contractor cannot cooperate with subcontrac- management. Legal acts performed by the debtor are invalid. tors without the bank’s written permission. If an outsourcing contract • The provisions of a contract to which the debtor is party, which involves performing certain actions outside the EU or cooperating with prevent or impede the achievement of the purpose of restructur- a provider that is not established in the EU, a bank must obtain regula- ing proceedings, are ineffective in relation to debtor’s estate. tory approval before entering into such contract. Besides the Banking Law, a contract between a bank and a cloud provider must also follow Moreover, the opening of remedial proceedings (a type of court the requirements specified in the regulator’s recommendation on man- restructuring) is the source of the administrator’s right to withdraw - aging the IT technology area and IT environment security in banks. under the terms specified in the Restructuring Act and with the con- Similar requirements apply to payment institutions under the sent of the judge-commissioner – from mutual agreements to which Payment Services Act of 19 August 2011, to insurers under the Insurance the debtor is party (e.g. service contracts). and Reinsurance Act of 11 September 2015, and to investment firms In addition, contractual provisions stipulating a modification to or under the Trade in Financial Instruments Act of 29 July 2005. termination of legal relationships to which the debtor is a party in the Besides the above, sector-specific legislation for certain indus- event of a request for opening restructuring proceedings or in the event tries, such as the Telecommunications Law of 16 July 2004, sometimes of their opening are invalid. In relation to proceedings for approval of impose professional secrecy obligations on service providers. These the arrangement such effect cannot be associated with submission of obligations must be observed when entering into contracts with cloud an application for approval of the arrangement or the approval of the providers. arrangement.

14 Outline the insolvency laws that apply generally or Data protection/privacy legislation and regulation specifically in relation to cloud computing. 15 Identify the principal data protection or privacy legislation In relation to cloud computing, the general provisions of the Bankruptcy applicable to cloud computing in your jurisdiction. Law of 28 February 2003 and provisions of the Restructuring Law Apart from the upcoming cybersecurity rules mentioned earlier, of 15 May 2015 apply. The restructuring opportunity under the cloud computing does not have dedicated data protection legislation Restructuring Act is available also to debtors who are only threatened and it is governed by the general rules of the General Data Protection with insolvency. Regulation (GDPR), supplemented by the Personal Data Protection If a cloud provider is declared bankrupt, among other things: Act of 10 May 2018. The government is also working on legislation that • On the day of declaring bankruptcy, the bankrupt’s property forms adapts sector-specific rules to the GDPR. the bankruptcy estate. The bankrupt is obliged to indicate and The GDPR outlines extensive requirements for data-processing release to the official receiver all of its assets and documentation. contracts. Notably in the context of cloud computing, such contracts The official receiver immediately takes over the assets, manages should provide audit rights for the controller or an external auditor them, protects them from destruction, damage or removal by authorised by the controller , require his or her approval for engaging strangers, and proceeds with their liquidation. The bankrupt’s subcontractors (sub-processors) and oblige the provider to assist the business may continue to be operated after the bankruptcy is controller in, among other things, reporting data breaches and exer- declared only if it is possible to reach an arrangement with credi- cising data subject rights. Under the Act, local data controllers must tors, or the bankrupt’s business may be sold in its entirety or in its notify their data protection officer (if appointed) with the local regula- organised parts. tor. One should mention that cloud providers established outside the • It is presumed that assets in possession of the bankrupt on the date EU may still fall under the scope of the GDPR in certain circumstances of bankruptcy announcement are part of the bankrupt’s estate. (basically in cases where the processing relates to data of persons in However, the official receiver should make sure that all compo- the EU), in which case they must comply with all the obligations and nents of the bankrupt’s estate that do not belong to the bankrupt designate a representative in the EU. are returned to their owners. Nonetheless, should a dispute arise The GDPR imposes general obligations with regard to protecting in this relation between the official receiver and the owner of the and securing personal data that must be observed by both controller asset, the latter may apply for the asset to be exempted from the and processor (eg, a cloud provider), but they are, in principle, free to bankruptcy estate. choose specific measures through which to achieve this aim. Transfers • Service contracts concluded by the bankrupt, in which it accepted of data outside the European Economic Area (EEA) are permitted only the commission, can be waived at the date of bankruptcy declara- in circumstances listed in the GDPR, such as transfers based on EU tion without compensation. standard contractual clauses, adequacy decisions or binding corpo- • A provision of a contract to which the bankrupt is party, which pre- rate rules. In addition, the GDPR grants data subjects several rights to vents or hinders the purpose of insolvency proceedings, is ineffec- control processing of their data and establishes procedures for exercis- tive in relation to the bankruptcy estate. ing them. In the context of cloud computing, the rights related to data • The official receiver may, with the consent of the judge-commis- access, erasure and portability are especially worth highlighting. sioner, obtain the right to withdraw from an arbitration clause, subject to certain conditions set forth in the Bankruptcy Act (this Cloud computing contracts does not apply to proceedings in progress prior to the commencement of the bankruptcy). 16 What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains In addition, regardless of whether or not bankruptcy is declared, (if applicable)? according to the Bankruptcy Act, the provisions of a contract, to which The following forms of cloud computing contracts are usually adopted the bankrupt is party, stipulating a modification or termination of the in Poland:

68 Getting the Deal Through – Cloud Computing 2019

• terms and conditions (T&Cs) (eg, applicable use, terms of service); 19 What are the typical terms of a B2B public cloud computing • service level agreements; and contract in your jurisdiction covering data and confidentiality • data-processing agreements (where personal data is involved). considerations? Typically, parties to the contract will sign a data-processing agree- 17 What are the typical terms of a B2B public cloud computing ment where the cloud processing involves personal data. Personal data contract in your jurisdiction covering governing law, processing agreements are subject to detailed requirements under the jurisdiction, enforceability and cross-border issues, and GDPR, which have already been described elsewhere. dispute resolution? The T&Cs will also normally contain provisions on data and data In typical cloud computing contracts, there is usually a clause stating confidentiality. Usually service providers undertake to use reasonable that the agreement will be governed by Polish law. care to prevent other parties from obtaining customers’ data and trade Regarding the seat of the court, in the majority of cloud comput- secrets. They agree to treat the personal data as confidential and keep it ing contracts concluded in Poland, the parties decide that the Polish secret both during the term of the agreement and after its end. Service common courts are exclusively competent to settle disputes or claims providers must ensure that only properly authorised staff have access to arising from the contracts or related non-contractual disputes and data and that it must not be made available to third parties without the claims. Typically, cloud computing service providers will stipulate that customer’s consent unless applicable law obliges the provider to dis- the relevant court for settling disputes will be the court local to their close it. Service providers must also inform customers of their privacy registered office. and security policies. There are often exemptions from the above confidentiality obliga- 18 What are the typical terms of a B2B public cloud computing tions. For example, data can be made known if information: contract in your jurisdiction covering material terms, such • is or becomes generally known or available; as commercial terms of service and acceptable use, and • is required to be disclosed by law; and variation? • when the customer gives his or her consent to disclose the data. Commercial terms As far as payment regulations are concerned, the typical B2B public Customers are responsible for the legal sufficiency of data and its con- cloud computing contract is designed so that the customer pays for tent. Service providers are not owners of the customers’ data. exact usage (scaling). There is a usually a trial period, typically one month, during which customers are not charged. After this free period, 20 What are the typical terms of a B2B public cloud computing customers have three basic options: contract in your jurisdiction covering liability, warranties and • pay every time the service is used (usually the minimum time unit provision of service? is one hour); Service providers will try to exclude their liability as broadly as they are • pay on a monthly basis depending on usage – usually the amount is able. Usually they include provisions under which their total liability for set out in an invoice; or any loss, cost, claim or damages will not exceed the fees paid or payable • pay on an annual basis – with the amount estimated in advance, in the agreed period of time. This rule does not apply to damages that based on 12 times the minimum monthly fee. If actual use exceeds cannot be limited or that are excluded by law. The terms of the service the minimum monthly amount, the excess is then charged monthly providers’ liability are often set down in the service level agreement. in arrears based on the then-current pricing. Providers typically include provisions specifying that in no event will either party be liable for any indirect, special, incidental, punitive VAT is payable on cloud computing services. Interest at statutory rates or consequential damages (including damages for loss of goodwill, is charged on late payments. work stoppage, computer failure or malfunction, lost or corrupted data, lost profits, lost business or opportunity), cover damages or any Acceptable use other similar damages under any theory of liability, even if they were With reference to the second issue – the typical acceptable use terms, informed of that possibility. under Polish law, there is an obligation that customers must be If an unauthorised person gains access to a customer’s account, he informed in the T&Cs of any technical requirements for services ren- or she will be held liable. dered electronically. In their T&Cs, service providers usually specify a complaints Another requirement is that commercial and marketing communi- procedure. cations can only be sent after the customer gives explicit consent for With reference to warranties: contracts typically include a clause these. stating that the cloud computing service, equipment and other ser- Use of a cloud computing service to conduct unlawful activities is vices are made available ‘as is’. Service providers will disclaim all other forbidden. Customers must abide by cloud computing terms encapsu- warranties, express, implied or statutory, including the implied war- lated in contracts. They cannot disseminate illegal content or use the ranties of merchantability, satisfactory quality, title, fitness for a par- service to send viruses or malicious software. Also, customers must ticular purpose, non-infringement, compatibility, security, timeliness, take care proper care to secure their accounts (create adequate pass- completeness or accuracy. They also add the proviso that they do not words, not allow third parties to use their accounts). warrant that access to cloud computing service will be uninterrupted Customers are required to cooperate with service providers, keep or error-free. contact information up to date and inform providers of any unauthorised access to their account. 21 What are the typical terms of a B2B public cloud computing Service providers usually undertake to provide undisturbed access contract in your jurisdiction covering intellectual property to customers. Services are available 24/7 with some exceptions (eg, rights (IPR) ownership in content and the consequences of planned downtime at non-peak hours, unavailability caused by circum- infringement of third-party rights? stances beyond the provider’s reasonable control, including failure of The typical terms of a B2B public cloud computing contract covering or delay to the internet connection). IPR include the rules that rights to use services are non-exclusive, limited to the T&Cs, non-transferrable and for business use. Service pro- Variations viders make the reservation that they own all rights, titles, and interests Any amendments to T&Cs must be posted online or notified to custom- in and to cloud computing services. ers by email. If after receiving such notifications customers continue to Customers are not permitted to license, sell, lease or otherwise use the service, it is assumed that they agree to be bound by the modi- make the services available to non-customers or take any action that fied terms. Alternatively, in these circumstances, they are also able to might disclose confidential or proprietary information or acquire any chose to terminate the contract. right in the cloud computing service. Often, contracts contain a clause prohibiting use of the cloud computing services for reproducing or disseminating unlawful content and content infringing or likely to infringe third-party intellectual rights.

www.gettingthedealthrough.com 69

The typical contract usually contains two sections on IPR: one limited partnerships) are transparent entities, which means that no concerning the service provider’s IPR and the other relating to the cus- income tax is charged at the level of the partnership and instead is pay- tomer’s IPR. able by the individual partners. Companies (ie, limited liability companies, joint-stock companies 22 What are the typical terms of a B2B public cloud computing and joint-stock limited partnerships) are subject to corporate income contract in your jurisdiction covering termination? tax (CIT). CIT, at a rate of 19 per cent, is charged on income calculated The typical terms covering termination in the contract relate to non- as the difference between revenue and tax deductible costs. Newly payment or material reasons for termination if customers are using established companies in the first tax year and small companies (whose cloud computing services for unlawful or improper purposes. They revenue does not exceed the zloty equivalent of €1.2 million including must, however, give written notice of immediate termination or it will VAT) are subject to CIT at a reduced rate of 15 per cent. Losses can be be null and void. carried forward for five consecutive tax years, although no more than Either party may terminate a contract for a justified reason upon 50 per cent of the loss can be deducted in any single year. providing written notice and allowing an agreed number of days for the Cloud computing companies may qualify for R&D tax breaks in the breaching party to remedy the problem. In this case, the termination is form of an additional set-off of costs against taxable income from busi- normally effective at the end of the calendar month. ness (ie, excluding capital gains), if carry out R&D activity. Costs that Customers may end the contract at any time but usually must wait qualify for this tax break include salaries of employees engaged in R&D out the agreed notice period. activities, and depreciation and amortisation of tangible and intangi- Other reasons for termination include breach of acceptable use ble assets used in R&D activity (except for cars and buildings). If the policies, or receiving third-party complaints regarding breach of their value of the allowed relief exceeds taxable income, it may be deducted intellectual property rights. in the consecutive six years. Taxpayers starting their activity may apply After termination of an agreement the customer’s right to access for the refund in cash for the first year of activity. Cash refund is also the service will normally expire immediately. The service provider will available for small and medium-sized enterprises for the second year retain the customer’s data for a set period, during which time the cus- of their activity. tomer may request a full copy of its data. Polish transfer pricing regulations generally implement the OECD Certain sections of the contract remain valid even after termina- guidelines. Transactions between related entities should therefore tion, typically: confidentiality clause, conditions of use, customer data, generally be in line with market prices. Under certain conditions, trans- payments, warranty disclaimer, indemnification obligations and limi- fer pricing documentation needs to be prepared. tation of liability. Cloud computing services rendered by foreign service providers may be subject to the Polish 20 per cent withholding tax, unless rel- 23 Identify any labour and employment law considerations that evant double taxation avoidance agreement states otherwise. apply specifically to cloud computing in your jurisdiction. 25 Outline the indirect taxes imposed in your jurisdiction that There are no labour or employment laws specifically dedicated to cloud apply to the provision from within, or importing of cloud computing. Therefore, generally binding labour and employment laws computing services from outside, your jurisdiction. will apply to any employment matters pertaining to the cloud computing business. This also concerns Polish laws reflecting the notion of Cloud computing services are subject to VAT at the standard rate of 23 transfer of employment undertaking (or its part) under the Acquired per cent. Cloud computing services are classed as electronic services Right Directive. Although recently reported Polish Supreme Court within the meaning of the Polish VAT Act (in general, coherent with cases do not entirely exclude that a transfer of services may result in the VAT Directive). If such services are supplied to a consumer (in a transfer of an employing undertaking (or its part), a cloud computing business-to-consumer transaction) the transaction is subject to VAT in contract purely structured as a services agreement most likely will not the country in which the consumer resides (the VAT rate of that coun- result in the transfer of an employing undertaking (or its part) as not try will apply). Export of cloud computing services in a B2B transaction meeting ‘forming separate part of business’ and ‘identity retention’ is not subject to VAT in Poland (the VAT is settled under the domes- tests. tic laws of the country in which their recipient has its registered seat). Import of cloud computing services in a B2B transaction is subject to Taxation Polish VAT at the 23 per cent rate (to be settled by the Polish recipient of the service being VAT payer seated or having a fixed place of business 24 Outline the taxation rules that apply to the establishment and in Poland). operation of cloud computing companies in your jurisdiction. A cloud computing company acquiring cloud computing services Polish tax law does not provide specific rules for the establishment and has a right to deduct input VAT under general rules. operation of cloud computing enterprises. The rules of taxation depend on the legal form of the cloud computing business and, for example, partnerships (except for joint-stock

Krzysztof Wojdyło [email protected] Rafał Kuchta [email protected]

Aleje Ujazdowskie 10 Tel: +48 22 437/537 82 00 00-478 Warsaw Fax: +48 22 437/537 82 01 Poland www.wardynski.com.pl

70 Getting the Deal Through – Cloud Computing 2019

www.gettingthedealthrough.com 71

Sweden

Peter Nordbeck and Dahae Roland Advokatfirman Delphi

Market overview not a conclusive list (source: METISfiles – Cloudscape Sweden V1.1, September 2016). 1 What kinds of cloud computing transactions take place in your jurisdiction? 3 Name the local cloud providers established and active in your The demand for and use of cloud-based services in Sweden is rapidly jurisdiction. What cloud services do they provide? growing. There is also an increased focus on information security due There are numerous Swedish cloud service providers. Important local to additional requirements in this respect when processing critical IaaS providers are, inter alia, Zitcom, TDC Hosting, Loopia, Bahnhof or sensitive information. The services and cloud infrastructure var- and Glesys. These providers are common hosting partners to SaaS pro- ies depending on the users’ requirements and needs. There are three viders. Among the top Swedish SaaS providers are iZettle and Klarna internationally established types of cloud services that describe three (payment), Truecaller and Tele2 (communications), and Ericsson. different function areas: software-as-a-service (SaaS), infrastructure- There are fewer Swedish PaaS providers. However, local PaaS pro- as-a-service (IaaS) and platform-as-a-service (PaaS). All three are used viders that can be mentioned are Accedo, Bariumlive and Cloudnet on the Swedish cloud service market to various extents. (source: METISfiles – Cloudscape Sweden V1.1, September 2016). In a recent study carried out by the Swedish Pension Agency determining the most used services among public authorities in Sweden, the 4 How well established is cloud computing? What is the size of Agency concluded that IaaS was used by 30 per cent, PaaS by 23 per the cloud computing market in your jurisdiction? cent and SaaS by 78 per cent. This may lead to a conclusion that SaaS is the most common cloud service used by Swedish authorities (source: The cloud adaption in Sweden is among the largest in Europe – in Pensionsmyndigheten – Molntjänster i staten – En ny generation av 2016, almost 48 per cent of Swedish enterprises used cloud comput- outsourcing). ing services. Only Finland had a higher share of enterprises using cloud Another report from 2016 that examined the private sector’s use of computing services in the European Union (source: Eurostat – Cloud cloud services presents similar conclusions. Out of the top 200 Swedish computing: statistics on the use by enterprises, December 2016). The public cloud computing providers, SaaS constitutes 76 per cent of the total cloud computing market in Sweden was valued to 16 billion krona segment, while IaaS represents 22 per cent and PaaS only 2 per cent. in 2016 and the annual growth is currently estimated to be around 30 Out of the SaaS providers, 62 per cent use IaaS partners, out of which per cent (source: Framtidens Karriär – Kostnadsjakt driver molntill- half of the infrastructure providers are located in Sweden. The remain- växt, 2017-02-07). ing SaaS providers have their own infrastructure. Recently, Sweden has also seen an increase in the number of SaaS providers owing to an 5 Are data and studies on the impact of cloud computing in your uptake in the number of e-commerce services, fintech development jurisdiction publicly available? and general digitalisation (source: METISfiles – Cloudscape Sweden There are some reports published regarding cloud computing in V1.1, September 2016). Sweden. A notable report on cloud computing’s impact on state agen- When looking at the different models for providing cloud services cies was published by the Swedish Pensions Agency in January 2016. in Sweden, the NIST and ISO standard describe four ways of service The Swedish Pensions Agency concluded in its report that factors such deployment: public clouds, partner clouds, hybrid clouds and private as innovation, cost-efficiency, flexibility and accessibility are strongly clouds. Hybrid clouds are quite common within both the public and pri- benefited by the use of cloud services. Furthermore, the report con- vate sector, and reports are stating that the use will probably increase cludes that cloud services could have a positive effect on the coopera- in the future. Among public authorities, partner clouds are often used tion between authorities and simplify the access to governmental data to ensure that all security requirements are met, which has been a and services (source: Molntjänster i staten – En ny generation av out- concern in the use of public clouds (source: Pensionsmyndigheten – sourcing, Pensionsmyndigheten, January 2016). Molntjänster i staten – En ny generation av outsourcing). The Swedish Civil Contingencies Agency and the Swedish Data Recently, Sweden has had numerous notable cloud transactions Protection Authority (DPA) have published guidelines and policies for and has been described as a leading country when it comes to innova- public authorities regarding, inter alia, information security require- tion and risk capital investment. Just a few years ago, Amazon moved ments in the public procurement process for cloud services as well as part of its cloud service, Amazon Web Service (AWS), to Sweden and is privacy concerns that must be considered. currently planning the move of its e-commerce as well. In addition, the Swedish government has taken further steps to ensure continued digital growth. In 2016, it presented five strategic 2 Who are the global international cloud providers active in cooperation programme that will help meet several of the social chal- your jurisdiction? lenges facing Sweden. To stimulate digitalisation of Swedish industry, Sweden is an attractive market for cloud providers and many of the the Swedish government is requesting extensive cooperation between international providers are active within Sweden. Many Swedish SaaS different actors (source: Regeringen – Strategiska samverkansprogram providers prefer to use a Swedish IaaS partner; however, the largest en kraftsamling för nya sätt att möta samhällsutmaningar). hosting partner within Sweden is Amazon (US) that represents 32 per The research company METISfiles has published its report cent of the segment, followed by Microsoft, Hetzner and Rackspace. Cloudscape 2016: An Overview of the Swedish and Danish Cloud Other international cloud providers active in Sweden are giants such Market in English that examines the cloud market in these countries. as Google, Dropbox, LinkedIn, Facebook and iCloud; however, this is

72 Getting the Deal Through – Cloud Computing 2019

Policy sector. Swedish public authorities are subject to the principle of public access to public documents, which means that all documents submitted 6 Does government policy encourage the development of your to or drawn up by the authority are, in principle, public documents and jurisdiction as a cloud computing centre for the domestic must be made available for anyone to read. Exemptions from this rule market or to provide cloud services to foreign customers? are documents that are subject to statutory secrecy under the Public Sweden is currently attracting foreign risk capital investors due to the Access to Information and Secrecy Act (SFS 2009:400) (the Secrecy fast digitalisation and innovation. Numerous governmental initiatives Act), which means that they may not be disclosed to any third party. In have been launched to ensure that Sweden continues to develop in the cases where such classified information will be processed in the cloud, digital arena and to live up to future requirements regarding privacy, additional restrictions regarding the data apply and must, inter alia, be IT and security. As one step in this process, the Swedish government taken into consideration when assessing the risks and which security requested the Swedish Pension Agency to analyse and evaluate the measures must be implemented. potential for using cloud services within the public sector and by the In addition, if information subject to secrecy under the Secrecy Act state in a way that contributes to a simpler, more transparent and effi- may be available to the provider as a result of an agreement between cient management. Other steps consist of a strong focus on general the parties, it must be evaluated whether the data becomes ‘disclosed’ digitalisation both within the administration and the private sector. within the meaning of the Secrecy Act. Thus, one opinion is that the Secrecy Act generally prevents authorities from using cloud services. 7 Are there fiscal or customs incentives, development grants Another opinion is, however, that it is possible for authorities to use or other government incentives to promote cloud computing cloud services if the relevant authority has made a thorough assess- operations in your jurisdiction? ment of the risks based on the character of the information, but further Various grants are available for small to medium-sized companies for clarification on how these rules are to be interpreted is needed. projects involving innovation and digitalisation and are awarded by the Furthermore, public authorities must also comply with numerous Swedish government, public agencies and other organisations. Support other pieces of legislation such as the Archives Act (SFS 1990:782), the to large companies also occurs, one significant example being the Administrate Procedure Act (SFS 1971:291), the Public Procurement regional investment grant of around 100 million kronor awarded by the Act (SFS 2016:1145) and the Security Protection Act (SFS 1996:627). Swedish Agency for Economic and Regional Growth when Facebook Also, many public authorities and agencies have sector-specific provi- established server halls in Luleå in the north of Sweden in 2011. Grants sions regarding data processing and information security requirements also exist for the expansion of the Swedish IT infrastructure. such as the Patient Data Act (SFS 2008:355).

Legislation and regulation 11 What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing 8 Is cloud computing specifically recognised and provided for cloud computing? in your legal system? If so, how? The failure to report an IT incident under the Act on Information secu- There is no specific recognition of cloud services in Swedish legislation. rity for vital societal functions and digital services is subject to administrative fines. Further, the rules indirectly regulating cloud computing 9 Does legislation or regulation directly and specifically in Sweden are connected to several sanctions and consequences for prohibit, restrict or otherwise govern cloud computing, in or breaches thereof. The sanctions for lack of compliance with the GDPR outside your jurisdiction? include prohibitory injunctions, payment of damages as well as admin- As a general rule, Sweden lacks direct and specific regulation regard- istrative fines. Lack of compliance with the Electronic Communications ing cloud computing as such. Swedish legislations and regulations are Act (SFS 2003:389) and the Electronic Commerce Act (SFS 2002:562) in general technology neutral, which implicates that Swedish legisla- may also cause sanctions, such as prohibitions and orders combined tions lacks that sort of specific targeting. However, the legal concerns with penalties as well as damages and criminal proceedings. Breaches are regulated indirectly in several legislations and regulations. The of the Secrecy Act (SFS 2009:400) may lead to disciplinary or crimi- most relevant regulations are MSBFS 2016:1 and MSBFS 2016:2 that nal proceedings. There are also various sanctions of similar character regulate the public authorities’ internal information security poli- for the sector-specific regulation as well as supervision from relevant cies and work, as well as the requirement to report IT incidents to the public agencies. Swedish Civil Contingencies Agency. Cloud services are regulated by explicit requirements for internal policies and routines regarding inci- 12 What consumer protection measures apply to cloud dent management, the requirement that organisations must be able to computing in your jurisdiction? handle threats and risks through models and routines for incident and There is no cloud service-specific regulation protecting the rights of continuity management. consumers in Swedish law, but the Swedish consumer protection leg- Sweden has implemented the NIS Directive (EU) 2016/1148 islation includes legislation with focus on e-commerce and digital through the Act on Information security for vital societal functions and transactions including Distance and Off-Premises Contracts Act (SFS digital services (SFS 2018:1174), thereby extending the requirements on 2005:59), Consumer Contracts Act (SFS 1994:1512) and the Electronic security and to report IT incidents to cloud service providers. Commerce Act (SFS 2002:562). The standard Swedish consumer protection for buying goods and services, the Consumer Sales Act 10 What legislation or regulation may indirectly prohibit, restrict (SFS 1990:932) and the Consumer Services Act (SFS 1985:716), is not or otherwise govern cloud computing, in or outside your directly applicable on purchases of digital content, but is still consid- jurisdiction? ered to have an impact when courts are evaluating consumer contracts. Regarding indirect regulations and legislation, there are several to take The consumer protection legislation, inter alia, ensures the consumer into account. When using cloud services to store data from telecoms rights in regards to quality and performance from the commercial or e-commerce business, it is important to observe the Electronic actor, includes the right to withdraw from distance and off-premises Communications Act (SFS 2003:389), which aims to provide individu- contracts within 14 days, bestows a responsibility for commercial actors als and authorities with secure and effective electronic communica- to provide consumers with information, and provides that courts can tions, and the Electronic Commerce Act (SFS 2002:562), which states prohibit contract terms that are unfair towards consumers from further an obligation to provide certain information to customers. use and may interpret vague contract terms in favour of consumers. However, the main legislation to take into account regarding cloud The Swedish consumer protection for digital services is also continu- services are the provisions on privacy and information security. On ously affected by the EU digital single market reform, and now includes 25 May 2018, the General Data Protection Regulation (GDPR) entered the right to settle disputes online through the Alternative Dispute into force in Sweden and provides significantly stricter standards, for Resolution For Consumer Disputes Act (SFS 2015:671), and principles example, on impact assessments and information security. about net neutrality and open internet access through Regulation (EU) Information security is regulated throughout different provisions, 2015/2120, as well as a new proposed directive regarding contracts for such as regulations from the Swedish Civil Contingencies Agency, the the supply of digital content. GDPR and sector-specific regulations, such as within the healthcare www.gettingthedealthrough.com 73

13 Describe any sector-specific legislation or regulation that based, such as the laws of Ireland or the US. However, you may also applies to cloud computing transactions in your jurisdiction. find contracts that are governed by Swedish law, in particular from local There is a wide variety of sector-specific legislation in Sweden that con- Swedish cloud suppliers, but also larger international enterprises that cern both private and public actors. There is no legislation that covers have opened up local Swedish entities. cloud computing in particular but these services often fall within the For data privacy, Swedish law will typically apply, in particular scope of the legislation depending on the sector of operation. Some sig- since this is a regulatory requirement from the Swedish DPA or at least nificant legislation concerns matters of national security in the Security that was the case prior to the GDPR. As to jurisdiction, principles corre- Protection Act (SFS 1996:627), with specific requirements of, for sponding with those above would normally apply. In most Swedish B2B instance, information security and access to information. A new, more contracts, arbitration is used as a method of dispute resolution and this stringent Security Protection Act (SFS 2018:585) has been enacted and would typically also apply to cloud computing contracts. Ultimately, will enter into force on 1 April 2019. the choice of rules for dispute resolution as well as governing law and Cloud companies competing in providing services for public insti- jurisdiction would be the result of the parties’ negotiations. Many of the tutions are covered by the Swedish legislation on public procurement larger cloud service providers will not accept that the agreement will be – inter alia, the Public Procurement Act (SFS 2016:1145). Public agen- governed by Swedish law. The enforceability of a cloud service contract cies are encouraged by the Swedish Civil Contingencies Agency to use is, however, uncertain as there is very limited case law regarding this private or partner clouds to be able to provide the necessary security. matter. There is specific regulation for the processing of personal data in, Cross-border issues are mostly discussed in respect of data privacy among others, the health and finance sectors of relevance for transac- and secrecy. Data privacy cross-border issues are usually regulated tions in these sectors. In the health sector, personal data is governed by through the use of the standard contractual clauses decided by the EU the GDPR supplemented by the Patient Data Act (SFS 2008:355). The Commission on 5 February 2010 (2010/87/EU) that supplement the legislation in the finance sector, most significantly the Banking and cloud computing contract to allow transfer of personal data outside the Finance Business Act (SFS 2004:297), is complemented by regulations EEA. Many cloud service providers are reluctant to provide a guarantee from the Financial Supervisory Authority, including, inter alia, rules that data will not be processed outside the EU and EEA even if they regarding outsourcing and information security. may commit to mainly use data centres within the EEA as their main Other sector-specific legislation that is worth noting includes the facilities for the services. The newly adopted US Cloud Act, giving US energy and telecommunications sectors. For private actors, there are authorities a right of access to data that is stored by US cloud service no sector-specific requirements regarding cloud service infrastructure providers worldwide, is likely to add to the complex landscape. besides the above-mentioned requirements in the Act on Information security for vital societal functions and digital services and careful 18 What are the typical terms of a B2B public cloud computing assessments regarding privacy and IT security. contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and 14 Outline the insolvency laws that apply generally or variation? specifically in relation to cloud computing. Commercial terms of service and acceptable use are commonly agreed There is no specific insolvency legislation that applies to cloud comput- on the basis of the supplier’s standard cloud computing contract. Price ing in Sweden, but the standard legal framework for insolvency apply, model and payment terms vary depending on the services offered, how- notably the Bankruptcy Act (SFS 1987:672), the Enforcement Code ever, services are commonly purchased as subscriptions and invoiced (SFS 1981:774) and general Swedish principles of property law. For in advance. Provided that payment is overdue, the supplier may reserve movable property, the right to property is, in general, decided by who is the right to suspend the services immediately, however, sometimes in possession of the property. For intellectual property, the right to the excluding cases where payment is withheld in good faith. Principles property is instead decided from what is stipulated by contract. for acceptable use commonly include customary restrictions, such as prohibition against redistribution of the services, use of the services for Data protection/privacy legislation and regulation provision of outsourcing services and transmission of infringing material or malicious code. 15 Identify the principal data protection or privacy legislation As to variation, the supplier’s standard cloud computing contract applicable to cloud computing in your jurisdiction. will, in many cases, include the unilateral right for the supplier to Since 25 May 2018, the GDPR is the principal legislation governing change the services, including the functionality and security. Such pro- data protection in relation to cloud computing in Sweden. The GDPR visions may often be the subject of negotiations between the parties, for is supplemented by the Data Protection Act (SFS 2018:218) and various example, when the customer is a regulated entity and the provisions are sector-specific legislation. in violation of the regulatory requirements applicable to the customer.

Cloud computing contracts 19 What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality 16 What forms of cloud computing contract are usually adopted considerations? in your jurisdiction, including cloud provider supply chains (if In terms of data, cloud computing contracts have in recent years been applicable)? greatly influenced by the statements and decisions of the Swedish DPA Usually, the supplier’s standard cloud computing contract is applied. regarding the processing of personal data by cloud computing suppli- Given the bargaining power of the customer, the cloud comput- ers. These statements and decisions prescribe, among other things, ing contract may, in rare cases, be based on the customer’s standard that the customer must ensure that: template, in particular, when the supplier is a local cloud provider. • a sufficient data processor agreement is entered into with the Notwithstanding the above, for certain areas of the cloud computing supplier; contract, the suppliers, including international cloud providers, have • the supplier is not allowed to independently process personal data become more recipient towards implementing customer requirements but only in accordance with the customer’s instructions; in the contract. This relates in particular to regulatory requirements, • the contract stipulates that Swedish law applies as regards the pro- such as requirements deriving from privacy legislation and regulations, cessing of personal data; and requirements on public sector entities and financial regulations. • the customer is informed of all sub-processors involved in the processing of personal data type of services and the location of such 17 What are the typical terms of a B2B public cloud computing sub-processors. contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and In addition, the customer should ensure that it is entitled to perform dispute resolution? audits for the purpose of ascertaining the supplier’s compliance with As cloud computing contracts are often drafted on the basis of the the customer’s requirements on the processing and that a process for supplier’s standard cloud computing contract, governing law will, in exit of the agreement is established, which safeguards that the supplier many cases, be the law that applies where the supplier’s business is will not process the personal data post termination of the contract.

74 Getting the Deal Through – Cloud Computing 2019

Update and trends The main challenge in the next few years, in respect of cloud above, entities within the public sector are also struggling with whether computing services, is to ensure compliance under the GDPR while their use of cloud services are compatible with undertakings regarding using and providing cloud computing services. Notably, many cloud statutory secrecy under the Secrecy Act (SFS 2009:400). suppliers have been swift to ensure that their contracts comply with the Another challenge is that cloud service providers in general are requirements under the GDPR for data-processing agreements. reluctant to provide more detailed information regarding the security The new US Cloud Act conflicts with the GDPR and is likely to of the services. Information of third-party reports, its business have an impact on organisations’ choice of cloud suppliers going continuity and disaster recovery plans are crucial to assess the risks and forward. As of August 2018, the Swedish DPA has not yet taken a stance to determine the possibility of using the services. in respect of the Cloud Act and the uncertainty as to its implications is The rules in the GDPR will likely have a great effect on the use used as a sales argument by many local Swedish cloud suppliers. of cloud services. The Financial Supervisory Authority is regularly Another challenge is that many cloud suppliers are – sometimes providing financial institutions with guidance on how the adaptations due to their position in the market, strict (US) corporate policies or of the requirements on outsourcing are to be applied in a cloud because the Swedish market is fairly limited in size – very restrictive environment. In addition, there are ongoing discussions on public with accepting any amendments to their contractual documents at entities’ use of cloud services in light of their obligations under the all. If the supplier is not willing to discuss or make any additions or Secrecy Act (SFS 2009:400). It is hoped more clarification on the amendments to its terms, this could very well spell the end of and government’s position regarding these matters can be expected in the organisation’s relationship with a particular cloud service, since many near future. of the terms and conditions offered by cloud suppliers may not fulfil It should also be mentioned that the National Government Service all the legal requirements required for the entity to be able to use the Centre, under the authority of the Swedish government, issued a report services. This is a particular challenge for entities governed by sector- in February 2017 with a proposal to implement a governmental cloud specific rules, such as financial institutions, entities within the health service. The purpose of such cloud service, according to the report, is sector and public entities. to set up secure national cloud services that all government entities The challenge for banks and other financial institutions, is that (more or less) will be obliged to use for hosting services and similar the Swedish regulatory authority, the Financial Supervisory Authority, cloud-related services. No formal decision on the proposal in the report considers cloud services to be a form of outsourcing and, as a result, has been made but, in August 2017, the Swedish government assigned specific regulatory requirements for outsourcing must be met in order the Swedish Social Insurance Agency to set up and offer centralised to be able to use these services. Owing to the nature of cloud services national hosting services for use by Swedish government agencies. and the content and form of the cloud suppliers’ standard terms and Pursuant to the decision, the use of such services will be optional and conditions, fulfilling these requirements may be difficult. As mentioned the assignment runs until 2020.

Moreover, the customer is, as a general rule, obligated to perform a in the event of non-fulfilment of the SLAs are often limited to fairly legality assessment and risk and vulnerability analysis prior to entering low amounts and are sometimes a customer’s sole remedy for such into the cloud computing contract. The purpose of the legality assess- non-fulfilment. ment is to determine whether the supplier’s processing of personal data Business continuity and disaster recovery plans could be neces- under the cloud computing contract will be allowed under the data pro- sary to implement as a result of the risk and vulnerability analysis tection legislation. This includes measures such as ensuring that a data performed by the customer prior to entering into the cloud computing processor agreement is entered into, an assessment regarding cross- contract and this would also normally be required by customers that border transfers and any security measures necessary. The purpose of are regulated entities. the risk and vulnerability analysis is to assess whether it is possible to assign the processing of personal data to the supplier and determine 21 What are the typical terms of a B2B public cloud computing appropriate security levels and necessary measures that need to be contract in your jurisdiction covering intellectual property taken in the light of the integrity risks involved. rights (IPR) ownership in content and the consequences of Following the entering into force of the GDPR, it is currently not infringement of third-party rights? clear whether the above principles will be upheld by the Swedish DPA. The supplier generally reserves the IPR to the services and non-cus- Confidentiality provisions are commonly mutual. tomer-specific content, whereas the customer reserves the IPR to customer data. Customary consequences of infringement of IPR normally 20 What are the typical terms of a B2B public cloud computing apply (ie, modification of the services so that they are no longer infring- contract in your jurisdiction covering liability, warranties and ing, obtaining a licence for the customer’s continued use of the services provision of service? or, ultimately, termination of subscription and refund of licence costs). Since the cloud computing contract in many cases is based on the The customer is often undertaking to indemnify the supplier for any supplier’s standard contract, the supplier’s warranties are normally claims made towards the supplier due to the content of the customer limited. A typical warranty would imply that the services are materi- data entered into the services. ally consistent with the documentation, and that the supplier will not materially change the functionality of the services or the security of 22 What are the typical terms of a B2B public cloud computing the services. Ultimately, the warranties may be subject to negotiation contract in your jurisdiction covering termination? between the parties. Either party will typically have the right to terminate the cloud com- Limitation of liability is often mutual with a cap and excluding puting contract in case of material breach of the contract by the other indirect and consequential damages. There is normally a carve-out for party. Additionally, the customer often has the right to terminate the liability for death and personal injury and damages caused by intent contract in cases where the supplier appoints a sub-processor that the or gross negligence. In some agreements, liability for breach of con- customer on objective grounds refuses to accept. Following termina- fidentiality is uncapped but with a carve-out for loss of customer data tion of the contract, the supplier will no longer have a right to process entered into the cloud services, which instead falls under the general personal data for which the customer is the controller; however, the liability in the agreement. supplier is usually allowed a certain period of time to remove such data The supplier would normally provide indemnities for intellectual (up to 180 days are often seen, but it remains to be seen whether this property rights (IPR) infringements caused by the proper use of the period will change given the GDPR). services and, correspondingly, the customer would provide for the IPR The supplier may offer migration services on a time and material infringements caused by the proper use of customer data. You may also basis. find other types of indemnities (eg, in case of violation of applicable law or customers’ misuse of the services). 23 Identify any labour and employment law considerations that Service levels is a typical area where the cloud computing contracts apply specifically to cloud computing in your jurisdiction. are less flexible and the customer will in many cases have to accept The Acquired Rights Directive 2001/23/EC would (at least in prin- the supplier’s standard SLAs. Penalties and similar possible remedies ciple) apply to a business customer entering into a cloud computing www.gettingthedealthrough.com 75

© Law Business Research 2018 SWEDEN Advokatfirman Delphi contract, provided that the cloud computing services are deemed to be Recent cases outsourcing. 26 Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within Taxation the past three years in your jurisdiction that have directly 24 Outline the taxation rules that apply to the establishment and involved cloud computing as a business model. operation of cloud computing companies in your jurisdiction. There is limited case law in Sweden regarding the use of cloud comput- Cloud computing companies are subject to the taxation rules generally ing. Most case law is based on disputes regarding public procurements. applicable to companies in Sweden. An international cloud computing In one notable case from the Administrative Court in 2014, the Court company providing services to Swedish customers may be subject to found that there had been shortcomings in a Swedish municipality’s Swedish taxation, provided it can be held to have a permanent estab- agreement with Google regarding the use of cloud services by a public lishment in Sweden. Subject to the nature of the payment under the school. cloud computing agreement, withholding tax issues may arise that need to be addressed in the cloud computing agreement.

25 Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction. VAT (25 per cent) will be imposed on provision of cloud computing services from within Sweden. In respect of cloud computing services provided within the EU, a reverse charge will, as a general rule, apply. Specific rules apply for cloud computing services provided from outside the EU.

Peter Nordbeck [email protected] Dahae Roland [email protected]

Mäster Samuelsgatan 17 Tel: +46 8 677 54 00 PO Box 1432 Fax: +46 8 20 18 84 111 84 Stockholm www.delphi.se Sweden

76 Getting the Deal Through – Cloud Computing 2019

Switzerland

Jonas Bornhauser Bär & Karrer Ltd

Market overview 5 Are data and studies on the impact of cloud computing in your jurisdiction publicly available? 1 What kinds of cloud computing transactions take place in your jurisdiction? See,for example, the study ‘ISG Provider Lens Germany 2017 – Cloud Transformation/Operation Services & XaaS’ from ISG/Experton Cloud computing (and anything-as-a-service (XaaS)) continues to be Group, a global market research company, in which ISG/Experton one of the most important trends in the Swiss IT sector. Although most takes a close look at the cloud market in Switzerland (accessible online of the cloud solutions are still deployed in-house (besides traditional at: http://research.isg-one.de/research/studien/isg-provider-lens-ger- outsourcing and managed services), software-as-a-service (SaaS), in many-2017-cloud-transformationoperation-services-xaas/ergebnisse- particular, is becoming more and more important as a procurement ch.html?L=0, the study has been conducted and published for the model. Cloud computing is now available for most of the areas of appli- fourth time). cation (ie, including, besides SaaS, infrastructure-as-a-service (IaaS), In addition, the eCH Cloud Computing Group (www.egov- platform-as-a-service (PaaS) and backend-as-a-service (BaaS)). Private ernment.ch/en/umsetzung/e-government-schweiz-2008-2015/ clouds are most commonly used (63 per cent), public clouds and hybrid cloud-computing-schweiz/) has been conducting researches clouds are on a par with 28 per cent each, although hybrid scenarios and studying the cloud computing sector since the end of 2014 continue to gain in popularity as companies are seeking to build an IT (the respective papers are accessible online at: www.egovern- services mix based on individual preferences. In this regard, the secu- ment.ch/de/umsetzung/e-government-schweiz-2008-2015/ rity of companies’ data and cloud providers’ data centres as well as a cloud-computing-schweiz). high availability of cloud services play an important role. EveryWare AG acquired 100 per cent of the shares in the Zurich- Policy domiciled iSource AG as of 1 January 2018. Both companies operate as cloud and IT service providers for medium-sized business customers. 6 Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic 2 Who are the global international cloud providers active in market or to provide cloud services to foreign customers? your jurisdiction? A strategy on cloud computing has been developed by the Swiss Federal The international cloud providers are Amazon, Google, SAP, IBM and Strategy Unit for Information Technology (FSUIT) together with Oracle. Microsoft is expected to provide cloud services as of 2019. experts from the Confederation, the cantons, the communes, enterprises affiliated with the Confederation and the private sector, and was 3 Name the local cloud providers established and active in your adopted by the eGovernment Steering Committee on 25 October 2012. jurisdiction. What cloud services do they provide? The strategy serves to promote both the responsible use of cloud The leading national cloud providers include myfactory, bexio and services and the offering of cloud solutions for authorities at all gov- ABACUS. Such providers mainly provide SaaS – and, in particular, SaaS ernment levels (the respective paper is accessible online at: www. enterprise resource planning (ERP) and unified-communication-as-a- egovernment.ch/de/umsetzung/e-government-schweiz-2008-2015/ service – to private (small and medium-sized) businesses. These pro- cloud-computing-schweiz). viders operate private as well as public or on-premise clouds. 7 Are there fiscal or customs incentives, development grants 4 How well established is cloud computing? What is the size of or other government incentives to promote cloud computing the cloud computing market in your jurisdiction? operations in your jurisdiction? The software market in Switzerland is undergoing substantial changes No. due to the rising importance of ‘as-a-service’ offerings. Such services do not only transform the market but also buying patterns. It must, Legislation and regulation however, be noted that despite SaaS being the fastest-growing segment 8 Is cloud computing specifically recognised and provided for at the moment, market shares are still limited in relation to on-prem- in your legal system? If so, how? ises solutions (in particular, software). It appears the latter will remain No, Switzerland has not (yet) introduced specific regulations for cloud important for the foreseeable future. computing. The applicable laws, ordinances and regulations were usu- The total market volume of managed private clouds in Switzerland ally enacted at a time when cloud computing, its possibilities and risks in 2016 was around 440 million Swiss francs and the public cloud mar- were unknown. According to the above-mentioned strategy on cloud ket is reported to be around 810 million Swiss francs. In both sectors, computing (see question 6), the authorities, in cooperation with asso- SaaS account for significantly more than 50 per cent of the market vol- ciations and interest group, must identify necessary adjustments with ume (58.7 per cent private cloud and 81.1 per cent public cloud). The regard to the current legislation. However, as of today, no cloud-spe- entire market for conventional hardware, software and IT services cific regulation has been proposed by the said parties. amounts to more than 27 billion Swiss francs.

www.gettingthedealthrough.com 77

9 Does legislation or regulation directly and specifically residence have jurisdiction, at the discretion of the consumer. Such prohibit, restrict or otherwise govern cloud computing, in or place of jurisdiction is mandatory and cannot be waived in advance. outside your jurisdiction? The cloud provider can, however, only take civil action against the con- No, there are no legal provisions in Switzerland that would (directly sumer at the consumer’s domicile or ordinary residence or the place of or indirectly) prohibit, restrict or otherwise govern, cloud computing, performance. Consumer contracts are defined as contracts for goods onshore or offshore. and services that are for current personal or family consumption and are not connected with the professional or business activity of the 10 What legislation or regulation may indirectly prohibit, restrict consumer. or otherwise govern cloud computing, in or outside your Furthermore, regarding consumer contracts, the choice of law is jurisdiction? excluded, meaning that they are governed by the law of the state of the consumer’s ordinary residence in any of the following instances: Where the customer of a cloud services provider is subject to compli- • the supplier received the order in that state; ance (eg, national and international stock exchange regulations, obli- • the contract was entered into after an offer or advertisement in that gations in connection with accounting regulations, document retention state and the consumer performed the acts required to enter into obligations and audit rights of authorities, etc) or contractual obliga- the contract in his or her state; and tions vis-à-vis third parties (eg, licence restrictions concerning the use • the consumer was induced by the supplier (cloud provider) to go of software and confidentiality obligations), respective obligations abroad for the purpose of delivering the order. must be regulated in the contracts with the cloud services provider which indirectly is obliged to comply with the regulations and obliga- Entering into business contracts online with a Swiss consumer will, in tions. This also applies to compliance with data protection regulations most cases, fall under the first two groups above. Consequently, the that are imposed on the customers of cloud service providers. contracts cloud providers enter into with Swiss consumers concluded In addition, the Swiss parliament adopted on 18 March 2016 the by electronic means are generally governed by Swiss law. revised Federal Act on the Surveillance of Mail and Telecommunication Traffic (BÜPF). This act entered into force on 1 March 2018. The revised 13 Describe any sector-specific legislation or regulation that statute’s objective is to improve criminal investigations if telecom- applies to cloud computing transactions in your jurisdiction. munication services are involved. The revised statute is expected to apply also to cloud services providers since they qualify as providers There is no sector-specific legislation or regulation that applies to cloud of derived communication services that permit one-way or multiple- computing transactions in Switzerland. Sector-specific laws, however, way communication. Providers of email services, of chat rooms, of indirectly apply to cloud computing transactions. In particular, highly platforms, such as Facebook, that permit communication as well as sensitive data such as data on health, data subject to attorney–client providers of platforms where documents can be uploaded (for exam- confidentiality or bank client data are subject to special legal conditions ple, Google Docs) are, for example, deemed providers of derived com- regarding confidentiality, data protection and data security. When data munication services. It is expected that the statute and the respective is collected in clouds, special information and due diligence obliga- duties may not be enforced upon non-Swiss domiciled companies, tions must be respected depending on the type of data that is collected that is, probably most of the providers of such derived communica- and/or processed and the actual locations of the cloud data centres. tion services. Providers of derived communication (eg, cloud service providers) are obliged to tolerate surveillance measures and, upon 14 Outline the insolvency laws that apply generally or request, permit access to their data processing systems. Furthermore, specifically in relation to cloud computing. if available, they must disclose the telecommunication ‘marginal data’. Lacking specific insolvency laws for internet providers (including cloud However, the BÜPF does not impose an obligation to store such data service providers), the general Swiss insolvency laws apply according during six months on providers of derived communication (as is the to which, with the opening of bankruptcy proceedings, claims that are case with regard to telecommunication service providers). Moreover, not for a sum of money are converted into a monetary claim of corre- they are under no obligation to identify their customers. sponding value. The bankruptcy administration, however, would have the right in the debtor’s (cloud provider’s) stead to fulfil synallagmatic 11 What are the consequences for breach of the laws directly contracts that had only partly been fulfilled at the time of the opening or indirectly prohibiting, restricting or otherwise governing of the bankruptcy. However, given that the bankruptcy administration cloud computing? is not qualified to provide cloud services, cloud computing contracts Unless a conduct is covered by another criminal law provision, non- are usually terminated if bankruptcy proceedings open. In such cases, compliance may result in a fine of up to 100,000 Swiss francs in the a creditor may only request segregation of items (from the bankrupt following cases: estate), such as its data, that are the property of the creditor but are in • non-adherence to a request of the surveillance office; and possession of the debtor. • disclosure of a confidential surveillance ordered by the surveil- However, according to the prevailing legal doctrine, the Swiss lance office. Federal Supreme Court and the practice of the debt enforcement and bankruptcy agencies, such segregation can principally only be claimed In addition, the breach of confidentiality obligations, in particular, of for physical objects but not for non-physical ones, such as electronic the business secrecy (article 162, the Swiss Criminal Code) and the data. A customer may therefore currently only request segregation if banking secrecy (article 47, the Banking Act) may be sentenced to the cloud computing provider is in possession of a separate data carrier imprisonment (not exceeding three years) or a fine. that is owned by the customer. For the time being, the customer should therefore be able to continue its operations in the case of the provider’s 12 What consumer protection measures apply to cloud insolvency (eg, backups, etc). computing in your jurisdiction? Data protection/privacy legislation and regulation The distinction between business-to-business (B2B) and business-to consumer (B2C) transactions is not significant in Switzerland. In par- 15 Identify the principal data protection or privacy legislation ticular, no separate body of laws or rules for B2B deals exist but, for B2C applicable to cloud computing in your jurisdiction. contracts, some restrictions apply in regard to consumer protection The processing of personal data may only be assigned by an entity to (see the following paragraph). However, Swiss law does not provide for a cloud service provider (B2B) based on an outsourcing agreement, if: an equivalent to EU customers’ mandatory withdrawal rights set forth • the data is processed only in the manner permitted for the instruct- in the Directive 97/7/EC on the protection of consumers in respect of ing party itself; and distance contracts (Distance Selling Directive) for online sales. • it is not prohibited by a statutory or contractual duty of According to the Swiss Federal Private International Law Act confidentiality. (PILA), for disputes arising out of in connection with consumer contracts, the Swiss courts of the consumer’s domicile or ordinary In addition, the assigning entity must further ensure, that the cloud residence or of the offeror’s (cloud provider’s) domicile or ordinary service provider guarantees data security. In particular, the personal

78 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Bär & Karrer Ltd SWITZERLAND integrity of the data subject must be protected through adequate tech- • customer to indemnify the provider against any third-party nical and organisational measures against unauthorised or accidental claims resulting from illegal use of the cloud services; destruction, accidental loss, technical faults, forgery, theft or unlawful • security: use, unauthorised alteration, copying, access or other unauthorised • technical, personnel and organisational security measures to processing (see article 7, DPA and article 8 et seq, Swiss Data Protection be taken by provider; Ordinance). Additionally, if cloud computing services involve disclo- • requirements concerning standardisation and compatibility of sures of personal data abroad, the specific requirements for cross- technical systems; border data flows must be complied with (see article 6, DPA), which • service levels: are largely aligned with the ones of the GDPR. Furthermore, despite • if specific parameters relating to the availability of the cloud the assignment of the data processing to cloud service providers, the services have been agreed upon, the B2B public cloud comput- assigning entity remains under an obligation to provide the informa- ing contract usually sets out the legal consequences of devia- tion requested by one of its customers. The cloud provider is only tions from the services, which are: obliged to provide information if it does not disclose the identity of the • requirements concerning data backup, return, disaster assigning entity, that is, the controller, or if the controller is not domi- recovery; and ciled in Switzerland (see article 8, DPA). • requirements concerning data protection, security and A Swiss-domiciled cloud service provider not established in the EU audit rights; may further fall within the scope of GDPR with respect to EU/EEA resi- • remuneration: dent natural persons: • customer may usually choose between different price • if it is processing the personal data of such persons; and metrics; and • if the processing activities are related to the intentional, active • limitation of liability: offering of goods or services to the EU/EEA resident persons. • liability usually only for gross negligence and unlawful intent; or Cloud computing contracts • if liability is only for mere negligence then limitation of the amount for which a party may be sued. 16 What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if 19 What are the typical terms of a B2B public cloud computing applicable)? contract in your jurisdiction covering data and confidentiality Cloud computing contracts may comprise various services containing considerations? elements of software licence agreements, lease agreements, service Since data that is the object of the cloud computing agreement may level agreements, hardware and software support agreements, data include sensitive information (eg, business and trade secrets or patient storage agreements and data transmission agreements. information), cloud computing agreements must also address the con- Agreements concerning the provision of IaaS may usually be quali- fidential nature of data stored with the cloud service provider and the fies as lease agreements or at least as special contracts with substantial consequences of a breach of the confidentiality obligation. lease elements. However, processing ability does not form part of a typical lease contract. It qualifies rather as a mandate agreement (arti- 20 What are the typical terms of a B2B public cloud computing cle 397 et seq) or, depending on the specifications of the contract, as a contract in your jurisdiction covering liability, warranties and contract for works in accordance with article 363 et seq. provision of service? Agreements concerning the provision of PaaS, SaaS or XaaS are usually deemed special contracts if the deployed hardware is used by The typical terms in this context are: means of a virtual server. Such special contracts comprise lease and • service availability; service contract elements, and, depending on the services to be ren- • asssurance of compliance with data protection regulations; dered, contract for work elements. • guarantee of data integrity, data security, etc; • implementation of high security standards (encryption, access 17 What are the typical terms of a B2B public cloud computing management, monitoring, telecommunication connections, etc.); contract in your jurisdiction covering governing law, • backup scenarios; jurisdiction, enforceability and cross-border issues, and • backup of data; dispute resolution? • audit rights to verify compliance with data protection regulations; • correct and necessary labelling for the identification of dedicated Swiss cloud service providers usually insist that the cloud computing (ie, customer owned) IT infrastructure in the event of bankruptcy contracts they enter into are governed by Swiss law (under exclusion (unless the customer explicitly states other wishes); of the United Nations Convention on Contracts for the International • conclusion of insurance solutions for data stock/integrity; and Sale Goods, 11 April 1980, and other international treaties). The same • implementation of regular checks of data security and integrity. applies with regard to the place of jurisdiction (Switzerland. Careful attention must be given to dispute resolution mechanisms. The fact that the cloud service provider can have access to important Time is often crucial and the customer should ensure that he or she can business data of the customer because the data is located on its infra- obtain fast resolution against the cloud service provider if need be. structure must be reflected accordingly in the scope and amount of liability. A corresponding service level agreement for business-critical 18 What are the typical terms of a B2B public cloud computing services from the cloud should be part of the cloud computing contract. contract in your jurisdiction covering material terms, such The same applies to contractual penalties, in particular in the event of as commercial terms of service and acceptable use, and breaches of data protection regulations, service-level agreements and variation? confidentiality undertakings. The general terms and conditions of Swiss B2B public cloud computing providers typically contain the following terms: 21 What are the typical terms of a B2B public cloud computing • rights to use the software provided by the provider; contract in your jurisdiction covering intellectual property • use restrictions: rights (IPR) ownership in content and the consequences of • use of the functionalities of the software exclusively according infringement of third-party rights? to the specifications and the licensing terms as well as within The cloud service providers usually grant the customer the licence the scope of the cloud service provided by the provider; and rights to use the required software applications within the framework • prohibition to make any changes to the software (eg, by further of the cloud contract, either for the subscription of IaaS, SaaS or XaaS. developing the software); However, updates or upgrades, release management and so on are the • acceptable use policy: responsibility of the cloud service provider, since the customer has nei- • customer to assume the sole responsibility for the content of ther licence and maintenance contracts with the corresponding soft- the data that is being processed in connection with the use of ware suppliers, nor do they have the necessary access rights to perform the cloud services; and such work. www.gettingthedealthrough.com 79

22 What are the typical terms of a B2B public cloud computing A cloud computing company with its domicile abroad may have a contract in your jurisdiction covering termination? PE in Switzerland and hence is subject to Swiss profit/capital tax (appli- If a Swiss court qualifies a cloud computing agreement or the substan- cable rates vary, depending on the location of the PE) if it has a fixed tial parts thereof as mandate agreement in accordance with article 394 place of business in Switzerland in which all or a part of the business et seq, the Swiss Code of Obligation, such an agreement may be termi- activity of the enterprise is carried out. The tax liability in this case is nated by either party without cause at any time with immediate effect. in principle limited to the profit/capital to be allocated to the PE. There This termination right (article 404, the Swiss Code of Obligation) is is currently no guidance published by the Swiss tax authorities based mandatory and cannot be validly excluded. However, if termination is on what circumstances a foreign cloud computing service provider may effected at an improper time, the party terminating is liable to the other create a PE in Switzerland. A case-by-case assessment is required and party for the damages caused. Outside the scope of article 404, the obtaining a tax ruling would be recommended. parties are free to agree on the contract term and termination rights. However, the tendency is that the customers do not want to enter into 25 Outline the indirect taxes imposed in your jurisdiction that long-term agreements with cloud service providers so they can have apply to the provision from within, or importing of cloud flexibility to swiftly change the provider. computing services from outside, your jurisdiction. Cloud computing agreements usually contain termination provi- Cloud computing services qualify as an electronic supply of services in sions for both ordinary and extraordinary circumstances and include the sense of the Swiss VAT Act and are taxable at the ordinary rate of detailed exit and post-termination assistance provisions. Appropriate currently 7.7 per cent. The determination of the place of supply follows notice periods allow the parties to transfer the outsourced services to a the place-of-receipt principle. third-party provider or take them back in-house. A Swiss company offering such services mandatorily needs to register for Swiss VAT and subsequently charge Swiss VAT on the services 23 Identify any labour and employment law considerations that in case its annual turnover from taxable services in Switzerland and apply specifically to cloud computing in your jurisdiction. abroad exceeds 100,000 Swiss francs (below this threshold, a volun- The parties to a cloud services agreement should consider whether the tary Swiss VAT registration generally is possible). agreement may result in the transfer of a business unit and, therefore, Cloud computing services imported into Switzerland are subject to the automatic transfer of the customer’s employees employed with the reverse charge at the level of a Swiss VAT-registered recipient (for non- business unit to the cloud service provider. VAT-registered recipients, no reverse charge applies). To the extent a foreign company provides respective services to Swiss non-VAT-regis- Taxation tered recipients, the company needs to mandatorily register for Swiss VAT (and subsequently charge VAT on the services) in case its annual 24 Outline the taxation rules that apply to the establishment and turnover from taxable services in Switzerland and abroad exceeds operation of cloud computing companies in your jurisdiction. 100,000 Swiss francs. A cloud computing company established with its domicile (and place of effective management) in Switzerland is generally subject to unlim- Recent cases ited Swiss profit and capital tax (applicable rates vary, depending on the 26 Identify and give details of any notable cases, or commercial, canton of domicile) on its full profit or taxable capital, potentially sub- private, administrative or regulatory determinations within ject to an international tax allocation in the specific case (eg, generally the past three years in your jurisdiction that have directly no taxation right for profit derived from a permanent establishment involved cloud computing as a business model. (PE) abroad) and depending on applicable double taxation treaties. A stamp issuance duty is levied on the creation or increase of the nomi- None to date. nal value of shares in a Swiss company, on the amount of share capital or share premium exceeding a once exempt amount of 1 million Swiss francs.

Jonas Bornhauser [email protected]

Brandschenkestrasse 90 Tel: +41 58 261 50 00 8027 Zurich Fax: +41 58 261 50 01 Switzerland www.baerkarrer.ch

80 Getting the Deal Through – Cloud Computing 2019

United Kingdom

Mark Lewis Bryan Cave Leighton Paisner LLP

Market overview definition/G-cloud-government-cloud). In February 2017, the UK government reaffirmed the Government Cloud First Policy, under which 1 What kinds of cloud computing transactions take place in your public sector organisations must consider and evaluate potential public jurisdiction? cloud as a deployment model, before considering any other IT option. As a G7 economy with mature IT and related services markets, the UK Cloud First is mandatory for central government departments and is one of the most important global markets for cloud computing. It agencies, but is strongly recommended to the wider UK public sector: ranks third worldwide in the top 20 economies identified as attractive www.gov.uk/guidance/government-cloud-first-policy. For the origins export markets for US cloud service providers (with Canada and Japan of this important cloud initiative, see the UK government’s 2011 paper, in the first two places, respectively): US Department of Commerce, Government Cloud Strategy, at: www.gov.uk/government/publications/ International Trade Administration, 2016 Top Markets Report Cloud government-cloud-strategy. Recent research shows that 78 per cent of Computing Country Case Study (US Top Markets Report 2016) (see UK public sector organisations are using some form of cloud-based ser- www.trade.gov/topmarkets/pdf/Cloud_Computing_United_Kingdom. vice, compared with only 38 per cent in 2010 (www.outsourcery.co.uk/ pdf and the 2017 sector snapshot update at www.trade.gov/topmarkets/ about-us/news/public-sector-cloud-adoption-soaring/). However, as at pdf/Sector%20Snapshot%20Cloud%20Computing%202017.pdf. August 2017, adoption of cloud services by UK local government is lag- Using the US National Institute of Standards and Technology ging behind central government’s rate of deployment. (NIST) definition of cloud computing (http://nvlpubs.nist.gov/nist- With the UK being one of the most advanced global markets for pubs/Legacy/SP/nistspecialpublication800-145.pdf), there is extensive cloud computing, there is a sizeable business ecosystem serving the pri- use of the three NIST service models: software-as-a-service (SaaS), mary market, for example in data centres. As at August 2017, driven by platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), the adoption of cloud computing, the London carrier neutral data cen- referred to below as ‘service models’. Of the four NIST deployment tre market is the largest in Europe, virtually equalling the capacity avail- models (private cloud, community cloud, public cloud and hybrid cloud able in the whole of Amsterdam, Frankfurt and Paris combined (www. (deployment models)), private, public and hybrid clouds are widely techmarketview.com/ukhotviews/archive/2017/08/08/new-research- adopted. Community clouds are, however, also used. cloud-drives-record-year-for-london-data-centre-market – subscrip- As part of the UK’s cloud business ecosystem, there are cloud ser- tion only). vice brokers (providers who aggregate several different cloud services to provide a unified offering to a customer) and cloud exchanges (providers 2 Who are the global international cloud providers active in your that offer direct connections between several cloud platforms, enabling jurisdiction? their customers access to and portability among separate cloud plat- All are active in the UK, including (as a small sample): forms, without their data passing through the internet). ‘Cloudbursting’ • Accenture; – in the context of the hybrid deployment model, with customers mov- • Adobe; ing specific processes running in-house to public cloud services to pro- • AWS; vide greater capacity – is becoming more common. • Avaya; Cloud in all of its service and deployment models has been adopted • Cisco; in most, if not all, UK industry sectors. The Cloud Industry Forum (CIF), • Citrix; a not-for-profit industry body that promotes the adoption of cloud in the • Dell EMC; UK, reported in 2017 from a poll of 250 companies and public sector • Dropbox; organisations that overall adoption had reached 88 per cent, with 67 per • Equinix; cent of organisations polled expecting to increase their usage of cloud • Facebook (Workplace); during 2017. CIF concluded that, since 2010, the overall cloud adoption • Google; rate had increased by 83 per cent (www.cloudindustryforum.org/con- • Huawei; tent/uk-cloud-adoption-rate-reaches-88-finds-new-research-cloud- • IBM; industry-forum). Though CIF has not produced a similar report since, • Interoute; these figures may still be taken, overall, as a true representation of cloud • Joyent; adoption in the UK. • Kaspersky; Although there is inconsistency in the statistical data and its analysis • Microsoft; in classifying the adoption of the deployment models in the UK, current • NetApp; data suggests that UK organisations still prefer hybrid cloud to public • Oracle; and private cloud models (see the US Top Markets Report 2016 cited • Rackspace; above, and see also www.cloudindustryforum.org/content/uk-cloud- • Red Hat; adoption-rate-reaches-88-finds-new-research-cloud-industry-forum). • SalesForce; A notable feature of the UK market is the adoption by central and • SAP; local government of cloud computing. In 2012, the government intro- • SAS; duced the G-Cloud, which enables government departments and state • Skype; agencies to buy and deploy cloud services from pre-approved vendors, • Sungard; which include some of the biggest cloud providers, for example Amazon • Symantec; Web Services (AWS) (http://searchcloudcomputing.techtarget.com/ • VMware; and www.gettingthedealthrough.com 81

• Workday. There are seven elements to this policy, together with a framework for action: (See www.cloudpro.co.uk/providers.) • connectivity – building world-class digital infrastructure for the UK; 3 Name the local cloud providers established and active in your • digital skills and inclusion – giving everyone access to the digital jurisdiction. What cloud services do they provide? skills they need; The following is a small, illustrative, selection by service segment. • the digital sectors – making the UK the best place to start and grow • server, storage and infrastructure: RedstoneConnect, ElasticHosts, a digital business; Fasthosts, Flexiant, Memset, and VMhosts; • the wider economy – helping every British business become a digi- • managed services: BT, Claranet, Colt, Interoute, iomart, IT Lab, tal business; Nasstar, TIG and Webfusion; • a safe and secure cyberspace – making the UK the safest place in • data backup and security: BT, Cloud Direct, iomart, IT Lab, the world to live and work online; Memset, RedstoneConnect, TIG, UKFast, UK2 and Vodafone; • digital government – maintaining the UK government as a world • hosted desktop: Colt, Nasstar and Vodafone; and leader in serving its citizens online; and • channel enablement, go-to-market, digitisation and CRM: BCSG • data – unlocking the power of data in the UK economy and improv- and NewVoiceMedia. ing confidence in its use. The paper affirmed the UK’s commitment to implementing the General Data Protection Regulation (See www.computerweekly.com/tutorial/UK-hosted-desktop-cloud- (GDPR) by May 2018 (https://ico.org.uk/for-organisations/data- providers;www.talkincloud.com/talkin-cloud-top-100-cloud-ser- protection-reform/overview-of-the-gdpr). Accordingly, the Data vices providers/02252015/top-7-cloud-services-providers-csps-uk#sl Protection Act 2018 came into force on 25 May 2018. The Act ide-0-field_images-41721.) incorporates the GDPR into law in the UK and supplements its provisions. 4 How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction? In April 2017, the Digital Economy Act 2017 was enacted to implement the government’s digital strategy (www.gov.uk/government/ See question 1 for the findings of the US Top Markets Report 2016. In collections/digital-economy-bill-2016 and www.legislation.gov.uk/ the UK section, the authors of that report acknowledge the scarcity ukpga/2017/30/contents/enacted). It is clear from the UK’s digital of credible data on the size of the UK cloud computing market. They strategy, the Digital Economy Act 2017 and examples of government suggest that, in 2014, its value might have been around US$9.5 billion support given directly or indirectly to cloud computing and cloud-ena- (approximately £7.3 billion at the time of writing) (www.trade.gov/top- bled organisations (see question 7), that the policy and implementation markets/pdf/Cloud_Computing_United_Kingdom.pdf). In light of the framework embraces all the cloud service models and deployment TechMarketView report cited below, this estimate seems too high. models. And, as outlined in question 1, the UK government is a world I have benefited from a more recent, authoritative and comprehen- leader in its deployment of cloud computing through its Government sive (subscription-only) UK source: TechMarketView’s UK Software and Cloud First Policy. IT Services Market Trends & Forecasts 2017, published in late June 2017 (www.techmarketview.com/news/archive/2017/06/28/new--research- 7 Are there fiscal or customs incentives, development grants market-trends-forecasts-2017-2020). TechMarketView forecasts that or other government incentives to promote cloud computing 2017 will prove to have been the first year that all IT growth will have operations in your jurisdiction? been driven by cloud computing; and that, conversely, it will prove to have been the first year for which the market for non-cloud products Yes. Although in most cases cloud computing is not specifically men- and services will start to decline. TechMarketView estimates the value tioned, and eligibility for fiscal benefits, funding and other incentives of the UK cloud computing market to be £5.1 billion in 2017 – with the will depend on specific criteria for particular applications and uses of non-cloud market by far exceeding the cloud market at £42.1 billion. ICT, it is clear that the incentives do extend to cloud computing and (Note the significant variance between this estimate and that in the US individual elements of it. Top Markets Report 2016.) But TechMarketView forecasts that, by 2020, Broadly, these incentives are directed at start-ups and early-stage the UK cloud computing market will have at least doubled its 2016 size companies as well as more mature technology companies. They gen- to reach over £9 billion, or about 18 per cent of the total UK IT products erally cover: tax incentives for the companies themselves as well as and services market. It seems clear that it will take some time for the UK their investors, grant funding, contributions towards running costs and cloud market to achieve parity with the non-cloud market. start-up and later-stage corporate development loans. Specifically, these incentives include the following as a representa- 5 Are data and studies on the impact of cloud computing in your tive sample. jurisdiction publicly available? The Seed Enterprise Investment Scheme (SEIS) As stated above, credible, specific, recent data on the true size and there- Offering tax efficient benefits to investors in return for investment in fore impact of cloud computing in the UK is hard to find. See the two small and early stage start-up technology businesses in the UK (www. reports referred to under question 4. Of the two, the TechMarketView seis.co.uk/about-seis). report (subscription-only) is the most recent and authoritative.

Policy The Enterprise Investment Scheme (EIS) Also offering tax benefits to investors in technology companies (www. 6 Does government policy encourage the development of your gov.uk/government/publications/the-enterprise-investmentscheme- jurisdiction as a cloud computing centre for the domestic introduction). market or to provide cloud services to foreign customers? In short, yes. The policy manifests itself in various forms and initia- R&D tax credits tives, but comprehensive coverage of them is beyond the scope of this Available for both small and medium-sized enterprises (SMEs) and larger chapter. companies (at different levels) tax credits for qualifying R&D, which may The starting point is the government’s policy paper, UK Digital include subcontractor costs, supporting software and SaaS, and some Strategy 2017, published on 1 March 2017 by the responsible govern- hardware costs: https://granttree.co.uk/tax-credits/#r&d-tax. ment department, The Department for Digital, Culture, Media & Sport (www.gov.uk/government/publications/uk-digital-strategy/ The Patent Box uk-digital-strategy). The stated core aim of the policy is ‘to create a Enables SMEs and larger companies to apply a lower rate of UK world-leading digital economy that works for everyone. It is part of Corporation Tax to profits earned after 1 April 2013 from their patented this government’s Plan for Britain, strengthening our economy for the inventions (www.gov.uk/guidance/corporation-tax-the-patent-box). long term as we take advantage of the opportunities that leaving the European Union provides.’ (Ministerial foreword, page 2.)

82 Getting the Deal Through – Cloud Computing 2019

Innovation funding the circumstances and context of their supply – be subject to the leg- For innovative products, processes or services, funding of between islation and regulation that apply to all similar IT services. Given the £25,000 and £10 million is available. Innovate UK runs funding com- breadth and complexity of the cloud computing business ecosystem petitions for projects led by UK-based companies. As at July 2018, com- in the UK, other participants in the provision of elements of cloud petitions include the opportunity for technology companies to apply infrastructure and in the cloud supply chain may be subject to that for a share of £20 million to deliver ‘game changing’ or disruptive legislation and regulation, too, for example a communications service innovations, and the chance to participate in funded trials around the provider supplying a transmission service enabling the CSP to commu- adoption of productivity boosting technology (www.gov.uk/guidance/ nicate with a cloud customer, or the provider of cloud servers to a CSP. innovation-apply-for-a-funding-award and https://apply-for-innova- As such (and with applicable B2C cloud computing consumer-pro- tion-funding.service.gov.uk/competition/search). tection measures referred to under question 12 and data protection law referred to under question 15), the following are likely to apply to cloud Regional growth funds (RGF) computing (or elements of it) in the UK: Grants and loans are available through RGF programmes, namely • Digital Economy Act 2017 (www.legislation.gov.uk/ schemes run by national or local organisations that have been ukpga/2017/30/contents/enacted – see question 6); awarded RGF funds to offer grants and loans to eligible businesses. As • Investigatory Powers Act 2016 (www.legislation.gov.uk/ukpga/ at 28 July 2017, RGF programmes have allocated £1.6 billion to 20,400 2016/25/contents/enacted – interception of communications SMEs. Each RGF will have specific criteria for applications (www.gov. and data retention, etc) - as amended by the Data Retention and uk/guidance/regional-growth-fund-programmes-guide). Acquisition Regulations 2018 and the Communications Data Code of Practice. At the time of writing, both have yet to come into The British Business Bank (TBBB) and enterprise capital funds force. Together they will amend the existing regime concerning TBBB invests alongside venture capital funds (partners) under a roll- the retention of communications data. ing programme. Funding is aimed at smaller UK growth companies. • EU Dual-Use Regulation 2009, Council Regulation (EC) No As at August 2017, capacity was approximately £1 billion. One of 428/2009 (and associated legal amendments) (www.gov.uk/guid- TBBB’s partners, Notion Capital, invests in enterprise SaaS and other ance/controls-on-dual-use-goods – regulates the export of dual- cloud computing businesses. In July 2015, Notion Capital announced use technologies and software); a US$120 million fund that would continue to invest in European • Export Control Order 2008: www.legislation.gov.uk/ business-to-business (B2B) high-growth SaaS companies (british-busi- uksi/2008/3231/contents/made – controls on the export of military ness-bank.co.uk/british-business-bank.co.uk/british-business-bank- and certain other technologies and software; partner-notion-capital-launches-new-fund/; www.notioncapital. • Communications Act 2003 (www.legislation.gov.uk/ com/about/). ukpga/2003/21/contents– overall regulatory structure and powers for communications and media in the UK, including the regulator, Legislation and regulation Ofcom); • Export Control Act 2002 (www.legislation.gov.uk/ukpga/2002/28/ 8 Is cloud computing specifically recognised and provided for contents – controls on the export of, among others, strategic in your legal system? If so, how? technologies); No, not specifically. • Regulation of Investigatory Powers Act 2000 (www.legislation. gov.uk/ukpga/2000/23/introduction – interception of commu- 9 Does legislation or regulation directly and specifically nications and data retention, etc) as amended, in particular by prohibit, restrict or otherwise govern cloud computing, in or the Investigatory Powers Act 2016 (at the time of writing, these outside your jurisdiction? amendments have yet to come into force); and Yes, in respect of cyber security and resilience and cyber incident • Unfair Contract Terms Act 1977 (www.legislation.gov.uk/ reporting. The Network and Information Systems Regulations 2018 ukpga/1977 – makes unenforceable certain terms in B2B contracts (www.legislation.gov.uk/uksi/2018/506/pdfs/uksi_20180506_en.pdf), that do not satisfy the requirements of ‘reasonableness’). which implement the NIS Directive (2016/1148/ EU), specifically govern a ‘cloud computing service’, meaning ‘a digital service that enables The above is not an exhaustive list, and readers should also consider access to a scalable and elastic pool of shareable computing resources’: other areas covered by UK legislation and regulation, for example regulation 1(2). Cloud service providers (CSPs) who fall within the regarding intellectual property rights and employment law, some of definition of a ‘relevant digital service provider’ (RDSP) must, broadly which are covered below. stated, take appropriate and proportionate technical and organisational Apart from legal and regulatory enactments, particularly in the measures to prevent and minimise the impact of cyber incidents and context of cloud computing, readers should be aware of various related risks to their systems. RDSPs are also required to notify within international law enforcement measures under treaty and applicable 72 hours the UK Information Commissioner’s Office (ICO, the regula- EU measures that are likely to be relevant. These generally relate to tor for these purposes) of any incident that has a substantial impact on cybercrime, criminal investigations and enforcement, and inter-state the provision of the cloud services. The ICO has a range of enforce- mutual legal assistance in criminal matters (MLA). (See, for example: ment powers, including the right to issue financial penalties for mate- the Council of Europe Convention on Cybercrime 2004, ETS No. 185 at rial contraventions, up to a maximum of £17 million. RDSPs must have www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185; registered with the ICO by 1 November 2018. There are exceptions for, the Agreement on Mutual Legal Assistance between the United States among others, small or micro businesses. of America and the European Union signed 25 June 2003 at ec.europa. The ICO has issued a detailed and helpful Guide to the NIS eu/world/agreements/prepareCreateTreatiesWorkspace/treaties- Regulations, which as a first step all CSPs operating in the UK should GeneralData.do?step=0&redirect=true&treatyId=5461&back=5441; consult: https://ico.org.uk/for-organisations/the-guide-to-nis/. and the UK’s (then) proposed bilateral ratification of the Agreement Included in the Guide are pointers to the cloud services to be governed on Mutual Legal Assistance between the United States of America and by the Regulations. The Guide states that PaaS and IaaS service models the European Union signed 25 June 2003 at www.gov.uk/government/ will be covered, but that SaaS will only be regulated to the extent that uploads/system/uploads/attachment_data/file/238612/7613.pdf.) the service is ‘scalable and elastic’ and B2B. Readers are also referred Although beyond the scope of this section, readers will be aware of to the UK National Cyber Security Centre’s guidance at: www.ncsc.gov. the extraterritorial impact of the USA PATRIOT Act on cloud services uk/guidance/introduction-nis-directive. (www.wired.com/insights/2011/12/us-cloud). To give readers a complete view, the same rules and principles 10 What legislation or regulation may indirectly prohibit, restrict (including as to liability) that apply to consumer and commercial or otherwise govern cloud computing, in or outside your technology-related services contracts under the three UK jurisdictions jurisdiction? (England and Wales, Scotland, and Northern Ireland) will apply to cloud computing contracts – again subject to the scope of the services In the UK, as business-to-consumer (B2C) and B2B IT services, cloud and the circumstances and context of their supply. computing services will – depending on the scope of the services and www.gettingthedealthrough.com 83

Although it is not legislation or public regulation, for the rea- • the Consumer Contracts (Information, Cancellation and sons given below, the Cloud Industry Forum (see question 1) Code of Additional Charges) Regulations 2013 (www.legislation.gov.uk/ Practice for Cloud Service Providers (CIF Code) is relevant. Its stated uksi/2013/3134/contents/made); and purpose is ‘to bring greater transparency and trust to doing business • the Consumer Rights Act 2015 (www.legislation.gov.uk/ in the cloud’ – for an overview, see www.cloudindustryforum.org/ ukpga/2015/15/contents/enacted). content/code-practice-cloud-service-providers). The CIF Code could influence the choice of CSP by potential customers, whether consum- Together these cover matters including distance selling, the provision ers or commercial organisations. CSPs claiming compliance with the of certain information to consumers, marketing and marketing claims, CIF Code and the right to use CIF certification may, for validated onerous and unfair contract terms and how they are presented, cancel- infringement, face sanctions by CIF, including publication of CIF’s lation rights, ‘cooling-off’ periods, choice of law and venue for con- findings on its website and press releases. So, while the CIF Code does sumer litigation. not have any public legal effect, it may be normative to the conduct of Other legislation includes: CSPs and it may influence the choice of CSP by commercial end users • the Financial Services and Markets Act 2000 (www.legislation. and consumers, as well as the public’s view of certain CSPs –especially gov.uk/ukpga/2000/8/contents (FSMA)); those who have contravened the CIF Code. • the Financial Services and Markets Act 2000 (Regulated Finally, though it too is not legislation or public regulation, the role Activities) Order 2001 (www.legislation.gov.uk/uksi/2001/544/ of the UK Advertising Standards Authority (ASA) is important in the contents/made); and fast-growing cloud services market. The ASA’s role is to ensure that all • the Consumer Credit Act 1974 (as amended) (www.legislation. advertisements are ‘legal, decent, honest and truthful’ (www.asa.org. gov.uk/ukpga/1974/39). uk/about-asa-and-cap.html). The ASA publishes codes that it administers and under which it hears and rules on complaints. ASA rulings Together these regulate B2C credit terms, including any form of are published weekly and are ‘a transparent record of what is and isn’t ‘financial accommodation’, and specify certain contract terms and acceptable’ in advertising. The rulings can remain on the ASA web- restrictions (with sanctions, including legal unenforceability except by site for five years (www.asa.org.uk/codes-and-rulings/rulings.html.) court order), the provision of certain kinds of information, the format Though ASA rulings do not have any legal effect, an adverse ruling of that information, ‘cooling-off’ periods and termination processes. may have significant commercial impact, especially if a business is The above are not exhaustive lists. seen to be disregarding rules designed to protect consumers. And, as The Competition and Markets Authority (CMA), the UK’s pri- a last resort, if advertisers persistently break the ASA codes and are mary competition and consumer authority, has taken a close interest unwilling to change their practices, the ASA states that it can and does in B2C cloud storage contracts, in particular to see if consumers are refer those advertisers to enforcement agencies – who do have legally being fairly treated when saving and storing their content online. The enforceable powers and the ability to impose legal sanctions – for fur- CMA has found that some CSPs are using contract terms and prac- ther action, for example UK Trading Standards or Ofcom (the commu- tices that it was concerned could breach consumer protection law (‘An nications regulator) (www.asa.org.uk/codes-and-rulings/sanctions. open letter to cloud storage providers on complying with consumer html). It is worth noting that the ASA has considered several specific law’, May 2016, www.gov.uk/government/uploads/system/uploads/ cloud computing-related advertisements and has found against adver- attachment_data/file/526355/open-letter-cloud-storage-providers. tisers (www.asa.org.uk/rulings/jdi-backup-ltd-a14-260786.html, pdf.) The upshot is that several of the leading B2C cloud storage pro- www.asa.org.uk/rulings/jdi-backup-ltd-a13-226451.html; www.asa. viders, including Amazon, Apple and Microsoft, have voluntarily org.uk/rulings/jc-inc-a12-215093.html; www.asa.org.uk/rulings/uk- modified their terms for the benefit of UK consumers (www.gov.uk/ 2-ltd-a13-252423.html). Although it is not legislation or public regu- government/news/cma-secures-better-deal-for-cloud-storage-users). lation, for the reasons given below, the Cloud Industry Forum (see question 1) Code of Practice for Cloud Service Providers (CIF Code) 13 Describe any sector-specific legislation or regulation that is relevant. Its stated purpose is ‘to bring greater transparency and applies to cloud computing transactions in your jurisdiction. trust to doing business in the cloud’. For an overview, see www.cloud- The extent (if any) to which UK industry sectoral regulation may apply industryforum.org/content/code-practice-cloud-service-providers. to cloud computing will require knowledge and the examination of The CIF Code could influence the choice of CSP by potential custom- sector-specific legislation, regulations, guidance and regulatory and ers, whether consumers or commercial organisations. CSPs claiming statutory codes of conduct. In the UK – and with the following excep- compliance with the CIF Code and the right to use CIF certification tion – at the time of writing this edition there is no regulation that may, for validated infringement, face sanctions by CIF, including pub- applies specifically or directly to cloud computing as such. Where reg- lication of CIF’s findings on its website and press releases. So, while ulation is found to apply to a cloud computing project, the approval, the CIF Code does not have any public legal effect, it may be norma- licence or consent – or at least the informal go-ahead – of a regulator tive to the conduct of CSPs and it may influence the choice of CSP by may be required. Common sense and best practice dictate that, where commercial end users and consumers, as well as the public’s view of applicable, the regulated entity should consult its regulator as soon certain CSPs –especially those who have contravened the CIF Code. as practicable and as fully as possible. This should also be of concern to a CSP expecting to enter a cloud arrangement with a regulated 11 What are the consequences for breach of the laws directly customer. or indirectly prohibiting, restricting or otherwise governing Only in the UK financial services sector has cloud comput- cloud computing? ing been specifically addressed. In July 2016, one of the UK’s finan- For laws and regulations, the consequences of breach range from con- cial services regulators, the Financial Conduct Authority (FCA), tractual unenforceability and civil enforcement remedies to criminal issued its finalised FG 16/5 – ‘Guidance for firms outsourcing to the and regulatory fines, penalties and other sanctions. In some situations, ‘cloud’ and other third-party IT services’ (www.fca.org.uk/publi- company directors and senior executives may face personal sanctions. cations/finalised-guidance/fg16-5-guidance-firms-outsourcing- (For the CIF Code and ASA codes, see question 1o.) %E2%80%98cloud%E2%80%99-and-other-third-party-it; www. fca.org.uk/publication/finalised-guidance/fg16-5.pdf (FCA Cloud 12 What consumer protection measures apply to cloud Guidance)). While some regulatory objectives are issued by the FCA computing in your jurisdiction? and the other of the UK’s main financial services regulators, the For B2C cloud computing arrangements, the following main consumer Prudential Regulation Authority (PRA), as ‘guidance’ (as opposed to protection measures will apply. rules), it would be a foolhardy regulated financial services organisa- • the Electronic Commerce (EC Directive) Regulations 2002 (www. tion that disregarded such guidance or diluted it too far in application. legislation.gov.uk/uksi/2002/2013/contents/made); Before outlining the FCA Cloud Guidance, it must be put in its • the Consumer Protection from Unfair Trading Regulations 2008 sectoral regulatory context. When financial services organisations (www.legislation.gov.uk/uksi/2008/1277/contents/made); (firms) regulated under FSMA (see question 12) by the FCA and PRA engage in any IT, business process or other outsourcing, they must have regard to and, if applicable, comply with, the regulatory guidance

84 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Bryan Cave Leighton Paisner LLP UNITED KINGDOM and rules governing that outsourcing. The PRA supervises banks, and authorised electronic money institutions) if it relates to ‘impor- insurance companies, building societies, credit unions and certain tant operational functions’. Each of these terms is defined in the FCA large investment entities. The FCA regulates the conduct of business Handbook and the Electronic Money Regulations 2011 (www.legis- of all financial services organisations within its statutory jurisdiction, lation.gov.uk/uksi/2011/99/contents/made and Payment Services including those prudentially supervised by the PRA. Some outsource Regulations 2009: www.legislation.gov.uk/uksi/2009/209/contents/ providers (who, incidentally, are also CSPs) are themselves authorised made; paragraph 3.6 FCA Cloud Guidance). Overall, if the above kinds and regulated by the FCA. of functions are ‘outsourced’ to the cloud, regulated firms will have The PRA and FCA rules are complex and their application to out- more stringent duties with regard to management of operational risk sourcing will depend on the nature of the firm (the outsourcing cus- in the transaction, as will CSPs in enabling firms to comply with their tomer), the financial services and related activities to be outsourced, obligations. In addition, firms must notify the FCA when entering into and the impact of the proposed outsourcing. The main rules and guid- or significantly changing material or critical cloud services arrange- ance governing outsourcing by regulated firms are contained in the ments (paragraph 3.7 FCA Cloud Guidance). FCA Handbook and PRA Rulebook. There is also more general FCA In some cases, banks, building societies, investment firms and guidance on outsourcing to meet FSMA compliance. These are the central counterparties (those institutions covered by the UK resolution main sources of prudential and operational provisions regulating out- and recovery regime) will also have to consider resolution arrange- sourcing by financial services firms and regulated outsource providers ments when entering into cloud services projects. These arrange- in the UK. There are also specific outsourcing-related obligations on ments are designed to ensure continuity in distressed economic insurance and reinsurance companies under the Solvency II Directive circumstances or insolvency to ensure that ‘critical economic func- and related subordinate rules and guidelines (eur-lex.europa.eu/ tions’ are maintained (paragraph 3.8 FCA Cloud Guidance and www. legal-content/EN/TXT/?uri=CELEX%3A32009L0138 and www. bankofengland.co.uk/financialstability/Pages/role/risk_reduction/ bankofengland.co.uk/pra/Pages/solvency2/default.aspx). srr/resolution.aspx). The detailed rules governing outsourcing under the PRA Rulebook, FCA Handbook, Solvency II Directive and Solvency 2 Regulations are Legal and regulatory considerations beyond the scope of this section. In essence, though, the rules provide These include having a business case or rationale for the decision for what should be regarded as sensible outsourcing practice, having to ‘outsource’ to the cloud and the use of one or more CSPs for the regard to systemic risk, initial diligence and ongoing operational risk delivery of critical or important operational functions, or a material affecting the conduct of regulated business and the interests of busi- outsourcing; due diligence risk assessment of the proposed project; ness and consumer end-customers, and the needs of the regulators to relative risks of each type of cloud service or deployment model (eg, supervise and intervene if necessary (for a fuller statement, see the private versus public cloud); knowing where the CSP service and other FCA Handbook, Systems and Controls (SYSC), chapters, 3, 4, 8, 13 relevant locations are situated; and the need to identify all service pro- and 14: www.handbook.fca.org.uk/handbook/SYSC/). The Markets viders in the cloud supply chain – to ensure that the regulatory require- in Financial Instruments Directive (MiFID) II (2014/65/EU), which ments are met throughout the supply chain. repealed and recast the MiFID Directive (2004/39/EC) and (largely) entered into force on 3 January 2018, imposes on regulated firms a Risk management wide range of conduct of business and organisational requirements. Including: conducting and documenting a risk assessment of the pro- These include requirements relating to outsourcing, as well as more posed cloud project; monitoring concentration risk, to avoid too great general record keeping and business continuity issues. The FCA hand- a dependency on any one CSP; and understanding what action to take book has been updated to reflect these new requirements. if the CSP failed. Why are the outsourcing rules and guidance relevant to cloud computing? The FCA Cloud Guidance is addressed to all firms authorised International standards under FSMA ‘when outsourcing to the ‘cloud’ and other third party Including: as part of due diligence, assessing the CSP’s adherence to IT services’ (my emphasis). As will be evident from the FCA Cloud accepted international IT and service standards; and applying greater Guidance itself, for the FCA, not only is cloud computing equivalent standards of assurance when the functions concerned are critical or to outsourcing in its potential impact on regulated firms, their opera- important or a material outsourcing. tions and end-customers, but also it sees the cloud ‘as encompassing a range of IT services provided in various formats over the Internet’ CSP oversight (paragraph 1.4 FCA Cloud Guidance). Accordingly, the FCA sees no Including: clarity about the allocation of responsibilities between the distinction between private, public or hybrid cloud deployment (para- firm and the CSP; the firm having an internal function responsible for graph 1.4 FCA Cloud Guidance). And it says that ‘[from] a regulatory the strategic and day-to-day management of the CSP; and ensuring perspective, the exact form of the service used does not, in itself, alter that the firm’s staff have sufficient skills and resources to oversee and the regulatory obligations placed on firms’. So, where a third party test the cloud services and properly manage an exit or migration from (including a CSP) delivers services on behalf of a regulated firm, this is the existing CSP. In other words, this would mean firms having and considered outsourcing. Firms therefore need to consider the relevant retaining specific cloud service management expertise. regulatory obligations and how they comply with them.’ (Paragraph 3.3 FCA Cloud Guidance.) Data security The stated aim of the FCA Cloud Guidance is to facilitate adop- Including: conducting a specific risk assessment; agreeing data resi- tion of cloud computing in the regulated financial services sector, dency terms with the CSP, setting out contractually the locations in recognising the benefits of cloud computing and innovation in the sec- which the firm’s data can be stored, processed and managed; consid- tor. It came about because firms and CSPs had told the FCA that they ering how the firm’s data will be segregated (for public cloud); assess- were unsure about how to apply its Handbook outsourcing rules to ing the sensitivity of data and how the data will be transmitted, stored the cloud: this uncertainty may have been acting ‘as a barrier to firms and encrypted, where necessary – noting that encryption keys or other using the cloud’ (paragraph 1.3 FCA Cloud Guidance). forms of authentication must be accessible to the FCA or PRA. Apart from the regulated firms themselves, the FCA Cloud Guidance is addressed (for information in this case) to CSPs and other third-party IT providers, trade associations and consumer groups, pro- Data protection fessional advisers and the auditors of regulated firms. Including: continuing compliance with data protection laws. Firms In outline and focusing below on the most important aspects of are, of course, required separately to comply with UK data protec- the FCA Cloud Guidance for cloud computing, the regulated firm must tion law (now the GDPR, as supplemented by the Data Protection have regard to the following. Act 2018). In that sense, though the data protection laws are separate, the FCA Cloud Guidance forms part of the firm’s compliance with its duties as a regulated firm. Firms should consider the UK Information Criticality or materiality of the cloud service Commissioner’s guidance concerning the transmission of personal Whether the function being processed under the cloud service is ‘criti- data outside the European Economic Area (EEA). cal or important’ or ‘material’ and (for authorised payment institutions www.gettingthedealthrough.com 85

Effective access to data being ‘fully tested’; firms understanding how they would migrate the ‘Data’ is used here in its widest meaning. Firms should ensure that the cloud services to an alternative CSP and maintain business continuity; cloud computing arrangement has addressed the following: access for contractually requiring the CSP (and by implication its supply chain) to the firm, their auditors, the regulators and other competent authorities cooperate fully with the firm and the incoming CSP to ensure a smooth to the firm’s data; contractual ability for the regulators to contact the transition; the firm understanding how it could and would remove its CSP directly where the firm cannot for any reason disclose the data; data from the CSP’s systems on exit. While there is no record of recent ensuring that the data is not stored in jurisdictions that may prevent CSP insolvencies affecting UK financial services institutions, those sit- or inhibit effective access for UK regulators; geopolitical stability as it uations show that, in the context of cloud services and cloud contracts, concerns the data; whether the CSP’s jurisdiction provides for data pro- understanding and operating such contingency processes is at best dif- tection; the law enforcement provisions of the relevant jurisdiction or ficult (see http://diginomica.com/2015/01/06/cios-worst-nightmare- jurisdictions where data is to be processed, for example whether and cloud-provider-goes-bankrupt/; see also question 14). how easily the authorities in the CSP’s jurisdiction may intervene in As noted above, the aim of the FCA Cloud Guidance is to help accessing the firm’s data. overcome the barriers created by the perceived regulatory uncertainty in the adoption of cloud computing by UK financial services Access to business premises firms. As the FCA says: ‘We see no fundamental reason why cloud ‘Premises’ here include head offices and operations centres, but not services (including public cloud services) cannot be implemented, necessarily data centres. The guidance includes: knowing which CSP or with appropriate consideration, in a manner that complies with our supply chain premises are relevant for the cloud services and effective rules.’ (Paragraph 1.6 FCA Cloud Guidance.) And the FCA points out oversight of them (the FCA recognising that CSPs may have legitimate that it has supported both new and existing firms to use the cloud and reasons for limiting access to some sites, eg, data centres); providing achieve regulatory compliance (paragraph 1.7 FCA Cloud Guidance; for the unrestricted contractual and legal ability for the firm or its audi- for an example of a new ‘challenger’ bank adopting the cloud, see www. tors to request an onsite visit to the business premises – on reasonable ft.com/content/36c4eba2-2280-11e6-9d4d-c11776a5124d?mhq5j=e1). prior notice, except in the case of an emergency or crisis; enabling vis- In its UK Software and IT Services Market Trends & Forecasts its by the financial services regulators or other competent authorities 2017 (subscription-only), the UK research and analytics firm as they deem necessary and required by law or regulation, without any TechMarketView observed ‘continued growth in spending on cloud- conditions being imposed; having the CSP commit contractually to based systems’ in the UK financial services markets (page 15). However, cooperating with all reasonable requests of the regulators during such in reporting on the 2017 drivers and trends in the UK financial services visits; affording the regulators the right to observe the provision of the market, TechMarketView’s data shows that, while the move to cloud is cloud services to the firm or any of its affiliates (although the regulators certainly growing, it is not a dominant trend in these markets (page 16). may commit to minimising disruption to the CSP’s operations). Other research – and my own and colleagues’ experience – shows that, despite the FCA’s laudable efforts to help firms around financial Relationship between service providers services regulatory hurdles in adopting the cloud, there are still signifi- Including: considering how the cloud supply chain is constructed and cant concerns about the compatibility of cloud computing with regula- operates; enabling the firm to review subcontracting and other supply tory compliance. In an article in Finextra on 27 June 2017, Tim Brazier chain arrangements to ensure that they facilitate the firm’s compliance wrote: ‘Financial firms have cited regulation and compliance as the big- with its regulatory requirements, including security, effective access to gest challenges to overcome in cloud migration. In a paper published in data and business sites; understanding the roles of CSPs within the sup- February 2017, the UK banking sector trade body, the British Bankers’ ply chain; knowing how a CSP’s services will interface with the firm’s Association (BBA, now UK Finance), identified seven barriers to cloud own systems or other necessary third-party systems (eg, agency bank- adoption’ (www.finextra.com/blogposting/14231/public-cloud-adop- ing arrangements for payments). tion-in-financial-services-challenges-and-opportunities (footnote omitted). The barriers financial firms identified were: Change management • the regulatory approach to ‘important’ and ‘critical functions; Including: ensuring that contractual and operational provision is made • supervision and oversight; for changes to the cloud services; and establishing how changes will be • the risk framework; tested. • access to CSP sites and services by regulators; • data residency; • termination; and Continuity and business planning • data breaches and monitoring. Including: providing contractually and operationally for appropriate arrangements for the continuity of functions and the ability of the firm Most of these concerns will be identifiable from the FCA Cloud to meet its regulatory obligations in the event of an ‘unforeseen inter- Guidance summarised above. And readers will note that the BBA’s ruption’ of the cloud services; having a plan documenting the continu- report was finally published five months after the publication of the ity, business interruption and recovery arrangements; regular testing of the business continuity plan; and putting in place contractual and FCA Cloud Guidance – in other words, it appears that the FCA Cloud Guidance had not yet achieved its objective. Readers will reach their operational measures to ensure regulatory access to data in an insol- own conclusions. vency or other disruption of the cloud services. On 28 March, the European Banking Authority (the EBA) issued its final recommendations on outsourcing to cloud service providers. Resolution These follow a period of public consultation. The final recommenda- This guidance will only apply to certain firms (see ‘Criticality or materi- tions are available here and came into force as of 1 July. Pursuant to ality of the cloud service’ above). In this context, the main aspect of the the recommendations, competent authorities, including the FCA, and resolution and recovery arrangements and the Bank of England’s ‘stabi- financial institutions (defined as credit institutions and investment lisation’ powers that will concern firms, CSPs and providers within the firms under article 4(1) of the EU’s Capital Requirements Regulations, cloud supply chain is this: neither financial distress or insolvency lead- 2013/36/EU) must make every effort to comply. The FCA Cloud ing to resolution, nor the change of ownership or control of the firm fol- Guidance largely addresses the requirements in the EBA’s recommen- lowing that event, will enable the CSP or a cloud supply chain provider dations, so reflect minimal change for financial institutions in the UK to terminate the contract or the provision of cloud services. Moreover, that are compliant with the FCA Guidance. On 25 July 2018, the FCA the CSP and its supply chain may have to provide the cloud services published its updated Cloud Guidance to reflect the EBA’s recommen- to the resolution successor entity or firm for a transitional period. The dations www.fca.org.uk/publications/finalised-guidance/fg16-5-guid- CSP (and by implication providers in its supply chain) must agree not to ance-firms-outsourcing-cloud-and-other-third-party-it. Note that the delete, revoke or change the firm’s data in the case of resolution. policy contained in the FCA’s Guidance reflects the existing UK and EU regulatory framework. The FCA has confirmed that it will keep its Exit planning Guidance under review to assess what, if any, changes are required, Including: firms having contractually documented exit plans and termi- including as a result of Brexit. nation assistance arrangements to ensure continuity, and these plans

86 Getting the Deal Through – Cloud Computing 2019

14 Outline the insolvency laws that apply generally or Territorial scope specifically in relation to cloud computing. The GDPR applies to a controller or processor established in the EU. It There are no insolvency laws that apply to cloud computing specifi- will also apply to the processing of personal data of data subjects in the cally. The main UK primary insolvency laws are the Insolvency Act EU by data controllers and processors with no EU establishment where 1986 (www.legislation.gov.uk/ukpga/1986/45/contents) and the the processing relates to offering goods and services (free or for pay- Insolvency (England and Wales) Rules 2016 (www.legislation.gov.uk/ ment) to EU data subjects, or to monitoring the behaviour taking place uksi/2016/1024/contents/made) (both as amended). For an overall in the EU of such data subjects (article 3(2)). The GDPR applies, there- guide to the UK insolvency regime, see www.pwc.co.uk/assets/pdf/ fore, to CSPs (assuming them to be either processors or controllers) insolvency-in-brief.pdf. without sites in the EU, if they meet either or both of the above tests. The rules that govern the insolvency of a CSP or a cloud customer, Certain controllers or processors (including CSPs) will have to appoint as well as those governing how corporate insolvencies are managed a local EU representative for legal enforcement purposes (article 27). and disposed of, are complex. And experience in the UK has shown just how difficult it can be for cloud customers when a CSP suffers financial Data controllers distress and insolvency. In early 2013 UK CSP 2e2 went into administra- Generally speaking – though it should not always be assumed – in B2B tion and subsequently liquidation (http://diginomica.com/2015/01/06/ cloud computing the customer will be the controller, determining the cios-worst-nightmare-cloud-provider-goes-bankrupt/). As a result, UK purposes and means of the processing of personal data (article 4(7)). It CSP customers are advised to consider carefully the selection of their will be in the interests of CSPs to ensure that this characterisation con- CSP and ongoing monitoring of the financial robustness of the CSP and tinues under the GDPR, as ultimately the controller will be bound by the terms of their cloud service contracts, including ownership of the more stringent duties than the processor. The challenge in B2C cloud customer’s tangible and intangible assets, exit arrangements and data computing, especially for social media and network services, is how migration where the CSP suffers financial distress or insolvency. CSPs ensure that their standard public cloud contract terms maintain In addition, CSPs and other IT providers operating in the UK need consumer customers as data controllers. to be aware of recent legislation that could severely restrict their ability The controller, or cloud customer, will be primarily liable for law- to withdraw service from insolvent customers, terminate supply con- ful processing, including implementing appropriate technical and tracts or demand higher payments for continuity of supply. The legisla- organisational measures to ensure, and be able to demonstrate, that tion overrides conflicting terms in a supply contract – the Insolvency processing is performed in accordance with the GDPR, including ongo- (Protection of Essential Supplies) Order 2015 (www.legislation.gov.uk/ ing reviews and the updating of those measures (article 24(1)). Cloud uksi/2015/989/article/2/made). The 2015 Order amended the relevant customer-controllers must, therefore, be able to demonstrate that pro- provisions of the Insolvency Act 1986 (sections 233 and 233A). cessing performed on their behalf by CSPs is compliant, which in turn Until 2015, UK insolvency laws allowed insolvency officeholders will mean having to satisfy themselves that CSP contract terms facili- (eg, administrators) to compel statutory suppliers of ‘essential sup- tate the controller’s obligations. plies’ (water, electricity, gas and communication services) to continue Controllers should only engage processors who provide sufficient providing supplies in specified formal insolvency situations (subject to ‘guarantees’ to implement appropriate technical and organisational certain safeguards and reliefs for suppliers). Providers cannot require measures in such a way that the processing will meet the requirements payment of outstanding charges as a condition of continuing supply. of the GDPR and ensure the rights of data subjects (article 28(1)). This The 2015 Order ensures that, like utility services, ‘communication ser- raises important questions for cloud customer due diligence in appoint- vices’ and other IT supplies will be treated as essential supplies. ‘IT ing CSPs. In some cases, for example regulated financial services firms supplies’ include a ‘supply of goods and services . . . for the purpose deciding to engage CSPs for their operations, this aspect of the decision of enabling or facilitating anything to be done by electronic means’, will almost certainly have to be documented (see question 13). specifically including computer hardware and software; information, The controller may refer to the adherence to approved codes of advice and technical assistance in connection with the use of infor- conduct under article 40 or to approved certification mechanisms mation technology; data storage and processing; and website hosting under article 42 for the purpose of demonstrating compliance with – in other words, they are wide enough to cover cloud computing ser- its GDPR obligations (for the current European Union Agency for vices. Termination clauses in cloud supply contracts and those seeking Network and Information Security (ENISA) framework see www.enisa. to change the terms of the contract or to require higher payments for europa.eu/news/enisa-news/enisa-cloud-certification-schemes-meta- maintaining supply will be overridden if triggered by an administra- framework/). We should expect to see the development by CSP indus- tion or a company voluntary arrangement. There are, however, various try organisations of cloud-specific codes of conduct and certification safeguards and forms of relief available to CSPs in such circumstances. mechanisms, for example, the CIF Code referred to under question 10; although such codes and certification mechanisms will have to be Data protection/privacy legislation and regulation approved. While article 28 is headed ‘Processor’, it is clear that some of the 15 Identify the principal data protection or privacy legislation obligations it imposes, for example under article 28(1), are directed to applicable to cloud computing in your jurisdiction. and will be the primary responsibility of controllers. And so it is with The main data protection and privacy legislation in the UK are the article 28(3), which requires – as under current law – not only for there to GDPR and the Data Protection Act 2018 (DPA). The DPA is the UK’s be a binding contract between the controller and processor governing implementation of the GDPR; although the DPA also supplements data processing, but also for that contract to stipulate a range of specific the GDPR in certain areas. It is the successor to the previous Data provisions (article 28(3)(a)–(h)), including for example: that processing Protection Act 1998. The ICO issued, for organisations rather than will only be in accordance with the controller’s documented instruc- members of the public, specific guidance on the use of cloud comput- tions, including with regard to third country data transfers; confidenti- ing. Although this guidance has not yet been updated to reflect the ality undertakings by all those authorised to process the data; controls DPA, the ICO states that it ‘still considers the information useful’. At on the engagement of sub-processors (see below); and processor obli- the time of writing, the ICO has confirmed that the guidance will be gations to assist the controller in ensuring compliance under articles updated soon. 32 to 36 regarding its obligations of data security, pseudonymisation The following section outlines the likely and most direct impact on and encryption, data breaches and notifications, and data protection cloud computing in the UK of the GDPR and the DPA. impact assessments. Cloud customers and CSPs must address these General knowledge of the principles of the GDPR and the termi- requirements in their cloud computing contracts, whether on the CSP’s nology used in that legislation is assumed. It is beyond the scope of this standard contract terms or otherwise. There will continue to be stand- section fully to cover the contents and operation of the GDPR. The fol- ard contractual clauses (SCC) laid down by the European Commission, lowing focuses on certain elements of the GDPR that are new to data and also under the GDPR by national supervisory authorities, or both protection law or that have particular significance for cloud computing. (article 28(6)). This outline is not, therefore, exhaustive. References below to articles are to the articles of the GDPR.

www.gettingthedealthrough.com 87

Data processors per cent of the preceding financial year’s worldwide annual turnover, As stated above, in B2B cloud computing, the CSP is usually likely to be whichever is higher (article 83(5)). – and to prefer to be – the entity processing personal data on behalf of There are other processes and sanctions available for non-compli- the controller, namely the processor: article 4(8). Among the changes ance, including audits, access rights, reprimands and administrative to data protection law made by the GDPR is that data processors – orders (article 58). hence CSPs – will for the first time be directly accountable for and liable to data subjects and regulators for infringements. Aside from the need Cross-border data transfers for a binding contract between the controller and processor with its These rules are dealt with in articles 44 to 50. As applied to cloud various contractual stipulations (see above), additional requirements computing and cloud supply chains, they are an important part of the imposed on processors will include the following. GDPR’s regulation. Personal data transfers to recipients in ‘third coun- • Processors must not engage sub-processors without the control- tries’ (those outside the EEA) continue to be closely regulated, broadly ler’s prior specific or general written authorisation, including to ensure that the level of data protection for EU data subjects is not changes to sub-processors after general written authorisation has undermined (article 44). Overall, the GDPR framework for such trans- been given – so giving the controller the opportunity to object to fers is similar to that under the previous Data Protection Act 1998 and those changes: article 28(2). This could clearly have a material Data Protection Directive, with some useful new compliance meas- impact on cloud supply chains and changes to them. Moreover, ures, including the ability of data exporters to demonstrate compli- where a processor has engaged sub-processors, it must impose by ance through approved codes of conduct and approved certification contract the same data protection requirements on those sub-pro- mechanisms (article 46(2)). Breach of these provisions will be a non- cessors as apply in the controller-processor ‘head’ contract, in par- compliance issue for which the upper tier of administrative fines can ticular to ensure that sub-processors provide sufficient ‘guarantees’ be imposed (see sanctions and remedies above). Both controllers and to implement appropriate technical and organisational measures processors will be liable to non-compliance proceedings. to meet the requirements of the GDPR. Processors will be liable to controllers for the acts and omissions of sub-processors (article Privacy Shield 28(4)). Adopted by the European Commission in July 2016 (http://europa.eu/ • Processors must keep a written or electronic record of all categories rapid/press-release_IP-16-2461_en.htm), this applies to EU-US data of processing activities undertaken for a controller (article 30(2)). transfers and is relevant for cloud computing in EU-US and related There is an exemption for organisations employing fewer than 250 trade. Microsoft claimed to be the first US CSP to appear on the US employees, with certain exceptions (article 30(5)). Department of Commerce’s list of Privacy Shield certified entities • There is a specific requirement for processors to cooperate with (https://azure.microsoft.com/en-gb/blog/microsoft-cloud-is-first- data protection supervisory authorities (article 31). csp-behind-the-privacy-shield/). At the time of writing, the Privacy • Another new set of obligations on processors relates to data secu- Shield is under threat, as the European Parliament has issued a reso- rity and breach reporting. In their own right, processors must – lution requesting that the European Commission suspend the Privacy having regard to the state of the art, costs, risk, etc – implement Shield until such time as the USA can demonstrate full compliance with appropriate technical and organisational measures to ensure data its terms. security, including the pseudonymisation and encryption of personal data; the confidentiality, integrity, availability and resilience Access to EU personal data by third country governments of processing systems and services; the restoration and availabil- In the light of the Snowden disclosures and the litigation that followed ity of data following ‘physical or technical’ incidents; and regular them (eg, Microsoft v. United States, No. 14-2985 (2d Cir. 2016) http:// security testing (article 32(1)). The economics of cloud computing law.justia.com/cases/federal/appellate-courts/ca2/14-2985/14-2985- – especially in public cloud deployment models – are likely to be 2016-07-14.html), it is worth noting that article 48 of the GDPR con- challenged by these requirements. tains specific safeguards against third country governments’ access • Under article 33(2), the processor must notify the controller ‘with- to EU personal data. Any third country judgment or administrative out undue delay’ after becoming aware of a breach. This must be decision requiring a controller or processor to disclose EU personal seen in the context of the controller’s new obligation to notify its data will only be enforceable if it is based on an international agree- supervisory authority – except for breaches unlikely to compromise ment, for example a mutual assistance treaty between that third coun- data subjects’ rights – without undue delay and, where feasible, not try and the EU or a member state. (See also question 10 on MLAs; and later than 72 hours after becoming aware of a data breach, including the Agreement on Mutual Legal Assistance between the United States details surrounding the breach (article 33(1) and (3)). It is clear that of America and the European Union signed 25 June 2003 at http:// CSP processors are going to be required to support B2B customer ec.europa.eu/world/agreements/prepareCreateTreatiesWorkspace/ controllers in breach management and notification, which will in treatiesGeneralData.do?step=0&redirect=true&treatyId=5461&b turn need to be reflected in cloud arrangements and contracts. ack=5441.)

Sanctions and remedies Cloud computing contracts Under the GDPR controllers and (as mentioned above) processors will be directly accountable and liable for non-compliance, both to data 16 What forms of cloud computing contract are usually adopted subjects and regulators. The allocation of responsibility and liability for in your jurisdiction, including cloud provider supply chains (if infringements as between cloud customers and CSPs has, therefore, applicable)? assumed even greater importance in B2B and B2C-related cloud con- It follows from the answer to question 1 that, in the UK, contracts cover tracts – particularly because of the extent and scale of the GDPR sanc- the full range of cloud deployment and service models and reflect the tions and remedies. UK’s large and sophisticated cloud business ecosystem, including CSP Any person who has suffered ‘material or non-material’ damage as supply chains. a result of an infringement will have a right to receive compensation One aspect of cloud contracting that tends to cause difficulties for from the controller or processor (article 82(1)). Controllers will remain cloud customers is where, as is typical, cloud contract formats are mod- liable overall for such damage, while processors will only be liable ular. This means that the provisions of the contract must be located where they have not complied with the GDPR obligations specifically from a combination of offline and online sets of terms or – more typi- directed to them or where they have acted outside or contrary to the cally – from a combination of multiple online sets of terms, policies, etc, lawful instructions of controllers (article 82(2)). which users must access by clicking on different hypertext links. These Administrative fines will depend on the gravity of the sets of terms are then ‘assembled’ and stipulated by the CSP to form the non-compliance (article 83(2) (a)–(k), 83(3)). There are two tiers of fine entire contract. In my experience, these formats and contract processes for specified infringements: a lower level of up to €10 million or, in the make it difficult even for sophisticated corporate customers to ascer- case of businesses, up to 2 per cent of the preceding financial year’s tain the full extent of cloud contracts and, in some cases, to determine worldwide annual turnover, whichever is higher (article 83(4)); and an what terms will govern them. In B2C contracts, and possibly where B2B upper level of up to €20 million or, in the case of businesses, up to 4 cloud customers are negotiating on CSP standard terms of business,

88 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Bryan Cave Leighton Paisner LLP UNITED KINGDOM this could in certain circumstances ultimately result in the legal inef- security risks to the cloud service, the CSP or other cloud service users, fectiveness or unenforceability of certain contract terms and lead to or infringing third-party rights. Suspension may be on notice or, where regulatory intervention. urgent (as in the case of security risks), without notice. In some cases, The answers to questions 17 to 22 are based on a review and knowl- the customer will remain liable to pay the charges during the suspen- edge of a limited, but meaningful, range of B2B public cloud service sion period, while service credits (see below) will not accrue. agreements (CSAs) and related documents proposed by the major international CSPs that are available from public resources. It is beyond Acceptable use policy the scope of this work to survey a much wider range of such contracts The CSAs of all the major CSPs contain an AUP: it has become one of or to segment them by deployment model, service model or specific the defining features of CSAs in the UK as elsewhere. Readers will be cloud services within each service model. (Readers are referred to the familiar with the standard terms of AUPs, which address conduct by work of leading UK academics at: https://journals.law.stanford.edu/ both customers and their end users in using the cloud services, and will sites/default/files/stanford-technology-law-review/online/cloudcon- include prohibitions on: tracts.pdf (2012) and Cloud Computing Law, Christopher Millard (ed.), • illegal activities of any kind; (Oxford University Press 2013), noting that, inevitably there will have • violation of any third-party rights; been changes to CSA practice and terms since. I also wish to acknowl- • gaining or attempting to gain unauthorised access to any networks, edge the excellent reports and other deliverables produced by the (now systems, devices or data; decommissioned) SLALOM Project teams, which I used to sense-check • unauthorised disruption of any networks, systems, devices or data; my own review of the CSAs referred to above. SLALOM documentation • sending unsolicited messages or marketing; and is recommended reading for this area and may be downloaded from the • distributing malware. links at: https://cordis.europa.eu/news/rcn/134076_en.html. The answers below do not identify CSPs by name; they reflect a As stated above and under question 22, breach of the AUP may entitle composite, high-level, view of the CSAs and related materials reviewed. the CSP to suspend or terminate the CSA – in some cases, the breach Moreover, they do not attempt to assess the reasonableness, fairness or of a single end user could result in suspension or termination. Other validity of the terms outlined. Here, I adopt the approach taken by the CSAs contain indemnities for AUP breaches. Where the AUP has been SLALOM Project team: readers will be aware that, in assessing these breached, or the CSP suspects it has been breached by illegal conduct, matters, much will depend on the context of the service and deploy- the CSP may report those activities to the authorities or interested third ment and service model or models adopted, the relative bargaining parties and reserve the right to cooperate with them. strength of the parties, the economic basis of the cloud arrangement, cost or no-cost, and whether it is a beta product or service, etc. Variation The European Commission actively promotes the devel- One of the more disquieting terms of CSAs in the UK as elsewhere is opment and use of fair standard cloud computing con- that CSPs may without the customer’s consent vary cloud services, tracts and there will be further developments under this SLAs and other terms of the CSA – usually without any justification and initiative (see http://ec.europa.eu/justice/contract/cloud-comput- in some cases even without the obligation to notify customers before- ing/index_en.htm, https://ec.europa.eu/digital-single-market/en/ hand. Typically, when exercised, variation does not entitle the cus- cloud-select-industry-group-service-level-agreements). tomer to terminate the CSA. Finally, the role of international standards will be ever more important as applied to cloud computing services, service level agreements 19 What are the typical terms of a B2B public cloud computing (SLAs) and CSAs (see for cloud computing and distributed platforms contract in your jurisdiction covering data and confidentiality ISO/IEC JTC1 SC38, www.iso.org/committee/601355.html and www. considerations? iso.org/standard/67545.html). To reflect the entry into force of the GDPR, all the major CSPs operating within, or providing services to, the EEA have introduced detailed 17 What are the typical terms of a B2B public cloud computing data protection and processing terms for incorporation into their CSAs, contract in your jurisdiction covering governing law, in some cases in separate addenda or supplements. jurisdiction, enforceability and cross-border issues, and Typically, the GDPR-related terms will include: dispute resolution? • the allocation of processor and controller roles and functions With limited exceptions, the governing law of the CSP’s home juris- between the customer and the CSP, with the CSP as processor and diction or a chosen regional location will apply. For certain purposes, with the right for the CSP to appoint sub-processors (subject to the for example EU data protection SCC, the choice of governing law and customer’s right to object to the appointment of new sub-proces- jurisdiction may be those of the customer’s location. Courts (rather sors and with concomitant sub-processor obligations); than arbitral tribunals) competent in the CSP’s jurisdiction are most • the application of technical and security features provided to the commonly chosen. US CSPs usually require all customers to commit to customer to enable it to comply with the technical and organisa- compliance with applicable US export controls, sanctions and related tional measures required by the GDPR; laws and regulations. • deeming of ‘documented’ customer instructions to the CSP with regard to the CSP’s processing of customer data in accordance with 18 What are the typical terms of a B2B public cloud computing the GDPR; contract in your jurisdiction covering material terms, such • confidentiality obligations of the CSP in relation to customer data; as commercial terms of service and acceptable use, and • terms for the handling of data subject access requests; variation? • detailed operational security provisions, including security breach Pricing and payment notification obligations on the CSP; Pricing will, of course, vary depending on the deployment and service • CSP data security certification and audits ; model offered, and whether the contract is formed on- or offline. Some • provision for the transfer of personal data outside the EEA, with the CSPs reserve the right to vary charges for existing services. There are incorporation of SCC accordingly; and usually remedies for late payment, including interest and, in some • the return or deletion of customer data on termination of the CSA. cases, the right for the CSP to suspend service for payment defaults. If the customer defaults on payment when due, all CSAs reviewed entitle As at the time of writing, there have been no reported legal challenges the CSP to terminate them (see question 22). emanating from the UK to CSP GDPR terms.

Suspension of service by the CSP 20 What are the typical terms of a B2B public cloud computing It is common to see suspension rights in addition to specific termination contract in your jurisdiction covering liability, warranties and rights (and sometimes for the same or overlapping triggering events). provision of service? The most typical cause for suspension is where there has been a breach Liability by the customer or an end user of the acceptable use policy (AUP – see Understandably, all CSAs contain limitations and exclusions of liabil- below), which will usually include the customer or an end user causing ity: some are written from a US perspective, while others are localised. www.gettingthedealthrough.com 89

The CSP’s liability is commonly limited (sometimes mutually) to the Commonly, CSAs do not provide specific SLA breach reporting amount of charges paid by the customer – usually during the 12 months mechanisms, which would of course make monitoring and enforcing preceding the event giving rise to liability. Liability caps of this kind the SLA or service credit regime difficult for the customer. In other situ- are sometimes tiered by reference to different services, for example ations, customers are required, within stipulated deadlines, to follow the greater of a specified monetary amount or the total charges paid, specified procedures to report the service level breaches, as well as pro- depending on the service. viding details of them for verification by the CSP, who may retain the Some CSAs exclude from this limitation the CSP’s liability for option of rejecting the customer’s claim. third-party IPR infringements (whether under an indemnity or other- Some CSAs entitle the CSP unilaterally to vary the SLAs and ser- wise), and for confidentiality and data protection breaches. vice credits. It is common for CSAs to exclude liability: It is usual for CSAs to exclude the operation of the SLA, where for • in general for indirect, consequential, incidental, exemplary, puni- example: tive or special losses or damages (even if some of those kinds of • there is a force majeure event; loss or damages are not recognised in the UK jurisdictions); and • the customer or an end user is in breach of the AUP or other terms • for a range of specific losses, including loss of revenue, loss of prof- of the CSA; its, loss of customers or goodwill, loss of use of data, loss of antici- • the services have been lawfully suspended; pated savings, loss of the use of the cloud service, etc. • the service outage is attributable to technology not provided by the CSP; and Some CSAs disclaim liability for unauthorised access to, and for loss • the CSP’s systems are down for maintenance. or destruction of, uploaded content and data. In other cases, CSAs will acknowledge the CSP’s liability for content or data loss where the CSP See also question 20 under ‘Warranties’. has failed to meet its own security obligations. Many CSAs require customers to take responsibility for making backup copies of their own Business continuity and disaster recovery content and data or otherwise mitigating their own risks in using the In general, unless the CSP is providing a cloud-based business con- cloud service. tinuity service, CSAs do not contain any, or in any detail, business continuity or disaster recovery terms – although it is typical for CSAs Warranties and provision of service to contain force majeure provisions excusing the CSP’s performance Some CSAs contain a CSP warranty that it will deliver the services in such cases. This is a feature of CSAs in the UK, US and elsewhere in accordance with the SLA or some other service description. Some (see the useful report, Public Cloud Service Agreements: What to CSAs state that cloud services are provided ‘as is’. Almost invariably, Expect and What to Negotiate Version 2.0 produced by the US Cloud any other express or implied warranties (eg, as to fitness for purpose, Standards Customer Council, www.cloud-council.org/deliverables/ satisfactory quality, non-infringement) are disclaimed to the extent CSCC-Public-Cloud-Service-Agreements-What-to-Expect-and-What- permitted by law. Some CSPs specifically exclude any express or to-Negotiate.pdf). implied warranty that the operation of the cloud service or software Usually, the customer is expected or obliged to make its own made available through it will be uninterrupted or error-free. backup arrangements to ensure continuity. Sometimes, CSAs will refer Also, typical of many CSAs is that customers will not be entitled to CSPs having their own disaster contingency plans for their data cen- to claim for service unavailability for scheduled or unscheduled down- tres, using redundant processing and storage capacity to back up data time or other service interruptions. held in those data centres, but without any contractually binding commitment to implement such plans. Indemnities It is common for the customer to have to indemnify the CSP against the 21 What are the typical terms of a B2B public cloud computing customer’s and any end user’s: contract in your jurisdiction covering intellectual property • act or omission or use of the cloud service that infringes any third rights (IPR) ownership in content and the consequences of party’s rights; infringement of third-party rights? • breaches of the CSA generally and the AUP specifically; Typical terms are as follows. • infringement of applicable law; and • The customer usually warrants that it owns or has all necessary • creation or use of uploaded content; rights to use its content (eg, software, data) processed by the cloud in each case where the act, omission, use, etc, gives rise to claims, service or to grant any licences to the CSP under the CSA, and that costs, losses, and so on. its content or end users’ use of the customer’s content will not breach the AUP (which may entitle the CSP to suspend or termi- Where there are detailed data processing provisions, including data nate the CSA). transfer agreements (see question 19), some CSAs will provide for cus- • The customer retains IPR in the contents uploaded or created by it tomer indemnification of the CSP against breach of data protection law in using the cloud service. The CSP may use the contents to provide caused by the customer or an end user. the cloud service or to comply with regulatory or governmental For the CSPs’ obligations to indemnify or (quite commonly) to directions or orders. ‘defend’ the customer against third-party IPR infringement claims or • The CSP may use without restriction any suggestions for improve- final judgments, see question 21. ments to the cloud service made by the customer, in some cases, with an obligation to assign ownership in such suggestions to the Service availability, quality, service levels and service credits CSP. Many B2B public cloud CSAs contain or incorporate by reference spe- • The CSP reserves rights in all IPR relating to its cloud services, cific SLAs as applicable to the service modules provided to the cus- including IPR in the applications and infrastructure used in provid- tomer. (For an example of CSA service levels applied by the major CSPs ing the services. (and some others), readers are referred to the SLALOM Project’s docu- • If the cloud services are found, or understood by the CSP, to infringe mentation available from the links at: https://cordis.europa.eu/news/ any third-party IPR, the CSP may at its discretion, and usually as rcn/134076_en.html. an exclusive remedy, procure the necessary rights for customers The application of specified service credits is usually expressed to continue using the services, modify the services so that they to be the sole and exclusive remedy for service-level breaches. Some become non-infringing without any material loss of functionality, CSPs make specific claims or promises about their levels of service and or provide equivalent services in substitution for the infringing ser- are willing to enable the customer to terminate the CSA for stipulated vices – or failing that, to terminate the cloud services concerned. breaches of those service levels, subject to following mandated proce- In some cases, instead of the above ‘work around’ language, the dures for doing so, with repayment of any prepaid charges. Many CSAs CSP will undertake to ‘defend’ or indemnify the customer against contain caps on the maximum amount of service credits allowable in a the claims, costs, losses, etc, arising from final judgments. Where specified period. CSAs are governed by the laws of a US jurisdiction, customers may find that the obligation to ‘defend’ does not include the obligation

90 Getting the Deal Through – Cloud Computing 2019

to indemnify – though this is, of course, to be determined under the migrated to another CSP after the initial cloud migration, or back to the relevant US jurisdiction if validly chosen. original customer, if it wishes to resume the IT service in-house. This can constitute a service provision change under TUPE regulation 3(1) 22 What are the typical terms of a B2B public cloud computing (b). The workforce (organised grouping) carrying on the activities liable contract in your jurisdiction covering termination? to transfer must be based in Great Britain and the principal purpose of CSAs may allow termination for convenience on specified notice for that workforce must be to carry out those activities for the customer. both the customer and the CSP. In broad terms this means they must be ‘essentially dedicated’ to the Either party will usually have a right to terminate for the (unrem- customer; although they may still do work for others (TUPE regulation edied) material breach of the other, change of control of the other, or 3(3); and see generally www.gov.uk/transfers-takeovers). More signifi- the insolvency of the other. There is often also a range of specific rights cantly for cloud computing arrangements, the activities to be carried of termination by the CSP, including: out by the CSP must be ‘fundamentally the same’ as those undertaken • non-payment by the customer of due invoices; previously by the customer’s staff (TUPE regulation 3(2A) www.legisla- • where the cloud service is dependent on third-party IPR (eg, soft- tion.gov.uk/uksi/2014/16/regulation/1/made#regulation-1-2). ware) licences, when a relevant third-party licence expires or is So, the threshold question in cloud computing migration is most terminated; likely to be: will the activities to be undertaken by the CSP be ‘funda- • for a specified period of customer inactivity; mentally the same’ as those undertaken previously by the customer’s • where the customer or an end user’s use of the cloud service pre- IT staff? This will come down to an analysis of fact and degree. One sents a security risk to the CSP or any third party (typically con- – and only one – factor will be a reduction in the volume or scope of tained in the AUP); work, which is likely to be the case in migration from ‘traditional’ • contravention of export and sanctions controls laws and regula- IT activities to the cloud (see Department for Education v Huke and tions; and another UKEAT/0080/12, www.employmentcasesupdate.co.uk/site. • one or more (other) breaches of the AUP or any other term of the aspx?i=ed13195; OCS Group UK Ltd v Jones and another UKEAT/0038/09, CSA by the customer or an end user. www.employmentappeals.gov.uk/public/upload/09_0038fhwwcea. doc). The consequences of termination may include: At first glance, IT activities or services migrated to, say, a public or • the customer’s obligation to cease using or to return any propri- hybrid cloud, from which the customer may then receive very different etary material (eg, software), or to destroy any content provided by cloud services (at least by reference to scope and possibly volume) to the CSP; the services or activities previously provided in-house, simply do not • that the CSP will not erase the customer’s data for a specified intuitively look and feel ‘fundamentally the same’ in the cloud. And – if period after termination, and in some cases that the customer will they addressed the question at all – it would be understandable if the be entitled to retrieve its data (usually also subject to a charge by customer and CSP considered that the activities to be carried out by the CSP); the CSP are not ‘fundamentally the same’ as the original in-house IT • where the CSP has terminated for cause, that the customer must activities, so that TUPE would not apply. For the reasons given below, pay all unpaid charges for the remainder of the term; and this could be a costly mistake. • where the customer has terminated for cause, that the CSP will There will, of course, be other questions about which of the cus- refund any prepaid charges for the remainder of the term. tomer’s staff members and how many of its IT workforce are in scope for TUPE, if it is likely to apply (see www.gov.uk/transfers-takeovers). 23 Identify any labour and employment law considerations that And it is worth reiterating that TUPE can apply equally to the sub- apply specifically to cloud computing in your jurisdiction. sequent move by the customer from one CSP to another, or back in- house to the customer, subject to the rules referred to above. There are none that apply specifically to cloud computing. In cloud computing arrangements, it is quite likely that the CSP However, depending on the cloud deployment model or ser- will be based outside the UK or that the cloud services will be provided vice model adopted and the circumstances of the migration to cloud from an offshore location. If there is an assigned workforce based in or the termination of the cloud service, cloud customers and CSPs Great Britain, TUPE can apply to such arrangements, even if the ser- should consider the application of the Transfer of Undertakings vice is provided from offshore. (Protection of Employment) Regulations 2006 (www.legislation.gov. In outsourcing transactions, because the application of TUPE is so uk/uksi/2006/246/contents/made), as amended by (among others) well settled in the UK, it has become customary for the customer and the Collective Redundancies and Transfer of Undertakings (Protection outsource provider to provide specifically and in some detail in the out- of Employment) (Amendment) Regulations 2014 (www.legislation. sourcing contract for the legal, regulatory and financial implications of gov.uk/uksi/2014/16/regulation/1/made#regulation-1-2) (together, TUPE – allocating duties, risk, costs and liabilities between them. In TUPE). TUPE implements in the UK the EU Acquired Rights Directive public and hybrid cloud contracts, the issue is often simply not consid- 2001/23/EC (ARD). ered and therefore is not provided for, probably because the parties do The application of the ARD and TUPE to, and their effect on, out- not expect that TUPE will apply to such cloud arrangements or because sourcing are now widely understood in relation to the UK, where the CSPs who are based outside the EU are unaware of the ARD and TUPE. government has expanded TUPE’s application to outsourced services For the reasons given above, neither CSPs nor their customers with the intention that TUPE should generally apply to outsourcing should assume that TUPE cannot or does not apply in relation to any of transactions. It is worth reiterating that TUPE is mandatory law: par- the cloud deployment models or service models. They should at least ties cannot ‘disapply’ or contract out of TUPE. consider the question and take advice accordingly. In broad terms, where TUPE does apply, it transfers automatically by operation of law the staff from one organisation to another. Taxation Their terms and conditions of employment and continuity of service are preserved, and there are other procedural and substantive protec- 24 Outline the taxation rules that apply to the establishment and tions for the staff before and after a ‘TUPE transfer’, for example pro- operation of cloud computing companies in your jurisdiction. tection against dismissal and changes to the transferring staff’s terms Consideration of the tax treatment of cloud computing will gener- and conditions of employment. There are also prescribed consultation ally be more complex than in the case of ‘terrestrial’, in-country-only, processes before any transfer (see generally www.acas.org.uk/index. IT services. This is because tax authorities and businesses alike are aspx?articleid=1655). Accordingly, if TUPE applies to a cloud comput- grappling with the tax implications of cloud computing. The first step ing arrangement (in which one of the key drivers is cost-reduction) the required is to correctly classify the underlying transaction in order to financial implications for both the cloud customer and more particu- ascertain the correct tax treatment. Individual elements within the larly the CSP may be significant and could undermine the economics scope of, and transactions comprising, the cloud services will need to of the arrangement. be analysed, in order to determine whether there is a transfer of prop- In the UK, the most relevant trigger for TUPE in the context of erty to the customer (ie, a sale, lease or licence of tangible property). If cloud computing will be where an in-house IT service ceases to be there is no such transfer then it is necessary to consider the tax rules in provided by the customer itself and is then provided by the CSP – or is respect of the provision of services, assuming that the cloud services www.gettingthedealthrough.com 91

Update and trends The single biggest challenge currently facing cloud computing in provided into Europe from the UK (particularly post-Brexit – see further the UK is compliance with the GDPR (see question 15). As noted in below). this chapter, this legislation imposes more extensive and stringent It goes without saying that Brexit could represent a challenge obligations on both controllers (typically, cloud customers) and to cloud computing services being provided between the UK and processors (typically, CSPs), reinforced by much more onerous financial Europe (potentially in both directions), mainly from the divergence penalties. Cloud services provided within the UK, or into the UK from in legal order between the UK and EU that could result over time (for a third country, will be directly impacted, and the cloud customer and example, if specific EU regulation of cloud computing is not mirrored CSP must address the specific GDPR compliance risks in the CSA. in the UK). In addition, although UK and EU data protection laws In contrast, the trend from within the EU in many areas of legal are currently aligned, the UK will become a third country for data competence is to seek further regulation, especially to protect the protection purposes after Brexit. An adequacy decision from the interests of consumers. There is a higher likelihood, therefore, that European Commission (or similar such mechanism agreed between the EU will sooner rather than later adopt a specific position on the the UK and EU27) will be needed if data flows (which are an essential regulation of cloud computing. This enhanced regulation may be part of cloud computing services) from the EU to the UK are to continue a result of new cloud-specific legislation, or it may emanate from a uninterrupted. European Court of Justice ruling on an aspect of cloud computing or a At the time of writing, there are no indications that the UK broader legal question that has relevance to CSAs. Whatever its source, government intends to enact any further legislation specifically any such enhanced EU regulation will impact cloud services being governing cloud computing.

are properly characterised as services (eg, data processing, an informa- Withholding taxes tion service or a communications service). Consideration will also need These may apply at the rate of 20 per cent to sales, services and (in broad to be given to the location of the CSP and its customers, to the source terms) income derived from annual payments, patent royalties and cer- of the payments, and also to whether the location of the servers from tain other payments arising from the exercise of intellectual property which the services are provided can give rise to taxation. rights paid by a UK resident company to a non-UK resident person who The approach to taxation will also depend on the operating model is not a corporate taxpayer, subject to reduction under an applicable of the supply chain of the cloud service, for example whether it is tax treaty. For example, withholding taxes may apply where in a CSP intra-group or there are external providers in the supply chain and, group structure, a non-UK, IPR-owning or licensor group company has if intra-group, whether the local CSP subsidiary performs sales and put in place intra-group IPR licensing arrangements and the UK-based marketing functions for another group company or delivers the cloud group CSP is required to remit payments to the non-UK licensor for the services directly to local customers. (For an invaluable guide see Ernst exploitation, licensing or distribution of that IPR. New legislation was & Young’s Worldwide Digital Tax Guide, www.ey.com/gl/en/services/ enacted in the UK in 2016 to address the abuse of double taxation trea- tax/ey-digital-tax-guide.) ties in this context. (See generally http://taxsummaries.pwc.com/ID/ The following is a high-level outline of the UK taxes that are likely United-Kingdom-Corporate-Withholding-taxes.) to be most relevant to cloud computing operations and the income The government has recently consulted on proposed legislation to derived from them. Readers – both CSPs and cloud customers – should extend the scope of withholding tax to royalties and similar payments seek specific advice on direct tax questions relating to UK cloud opera- made to a connected party in connection with profits derived from tions and service arrangements. And for tax and other fiscal incentives UK sales, regardless of whether the payer has a taxable presence in available for cloud computing businesses in the UK, see questions 6 the UK. The legislation will apply when such payments are made to an and 7. IPR-owning group company in a low or no tax jurisdiction in order to minimise the tax paid in the UK. It was proposed that these new rules Corporation tax and permanent establishment (PE) would have effect from April 2019. The outcome of the consultation is A company resident in the UK is subject to tax on the whole of its world- outstanding. wide profits wherever they arise. A non-resident company is liable to This new legislation is aimed at Internet-based businesses that corporation tax on profits attributable to a trade carried on in the UK derive substantial profits from the UK market, but do not have a tax- through a PE in the UK. In determining whether a PE exists, the UK able establishment in the UK to which value can be attributed for broadly adopts the OECD definition of PE. If a non-UK resident CSP tax purposes: https://assets.publishing.service.gov.uk/government/ has a fixed place of business in the UK through which some or all of its uploads/system/uploads/attachment_data/file/663889/Royalties_ business is conducted, or has an agent acting on its behalf, it may be Withholding_Tax_-_consultation.pdf. treated as having a PE in the UK and may be liable to UK corporation tax (currently 19 per cent but reducing to 17 per cent in April 2020). Will Taxing the digital economy the presence of cloud servers in the UK be decisive in the determina- The UK government is also considering a further extension to the scope tion of a PE? The HM Revenue & Customs (HMRC) approach is that of tax, recognising that, in the digital economy, there are new ways in the mere presence of a server or servers will not of itself create a PE. which profits are created. In March 2018, the government published However, if the CSP is providing hosting services and the UK servers an updated position paper, outlining proposals to ensure that digital are essential for that hosting, this may result in the existence of a PE. businesses are taxed in the jurisdiction(s) where their value is created. Ultimately, whether a server will create a PE will depend on the func- Specifically, the government is looking at digital business models, tionality of the server or servers as well as the business activities in the where value is actually created as a result of the active participation and UK. engagement of users of digital platforms. The business models that may be impacted by these proposals include online networks, social media UK diverted profits tax platforms, search engines, file-sharing platforms, and online content Introduced in 2015 to counter the use of aggressive tax planning tech- providers. Some of these operating and business models are likely niques by multinational enterprises to divert profits from the UK, this directly or indirectly to cover CSPs. Although the UK is participating in tax is also known as the ‘Google tax’. It is charged at 25 per cent when the OECD project, which is seeking a long-term solution to this issue, a foreign company artificially avoids having a UK taxable PE or when a the UK has indicated its willingness to adopt interim measures targeted UK company, or a foreign company with a UK PE, would benefit from at defined digital services revenues that can be attributed to UK users. a tax advantage (i.e. a reduced UK tax liability) through the use of group structures, entities or transactions that lack economic substance. 25 Outline the indirect taxes imposed in your jurisdiction that HMRC will consider various aspects of the structure, including the apply to the provision from within, or importing of cloud allocation of profits throughout the supply chain. (See generally www. computing services from outside, your jurisdiction. gov.uk/government/publications/diverted-profits-tax-guidance.) Again, readers – both CSPs and cloud customers – are advised to seek specific advice on indirect tax questions relating to UK cloud operations and service arrangements.

92 Getting the Deal Through – Cloud Computing 2019

The rules for applying VAT to electronically supplied services dif- Recent cases fer depending on whether the CSP and its customers are inside or out- 26 Identify and give details of any notable cases, or commercial, side the UK or the EU; whether the cloud services are for business or private, administrative or regulatory determinations within personal use; and if they are B2B supplies, whether they are ‘used and the past three years in your jurisdiction that have directly enjoyed’ within the UK, elsewhere in the EU, or outside it. involved cloud computing as a business model. A UK CSP will be expected to register and be liable to charge and account for VAT on the supply of cloud services delivered in the UK. Pippa Middleton and James Matthews v Person or persons unknown However, specific consideration should be given to CSP intra-group [2016] EWHC 2354 (QB) arrangements, particularly the structure of, and transactions under, The iCloud account of the sister of the Duchess of Cambridge had been those arrangements. Non-UK principals are not expected to be VAT- hacked, apparently resulting in the theft of some 3,000 images. Ms registered. For B2B cloud transactions supplied in the UK by a UK CSP Middleton and her then fiancé, Mr Matthews, had successfully applied value added tax (VAT) at the standard rate of 20 per cent will gener- for an interim privacy injunction against persons unknown to prevent ally be payable in respect of cloud services. Cloud customers will be the use, publication or disclosure of the stolen images. In this case, they expected to account themselves for VAT on payments for services pro- successfully applied for a continuation of the injunction and the exten- vided by non-UK based CSPs – the cloud customer should act as if it is sion of its scope to cover material and information from the iCloud both the supplier and the customer: it charges itself the VAT and then, account other than images, because Ms Middleton had good reason to assuming that the service relates to VAT taxable supplies that it makes, believe that all the information in her iCloud account had been hacked, it can claim the VAT back (so rendering the transaction VAT-neutral). not just her photographs. As reliance on iCloud and similar B2C storage In terms of the CSP, the service is disregarded, and it does not need services grows even more widely, such cases are likely to become more to account for any VAT. This is called the ‘reverse charge’ but is also frequent, especially where prominent personalities are involved. known as a ‘tax shift’. For B2C cloud transactions VAT at the standard rate of 20 per cent Skyscape Cloud Services Ltd v Sky Plc [2016] EWHC 1340 (IPEC) will generally be payable. A UK CSP will usually be registered and liable Skyscape supplied cloud services to UK public sector organisations to charge and account for VAT on the supply of cloud services in the under the G-Cloud scheme (see question 1). Sky Plc is a well-known UK. UK provider of broadcast and communications services (including an Non-UK CSPs providing cloud services to UK consumers should email service) under the trademark ‘SKY’. Sky Plc claimed trademark particularly note that the VAT rules for digital services (eg, webhost- infringement against Skyscape, the CSP, which sought a declaration of ing services, internet-streaming services, database storage, supplies of non-infringement (DNI) for its marks ‘SKYSCAPE’ and ‘SKYSCAPE software and software update services, and other electronically sup- CLOUD SERVICES’ as applied to its cloud services. The court found plied services) do not follow the standard place of supply rules. The that there was a likelihood that a significant part of the relevant public services are treated as supplied in the ‘place of residence of the con- and therefore the average consumer, seeing the sign SKYSCAPE used sumer’ (and not the place of residence of the supplier). VAT is payable, for an email service, would confuse it with yet another service offered on, and CSPs are VAT-accountable for, supplies of digital services to by Sky Plc. The DNI was refused. This case is mentioned because UK consumers, regardless of whether the CSPs are established in or of the apparent popularity of the word ‘sky’ in the branding of cloud outside the EU (www.gov.uk/government/publications/vat-supplying- services and the position of Sky Plc in the UK market, together with digital-services-to-private-consumers/vat-businesses-supplying-dig- its registered SKY trademarks. In the result, Skyscape was rebranded ital-services-to-private-consumers). Accordingly, a CSP established as UKCloud (www.theregister.co.uk/2016/07/28/skyscape_now_uk_ and operating outside the EU that sells digital services to UK consum- cloud/). Unless CSPs are willing to forgo the use of ‘sky’ in branding ers (and consumers in other EU member states) will be required either and marketing their cloud services in the UK, cases of this kind will to register for VAT in each EU member state where it has customers proliferate (see Sky Plc and others v SkyKick UK Ltd and another [2018] and comply with all local VAT rules, or to register for the EU’s VAT Mini EWHC 155 (Ch) http://www.bailii.org/ew/cases/EWHC/Ch/2018/155. One Stop Shop (MOSS) scheme in a single EU member state (which html; and also British Sky Broadcasting Group plc and others v Microsoft should rationalise the VAT accounting requirements). Corporation and another [2013] EWHC 1826 (Ch) below). Similar disputes have arisen about the use of the word ‘cloud’. For example, in Massive Bionics v EUIPO, www.bailii.org/eu/cases/EUECJ/2017/ T22316.html, the EU General Court partially upheld an opposition by Apple to the registration of ‘Dricloud’ for cloud services by Massive Bionics on the basis that this sign was similar overall to Apple’s own trademark ‘iCloud’ also covering cloud services.

Mark Lewis [email protected]

Adelaide House Tel: +44 203 400 1000 London Bridge Fax: +44 203 400 1111 London EC4R 9HA www.bclplaw.com United Kingdom

www.gettingthedealthrough.com 93

Majekodunmi v City Facilities Management UK Ltd and others Microsoft contested the validity of Sky’s UK SKY trademarks in [2015] UKEAT 0157_15_2509 their application to ‘goods and services pertaining to cloud storage’. It In this case, the UK Employment Appeal Tribunal (EAT) had to con- alleged that: sider whether the claimant had validly served his notice of appeal when the attachments containing his notice could only be accessed by a link ‘sky’ is a convenient and common word used by traders to describe to Dropbox, the cloud-based file-hosting service. The EAT rejected or allude to a cloud storage system (be that system a good or a ser- the claimant’s case, finding that sending a link to where a required vice) such that (a) it is incapable of distinguishing a cloud storage document is located online is not ‘serving’ or ‘attaching’ that docu- system of one undertaking from that of another, and (b) it should ment. While zip files are a valid form of service, in this case the EAT be kept free for use by all traders offering such systems. needed the internet to access the zip file location in the cloud. The file had therefore not ‘hit’ the EAT’s server as a standard attachment to Microsoft also claimed that the word ‘sky’ would be ‘recognized by the an email would. The EAT then had to decide whether the documents average consumer as descriptive of a characteristic of a cloud storage were effectively ‘attached’ to the email purporting to serve the required system, namely by indicating that the system is for the storage of data notice. It held that they were not, because all that had been provided remotely, being notionally in ‘the cloud’ or ‘the sky’’. Microsoft’s chal- was a link to another location where the documents could be found – lenge of invalidity was rejected. the documents themselves had not actually been attached. This is a sig- Aside from the linguistic and symbolic connections between ‘sky’ nificant decision for users of cloud-based file-hosting services such as and ‘the cloud’, the case is also interesting because of the judge’s tech- Dropbox. The case also contains an interesting legal consideration of nological comparison between broadband services and certain cloud the cloud storage and transmission technologies used. It will be worth services. He said: watching the development of court and tribunal rules in this regard. It seems to me that the evidence reveals that there is a close con- British Sky Broadcasting Group plc and others v Microsoft nection between file storage, management and sharing software Corporation and another [2013] EWHC 1826 (Ch) and the provision of broadband services, including the provision The court ruled that Microsoft’s ‘SkyDrive’ mark for cloud stor- of email services . . . Not all data storage providers are broadband age services infringed British Sky Broadcasting’s ‘SKY’ UK and (EU) providers but it seems to me that the evidence reveals that a sig- Community trademarks. The court’s decision was influenced by the nificant number of broadband providers also provide data storage fact that consumers were unable to discern any Microsoft connection to SkyDrive as a preloaded app on any device. This finding was sup- In 2014, Microsoft rebranded ‘SkyDrive’ as ‘OneDrive’ (www. ported by evidence that 17 British Sky Broadcasting (Sky) customers techrepublic.com/article/microsoft-renames-skydrive-to-more-con- had contacted Sky’s helpline, because they assumed (in actual confu- fusing-onedrive-amid-legal-complaint/). sion) that SkyDrive was a Sky-provided service.

94 Getting the Deal Through – Cloud Computing 2019

United States

Amy Farris, Manita Rawat and Matthew Mousley Duane Morris

Market overview which the US market constitutes a material portion – is expected to increase from US$67 billion in 2015 to US$162 billion in 2020. The US 1 What kinds of cloud computing transactions take place in your federal government is expected to exceed US$10 billion in spending for jurisdiction? cloud computing by 2023. All manner of cloud computing transactions take place in the United The largest players in public cloud offerings – particularly private States, including public, hybrid and private cloud models and software- data storage – are Amazon Web Services, Microsoft, IBM, Google, and as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as- Oracle. See: a-service (PaaS) models. There is a growing trend in both the private • www.zdnet.com/article/cloud-providers-ranking-2018-how-aws- and public sectors to utilise cloud offerings not only for the benefits of microsoft-google-cloud-platform-ibm-cloud-oracle-alibaba- such offerings over legacy models, but out of necessity, as a growing stack/; number of products and services procured by businesses and govern- • www.forbes.com/sites/louiscolumbus/2017/04/29/roundup-of- mental entities are being replaced by cloud-only offerings. cloud-computing-forecasts-2017/#6eb471b931e8; and The most common examples of public cloud offerings are service • www.marketresearchmedia.com/?p=145. providers who provide software applications (ie, SaaS) and data storage to the general public. By comparison, the most popular private cloud 5 Are data and studies on the impact of cloud computing in your offerings are IaaS, which permits a customer to access IT infrastructure jurisdiction publicly available? services as a service, and PaaS, which can include a variety of services There are many publicly available studies about the impact of from simple cloud-based applications to more sophisticated enter- cloud computing in the US. These studies indicate that the impact prise applications. As noted above, because cloud offerings have begun has been considerable and will continue to grow over the next five largely to replace legacy offerings, in practice, most customers imple- years. For instance, according to a cloud computing study by IDG ment and integrate public and private cloud offerings to create a hybrid Communications, 73 per cent of 550 surveyed organisations had at least cloud environment. one application or a portion of their computing infrastructure in the In addition to the considerable cloud offerings available to the pri- cloud; the average environment included 53 per cent non-cloud infra- vate sector in the US, there are a number of notable government plat- structure and 23 per cent SaaS, 16 per cent IaaS, and 9 per cent PaaS forms for cloud computing, including Amazon Web Services (AWS) resources; and more than a third of respondents felt pressure to migrate GovCloud and Microsoft Azure Government. These platforms address 100 per cent to the cloud (see www.idg.com/tools-for-marketers/2018- the specific regulatory and compliance requirements required by govcloud-computing-survey/ and www.infoworld.com/article/3297397/ ernment agencies and customers, including adherence to the US cloud-computing/cloud-computing-2018-how-enterprise-adoption- International Traffic in Arms Regulations requirements. See: is-taking-shape.html). As previously reported by Forbes, market intelli- • http://fortune.com/2016/09/02/us-government-embraces-cloud/; gence firm IDC has stated that cloud computing is growing at 4.5 times • www.wired.com/insights/2012/08/5-coolest-gov-cloud-projects/; the rate of IT spending since 2009 and is expected to grow at more than https://aws.amazon.com/govcloud-us/; six times the rate from 2015 to 2020 (www.salesforce.com/assets/pdf/ • https://azure.microsoft.com/en-us/global-infrastructure/govern- misc/IDC-salesforce-economy-study-2016.pdf). ment/; and As noted above, as cloud offerings are very rapidly becoming the • https://www.cio.gov/. default, legacy offerings such as on-premises solutions and traditional models of IT outsourcing are both less in demand and less available. 2 Who are the global international cloud providers active in your jurisdiction? Policy Generally speaking, all of them. The largest include AWS, Microsoft Azure, Google Cloud, IBM Cloud, and Salesforce.com; smaller provid- 6 Does government policy encourage the development of your ers (as measured by market share) include Rackspace, Oracle, NTT, jurisdiction as a cloud computing centre for the domestic Fujitsu, Alibaba and HP Enterprise. See www.zdnet.com/article/cloud- market or to provide cloud services to foreign customers? providers-ranking-2018-how-aws-microsoft-google-cloud-platform- Yes. Policy in this area tends to focus on moving government agen- ibm-cloud-oracle-alibaba-stack/. cies to cloud services. One example is the Cloud First Initiative, launched by former US government CIO Vivek Kundra, which aimed 3 Name the local cloud providers established and active in your to cut waste and increase efficiencies within the US federal govern- jurisdiction. What cloud services do they provide? ment’s technology services by reducing government IT expenditures Many of the ‘local’ cloud providers are the same as the global interna- by US$4 billion dollars over the next two years (www.wired.com/ tional cloud providers listed above. Although some global international insights/2012/08/5-coolest-gov-cloud-projects/). As one result of this cloud providers, such as Alibaba, do not have headquarters in the US, initiative, the General Services Administration, the federal govern- they typically have data centres and other operations in the US. ment’s procurement agency, has developed a number of resources to assist government agencies in procuring cloud services (www.gsa.gov/ 4 How well established is cloud computing? What is the size of portal/content/190333). The current administration has continued the cloud computing market in your jurisdiction? these efforts by working to implement the Modernizing Government Technology Act, which has, as one of its goals, transitioning legacy Cloud computing is very well established in the US. According to some IT systems to commercial cloud computing platforms, particularly projections, worldwide spending on public cloud offerings alone – of www.gettingthedealthrough.com 95

© Law Business Research 2018 UNITED STATES Duane Morris platforms serving more than one covered agency with common require- Portability and Accountability Act of 1996, Pub. L. 104-191; the ments (www.whitehouse.gov/wp-content/uploads/2017/11/M-18-12. Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338, codified in rel- pdf). And, in 2017, President Trump signed an Executive Order on evant part at 15 U.S.C. §§6801-6809 and §§6821-6827; and the Family cybersecurity mandating that federal systems move to the cloud (www. Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99. geekwire.com/2017/trump-cybersecurity-cloud/). Health Insurance Portability and Accountability Act (HIPAA) 7 Are there fiscal or customs incentives, development grants Under HIPAA’s Privacy Rule, an entity may not use or disclose pro- or other government incentives to promote cloud computing tected health information (PHI) except as permitted or required operations in your jurisdiction? by the Rule, or as authorised in writing by the individual affected. In addition to the policies discussed generally above, certain develop- HIPAA’s Security Rule complements the Privacy Rule and deals spe- ment and government grants and other incentives promote technologi- cifically with Electronic PHI. This Rule lays out three types of security cal investment, which increasingly means cloud services as a default. safeguards required for compliance: administrative, physical and tech- For example, the US federal government’s Centers for Medicare & nical. The Rule identifies various security standards for each of these Medicaid Services established Medicare and Medicaid Electronic types. Required specifications must be adopted and administered as Health Record (EHR) Incentive Programs to encourage eligible dictated by the Rule. The HITECH Act provisions are also applicable as healthcare providers to adopt, implement, upgrade, and demonstrate they have expanded and enhanced HIPAA privacy and security rules. meaningful use of certified EHR technology. The availability of these Further, any HIPAA-covered entity would first have to negotiate ‘meaningful use monies’ has spurned a lot of spending on EHR sys- and enter into a business associate agreement with a cloud provider tems, which nearly always involve some cloud computing components. before the cloud provider could store records containing PHI in a cloud computing facility as such cloud providers would be ‘business associ- Legislation and regulation ates’ under HIPAA. In some cases, HIPAA’s substantive requirements could conflict with the cloud provider’s operations or terms of service, 8 Is cloud computing specifically recognised and provided for and a covered entity would risk a HIPAA violation by using such a pro- in your legal system? If so, how? vider to store or process PHI. From a legal perspective, cloud computing is principally dealt with in commercial contracts and, therefore, governed by contract law, which The Gramm-Leach-Bliley Act (GLBA) is generally a matter of state law (as opposed to federal law) in the US. For entities subject to the GLBA, the use of a cloud provider would Additionally, cloud computing implicates numerous federal and state be subject to similar restrictions. The GLBA’s Privacy and Safeguards laws drawn to specific related topics or issues, including data security Rules restrict financial institutions from disclosing consumers’ non- laws, data breach and notification laws, data transfer laws and various public personal information to non-affiliated third parties. Any such data-specific regulations, like those addressing the processing, storage disclosures that are permitted under the GLBA are subject to numerous and use of healthcare information, financial transaction information restrictions under both the Privacy Rule and Safeguards Rule. Pursuant and other confidential information. These laws are addressed in more to the Privacy Rule, prior to disclosing consumer personal information detail in the sections below. to a service provider, a financial institution must enter into a contract with the service provider prohibiting the service provider from disclos- 9 Does legislation or regulation directly and specifically ing or using the information other than to carry out the purposes for prohibit, restrict or otherwise govern cloud computing, in or which the information was disclosed. Under the Safeguards Rule, prior outside your jurisdiction? to allowing a service provider access to customer personal information, We are not aware of any laws or regulations that ‘directly and specifi- the financial institution must: (i) take reasonable steps to ensure that cally prohibit, restrict or govern’ cloud computing. However, there are the service provider is capable of maintaining appropriate safeguards numerous federal and state laws that indirectly impact cloud comput- (ie, the entity must undertake appropriate due diligence with respect to ing services, as discussed further below. the service provider’s data security practices); and (ii) require the service provider by contract to implement and maintain such safeguards. 10 What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your Family Educational Rights and Privacy Act (FERPA) jurisdiction? FERPA is a federal law that protects student personally identifying information collected by educational institutions and associated ven- While we are not aware of any laws or regulations specifically address- dors. These institutions must have the student’s consent prior to dis- ing cloud computing per se, there are numerous federal and state laws closure of personal data, including grades, enrolment status or billing that indirectly impact cloud computing services. information. FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records; rather, FERPA State privacy laws requires schools to use reasonable methods to ensure the security of Generalised data privacy and data breach notification laws in the US are their IT solutions, which includes cloud providers. generally a matter of state law (as opposed to federal law). All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands Also, although not a US law, the EU’s General Data Protection now have specific breach notification laws (www.ncsl.org/research/ Regulation is commonly interpreted to have a significant effect on the telecommunications-and-information-technology/security-breach- operations of US entities and interests, which effect often implicates notification-laws.aspx). These laws differ in significant respects as to use of cloud computing resources to collect, process, and store personal how and when notification requirements are triggered, and whether information (www.businesswire.com/news/home/20180815005111/ and how cloud computing is implemented in any given scenario affects en/Gartner-Survey-Cloud-Computing-Remains-Top-Emerging). how these laws are applied to determine parties’ rights and obligations. In addition to official laws and regulations, there are certain industry standards implicated by cloud computing that are so commonly Federal privacy laws adopted and implemented that they are treated effectively as official There is no comprehensive US federal law regarding generalised data regulations would be in a commercial transaction. For example, the privacy or security or data breach notification. Instead, there are vari- Payment Card Industry Data Security Standard (PCI DSS), which is ous sectoral federal laws imposing regulation on data security for cer- referenced as a standard by some state laws, was jointly developed by tain types of information, including information that is often stored in payment card companies to simplify compliance for merchants and the cloud. payment processors. It has six core areas and 12 requirements that Certain US regulatory frameworks require data owners to ensure cover best practices for, for example, perimeter security, data privacy that their third-party service providers are capable of maintaining the and layered security. As a practical matter, any cloud-based application privacy and security of personal information entrusted to them. This that processes payment card transactions typically must comply with is typically accomplished through the use of contractual provisions PCI DSS. mandating particular security measures. Three federal privacy laws that restrict the activities of service providers are the Health Insurance

96 Getting the Deal Through – Cloud Computing 2019

11 What are the consequences for breach of the laws directly which, among other things, require online services to post a privacy or indirectly prohibiting, restricting or otherwise governing policy; cloud computing? • the California Shine the Light law, which, among other things, Violation of the laws and regulations identified above are typically addresses the practice of sharing personal information of consum- addressed by fines and penalties, which can be significant, particularly ers for marketing purposes; if tallied on a per violation basis across any appreciable volume of busi- • the Massachusetts Standards for the Protection of Personal ness. For example, violations of HIPAA’s data security provisions can Information of Residents of the Commonwealth, which, among range from US$100 per violation for an unknowing violation to fines other things, provides security requirements for organisations that of US$250,000 per violation and imprisonment up to 10 years for the handle private data of payment card residents; intent to sell, transfer or use individually identifiable health information • Illinois and Texas laws governing the collection and use of biomet- for commercial advantage, personal gain or malicious harm. See: ric data; and • www.hhs.gov/hipaa/for-professionals/compliance-enforcement/ • the Illinois Geolocation Privacy Protection Act. index.html; and • www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/ Additionally, the California legislature passed a broad digital privacy index.html. law in 2018 as the first US law approaching generalised data regulation similar to that seen in the EU. This law is not set to go into effect until 12 What consumer protection measures apply to cloud January 2020 and is expected to be modified before then, but it is likely computing in your jurisdiction? to significantly change the landscape for generalised data regulation in the US (www.nytimes.com/2018/06/28/technology/california-online- We are not aware of any consumer protection measures specific to cloud privacy-law.html). computing, but general consumer protection measures could apply to cloud computing products and services (eg, cooling-off periods, implied Cloud computing contracts warranties covering quality and performance, restrictions on excluding and limiting liability, dispute resolution and venue for proceedings 16 What forms of cloud computing contract are usually adopted in the consumer’s jurisdiction, governing law and other mandatory or in your jurisdiction, including cloud provider supply chains (if overriding local laws for the benefit of the consumer). These protections applicable)? are typically a matter of state (as opposed to federal) contract and con- Cloud computing contracts typically manifest in different forms and sumer protection laws and enforcement actions and initiatives of state draw on different legacy contracts and precedents depending on the attorneys general (ie, the chief lawyers and law enforcement officers in particular vendor, offering and customer. For example, cloud comput- each state) and vary from state to state. ing contracts can resemble legacy software licence agreements, legacy At the federal level, consumer protection generally is handled by managed services or hosting agreements, and limited purpose out- the Federal Trade Commission (FTC). The FTC has broad jurisdiction sourcing agreements. As cloud services become more and more com- to regulate unfair or deceptive acts or practices in or affecting com- moditised, cloud computing contracts are increasingly being presented merce. In the area of cloud computing, the FTC is most concerned with by vendors as click-wrap agreements that are little- to non-negotiable issues of privacy and security of consumer data. agreements or as otherwise negotiable agreements that have significant portions that are designated as non-negotiable (eg, links to click- 13 Describe any sector-specific legislation or regulation that wrap maintenance, warranty, service level, acceptable use and privacy applies to cloud computing transactions in your jurisdiction. terms). As discussed in more detail above, relevant federal laws in particular tend to be sector-specific: the GLBA and PCI DSS are relevant to the 17 What are the typical terms of a B2B public cloud computing financial sector, HIPAA and HITECH are relevant to the healthcare sec- contract in your jurisdiction covering governing law, tor, and FERPA is relevant to the education sector. jurisdiction, enforceability and cross-border issues, and dispute resolution? 14 Outline the insolvency laws that apply generally or specifically Governing law in relation to cloud computing. It is common practice in the US to choose as the governing law of a B2B We are not aware of any insolvency laws that apply specially to cloud public cloud contract the law of the state where one of the parties is computing. In practice, the issues that typically arise in this context are located, typically the vendor (ie, where the party is headquartered or has whether and to what extent data held on third-party servers are ‘assets’ a principal place of business). The governing law provision typically also of a debtor subject to the automatic stay that generally halts actions by includes a specific statement that the named state’s choice of law prin- creditors to collect debts from the debtor. For example, different ques- ciples should not apply. This statement is important because one state’s tions arise when a cloud service provider files for bankruptcy (eg, is choice of law principles may mandate application of another state’s laws third-party data held on its servers part of the bankruptcy estate or how under the circumstances, which would subvert the intent of choosing does the third party who owns the data recover it) versus when a data the state’s law to apply. Also, it is common to include an express state- owner files for bankruptcy (eg, can a non-debtor cloud service provider ment that the UN Convention on Contracts does not apply, usually delete or alter the debtor’s data unilaterally or does it need relief from because the parties are more familiar and comfortable with US case the bankruptcy court to do so?). law. As an alternative to the law of the state where one of the parties is located, the parties may choose a neutral state’s law to apply. Common Data protection/privacy legislation and regulation choices for a neutral state with significant commercial contract case law include New York and Delaware. 15 Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction. Jurisdiction As discussed above, at the federal level, data protection and privacy It is common practice in the US to choose a specific city or county legislation is addressed sectorally, by laws such as HIPAA, GLBA and located within the state that was chosen for the governing law as having FERPA. Additionally, the Children’s Online Privacy Protection Act exclusive jurisdiction over a dispute relating to the contract. is a federal law enforced by the FTC that governs the online collection of information from children under the age of 13. See www.ftc. Enforceability/cross-border issues gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/ In cloud computing contracts, there are a number of cross-border childrens-online-privacy-protection-rule. issues, particularly relating to data protection laws. State laws typically address data protection and privacy more generally, with laws varying from state to state. As noted above, many states Dispute resolution have data breach notification laws. Other relevant state laws include Dispute resolution tends to include some mechanism for internal • the California Online Privacy Protection Act, Delaware Online dispute resolution, which may be pro forma or more meaningful, fol- Privacy and Protection Act, and the Nevada online policy law, lowed by either arbitration or litigation. Whether the parties agree www.gettingthedealthrough.com 97

© Law Business Research 2018 UNITED STATES Duane Morris on arbitration or litigation depends on the parties’ experiences and Data integrity preferences. Customers typically request an express statement that they own all their data and are only granting the cloud provider the right to access, 18 What are the typical terms of a B2B public cloud computing use or manipulate the data as required to provide the cloud service. contract in your jurisdiction covering material terms, such Cloud providers often want to have rights to aggregate and use custom- as commercial terms of service and acceptable use, and ers’ data; this is a point of negotiation in some cases. variation? Price/payment Data preservation Typically there are subscription fees for the cloud service that are Customers typically want their data backed up by the cloud provider, invoiced monthly. Certain professional services may be offered and with visibility into the process and geography implicated by the back- are typically billed as a fixed fee or on a time and materials basis. up, and commitments (ie, warranties) regarding frequency, recovery Professional services could include implementation, integration, train- point objective, recovery time objective and periodic restoration testing, support, enhanced maintenance (beyond that covered by the sub- ing. Typically, upon termination of the agreement, cloud providers scription fees), customisation or data analysis. are obligated to promptly return all data to the customer, in an agreed- upon format (preferably a standard format) or to certify destruction in Audits writing after return of the data and confirmation by the customer that Cloud agreements generally contain audit provisions to ensure compli- the data are accessible. ance with billing or payment obligations. However, audits may also be directed to other issues, such as regulatory and compliance, quality, and Premises and data security security. The audit provision typically specifies parameters and limita- This can vary widely. For data centres, customers look for electrical tions for the audit (eg, during business hours, once per year), use of a sources and generator backups, cooling, humidity and temperature third-party professional, such as an accountant, confidentiality and lim- controls, internet connectivity, physical security (video cameras, locks ited use of results of an audit. and access badges, escorted visitors, security personnel stationed there), information security (firewalls, passwords, encryption, etc), Insurance maintenance and redundancy. Usually require third-party security Either party (most commonly the vendor) or, in some cases, both par- audits such as SOC2 or SOC3. ties may be required to obtain and maintain specified levels of insurance during the term of the agreement (eg, commercial general liability, Data disclosure errors and omissions) and cyber insurance that specifically covers a data Data disclosure is typically limited only to employees or agents who breach. These provisions typically require the other party to be provided have a ‘need to know’ for the purpose of the agreement and who have with a certificate of insurance or the actual policy (to confirm scope of signed a confidentiality agreement or are bound by professional obliga- coverage) and to be named as an additional insured. tions of confidentiality. Disclosures may only be made if required by law (subpoena, court Acceptable use order, etc) so long as the party that received the data provides notice to Typical acceptable use restrictions include: and cooperates with the party that disclosed the data to the receiving • personnel limitation can only be used by customer and customer’s party so that the disclosing party can seek to fight the disclosure. employees, and whether or not affiliates or subcontractors are included is negotiated; Location of servers and data • maximum number of users; Customers typically want the data to stay in their jurisdiction (ie, stay • no reverse engineering; inside the US) and commonly vendors will not be able to move the • internal business purposes only; location of servers or data without prior written approval from the • no modifying or creating derivative works; customer. • no interference with use of the platform by other users; • no testing the platform for vulnerabilities, regardless of motive; Cross-border data transfers • no use that infringes or violates the rights of third parties (eg, intel- There are numerous laws and mechanisms governing cross-border lectual property or privacy rights); data transfers. The most recent is the EU–US Privacy Shield. • no use for an unlawful purpose; • no use to harass, defame or abuse a third party; and 20 What are the typical terms of a B2B public cloud computing • no posting of obscene, profane, sexually explicit, violent, threaten- contract in your jurisdiction covering liability, warranties and ing or discriminatory content. provision of service? Representations and warranties Often the cloud provider will include as a remedy its ability to suspend Typical representations and warranties in a cloud computing contract or terminate the service for any breach of the acceptable use restrictions. fall into three categories: ability to enter or perform the agreement generally, service-related and software-related. 19 What are the typical terms of a B2B public cloud computing The first category of representations and warranties is directed to contract in your jurisdiction covering data and confidentiality the parties stating that they have the ability to enter into the agreement, considerations? they have all the rights necessary to grant the rights granted therein, Data and confidentiality (generally) they aren’t under any pre-existing agreement that would limit their Most cloud computing contracts include mutual confidentiality provi- ability to perform this agreement, they will not enter into any agree- sions. The definition of confidential information is categorical, but may ment that would limit their ability to perform this agreement, and they include specific items each party wants to protect as confidential infor- will comply with all applicable laws (including data breach notification mation (eg, the customer’s data). Obligations of confidentiality typically laws). survive termination or expiration of the agreement, and it is not uncom- The second category of representations and warranties target the mon for this survival to have a sunset (eg, five years after termination performance of services under the agreement. Generally, the vendor or expiration), with or without express carve-outs for trade secrets. In is required to represent and warrant that it will perform all services in recent practice, the US federal Defend Trade Secrets Act requires cer- a good and workmanlike manner, with qualified personnel having the tain language to be included in agreements to make clear that indi- skill required of the industry, it will replace any unsatisfactory person- viduals may share confidential information with attorneys or with law nel (if applicable) and re-perform any unsatisfactory services, and it enforcement in connection with whistle-blowing activities. Because will use its established, industry-standard methodologies to provide this language must be included to preserve certain remedies in the services. The vendor may also expressly warrant that it will meet its event of a trade secret claim later, this language is more and more often service levels. being added to agreements that include confidentiality provisions. The third category of representations and warranties target the software components of the cloud service. Typically the vendor will

98 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 Duane Morris UNITED STATES represent and warrant that there is no malicious code or virus within the cloud software, and that the software itself (and use of it) does not Update and trends violate any third-party intellectual property right (eg, patents and copy- rights). Open source representations and warranties may be appropri- The main challenges facing cloud computing in the US are the same as those faced by jurisdictions worldwide. Adoption of ate or not depending on the offering. cloud computing offerings in replacement of legacy resources will continue in view of the favourable economies for both vendors and Limitation of liability customers. Data privacy and protection issues, both in terms of The limitation of liability provision is closely connected to the indemni- practical implementation and legal compliance, will remain among fication provisions and addresses qualitative limits on type of damages the most significant issues related to cloud computing. and quantitative limits on amount of damages. The limit on type of The California legislature passed a broad digital privacy law damages typically excludes indirect, consequential, special, incidental in 2018 as the first US law approaching generalised data regulation and punitive damages and may expressly exclude lost revenues or prof- similar to that seen in the EU. This law is not set to go into effect until January 2020 and is expected to be modified before then, but its, loss of use and loss of data. The limit on amount of damages can be it is likely to significantly change the landscape for generalised data set at a specific number or it can scale (eg, with reference to the amount regulation in the US (www.nytimes.com/2018/06/28/technology/ paid or payable under the agreement (or some multiple thereof)) over california-online-privacy-law.html). a certain period of time. Typically, when the quantitative limitation of liability references amounts paid or payable over some period of time, there is also some reasonable floor to cover a significant liability in the 21 What are the typical terms of a B2B public cloud computing early part of the contract term when payments have not accrued suf- contract in your jurisdiction covering intellectual property ficiently to cover such a liability. rights (IPR) ownership in content and the consequences of Often there are exceptions to the limitations of liability for specific infringement of third-party rights? items, such as breach of an obligation of confidentiality or data security or privacy, indemnification obligations, misuse of intellectual property, IP ownership bodily injury (including death) and injury to personal or real property Typically, the cloud vendor owns the software underlying the cloud (not unusual to see, but less likely to be relevant in a cloud computing computing services and any software the vendor makes available for agreement), fraud, gross negligence or wilful misconduct. The parties direct use by the customer. The customer typically owns all its data and typically will spend a lot of time negotiating the limit on liability excep- provides a licence right to the cloud vendor to access and use the data as tions. An alternative is to set a separate (often higher) limit for these needed to provide the service. items (rather than excepting them from any limitation of liability). If there is any development work or customisation work, the parties typically negotiate ownership rights. Typically, the customer will Indemnification own all right, title, and interest in and to all work product created under The indemnification provision typically includes an obligation to the agreement specifically for the customer, and the vendor will name indemnify and hold the other party harmless for certain enumerated the customer as ‘the person for whom the work is prepared’ and desig- circumstances. Often the indemnification provision includes an obli- nate the work product as a ‘work made for hire’. The vendor should also gation to defend, though this depends on the offering and the parties. assign all of its right, title, and interest in and to such work product to Indemnified parties are typically defined to include the parties to the customer, in case any work product does not meet statutory require- the agreement, their affiliates and their directors, officers, employees ments to be a ‘work made for hire’, and provide further assurances and successors. This list can be expanded to include subcontractors, from itself and its employees as necessary to vest ownership rights in suppliers, and customers, under certain circumstances. customer. Typically, the vendor will also give a licence to any of its back- The items for which a party (typically the vendor, but in some cir- ground technology that is used in the work product. cumstances the customer) has an indemnification obligation in cloud computing contracts typically include: IP infringement • breach of the agreement (or, more specifically, breach of a repre- As discussed above, IP infringement is typically addressed via a representation or warranty); sentation and warranty that there is no infringement or by an indemni- • IP infringement claims; fication obligation for third-party IP infringement claims. • tort actions (ie, bodily injury, death or damage to personal property) due to acts or omissions of a party; 22 What are the typical terms of a B2B public cloud computing • fraud, gross negligence and wilful misconduct; contract in your jurisdiction covering termination? • breach of confidentiality; Termination for cause • breach of data security provisions or data breach; and There is typically a mutual right of termination for cause (ie, for a mate- • violation of law. rial breach of the agreement by the other party that has not been cured Also addressed in the indemnification provision is the procedure for for a certain period of time since notice of the material breach, eg, 30 obtaining indemnification, including terms for notice, cooperation and days). The parties may specifically identify certain breaches that are the right to participate in the defence. deemed material breaches in order to forgo any dispute over materiality later. For example, the customer may seek an express termination right Service-level agreements (SLAs) if the vendor catastrophically fails to meet an availability SLA. SLAs typically address availability (uptime), latency, incident response times and work levels until resolution, and backup and restoration Termination for convenience procedures. Often the customer will want a termination for convenience clause, The single most common SLA is availability, and some vendors, if which allows the customer to terminate the agreement at any time and they offer any SLAs, will offer only an availability SLA. It is common for for any reason, upon written notice to the vendor. A termination for con- a vendor to qualify an availability SLA with a commitment to use ‘com- venience right can greatly help to mitigate a customer’s risk in a con- mercially reasonable efforts’ to achieve a stated availability (though this tract. Vendors very commonly object to a customer’s right to terminate is often objected to by the customer). The availability SLA commonly for convenience. Often, for a vendor to accept a customer’s right to ter- has exclusions for scheduled and emergency maintenance and force minate for convenience, there is typically a liquidated damages term (ie, majeure events, and specific notice and reporting to customer in prepa- an early termination fee). The amount of the fee varies. ration for downtime. Customers will want vendors to self-monitor and Survival of terms report compliance with SLAs to the customer, whereas the vendor will The parties typically stipulate which provisions survive termination want customers to have to monitor (or ‘feel’) and report suspected SLA of the agreement. Often, the parties want terms for confidentiality, IP failures to the vendor. ownership, dispute resolution, limitations on liability and indemnifica- Often the remedy for a breach of an SLA will be limited to the ven- tion to survive termination. dor providing a service credit to customers.

www.gettingthedealthrough.com 99

Transition services 25 Outline the indirect taxes imposed in your jurisdiction that The customer typically will seek some level of transition services upon apply to the provision from within, or importing of cloud expiration or termination of the agreement, which typically includes computing services from outside, your jurisdiction. an extension of cloud services for a set time after termination, such as See question 24. 30–90 days, so that the customer will still have access to the cloud solution while it transitions to a replacement provider. Transition services Recent cases typically also include a provision that the vendor will cooperate as necessary with the replacement provider in order to assist with the transfer 26 Identify and give details of any notable cases, or commercial, of the customer’s data and operations. private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly Effect of termination involved cloud computing as a business model. The parties typically include in an ‘effect of termination’ provision The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) (H.R. terms that require the return or deletion of all data and confidential 4943) was enacted on 23 March 2018. The CLOUD Act amends the information of the other party, and transfer of all deliverables, whether Stored Communications Act of 1986 (SCA) to allow federal law enforce- complete or in progress, from the vendor to the customer. ment to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether 23 Identify any labour and employment law considerations that the data are stored in the US or foreign jurisdictions. apply specifically to cloud computing in your jurisdiction. One of the motivating forces behind the CLOUD Act was United There is typically a provision that states that the parties are independent States v Microsoft Corp. In that case, federal law enforcement agents contractors and not in an employment or joint venture relationship, with applied for a warrant requiring Microsoft to disclose all emails and an express statement that neither party has the ability to bind the other other information associated with the account of one of its customers. party. Less common is a provision that distinguishes between working Microsoft resisted the warrant because the account’s email contents hours and non-working hours for non-exempt employees under the Fair were stored in its Dublin data centre. The district court held Microsoft Labor Standards Act. in civil contempt for refusing to comply with the warrant, but the appellate court vacated the civil contempt. The case was on appeal to the Taxation Supreme Court of the United States when the CLOUD Act was passed. With the enactment of the CLOUD Act, the government procured and 24 Outline the taxation rules that apply to the establishment and served a new warrant pursuant to the new law, which the parties agreed operation of cloud computing companies in your jurisdiction. replaced the original contested warrant. This replacement warrant In general, taxation is divided into income tax issues, gross receipt tax rendered the parties’ dispute moot, so the Court vacated the ruling on issues and sales tax issues. As applied to taxation of cloud computing review and remanded the case with instructions to dismiss. See United offerings, the nexus for each category of issues may be different, and States v Microsoft Corp, 138 S. Ct. 1186 (2018). how to calculate the tax impact of a certain offering varies for the type On 6 June 2018, IBM Corp and SAP SE announced plans to launch of tax and the tax authority involved. For example, as a sales tax, a city an edition of the SAP Cloud Platform running on the IBM Cloud for such as Chicago might tax cloud usage depending on the type of usage private cloud deployments. The companies said the collaboration by classifying it as a remote taxable lease, whereas a city such as New would help clients in regulated industries build new applications in the York might classify certain cloud usage as a non-taxable service, certain cloud without jeopardising security and control (www.ibm.com/blogs/ cloud usage as a taxable remote lease and other cloud usage as a taxable cloud-computing/2018/06/06/ibm-sap-cloud-partnership/). information service. On 27 August 2018, Amazon and VMware introduced a version of Some of the considerations that affect these issues include the own- Amazon’s cloud-based database management software aimed at com- ership of intellectual property in the cloud; the locations of the vendor panies that use on-premises data centres. Amazon and VMware started and the customer; different tax authority definitions applicable to the working together on a combination of cloud and on-premises technol- cloud offering or the business model under which the offering is made; ogy in October 2016. how much of the offering can be characterised as a service versus tangible personal property; how much of the offering can be characterised as software versus goods and services; and whether implicated software is off-the-shelf versus customised.

Amy Farris [email protected] Manita Rawat [email protected] Matthew Mousley [email protected]

30 South 17th Street 2475 Hanover Street Philadelphia, PA 19103-4196 Palo Alto United States California, CA 94304 Tel: +1 215 979 1000 United States Tel: +1 650 847 4150 www.duanemorris.com

100 Getting the Deal Through – Cloud Computing 2019

www.gettingthedealthrough.com 101

102 Getting the Deal Through – Cloud Computing 2019

www.gettingthedealthrough.com 103

104 Getting the Deal Through – Cloud Computing 2019

© Law Business Research 2018 GETTING THE DEAL THROUGH Cloud Computing 2019 Private Antitrust Litigation Private Management & Wealth Banking Private ClientPrivate EquityPrivate Private M&A Product Liability Product Recall Project Finance Public M&A Partnerships Public-Private Public Procurement Rail Transport EstateReal M&A Estate Real Energy Renewable Restructuring & Insolvency Right of Publicity Risk Management & Compliance Securities Finance Securities Litigation Activism & Engagement Shareholder Ship Finance Shipbuilding Shipping Immunity Sovereign AidState Structured & Securitisation Finance Controversy Tax on Inbound Investment Tax & Media Telecoms & CustomsTrade Trademarks Pricing Transfer Agreements Vertical 2018 Research Business Law © Environment & Climate Regulation & Climate Environment Derivatives Equity Benefits & Employee Compensation Executive Financial Services Compliance Financial Services Litigation Fintech Review Investment Foreign Franchise Fund Management Gaming Regulation Gas Investigations Government Relations Government & Litigation Enforcement Healthcare Debt High-Yield Initial Public Offerings & Reinsurance Insurance Litigation Insurance PropertyIntellectual & Antitrust Arbitration Treaty Investment & Markets Finance Islamic Ventures Joint Labour & Employment Secrecy & Professional Privilege Legal Licensing SciencesLife Loans & Secured Financing Mediation Control Merger Mining RegulationOil Outsourcing Patents Plans & Retirement Pensions AntitrustPharmaceutical Ports & Terminals

ISBN 978-1-78915-001-8ISBN

www.gettingthedealthrough.com Online Also available digitally available Also Acquisition FinanceAcquisition & Marketing Advertising Agribusiness Air Transport Anti-Corruption Regulation Laundering Anti-Money Appeals Arbitration Art Law Asset Recovery Automotive & Leasing Finance Aviation Liability Aviation RegulationBanking Cartel Regulation Actions Class Cloud Computing Contracts Commercial Competition Compliance Litigation Commercial Complex Construction Copyright GovernanceCorporate ImmigrationCorporate Reorganisations Corporate Cybersecurity & Privacy Protection Data Capital Markets Debt Resolution Dispute & Agency Distribution Domains & Domain Names Dominance e-Commerce Regulation Electricity Disputes Energy Judgments ofEnforcement Foreign Getting the Deal Through Deal the Getting