Cloud Computing

2020

Contributing editor
Mark Lewis

© Law Business Research 2019

Publisher
Tom Barnes

Cloud Computing
[email protected]

Subscriptions
Claire Bagnall

2020
[email protected]

Senior business development managers

Adam Sargent
[email protected]

Dan White
[email protected] Contributing editor
Published by
Law Business Research Ltd
Mark Lewis
Meridian House Bryan Cave Leighton Paisner LLP
34–35 Farringdon Street
London, EC4A 4HL
United Kingdom

The information provided in this publication Lexology Getting The Deal Through is delighted to publish the third edition of Cloud Computing,
is general and may not apply in a specific which is available in print and online at www.lexology.com/gtdt.
situation. Legal advice should always
Lexology Getting The Deal Through provides international expert analysis in key areas of
be sought before taking any legal action
law, practice and regulation for corporate counsel, cross-border legal practitioners, and company
based on the information provided. This
directors and officers.
information is not intended to create, nor
Throughout this edition, and following the unique Lexology Getting The Deal Through format,
does receipt of it constitute, a lawyer–
the same key questions are answered by leading practitioners in each of the jurisdictions featured.
client relationship. The publishers and
Our coverage this year includes a new chapter on Austria.
authors accept no responsibility for any
acts or omissions contained herein. The
Lexology Getting The Deal Through titles are published annually in print. Please ensure you
information provided was verified between are referring to the latest edition or to the online version at www.lexology.com/gtdt.
September and October 2019. Be advised Every effort has been made to cover all matters of concern to readers. However, specific
that this is a developing area. legal advice should always be sought from experienced local advisers.
Lexology Getting The Deal Through gratefully acknowledges the efforts of all the contributors
© Law Business Research Ltd 2019 to this volume, who were chosen for their recognised expertise. We also extend special thanks to
No photocopying without a CLA licence. the contributing editor Mark Lewis of Bryan Cave Leighton Paisner LLP, for his continued assis-
First published 2017 tance with this volume.
Third edition
ISBN 978-1-83862-164-3

Printed and distributed by

Encompass Print Solutions
Tel: 0844 2480 112
London
October 2019

Reproduced with permission from Law Business Research Ltd 

This article was first published in November 2019
For further information please contact [email protected]

www.lexology.com/gtdt 1
© Law Business Research 2019
 Contents

Global overview 3 India52

Mark Lewis Samuel Mani and Rosa Thomas
Bryan Cave Leighton Paisner LLP Mani Chengappa & Mathur

Argentina5 Japan57
Diego Fernández Atsushi Okada and Hideaki Kuwahara
Marval, O’Farrell & Mairal Mori Hamada & Matsumoto

Austria12 Korea62
Árpád Geréd Young-Hee Jo, Seungmin Jasmine Jung and Youngju Kim
Maybach Görg Lenneis Geréd Rechtsanwälte GmbH LAB Partners

Bangladesh18 Sweden68
Sharif Bhuiyan and Maherin Khan Peter Nordbeck and Dahae Roland
Dr Kamal Hossain and Associates Advokatfirman Delphi

Belgium22 Switzerland74
Edwin Jacobs, Stefan Van Camp and Bernd Fiten Jonas Bornhauser
Timelex Bär & Karrer Ltd

Brazil30 United Kingdom 79

José Mauro Decoussau Machado, Ana Carpinetti and Mark Lewis
Gustavo Gonçalves Ferrer Bryan Cave Leighton Paisner LLP
Pinheiro Neto Advogados
United States 95
France37 Amy Farris, Manita Rawat and Matthew Mousley
Olivier de Courcel and Stéphanie Foulgoc Féral-Schuhl/Sainte-Marie Duane Morris
Alain Recoules Arsene Taxand

Germany46
Viola Bensinger and Laura Zentner
Greenberg Traurig Germany, LLP

2 Cloud Computing 2020

© Law Business Research 2019
Global overview
Mark Lewis
Bryan Cave Leighton Paisner LLP

It took from November 2009 to September 2011 and 15 drafts for the US the cloud infrastructure . . . provisioned for open use by the
National Institute of Standards and Technology (NIST) to produce its final general public. It may be owned, managed, and operated by a
definition of cloud computing. (For the short story of that journey, see business, academic, or government organisation, or some combi-
www.nist.gov/news-events/news/2011/10/final-version-nist-cloud- nation of them. It exists on the premises of the cloud provider.
computing-definition-published, and for the final version of the definition, (NIST definition, page 3)
see The NIST Definition of Cloud Computing, Recommendations of the
National Institute of Standards and Technology, Peter Mell and Timothy It is the cloud model for which the most extensive claims are made in
Grance, Special Publication 800-145 http://nvlpubs.nist.gov/nistpubs/ this computing model: utility, multi-client, location neutral, almost infi-
Legacy/SP/nistspecialpublication800-145.pdf.) It was worth the wait, nitely scalable and pay-per-use (see ‘Essential Characteristics’, NIST
because in practice the NIST definition remains the definitive universal definition, page 2).
statement of what cloud computing is. But migrating from ‘traditional’ computing models to the public
In the time it took the NIST to produce 15 drafts and release a cloud has real challenges: chief information officers (CIOs), chief infor-
final version of the world’s favourite cloud computing definition, the mation security officers (CISOs) and chief risk officers (CROs) worry
global public cloud services market had grown from US$58.6 billion about, among others, cybersecurity, compliance with data protection and
to US$92.97 billion by revenue (58.65 per cent). By 2018, global public privacy laws, data residency, service resilience and portability of data
cloud services revenue had almost doubled to US$182.4 billion. During on termination of cloud arrangements. So, to avail themselves of some
2019, worldwide revenue is expected to reach US$214.3 billion (17.49 of the benefits of the archetypal cloud, organisations have deployed
per cent growth). And by 2022, it is predicted to have surged to US$331.2 instead the hybrid cloud: an infrastructure composed of ‘two or more
billion (54.55 per cent up on 2019) – three times the growth of overall distinct cloud infrastructures (private, community or public) that remain
global IT services revenues during that period. (See Gartner Forecasts unique entities, but are bound together by standardised or proprietary
Worldwide Public Cloud Revenue to Grow by 17.5 Percent in 2019, technology that enables data and application portability (eg, cloud
https://www.gartner.com/en/newsroom/press-releases/2019-04-02- bursting for load balancing between clouds)’. (NIST definition, page 3.)
gartner-forecasts-worldwide-public-cloud-revenue-to-g.) These metrics Hybrid cloud is not without its challenges, but it reflects a more
demonstrate that public cloud computing has not just come of age – it is measured approach. Organisations that are even more concerned about
becoming the norm in computing models. risk and compliance (eg, regulated financial services firms), but that
To return to the NIST’s definition of cloud computing, arranged over want some of the benefits of the computing model, are likely to deploy a
just one and a half pages, it is: private cloud, which is ‘provisioned for exclusive use by a single organi-
sation comprising multiple consumers (eg, business units). It may be
a model for enabling ubiquitous, convenient, on-demand network owned, managed and operated by the organisation, a third party, or
access to a shared pool of configurable computing resources (eg, some combination of them, and it may exist on or off premises’. (NIST
networks, servers, storage, applications, and services) that can be definition, page 3.) Alternatively, in a community of common interests,
rapidly provisioned and released with minimal management effort for example within local government, health and law enforcement
or service provider interaction. This cloud model is composed communities, they may deploy a community cloud:
of five essential characteristics, three service models, and four
deployment models. provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (eg,
The three NIST service models are: software-as-a-service (SaaS), mission, security requirements, policy, and compliance considera-
platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). tions). It may be owned, managed, and operated by one or more
TechMarketView, a UK software and IT services industry analyst, has of the organizations in the community, a third party, or some
proposed two useful additions to the NIST service models: business combination of them, and it may exist on or off premises. (NIST
process-as-a-service (BPaaS) – an IT-enabled business service deliv- definition, page 3)
ered from a SaaS platform – and application-as-a-service (AaaS). In
their view, it is important to distinguish between software delivered as a As the community cloud shares the characteristic of ‘exclusive use’ with
service by proprietary software houses and SaaS provided by IT service the private cloud deployment model, we may treat it as a variant of the
providers. Accordingly, in their definition, AaaS is SaaS delivered by IT private cloud for the purposes of this work.
service providers. The four deployment models are currently in use, but to varying
The four NIST deployment models are: private cloud, community degrees. For the reasons given below, in our analysis of how cloud
cloud, public cloud and hybrid cloud. In general, what most people mean computing has been adopted in the countries covered by this work, in
when they refer generically to cloud computing is the third deployment general we address the deployment models as a composite of cloud
model, which is often seen as the archetypal cloud (ie, the public cloud): computing – and as virtually interchangeable. This is largely because

www.lexology.com/gtdt 3
© Law Business Research 2019
 Global overview Bryan Cave Leighton Paisner LLP

locating data to compare and contrast the adoption of each of the

deployment models (and for that matter each of the service models)
that will be freely available to our readership, while also being authori-
tative, is a real challenge. And it does not help that, in their endeavours,
law and policymakers and regulators have not generally – yet – seen
the need to distinguish precisely between each of the cloud deployment
and service models. However, where we can do so within the limitations
of our allotted space, we try to identify the characteristics of a deploy-
ment model that may be relevant to our analysis. Take, for example, the Mark Lewis
[email protected]
question concerning labour and employment law considerations appli-
cable to the cloud. And in particular, whether the EU Acquired Rights
Directive (ARD) and EU member state legislation implementing it will Adelaide House
apply to a cloud migration. If that legislation does apply, it will transfer London Bridge
staff automatically on their existing terms of employment to the cloud London EC4R 9HA
service provider (CSP) where their employer is migrating some or all United Kingdom
in-house IT functions to the cloud. And this will almost certainly extin- Tel: +44 20 3400 1000
Fax: +44 20 3400 1111
guish the financial case for the cloud migration. In considering whether
www.bclplaw.com
there is an ARD transfer of an undertaking, it may well make a differ-
ence that the migration is to a public cloud (where you might struggle
to discern the transfer of an undertaking, because the ‘before and after’
activities are so different), rather than to a private cloud (which could • Public and private sector organisations around the world worry
have many characteristics of an outsourcing, to which the ARD has been about – and some have already had to cope with – what happens
held to apply). Or will it? Readers with business interests in the EU will when a CSP becomes insolvent. What insolvency laws will apply in
have to decide for themselves – alerted to the possibility by this work those situations?
and, one hopes, properly advised.
For the reasons given above, it is mostly beyond the scope of this Almost all surveys of CIOs, CISOs, CROs and other business leaders
work to differentiate precisely or at all between and focus on each of around the world highlight their continuing concern about cyber and
SaaS, PaaS and IaaS. Accordingly, in this work we attempt to cover the data security in the cloud, as well as whether and how they continue to
broadest possible spectrum of cloud computing adoption, including comply with data protection and privacy regulation in migrating to the
(mostly interchangeably) the public, hybrid and private cloud deploy- cloud – especially since the coming into operation of the EU General
ment models and the service models, all in a business-to-business (B2B) Data Protection Regulation in May 2018. So, we identify the principal
context, but recognising that business-to-consumer (B2C) arrange- data protection or privacy legislation applicable to cloud computing.
ments will also be of interest to many of our readers, mainly because We turn next to what I personally have found to be the most chal-
of consumer protection regulation. For each contributing country, this lenging set of questions to answer. After outlining what forms of cloud
approach will, naturally, be somewhat different, depending on the size computing contract are usually adopted, we analyse as far as we can
and state of development of cloud computing in its local market, as well from publicly available sources, the typical key terms of B2B public
as local contractual, legal and regulatory conditions. cloud computing contracts in local markets.
Our survey starts with the market in each of the countries covered It is clear that cloud computing will – if not now, then in the near
and examines what kinds of cloud computing transactions take place term – have a significant impact in the workplace, so we also identify
and which of the global and local cloud providers are active in that labour and employment law considerations that apply.
country, as well as the cloud services the latter provide. Because much of the developed world and many emerging econo-
Next, we address how well-established cloud computing is, mies are becoming increasingly concerned about how to tax online and
including by its market size, referring (where practicable) to data and digital products and services, especially where supplies cross borders
studies that are publicly available. and will be made from IT product and services providers without a
How active is central or regional government in the development of permanent establishment in their target markets, we outline the direct
cloud? Are there specific, cloud-friendly policies? How are those policies and indirect taxation rules that apply to the establishment and operation
implemented – by fiscal or customs incentives or development grants, of CSPs and their customer transactions.
or other means? And what other government initiatives apply? Finally, we identify recent notable cases as well as commercial,
We turn next to the core of this work: law, regulation, contract and administrative or regulatory decisions or actions that have directly
market practice. We address the following questions for each country. involved cloud computing as a business model. And we close with a
• Is cloud computing specifically recognised and provided for in the survey of updates and trends as far as they can be discerned.
local legal system and, if so, how? With a new and fast-developing area such as cloud computing, we
• Is there any legislation or regulation that directly and specifically must keep our questions under review for future editions. And it follows
prohibits, restricts or otherwise governs cloud computing? that our answers to those questions may change over time. Of course,
• What legislation or regulation indirectly prohibits, restricts or law and regulation will change, as will contract and market practice.
otherwise regulates cloud computing? The country contributors and I very much hope that you will find this
• What are the consequences of breach of those laws and third edition of Lexology Getting The Deal Through – Cloud Computing
regulations? both stimulating and useful, and a worthwhile addition to this series.
• Recognising the importance of B2C cloud adoption, what local
consumer protection measures apply to cloud computing?
• Knowing that cloud – especially public cloud – may pose real chal-
lenges in certain sectors, for example, financial services and health,
what (if any) sector-specific legislation or regulation applies?

4 Cloud Computing 2020

© Law Business Research 2019
Argentina
Diego Fernández
Marval, O’Farrell & Mairal

MARKET OVERVIEW Impact studies

5 Are data and studies on the impact of cloud computing in your
Kinds of transaction jurisdiction publicly available?
1 What kinds of cloud computing transactions take place in
your jurisdiction? To the best of our knowledge, there are no hard studies with specific
numbers. Nevertheless, cloud services allow companies to start new
Almost all kinds of cloud computing transactions take place in the region. businesses or new operating units in a few months. These are some of
In connection with public cloud services, software-as-a-service the benefits that companies will find when turning to cloud services.
(SaaS), infrastructure-as-a-service (Iaas) and platform-as-a-service
(PaaS) are all common. Of these segments, SaaShas has had the most POLICY
marked growth in the recent years. Private cloud models have mostly
been adopted by different types of companies. Encouragement of cloud computing
There has been a growing interest in cloud solutions from the 6 Does government policy encourage the development of your
insurance, telecommunications and banking industries. Furthermore, jurisdiction as a cloud computing centre for the domestic
both the national and local governments have begun turning to cloud market or to provide cloud services to foreign customers?
solutions, in any of these architectures (Saas, IaaS or PaaS).
In general, Argentina does not have a federal policy to encourage
Active global providers the development of the country as a cloud computing centre for the
2 Who are the global international cloud providers active in domestic market or provide cloud services to foreign customers.
your jurisdiction? However, Argentina has a law that seeks to foster the growth of
the software industry in general and has also recently enacted Law
The most common providers operating in Argentina include Oracle, IBM, No. 27,506, which provides for a promotional regime for the Knowledge
Microsoft Azure and AWS. Economy, which aims to promote economic activities that apply the
use of knowledge and the digitalisation of information (supported
Active local providers by progress in science and technology) to obtain goods, provision of
3 Name the local cloud providers established and active in your services or improvements in processes (see question 7).
jurisdiction. What cloud services do they provide? Furthermore, the Argentine government is involved in cloud
computing through ARSAT. ARSAT has constructed a state-of-the-art
Oracle, Microsoft and IBM are the main providers, although not all of data centre with the goal of facilitating cloud computing for consumers.
them have Saas, Iaas, and Paas as part of their service offering. The data centre’s design and construction has made it the sole Uptime
Also, most telecommunications companies provide cloud Institute Tier III data centre in Argentina. The data centre has also
computing capabilities to offer their services to companies and homes. received ISO/IEC Certification 27001:2013 as well as Communication ‘A’
Local companies providing cloud services include Claro, Movistar and 4609 approval from the Argentine Central Bank, both of which certify the
ARSAT (a government-owned telecommunications company). The busi- rigour of the data centre’s information security.
ness model is mostly based on providing hosting and offering flexible Moreover, despite the fact that there is no formal government
payment options. law specifically fostering the development of cloud architecture, many
industry associations publish different recommendations regarding
Market size the cloud.
4 How well established is cloud computing? What is the size of
the cloud computing market in your jurisdiction? Incentives
7 Are there fiscal or customs incentives, development grants
Despite the fact that many companies have already acquired cloud solu- or other government incentives to promote cloud computing
tions, cloud architecture is today under analysis by different companies operations in your jurisdiction?
as a way to modernise, update or escalate their solutions.
Cloud architecture solutions are being incorporated by new small Although there are no specific regulations to promote cloud computing
and medium-sized companies that now have access to world-class solu- in Argentina, the Software Promotion Law No. 25,922 (the Software
tions. At the same time, cloud services have also been incorporated by Law) sets forth a broadly supportive regime for the software industry in
large corporations with a need to update their current solutions to be general, that will remain in effect until 1 December 2019.
able to escalate and move quickly to more modern solutions.

www.lexology.com/gtdt 5
© Law Business Research 2019
 Argentina Marval, O’Farrell & Mairal

Pursuant to this law, Argentine-incorporated companies whose fee (0.5 per cent over cost, insurance and freight (CIF) valuation) and
activities are the creation, design, development, production, implemen- are also exempted from some advanced payments on internal taxation
tation, adjustment, or upgrade of developed software systems and their collected upon the definitive importation of goods.
associated documents, may participate in the benefits created by this These are also capital goods that, if imported on a used condition,
regime, provided they comply with certain requirements. Beneficiaries are subject not only to regular import taxation but also to a specific
of the regime will benefit from: regime that alters their import duties rate (up to twice the import
• fiscal stability; duty rate) and requires a specific certificate granted by the Ministry
• conversion of certain monthly social security tax payments into a of Production before its importation. Depending on their tariff posi-
tax credit; tion, the importation into Argentina of used servers may be completely
• non applicability of any VAT withholding or collection regimes; forbidden.
• a 60 per cent reduction in the total amount of corporate income tax
as applied to income derived from software activities; and LEGISLATION AND REGULATION
• exclusion from any kind of present or future restriction on the
currency transfers matching the payouts for imports of software Recognition of concept
products by the beneficiaries, provided the imported goods are 8 Is cloud computing specifically recognised and provided for in
necessary for the software production activities. your legal system? If so, how?

Furthermore, the Promotion Regime of Knowledge Economy Law Cloud computing is not recognised or regulated by a specific law.
No. 27,506 provides for a promotional regime (the Regime), which However, there are different regulations that apply to matters that
will become effective as of 1 January 2020 and will be valid until may relate indirectly to cloud computing, including general provisions
1 December 2029. Among others, the regime will benefit the following on contract law, data protection, consumer protection, labour, intellec-
activities: software, computer and digital services; audiovisual produc- tual property, tax and public procurement regulations. Taken as a whole,
tion and post-production; biotechnology, neurotechnology and genetic these constitute the framework that would apply to cloud computing.
engineering; geological and prospecting services and others related to
electronics and communications; professional services as long as they Governing legislation
are exported; nanotechnology and nanoscience; aerospace and satellite 9 Does legislation or regulation directly and specifically
industry; nuclear industrial engineering; artificial intelligence, robotic prohibit, restrict or otherwise govern cloud computing, in or
and industrial internet, the internet of things, augmented and virtual outside your jurisdiction?
reality, etc.
Regarding the tax benefits of the Regime, we highlight the following: There is no legislation that directly and specifically prohibits, restricts or
• Fiscal stability: as of the moment of the registration and for the otherwise governs cloud computing in Argentina.
term of validity of the Regime. This benefit may be also extended to Section 8 of the Argentine Digital Law No. 27,078 (the ADL), as
provincial and municipal taxes, as long as such jurisdictions adhere amended by Decree 267/2015, establishes that the provision of informa-
to the law. tion, communications and technology services (ICT services) requires a
• Income tax: the general corporate tax rate is reduced to 15 per corresponding licence. ICT services are defined by the ADL as the set
cent, to the extent that the beneficiaries maintain their payroll. In of resources, tools, equipment, software, applications, networks and
addition, beneficiaries will be allowed to deduct a tax credit derived means that allow the compilation, processing, storing and transmis-
from any payment or withholding of foreign taxes, if the taxed sion of information, such as voice, data, text, video and images, among
income constitutes an Argentine source of income. others. Section 6, subsection (g) of the ADL establishes that each ICT
• Value added tax (VAT): beneficiaries will not be subject to any with- service will be subject to its specific regulatory framework.
holding and/or collection VAT regimes. At present, there is no specific telecom regulation in Argentina
• Employer social security contributions: beneficiaries will be able governing cloud computing services. In principle, cloud computing
to fully detract from their employer social security contributions, services would not fall under the Argentine telecoms regulations since
in relation to each employee, an amount equal to the maximum they would not be an ICT service with specific regulation but merely an
established in article 4 of Decree 814/2001 (which currently is application of – or business solution that runs on – the public internet,
17,509.20 pesos). provided locally by an authorised local internet service provider.
• Additional benefit: beneficiaries will be able to obtain a one- Therefore, a reasonable interpretation is that cloud computing services
time transferrable tax credit bond, which can be used for paying would not be subject to any licensing or other regulatory requirement
advances or balances of income tax or VAT. The bond is equal to in Argentina.
1.6 times the amount of the employer’s social security contribu- Discussions of a new legal framework for telecommunications
tions that the beneficiary did not pay due to the benefit mentioned (and media) activities are still pending. Thus, if such discussions are
in the above paragraph. resumed there may be changes in such regulations in the future and
we cannot disregard those changes affecting cloud computing services.
In addition, it is worth noting that, from a customs perspective, cloud Finally, in connection with personal data protection and regulation
computing services may not be construed as a ‘good’ that may be of international data transfers, see question 15.
imported. However, pursuant to a new regulation on the export of
services, cloud computing services that are rendered in Argentina but 10 What legislation or regulation may indirectly prohibit, restrict
exploited abroad may be construed as an ‘export’ subject to export duties. or otherwise govern cloud computing, in or outside your
Some specific provisions may apply when importing servers into jurisdiction?
Argentina, depending on which tariff code they are subject to under the
Mercosur Common Nomenclature. These goods are singled out as ‘tech- There are several provisions that could indirectly restrict or otherwise
nological goods’ and, if imported new, have a reduced VAT rate (10.5 govern cloud computing, and which could apply depending on the char-
per cent) for their definitive importation, are exempt from the statistical acteristics and nature of the services and the parties involved.

6 Cloud Computing 2020

© Law Business Research 2019
Marval, O’Farrell & Mairal Argentina

For instance, the Argentine Data Protection Law No. 25,326 will Consumer protection measures
apply to the use of cloud computing insofar as it entails the processing 12 What consumer protection measures apply to cloud
of personal data. The Consumer Protection Law No. 24,240 (the CPL) computing in your jurisdiction?
will also apply to cloud services if they are provided to consumers.
Market-specific laws like Decree No. 274/2019 of Fair Trade may also If cloud computing services are provided to consumers, Argentine
be relevant. Furthermore, general intellectual property, tax and labour consumer protection regulations will apply. In particular, the CPL and
regulations should be taken into account. the provisions of the Civil and Commercial Code (the CCC) on consumer
electronic contracts will be relevant.
Breach of laws The CPL protects consumers, defined as any physical person or
11 What are the consequences for breach of the laws directly entity that acquires or uses, whether for a fee or not, goods or services
or indirectly prohibiting, restricting or otherwise governing as an end user, for its own benefit or for the benefit of its family or
cloud computing? social group.
Some central aspects of general protection consumer law that may
There are no laws directly prohibiting, restricting or otherwise be relevant to e-commerce are the following:
governing cloud computing. In the case of any laws that may apply indi- • under the CPL, every description of the service or product adver-
rectly, consequences will vary depending on the pertinent regulation. tised by any means of communication is considered part of the
For instance, in the case of the Argentine Data Protection Law No. offer and a binding term of the contract;
25,326, a breach may lead to administrative sanctions, civil proceedings, • suppliers are forbidden from compelling the consumer to reject
or criminal penalties. The Data Protection Authority (DPA) may apply goods or service to avoid the payment of a fee (opt-out sales); and
the following administrative penalties in the event of violation of the • the CPL entitles the consumer to terminate the contract by the
Argentine Data Protection Law: same means used to agree upon it (ie, telephone, internet, etc).
• observation;
• suspension; Further, section 40 of the CPL states that there is joint liability between
• fines of between 1,000 and 100,000 pesos (DPA Rule No. 71 E/2016 all those involved in the supply chain for damages resulting from
capped fines applicable for various infringements encompassed defects or risks associated with goods or service.
by the same administrative proceeding, stating a maximum cap of In addition, the CCC contains provisions that refer specifically to
5 million pesos); the protection of consumers in electronic transactions (sections 1106-
• business closure; or 1116). For instance, an important provision is section 1106, which states
• cancellation of the database. that electronic means may be used in contracts and have the same
force of law as written contracts. Section 1110 CCC grants consumers a
Sections 117-bis and 157-bis of the Criminal Code also punish, with 10-day term to revoke the online transaction (with exceptions for: goods
between one month and three years of imprisonment, those who: that are personalised or that, by their nature, cannot easily be returned;
• illegally insert false information in a database; video or audio recordings or software that upon delivery can be quickly
• knowingly supply false information stored in a database to a and indefinitely stored and copied; and for daily or periodical publica-
third party; tions, such as newspapers). Moreover, section 2655 CCC provides that
• knowingly and illegally gain access to a database containing if the cloud computing service located outside offers or advertises
personal data in violation of its security systems; the service in Argentina, or performs another activity in Argentina in
• disclose personal data protected by duty of confidentiality pursuant connection with the proposed contract, and the targeted consumer
to law; or also performs acts in Argentina addressed at executing the contract,
• illegally insert data in a database. then, Argentine law (CCC and CPL) will apply. In turn, section 2654 CCC
states that the court of the place where the consumers perform acts
In the case of any infringements of the Consumer Protection Law addressed at executing the contract has jurisdiction to hear their claims.
No. 24,240, the following sanctions: Choice of law and jurisdiction clauses will be almost certainly set aside
• observation; by local courts, which would apply the provisions of the CCC instead.
• fines of between 100 and 5 million pesos;
• seizure of infringing merchandise or products; Sector-specific legislation
• business closure or suspension of the provided service for up 13 Describe any sector-specific legislation or regulation that
to 30 days; applies to cloud computing transactions in your jurisdiction.
• suspension for up to five years from the registries that allow
suppliers to contract with the government; and In the public sector, there is no specific legislation or regulation that
• loss of concessions, privileges, and any special tax or credit applies to cloud computing transactions at a federal level. However, the
conditions. Federal Information Technology Office – responsible to the Government
Secretariat of Modernisation – has approved a Code of Good Practice for
Further, the CPL provides that punitive damages may be imposed on the Development of Public Software in the Elaboration, Extension and
the infringer. Improvement of Software Solutions for the Public Sector (Disposition
Additionally, in case of violation of the Fair Trade Decree, the No. 2/2019) (the Code), applicable to the federal public sector. Pursuant
Authority may impose the following sanctions: to its section 3, all public sector agencies must manifest compliance
• fines of up to 264 million pesos; with the Code every time a software project is carried out.
• suspension of licences to contract with the state; The Code includes number of recommendations that relate to
• potential loss of any tax or credit exemptions or benefits; and cloud services, such as:
• closing of business for up to 30 days. • the public sector should choose cloud-services solutions over any
other option when requesting new information technology services;
• public sector entities will choose which cloud service to procure; and

www.lexology.com/gtdt 7
© Law Business Research 2019
 Argentina Marval, O’Farrell & Mairal

• providers of cloud services to the public sector will have to DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
comply with certain minimum requirements during the procure-
ment process. Principal applicable legislation
15 Identify the principal data protection or privacy legislation
In general terms, public procurement regulations provide for the applicable to cloud computing in your jurisdiction.
sanction of particular bidding terms and conditions for each type of
procurement. Pursuant to Argentina’s political system, the procurement Argentine Data Protection Law No. 25,326 (the Argentine Data Protection
legal framework differs in each jurisdiction and can also vary depending Law) will apply to the use of cloud computing insofar as it entails the
on the relevant entity. The procurement framework at the federal level processing of personal data. The Argentine Data Protection Law, and its
mainly consists of: accompanying Decree No. 1158/01, constitute the main framework on
• Decree No. 1023/2001; and data protection in Argentina. They are enforced by the DPA.
• Decree No. 1030/2016 (together, the General Legal Framework), The Argentine Data Protection Law defines personal data as any
which provide general rules that cannot be neglected even by way kind of information referring to identified or identifiable individuals or
of private negotiation. legal entities. The general principle under the Argentine Data Protection
Law is that any processing of personal data (including any disclosure,
Pursuant to the General Legal Framework, it is the public sector that collection, storage, amendment and destruction) must be specifically
will determine and announce the service that needs to be procured, consented to by the data subject. Such consent must be prior, given
along with the scope and modalities under which the service will be freely, based upon the information previously provided to the data
rendered, by means of the bidding terms and conditions and the tech- subject (informed) and expressed in writing or by equivalent means,
nical specifications. depending on each case.
In relation to the banking industry, it is worth noting that in Several provisions of the Argentine Data Protection Law and its
November 2017, the Argentine Central Bank issued Communiques complementary regulations can be relevant in connection with cloud
which made important modifications to the regulations which apply to computing. These include its provisions on cross-border data transfers,
the decentralisation, outsourcing and delegation of activities of financial data processing agreements, and security measures and confidentiality
entities. Among other faculties, these regulations authorised finan- obligations.
cial entities to hire information technology services provided by third Regarding cross-border data transfers, the Argentine Data
parties, subject to the condition that such activities fall within the list Protection Law prohibits the transfer of personal data from Argentina
provided by the Argentine Central Bank. to other countries or to international organisations if the countries or
These new rules were an important update to the regulatory organisations do not provide an adequate level of data protection, with
framework applicable to financial entities, and aimed to allow them to certain exceptions. In cases when adequate data protection is not set
make a more extensive use of technological services. up, transfers may still be made when the data subject consents to the
transfer or when adequate protections arise from contractual clauses
Insolvency laws or self-regulated systems (as, for example, Binding Corporate Rules).
14 Outline the insolvency laws that apply generally or DPA Rule No. 60-E/2016 (Rule 60) provides a list of jurisdictions
specifically in relation to cloud computing. which the DPA considers to provide an adequate level of protection.
These are the member states of the European Union and the European
Where a company fails to meet its obligations, the contractual provi- Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man,
sions entered into by the parties are the first source of regulation for the the Faroe Islands, Canada (only applicable to their private sector),
conflict. In B2B contracts, where the negotiation leverage is supposedly New Zealand, Andorra, the United Kingdom and Northern Ireland, and
fairer for the parties, the contract will govern what occurs in cases of Uruguay. Moreover, Rule 60 approved two sets of standard model
non-compliance, which will generally come about if a company becomes clauses addressing the two most common types of data transfers:
insolvent. In B2C contracts, the same contractual provisions will apply the assignment of data to a third party and the transfer of data for the
with the caveat that, in this case, consumer-specific legislation might rendering of data-processing services.
apply and might offer more protection to a customer. In connection with data processing, any entities that provide
In connection with insolvency, general insolvency laws will apply outsourced processing services, including cloud computing entities, are
to cloud computing, since there is no specific regulation in connection considered data processors. In that case, the Argentine Data Protection
with insolvency and cloud computing services. The most important Law requires a data processing agreement between data processor
Argentine regulation on this matter is the Law on Reorganisation and and data controller. Decree No. 1558/2001 provides that the agree-
Bankruptcy Proceedings No. 24,522. ment must:
If the reorganisation procedure regulated by this law is successful, • detail the security measures mandated by the Argentine Data
the service provider should be able to clear its debts and continue Protection Law;
operating. Therefore, the provision of services to the customer should • include the parties’ confidentiality obligations;
remain relatively unaffected. If, however, the service provider under- • establish that the data processor will only act as instructed by the
goes bankruptcy, the customer would, at some point, stop receiving data controller; and
the services. The customer would have to direct any actions – such as • establish that the data processor is also bound by the Argentine
claims for services paid but not performed – against the insolvent entity Data Protection Law’s data security requirements.
in the bankruptcy proceeding.
The data may only be used for the purpose outlined in the agreement,
and may not be assigned. After the data processing has been rendered,
the data must be destroyed.
Lastly, in relation to security and confidentiality, the Argentine Data
Protection Law states that the data controller and the data processor
must adopt the necessary technical and organisational measures to

8 Cloud Computing 2020

© Law Business Research 2019
Marval, O’Farrell & Mairal Argentina

guarantee the protection and confidentiality of the data. DPA Resolution Typical terms covering data protection
No. 47/2018 approved two sets of recommendations in connection with 19 What are the typical terms of a B2B public cloud computing
security measures for the processing and conservation of personal contract in your jurisdiction covering data and confidentiality
data. One is aimed at computerised data processing, while the other considerations?
is aimed at non-computerised processing. They include guidelines on
measures on collection, access, modification, recovery and destruction Cloud computing contracts tend to provide that the service providers
of data, as well as on vulnerability management, security incidents and will implement security measures to protect their customer’s content
development. and prevent any unauthorised access. In particular, this type of agree-
ments may establish that only the service provider’s employees or
CLOUD COMPUTING CONTRACTS contractors will have access to the customer’s content and, only as
required, to render the services. Some systems may include the possi-
Types of contract bility of encrypting certain data, or of replicating data in different servers
16 What forms of cloud computing contract are usually adopted to ensure access to the content in the event of a system failure.
in your jurisdiction, including cloud provider supply chains (if
applicable)? Typical terms covering liability
20 What are the typical terms of a B2B public cloud computing
As a rule, cloud computing contracts are generally non-negotiated, contract in your jurisdiction covering liability, warranties and
and customers may choose from different options. Pay-as-you-go type provision of service?
subscriptions, baseline agreements and PaaS subscriptions are all
common. In baseline agreements, the customers are able to estimate Cloud computing services contracts generally contain clauses which
the amount of services they expect to require, which allows them to limit the provider’s liability. Some of these clauses limit the total liability
have access to better pricing conditions than those available in pay-as- of the provider for any claim to the amounts paid for the service. Others
you-go models. state that liability is limited to the farthest extent allowed by the appli-
Overall, provisions contained in cloud services agreements are cable laws.
more or less standardised among different global providers, and tend Under the CCC, any provisions that limit liability are invalid if they
not to vary greatly. affect inalienable rights, are against good faith, good customs or imper-
ative laws, or are abusive.
Typical terms for governing law In relation to warranties and provision of services, it is common for
17 What are the typical terms of a B2B public cloud computing agreements to include a clause that states that services are provided
contract in your jurisdiction covering governing law, ‘as-is’. Conversely, they tend to exclude specific warranties, such as non-
jurisdiction, enforceability and cross-border issues, and interruption of services or freedom from errors. They may, however,
dispute resolution? include clauses related to a reasonable level of care or diligence.

In connection with governing law, some providers establish the law and Typical terms covering IP rights
courts of the country where their headquarters are located. However, 21 What are the typical terms of a B2B public cloud computing
providers with local presence may establish the application of Argentine contract in your jurisdiction covering intellectual property
law instead. Dispute resolution terms may differ, and include local rights (IPR) ownership in content and the consequences of
courts, foreign courts or arbitration. infringement of third-party rights?
Choice of law and jurisdiction clauses may be subject to restric-
tions if Argentine law applies. For example, under the CCC, disputes In connection with IPR ownership of content, cloud computing contracts
arising from consumer agreements cannot be resolved by arbitration. usually state that the customers’ content belongs exclusively to them,
and that the agreement grants the service provider no IPR rights.
Typical terms of service Any access or use of the content by the service provider is generally
18 What are the typical terms of a B2B public cloud computing restricted to that which is necessary to provide the services.
contract in your jurisdiction covering material terms, such Moreover, cloud services agreements generally state that the
as commercial terms of service and acceptable use, and customer is responsible for its content, and must obtain all the neces-
variation? sary consents and ensure that there is no infringement of third-party
rights. An infringement of third-party rights could be listed as an action
In connection with commercial terms, providers tend to offer a range of that violates acceptable use. In addition, there could be a limitation
various rates and prices for different services. Payment schemes can of liability or indemnity provision related to IPR claims filed by third
be either fixed or offer greater flexibility. Prices are usually set in US parties for customer content.
dollars and converted to Argentine pesos at the exchange rate appli-
cable when issuing the invoice. Most providers allow for payment in US Typical terms covering termination
dollars or Argentine pesos. 22 What are the typical terms of a B2B public cloud computing
Acceptable use policy terms usually list behaviours and actions contract in your jurisdiction covering termination?
that are considered unacceptable, and state that the provider reserves
the right to discontinue the service if the customer engages in these Considering that, in the case of B2B cloud computing, the services
activities. Regarding variations in the terms of service, providers tend to provided may be important for the customer to be able to continue its
include provisions that allow them to alter the terms and conditions of ordinary business, the terms of a cloud contract may include provisions
the services and regulate how notification occurs. that aim to regulate the transition to another service provider or the
migration of data.
Regarding termination, contracts usually state that either party
may terminate the cloud services agreement due to non-compliance of

www.lexology.com/gtdt 9
© Law Business Research 2019
 Argentina Marval, O’Farrell & Mairal

the other party. From the standpoint of the service provider, a customer Indirect taxes
infringement could include lack of payment, violation of the acceptable 25 Outline the indirect taxes imposed in your jurisdiction that
use provision or infringement of third-party rights. There may also be a apply to the provision from within, or importing of cloud
unilateral right to terminate the contract for both parties, after a certain computing services from outside, your jurisdiction.
prior notice has been granted.
In relation to VAT, this tax applies, among other things, to the provi-
Employment law considerations sion of services rendered within Argentina. The current general rate
23 Identify any labour and employment law considerations that for this tax is 21 per cent. However, in cases where the services are
apply specifically to cloud computing in your jurisdiction. rendered in Argentina but effectively used or exploited abroad, they
would be deemed as rendered abroad and, therefore, would not be
There are no labour or employment law considerations that specifically subject to VAT.
apply to cloud computing. As a result, general principles and provisions A recent amendment to the VAT Law introduced a new taxable
set forth in international treaties, the Argentine National Constitution, event related to the provision of digital services by an individual or
the Labour Contract Law No. 20,744, collective bargaining agreements, company domiciled abroad when its use or effective exploitation is
case law and any other labour regulations could be applicable. carried out in Argentina, as long as the customer is not subject to the
These general principles include the employer’s ability to organise tax for other taxable events and does not assume the status of a regis-
the company economically and technically, and the control over the tered taxpayer.
worker’s activity and working conditions. A corporate policy on elec- The VAT Law also includes a definition of digital services, which are
tronic communications and tools in the workplace could be considered understood, regardless of the device used for download, display or use,
among those instructions. In turn, employees’ compliance with the as those carried out through the internet or any adaptation or applica-
policy could be regarded as part of the duty of due diligence and coop- tion of protocols, platforms or technology used by the internet or other
eration. A case-by-case analysis, though, is key to confirming this rule networks through which equivalent services are provided that, by their
as applicable to specific facts. nature, are basically computerised and require minimum human inter-
During the past few years, labour case law has been developing vention. The tax resulting as a consequence of the provision of digital
an increasing broad concept of working tools, which have included services is paid by the customer directly or through a reverse with-
not only a corporate email account, but also information technologies, holding mechanism.
computers, software, internet access and internet use, among others.
As a result, case law and most legal authors agree that corporate RECENT CASES
email and other communication tools should be deemed as work tools
and, thus, the employer should be authorised to duly control its use. Notable cases
Nevertheless, taking into account that the situation is doubtful and has 26 Identify and give details of any notable cases, or commercial,
no specific legal framework, it is of high relevance that monitoring of private, administrative or regulatory determinations within
any kind over the employee’s electronic communications and devices the past three years in your jurisdiction that have directly
is performed with extreme caution, as the existence of potential claims involved cloud computing as a business model.
cannot be ruled out. The chances of an employer’s success in the event
of a claim for such unilateral email control would be higher, yet with The EU’s General Data Protection Regulation (GDPR) may have an
no result guaranteed, if there is a specific policy regarding terms and impact on the provision of cloud computing services in Argentina,
conditions for use of the electronic communications and devices, duly since the most important service providers are global companies. In
notified to the employees in writing. This provides employees with a this context, and taking into account that the GDPR has extraterritorial
hard copy of the internal policy applying to the employees in Spanish, application in some instances, its existence may translate in practice to
or two languages, and the employer should have them sign an acknowl- a higher common standard in data protection matters.
edgement of receipt and acceptance of its terms and conditions in Also, as already mentioned, the regulation issued by the Argentine
wet ink signature that, among other aspects, would be convenient to Central Bank in November 2017 allowing financial entities – among
expressly indicate: others – to hire from third parties those information technology services
• how to use email accounts provided by the company; listed by the Central Bank, has been seen as a step forward in fostering
• that the employer is entitled to regularly check and monitor such cloud services in the financial sector.
email accounts and there shall be no expectation of privacy; and
• that any breach to the employer’s policies could lead to the appli- UPDATE AND TRENDS
cable sanctions.
Key developments of the past year
TAXATION 27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
Applicable tax rules legislative initiatives specific to cloud computing that are
24 Outline the taxation rules that apply to the establishment and being developed or are contemplated?
operation of cloud computing companies in your jurisdiction.
There are currently no draft laws that refer specifically to cloud
Any company performing activities in Argentina will be subject to computing.
the general tax regime. In addition, if the company complies with the Furthermore, in 2018, the Argentine Executive Branch introduced
requirements set forth in the Software Law (which will remain in effect before Congress a bill intended to replace the Argentine Data Protection
until 1 December 2019) and/or the Promotion Regime of Knowledge Law (the Data Protection Bill). The Data Protection Bill is generally in
Economy Law (which will become effective as of 1 January 2020 and will line with many approaches proposed by the European General Data
be valid until 1 December 2029) to qualify for this promotion regime, it Protection Regulation (GDPR). The Data Protection Bill includes several
may also benefit (see question 7). aspects relevant to cloud computing. Among other things, it:

10 Cloud Computing 2020

© Law Business Research 2019
Marval, O’Farrell & Mairal Argentina

• limits the concept of data subject to natural persons and excludes

legal entities;
• revisits general concepts included in the current Argentine Data
Protection Law, such as databases, personal data and sensitive
data, and it incorporates new ones;
• includes accountability obligations and eliminates the requirement
of registering databases with the DPA;
• establishes that the legal basis for the processing of personal data
is still the data subject’s express consent, although under specific Diego Fernández
[email protected]
circumstances, consent can be given implicitly, with the addition of
the data processor’s legitimate interest as a new legal basis;
• expressly acknowledges the right to be forgotten and the right to Av Leandro N Alem 882
data portability; Buenos Aires
• includes an obligation to notify of data breaches in certain cases; Argentina
• includes an obligation to appoint a data protection officer in public Tel: +54 11 4310 0100
agencies, big data operations, and when the processing of sensitive Fax: +54 11 4310 0200
www.marval.com
data is a principal activity; and
• mandates the enactment of an impact analysis when the data
processor intends to treat personal data in such a way that there is
a high risk of affecting fundamental data subject rights.

www.lexology.com/gtdt 11
© Law Business Research 2019
 Austria
Árpád Geréd
Maybach Görg Lenneis Geréd Rechtsanwälte GmbH

MARKET OVERVIEW Active local providers

3 Name the local cloud providers established and active in your
Kinds of transaction jurisdiction. What cloud services do they provide?
1 What kinds of cloud computing transactions take place in
your jurisdiction? Naming all Austrian cloud service providers would be impossible, since
most of them are small to medium-sized IT service providers that also
Austria has seen a rising adoption of cloud computing applications in offer managed and cloud services, usually storage and backup solu-
recent years. Although less than a decade ago the legal possibility of tions, first and foremost to their existing customers.
using cloud computing was still widely discussed, now most Austrian Among the largest local cloud providers are the former federal
businesses make use of cloud computing offerings, ranging from full data centre, the BRZ, now a publicly owned private entity, as well as
cloud-sourcing to single applications. Fabasoft, a company that started with software solutions tailored to
Of the various XaaS offerings, the use of infrastructure-as-a-service public authorities and is now a major local cloud provider with data
(IaaS) as well as software-as-a-service (SaaS) are the most preva- centres in Austria, Germany and Switzerland.
lent. Due to the large amount of small and medium-sized businesses,
cloud storage and backup solutions as well as cloud applications are Market size
statistically used most and have a very high acceptance in relation to 4 How well established is cloud computing? What is the size of
the number of businesses. This is also due to even small IT service the cloud computing market in your jurisdiction?
providers offering managed or cloud solutions, usually related to
storage and backup. Those offerings are hosted either at the providers’ According to the most recent data published by Eurostat (the statistical
own data centres or collocated at premises of a larger provider mostly office of the European Union situated in Luxembourg), adoption of cloud
in Austria or Germany. computing solutions is increasing. While with 23 per cent it is still below
The systematic and strategic use of multiple cloud offerings, up to the EU average of 26 per cent, it has nevertheless doubled since 2014.
full cloud-sourcing is usually reserved to IT- or medium to large compa- To put this into context: the heaviest users of cloud computing in the EU
nies in Austria. However, even there private and hybrid cloud models are Finnish and Swedish businesses with an adoption of 65 per cent and
are prevalent. 57 per cent respectively.
Public authorities also make use of cloud offerings, though more This percentage once again varies according to the size of the busi-
from national providers rather than big international providers. In this ness in question, with larger businesses showing a significantly higher
area the former federal data centre, the BRZ, now a publicly owned – more than 50 per cent – adoption of cloud services than small or
private entity, is seen as the prime provider, also hosting third-party medium-sized ones.
solutions for public authorities. Although this data is accurate in regard to major cloud services,
The most noteworthy public cloud offering is the Electronic Data it does not fully take into account the small local managed and cloud
Management portal, a SaaS-application that is provided by the Federal service offerings from, for example, IT service providers.
Ministry of the Environment, hosted at a publicly owned private entity Of all the cloud computing offerings, storage, email and office soft-
and independently certified by the StarAudit (www.staraudit.org). ware are the most widely used cloud solutions.
The value of the Austrian cloud computing market was around
Active global providers €600 million in 2018 and is estimated to increase to about €685 million
2 Who are the global international cloud providers active in until 2021.
your jurisdiction?
Impact studies
Almost every international cloud service provider is offering their 5 Are data and studies on the impact of cloud computing in your
solutions in Austria. While companies from the United States as well jurisdiction publicly available?
as Europe have been in the market almost from the very beginning,
companies from Asia entered the market only relatively recently. Thus, Various studies on the use of cloud computing are publicly available
disregarding single receptions, there is in general a west-to-east decline and updated regularly. However, the only truly independent study is the
as far as market share is concerned. one conducted by the Statistik Austria, the federal statistical office of
Austria, the data of which is then shared with the Eurostat.
Most of the studies are conducted by stakeholders and audit compa-
nies can, therefore, not be considered truly independent. Nevertheless,
they sometimes provide very detailed insight into various aspects of

12 Cloud Computing 2020

© Law Business Research 2019
Maybach Görg Lenneis Geréd Rechtsanwälte GmbH Austria

cloud offering. As such, they are very often the only sources for certain, Governing legislation
detailed statistical information. 9 Does legislation or regulation directly and specifically
prohibit, restrict or otherwise govern cloud computing, in or
POLICY outside your jurisdiction?

Encouragement of cloud computing Austrian law does not provide any specific rules related to cloud
6 Does government policy encourage the development of your computing. The closest any generally applicable legal provision gets
jurisdiction as a cloud computing centre for the domestic to influencing the potential use of cloud offerings are the EU General
market or to provide cloud services to foreign customers? Data Protection Regulation (GDPR) and the Austrian Data Protection Act
(DSG), which generally prohibit the transfer of personal data to coun-
The Austrian government, especially the Kurz government (December tries that do not meet the data protection standards applicable in the EU.
2017 to May 2019), has a strong focus on not only aiding the adoption The only legal provision, albeit a very specific one, mentioning the
of new technologies but also fostering the creation of such technologies use of cloud computing (though not by name) are the Guidelines for the
and the uses for the same. The keyword used for this in Austria is ‘digital- exercise of the legal profession (RL-BA), which, in principle, merely aim
isation’ and the Kurz government even denominated a federal ministry to to ensure and protect a lawyer’s legal obligation to confidentiality. In
be responsible for all such matters. Cloud computing as a basis of many article 40, paragraph 3, the guidelines state that any lawyer ‘employing
modern technologies is the natural beneficiary of this policy. the services of an external data centre to store internal documents’
With Austria’s leading role in the field of e-government (ranking 6 of needs to contractually oblige the provider to inform the authorities in
34 in the 2018 eGovernment Benchmark of the European Commission), case of a seizure that the data of a law office is stored and thus cannot
a general commitment of the federal government to pool and most be seized. Also, the provider needs to be contractually obliged to inform
efficiently use IT-resources and the above-mentioned fostering of ‘digi- the law office in the case of any such seizure or ascertain that the data
talisation’, cloud computing has been and still is on the rise in Austria, cannot be illegally seized.
doubling the number of businesses moving to the cloud between The guidelines explicitly prohibit the use of any provider that does
2014 and 2018. not meet these requirements, thus effectively ruling out all providers
Despite all this, the Austrian government has never adopted a true that either do not offer the required options or cannot be negotiated with
‘cloud first’ strategy and has also refrained from obliging public entities to amend their contract accordingly. In practice, IT service providers
to ask for at least one cloud offering when inviting tenders for software, providing cloud storage services, as well as other local cloud providers,
IT infrastructure or IT services. usually accept the necessary safeguards so that Austrian law firms are
not restricted to a few specialist providers.
Incentives
7 Are there fiscal or customs incentives, development grants 10 What legislation or regulation may indirectly prohibit, restrict
or other government incentives to promote cloud computing or otherwise govern cloud computing, in or outside your
operations in your jurisdiction? jurisdiction?

While Austria does not offer any fiscal, custom or other direct monetary As in every civil law country, Austria has a large number of laws
incentives simply for making use of cloud computing offers, Austria governing various aspects of business or other activities. As far as cloud
offers a wide range of funding programmes, many of them together with computing is concerned, any law providing legal rules or restrictions
the EU, for the purpose of promoting digitalisation. regarding business activities, including laws on employment relation-
Many of the programmes are tailored to research projects, though ship, is thus, in principle, able to indirectly affect and govern the use of
also including projects that aim to create solutions suitable for public cloud computing. This is particularly true for special legal rules relating
use. However, there are also programmes funding investment into IT in to certain businesses, such as banks or insurance agencies.
general and e-business applications. Some are exclusive to small and The most prominent examples remain the GDPR and the DSG, the
medium-sized businesses. Austrian Data Protection Act. However, the Austrian Labour Relations
Apart from entities on the state level, the Austrian Research Act (ArbVG) (articles 96, paragraph 3 and 96a) is another prominent
Promotion Agency is the main federal funding body. legal provision with significant practical influence on the use of cloud
computing and any new technology in general. According to this provi-
LEGISLATION AND REGULATION sion, the implementation of any technical system used to control
employees requires the consent of the works council if such system
Recognition of concept affects human dignity. This also applies to the implementation of
8 Is cloud computing specifically recognised and provided for in systems automatically gathering data on the employees ‘that go beyond
your legal system? If so, how? the general information and prerequisites related to the employee’ as
well as evaluation systems requiring the works council’s consent. While
Austria has a tradition of keeping its laws as technology neutral as consent for the latter two systems may also be obtained directly from
possible. Consequently, it has no law regulating cloud computing or any the employees, the former rule cannot be circumvented by individual
other technology. Rather, the general rules of civil law apply. Due to agreements between employer and employee. Rather, such ‘control
the nature of cloud computing and the many parties usually involved systems’ are absolutely forbidden should no works council exist. As to
in providing a certain service, special attention is given to the rules on which systems are actually covered by these provisions, interpretations
liability for third parties employed to fulfil a contractual obligation. can vary widely and usually depend on the point of view of the evalu-
Over the years, many guidelines, such as from the EuroCloud ating person. In practice, however, this has led to employers regularly
Austria or the Austrian Chamber of Commerce, have helped to establish informing works councils of new technologies, even if only to mention
general recommendations and best practices but also to harmonise the that they do not constitute any control, data gathering or evaluation
general expectations relating to business-to-business cloud computing system according to article 96, paragraph 3 and 96a ArbVG. In turn,
contracts. works councils regularly make use of their rights to information and

www.lexology.com/gtdt 13
© Law Business Research 2019
 Austria Maybach Görg Lenneis Geréd Rechtsanwälte GmbH

consultation in such cases, thus giving them significant practical influ- As far as digital services are concerned, however, the law provides
ence on decisions regarding new IT solutions in general, including cloud the possibility to waive this right of withdrawal. Namely, if a service
computing. provider starts with the provision of the services upon explicit request
of the consumer before expiration of the 14-day deadline, the consumer
Breach of laws thereby waives his or her right of withdrawal. In practice, cloud
11 What are the consequences for breach of the laws directly service providers as well as app stores and providers of digital media
or indirectly prohibiting, restricting or otherwise governing require the consumer to explicitly consent to the immediate provision
cloud computing? of services, usually by ticking a box, before expiration of the deadline.
Without such consent, the providers simply do not conclude a contract
As no laws specific to cloud computing exist in Austria (if one disregards with the consumer in the first place.
the RL-BA), the consequences of a breach are always those attached to In the case of disputes between a business and a consumer, though
the law itself. As such, in general one can distinguish between criminal, not in cases of disputes between businesses, the Austrian Alternative
administrative or civil consequences. Dispute Resolutions Act additionally applies.
Criminal consequences are usually a result of a breach of
the Austrian Penal Act. In relation to technology this is the case, for Sector-specific legislation
example, with hacking or identity theft. Depending on the nature and 13 Describe any sector-specific legislation or regulation that
severity of the crime committed, the consequences can range from a applies to cloud computing transactions in your jurisdiction.
fine to imprisonment.
Administrative consequences are usually fines due to a breach of With the notable exception of the RL-BA (see question 9), Austrian law
public law. The most prominent example of one such law is the GDPR. does not contain specific rules relating to cloud computing. As such,
But also breach of, for example, the Austrian Banking Act can lead sector, industry or profession-specific rules apply to and affect cloud
to administrative proceedings and fines, in this case by the Financial computing insofar as they impose specific rules and requirements on
Markets Authority. third parties that the relevant regulated business or entity deals with.
Finally, civil consequences are those related to either tort or In general such rules can be found, for example, in the Austrian
a breach of contract, which in turn need to be evaluated against the Act on Public Tenders and associated the case law as far as rules are
general civil legal rules. The usual consequence of such a breach is set forth on how to evaluate the suitability and qualification of a party
the obligation to compensate financially for any damage caused. In the providing an offer.
case of unfair competition, publication of the verdict may be ordered Other rules may be found in the banking, finance, insurance, energy
in addition. or telecom sectors, where providers are regulated very strictly and care
Of course, the consequences are not exclusive. Thus any breach is taken that the strict obligations are not watered down by using for
of criminal, administrative or civil rules may additionally lead to example for core services and obligations third parties that do not meet
consequences of another nature. Once again, the GDPR can serve as those strict requirements.
an example. Article 82 explicitly grants any person the right to claim
compensation for damage caused by a breach of the GDPR. This right Insolvency laws
exists in addition to and independently of the national data protection 14 Outline the insolvency laws that apply generally or
authority’s (DPA’s) right to impose a fine upon the company in breach specifically in relation to cloud computing.
of the law. Thus even if the DPA would decide to abstain from a fine and
merely issue a reprimand for a minor breach, any affected person may In the absence of specific legal rules on cloud computing in Austria, the
still claim compensation should the breach have caused damage. general rules of the Austrian Insolvency Act (IO) apply.
Of particular note and importance to cloud computing are articles
Consumer protection measures 21 and 25a IO. According to these provisions, the insolvency adminis-
12 What consumer protection measures apply to cloud trator has the right to decide whether to continue or end any contracts
computing in your jurisdiction? still in force and not completely fulfilled by the time insolvency proceed-
ings are opened. The contracting partner of the insolvent business,
Consumer protection rules are mostly stipulated in the Austrian however (in our case: the cloud service provider), is barred from termi-
Consumer Protection Act (KSchG). However, for business-to-consumer nating the contract, unless for a good cause, for a period of six months
contracts concluded on the internet, the rules set forth in the Austrian after opening insolvency proceedings, if such termination may endanger
Act on distance and out-of-office selling (FAGG) are the most relevant the continuation of the insolvent business. In practice, this means that
and have partially been moved over from the KSchG. usually no cloud provider, except for very minor and niche services, can
In general, the FAGG stipulates very strict and detailed information terminate the contract and suspend provision of the services upon the
obligations regarding the identity and contact details of the business, opening of insolvency proceedings. Rather, they would need to ask for
even more so than the generally applicable E-Commerce Act. In addi- a declaration of the insolvency administrator as to whether he or she
tion to requiring businesses to provide the required information to the chooses to continue or terminate the contract.
consumer before a contract is concluded, businesses are furthermore While this provision was created with services such as electricity
obliged to transmit that information as well as the contractual terms to in mind, it nevertheless affects all other business-critical services,
the consumer in a way that allows him or her to save all this information including cloud offerings.
and documents. In practice, this is usually effected by sending a confir-
mation email with attachments to the consumer. In the case of a breach,
the law grants the consumer a very long deadline within which to decide
to withdraw from the contract without any consequences.
Even after the binding conclusion of a contract, the consumer can
still decide to withdraw from the contract without giving any reason and
without consequences within 14 days.

14 Cloud Computing 2020

© Law Business Research 2019
Maybach Görg Lenneis Geréd Rechtsanwälte GmbH Austria

DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION GDPR those businesses shied away from investing the required, and not
insubstantial, amounts of time and money to implement proper technical
Principal applicable legislation and especially organisational measures and have preferred to imple-
15 Identify the principal data protection or privacy legislation ment a minimum or perhaps modicum of technical security measures.
applicable to cloud computing in your jurisdiction. With the increase in the DPA’s fines for not implementing appropriate
technical and organisational measures, this aspect of the GDPR becomes
The most important and general rules on data protection in Austria are more important. In this regard, cloud computing providers can actually
set forth in the GDPR and the DSG. However, specific data protection provide an added benefit for their business users by implementing just
rules, for instance, relating to employment contracts, have additionally those appropriate technical and organisational measures that the user
been introduced into the relevant sector, business or topic-specific acts. would be lacking if it was still storing the data on its own premises.
All data protection rules have in common that they only govern the This also ties in with the duty of articles 33 and 34 GDPR to report
processing of personal data, which is data by which a natural person can data breaches within 72 hours and also provide certain details required
be identified. Since business data always also contains personal data by law. Without a proper IT security system in place, which includes an
(for example, the names of users or contact persons), the relevant rules appropriate organisation, businesses would be hard pressed to meet
are also applicable if such data is stored at a cloud computing provider. those requirements.
In principle, the GDPR demands personal data to be processed A final very important rule of the GDPR is the requirement of the
only based on legal grounds. Those can be, for instance, consent or the controller to ensure that data is only transferred to countries with an
necessity to process the personal data to fulfil a contract concluded adequate level of data protection, consistent with the level provided by
between the natural person (data subject, here the user) and the the GDPR (see articles 44 and following GDPR). This, of course, adds
contracting partner (processor, here the cloud provider). A typical appli- additional hurdles to the transfer of data to cloud providers or any of
cation of a necessity to process would be the processing of the user’s their data centres situated outside of the EU or a country with a recog-
name and address by the cloud provider for the purpose of billing. nised adequate level of data protection. In practice, this has, on the one
Furthermore, the GDPR demands that any personal data shall only hand, led many international cloud providers to store the data of their
be processed for specific purposes. Thus in the example above the cloud EU users only within their EU data centres. On the other hand, busi-
provider is not allowed to use the user’s contact data for marketing nesses from the EU are now more than ever looking for and preferring
purposes if it was only collected for the purpose of fulfilling the contract cloud service providers (be they IaaS, PaaS or SaaS-providers) who
(that is, maintaining an account with credentials, billing and any other offer just this added benefit and legal ease of use.
use required by the service itself).
This configuration becomes more complex in a typical business-to- CLOUD COMPUTING CONTRACTS
business environment, where the user is no longer the data subject, but
rather a business that itself processes personal data of its own users, Types of contract
employees and others and is thus itself controller. The cloud provider’s 16 What forms of cloud computing contract are usually adopted
role is then changed to that of the ‘processor’: an entity that no longer in your jurisdiction, including cloud provider supply chains (if
processes personal data for its own use but for, and according to the applicable)?
instructions of, a controller. In this configuration the rules regarding
the legitimate processing of personal data still apply. Thus the business Austrian law does not require contract to abide to any of the contract
user (controller) needs to ensure that it cannot just legitimately use, forms determined by law. Rather, businesses are free to combine
but can also transfer personal data to the cloud provider (processor). any and all elements. Only in case of a dispute and if the contract is
Additionally, the controller needs to conclude a written contract with the unclear will a court determine under which contractual form a provi-
processor ensuring that it will process the personal data only within the sion in dispute needs to be interpreted. This then determines the legal
scope of the contract with and instructions of the controller (see article consequences attached to such form. Austrian courts, however, regu-
28 GDPR for further details). Even though the controller and processor larly determine the form for each provision in dispute separately. Mixed
are jointly liable according to the GDPR, the main accountability and contracts are common and widely accepted in Austria.
liability nevertheless rests with the controller. In practice, however, this poses fewer issues than one might
While contracts requiring cloud providers to generally follow believe. Since, especially in a business-to-business environment, the
instructions from their users regarding the data stored in their envi- parties are free to conclude agreements that differ from the legal rules
ronment would have been quite unthinkable a few years back, such applicable in the case of a lack of an individual agreement, a detailed
contracts have now become a legal requirement and thus the norm. contractual agreement usually helps to finally determine all contractual
Apart from formalities involving written contracts, declarations and rights and obligations and avoid a differing interpretation in the case of
similar, the single most fundamental rule of the GDPR is that compliance a dispute.
requires appropriate technical and organisational measures to fulfil the
obligations set forth by the GDPR and protect the personal data, where Typical terms for governing law
‘appropriate’ depends on the sensitivity of the personal data involved. 17 What are the typical terms of a B2B public cloud computing
As such, healthcare data needs to be better secured against illegitimate contract in your jurisdiction covering governing law,
access and use than merely some names. With this rule, the GDPR jurisdiction, enforceability and cross-border issues, and
requires cloud providers but also their business users to take proper dispute resolution?
IT security measures, which never involve only a technical component,
but always also an organisational one, at least in the form of raising the In most cases, cloud providers in Austria conclude contracts based on
awareness of the employees in regard to security, personal data and their own standard contract templates or general terms and conditions.
compliance in general coupled with explaining why the rules are in place Notable exceptions are significantly large users and public enti-
and need to be observed. This is, in practice, one of the bigger hurdles – ties, which usually have their own standard contractual templates or
less so for larger businesses, be they cloud users or cloud providers, but clauses, and tenders, where the patron usually provides the contract as
rather for small and sometimes even medium businesses. Before the part of the tender.

www.lexology.com/gtdt 15
© Law Business Research 2019
 Austria Maybach Görg Lenneis Geréd Rechtsanwälte GmbH

Since most of the international cloud providers also have compa- of protection. These include technical and organisational measures.
nies in Austria, the governing law is usually Austrian law with the venue Thus, in contrast to existing standard clauses, where parties tended to
being the relevant court at the seat of the cloud provider. These clauses consider next to every information ‘confidential’ and simply demanded
also serve to clarify any cross-border issues that may arise from either the recipient to implement ‘at least the same level of protection’, the new
the user and the provider having their seats in different countries or the understanding ties in rather well with the rules of the GDPR demanding
cloud service being provided in multiple countries. appropriate technical and organisational measures. While this does not
Enforceability is not an issue within the EU, due to the cross- prohibit parties from considering every type of information confidential,
border recognition of judgments according to the Brussels I-Regulation it at least helps to clarify which measures of protection can be deemed
(Regulation (EU) 1215/2012). Otherwise, the parties (usually the user) appropriate. In contracts containing an annex listing the technical and
will need to evaluate and decide whether the relevant special rules organisational measures taken for the purposes of data security and
regarding enforceability are simple enough to accept the jurisdiction. protection, those measures are at the same time considered appro-
This being said, not only are alternative means of dispute reso- priate for the protection of the confidential information, unless agreed
lution becoming more and more common in cloud contracts, but also otherwise.
more cooperative approaches are seeing increased use in IT contracts
in general. The aim of those is not to provide alternatives to a state Typical terms covering liability
court, but rather to implement determine a communication system, 20 What are the typical terms of a B2B public cloud computing
which helps the contracting parties to discuss and solve issues before contract in your jurisdiction covering liability, warranties and
they can escalate. provision of service?

Typical terms of service Usually, cloud providers tend to limit their general liability to gross
18 What are the typical terms of a B2B public cloud computing negligence and wilful misconduct and, further to foreseeable and posi-
contract in your jurisdiction covering material terms, such tive damage. This is, however, a limitation quite prevalent in business
as commercial terms of service and acceptable use, and to business contracts. Another often used limitation is to further cap
variation? the liability for gross negligence with an amount tied to the value of
the contract.
Owing to the large number of providers and services, there are not clear While liability for personal injuries cannot be limited by law, this
‘typical’ terms for public business contracts. type of liability is irrelevant for cloud computing contracts in practice.
In general, most SaaS offerings are paid according to the number That being said, Austrian cloud providers in particular are relatively
of users, while the price of IaaS and PaaS usually depends on the generous where their liability for service levels (availability, reaction
amount of data. time, etc) is concerned, often offering penalties if the agreed service
In general, public cloud contracts contain a minimum to modicum levels are either not met or not met after a certain period of time.
amount of service, which can then be expanded either in whole pack-
ages or by purchasing additional modules or services. This helps to Typical terms covering IP rights
meet a large basic demand while still offering standardised upgrade 21 What are the typical terms of a B2B public cloud computing
possibilities. contract in your jurisdiction covering intellectual property
As a rule, public offerings tend to be more restrictive towards rights (IPR) ownership in content and the consequences of
the user, especially regarding rights and liability rather than private infringement of third-party rights?
offerings.
Usually the liability regarding intellectual property rights are divided
Typical terms covering data protection between the cloud provider and the user, depending on who provides
19 What are the typical terms of a B2B public cloud computing which content. Therefore, the cloud provider usually assumes liability
contract in your jurisdiction covering data and confidentiality for any infringement caused by the cloud offering itself, while the cloud
considerations? user assumes liability for infringements caused by the content it stores,
alters or generates using the cloud offering. Both parties guarantee
Typical data protection terms are heavily regulated by the GDPR and reciprocally that they each hold all necessary intellectual property
the DSG. Therefore, cloud providers and their users have relatively rights to provide the service or store, alter or generate the content
little leeway in fleshing out the legal rules. In practice, most of the data respectively.
provisions in cloud and other IT contracts are very similar, with small With regard to the generated content, some SaaS contractually
variations depending on whether the cloud provider or the user has offerings reserve all rights regarding automatically generated content
drafted the contract. based on raw data, for example, graphics, charts or analysis’, granting
A new trend introduced by the GDPR involves annexes with a (as the user merely a right to use the thus generated content for the contrac-
the case may be more or less detailed) list of all technical and organisa- tual purposes. While such provisions have not yet been challenged
tional measures in force at the cloud provider. While such annexes were before court (or at least no relevant decision has been published), it
provided from time to time before, most cloud providers preferred not is doubtful whether they would hold up before judicial scrutiny, as the
to share such information for security reasons. generated content nevertheless also depends on the input and could,
Confidentiality is also ensured contractually by standard clauses, therefore, be qualified as a joint work, to which the cloud provider and
for example, determining what constitutes confidential information cloud user jointly hold all intellectual property rights.
and ensuring access only on a need-to-know basis. A new trend in this
regard is slowly developing due to the transposition of the Trade Secrets
Directive into Austrian law, namely articles 26a to 26j of the Austrian Act
on Unfair Trade Practices (UWG). According to the now legal definition
of a ‘trade secret’ in article 26b UWG, trade secrets not only need to
be confidential and of value, but also subject to appropriate measures

16 Cloud Computing 2020

© Law Business Research 2019
Maybach Görg Lenneis Geréd Rechtsanwälte GmbH Austria

Typical terms covering termination

22 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering termination?

The termination options of cloud contracts greatly depend on the

service in question.
While many public, easy to implement offerings, such as storage or
SaaS solution, allow for flexible conclusion, amendment and termination
of the contract, other, more complex offerings, especially private cloud Árpád Geréd
[email protected]
solutions, provide for a minimum contract term of one or two years,
much depending on any costs of implementation and expected amor-
tisation. Almost all contracts have in common that they automatically Museumstrasse 5
extend rather than end after the end of the minimum contractual term. 1070 Vienna
Today most contracts not only contain detailed provisions on Austria
immediate termination for good cause, but also on procedures to allow Tel: +43 1 997 19 66
the user to export its data from the cloud environment. This includes Fax: +43 1 997 19 66 100
www.mglp.eu
advance warning notifications and, in many cases, even a period of
a few weeks up to a number of months after the effective end of the
contract for which the cloud providers guarantee to keep copies of the
data to ensure proper export and migration. Assistance for this purpose
is usually subject to additional payment. Indirect taxes
Since the entry into effect of the GDPR almost all cloud contracts 25 Outline the indirect taxes imposed in your jurisdiction that
also specifically state the deadline within which the user’s data will apply to the provision from within, or importing of cloud
finally be deleted. computing services from outside, your jurisdiction.

Employment law considerations No special taxes apply to cloud computing offerings in Austria. Rather,
23 Identify any labour and employment law considerations that such offerings are subject to the same taxes, including VAT, as any other
apply specifically to cloud computing in your jurisdiction. service for which Austrian tax law does not provide specific rules.

The most relevant employment law rules relating to cloud computing RECENT CASES
are articles 96 para 3 and 96a ArbVG. These provisions require the
consent of the works council for the implementation of any technical Notable cases
system used to control employees that affects human dignity as well 26 Identify and give details of any notable cases, or commercial,
systems automatically gathering data on the employees ‘that go beyond private, administrative or regulatory determinations within
the general information and prerequisites related to the employee’ as the past three years in your jurisdiction that have directly
well as evaluation systems. Only the consent for the latter two systems involved cloud computing as a business model.
may also be obtained directly from the employees. Due to the rather
broad understanding of the potentially relevant systems, employers In Austria no notable cases or decisions regarding cloud computing
regularly inform works councils of new technologies and works coun- offerings have been published.
cils regularly make use of their rights to information and consultation,
giving them significant practical influence on decisions regarding new UPDATE AND TRENDS
IT solutions in general, including cloud computing. See question 10
for details. Key developments of the past year
27 What are the main challenges facing cloud computing within,
TAXATION from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
Applicable tax rules being developed or are contemplated?
24 Outline the taxation rules that apply to the establishment and
operation of cloud computing companies in your jurisdiction. After the entry into effect of the GDPR, the currently biggest challenge
cloud providers and cloud users are facing is the increased focus of the
Taxation for cloud computing companies in Austria does not follow any data protection authorities on accountability. Thus, where the lenient
special rules. Thus cloud companies are taxed in the same way as any treatment of infringements in 2018 caused many companies to consider
business, and taxation in Austria is first determined by whether the main their implementation of the GDPR rules as future-proof, a sharp increase
seat of the business is in Austria, and if not, on the offerings provided in fines in 2019 is causing a trend to re-evaluate the existing measures.
in Austria. Another open question is the impact of the very recent NIS Act (the
Servers in Austria are usually not considered sufficient legal Austrian transposition of the NIS Directive) on cloud offerings. While,
grounds for taxation, unless they or the data stored on them represents in principle, only binding for providers of critical infrastructure, some
a ‘significant part of the business’. Should this test lead to the taxation cloud providers are nevertheless considered as such. Furthermore,
of a company (be it a cloud provider or cloud user) both in the country decisions and recommendations on best practices are also expected to
of its main seat and those of its servers, the relevant double taxation influence measures taken by providers and users alike.
agreements apply.

www.lexology.com/gtdt 17
© Law Business Research 2019
 Bangladesh
Sharif Bhuiyan and Maherin Khan
Dr Kamal Hossain and Associates

MARKET OVERVIEW government is planning to move to cloud computing ‘G’ (government) to

preserve the country’s sensitive data.
Kinds of transaction According to the Information Security Policy Guidelines, all govern-
1 What kinds of cloud computing transactions take place in ment agencies will be brought under the e-governance framework.
your jurisdiction? Different government ministries or divisions, departments or agencies
and their subordinate bodies have started implementing e-governance.
Users in Bangladesh are able to access all kinds of cloud computing The intention is to improve and ease the government work process and
services including software-as-a-service (SaaS), infrastructure-as-a- to increase the productivity of the government.
service, platform-as-a-service (PaaS) and storage. Most users generally According to the ‘National Information and Communication
use global international cloud providers. Technology Guidelines 2015’, one of the action plans of the government
includes creating data centres to preserve government information and
Active global providers central hosting of e-services.
2 Who are the global international cloud providers active in One of the leading national daily newspapers reported in 2016
your jurisdiction? that the construction of the national data centre (National Tier IV Data
Centre) will be completed by 2017. This US$154- million project is being
Users in Bangladesh are able to access all the global international cloud implemented by Chinese telecom giant ZTE Corporation. ZTE started
providers. building the government-sponsored centre at the Hi-Tech Park in
Kaliakoir, Gazipur. The test run of the data centre, which will preserve
Active local providers all sensitive data of the country, started in February 2018 (www.thedai-
3 Name the local cloud providers established and active in your lystar.net/business/national-data-centre-be-ready-2017-1302760).
jurisdiction. What cloud services do they provide?
Incentives
Some local companies provide cloud computing services. Their services 7 Are there fiscal or customs incentives, development grants
include providing SaaS, PaaS and storage services. or other government incentives to promote cloud computing
operations in your jurisdiction?
Market size
4 How well established is cloud computing? What is the size of The National Information and Communication Technology Guidelines
the cloud computing market in your jurisdiction? 2015 envisages the establishment of software technology parks, hi-tech
parks and ICT incubators. To encourage investment in this sector, the
Cloud computing is still not very established in Bangladesh. We were guidelines also envisage tax holiday and other incentives.
not able to find any reliable market statistics. Under section 46C of the Income Tax Ordinance 1984 (ITO), certain
tax exemptions are available to hi-tech parks, ICT villages or software
Impact studies technology zones and IT parks.
5 Are data and studies on the impact of cloud computing in your
jurisdiction publicly available? LEGISLATION AND REGULATION

We were unable to find any reliable data or studies on the impact of Recognition of concept
cloud computing in Bangladesh. 8 Is cloud computing specifically recognised and provided for in
your legal system? If so, how?
POLICY
Cloud computing is not yet expressly mentioned as a commercial, tech-
Encouragement of cloud computing nological or operational concept in our legal system.
6 Does government policy encourage the development of your
jurisdiction as a cloud computing centre for the domestic
market or to provide cloud services to foreign customers?

The government of Bangladesh is taking various steps to develop the

IT sector in Bangladesh. In 2014, it was reported that the Bangladesh

18 Cloud Computing 2020

© Law Business Research 2019
Dr Kamal Hossain and Associates Bangladesh

Governing legislation Sector-specific legislation

9 Does legislation or regulation directly and specifically 13 Describe any sector-specific legislation or regulation that
prohibit, restrict or otherwise govern cloud computing, in or applies to cloud computing transactions in your jurisdiction.
outside your jurisdiction?
There is no sector-specific legislation that applies to cloud computing
There is no legislation or regulation that directly and specifically transactions in Bangladesh.
prohibits, restricts or otherwise governs cloud computing, in (onshore)
or outside (offshore) Bangladesh. Bangladesh is not part of the EU and, Insolvency laws
as such, EU laws do not have any direct effect in our jurisdiction. 14 Outline the insolvency laws that apply generally or
specifically in relation to cloud computing.
10 What legislation or regulation may indirectly prohibit, restrict
or otherwise govern cloud computing, in or outside your The insolvency laws in Bangladesh do not expressly deal with bank-
jurisdiction? ruptcy of a cloud computing supplier. Therefore, the general bankruptcy
laws would be applicable. Bankruptcy in Bangladesh is primarily
Section 35 of the Bangladesh Telecommunication Regulation Act, 2001 governed by the Bankruptcy Act 1997. The Act makes provision for, inter
(the 2001 Act) sets out the circumstances under which one needs licence alia, the order of preferential payments from the distributable assets
from the Bangladesh Telecommunication Regulatory Commission of the bankrupt, management of distributable assets, appointment of
(BTRC). Section 35 of the 2001 Act, inter alia, provides as follows: receiver and so on.

Requirement for licence for telecommunication, internet etc – DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
(1) Subject to subsection (3), no person shall, without a licence:
(a)  install or operate a telecommunication system in Principal applicable legislation
Bangladesh or undertake any construction work of 15 Identify the principal data protection or privacy legislation
such system; applicable to cloud computing in your jurisdiction.
(b)  provide in Bangladesh or to any place outside
Bangladesh any telecommunication service; There is no specific data protection or privacy legislation applicable
(c)  undertake any construction work for providing to cloud computing contracting or contracts. There are some sector-
internet service or install or operate any apparatus for specific data protection laws. However, these provisions apply generally
such service. and are not limited to cloud computing contracting or contracts.
(Unofficial translation) For example, under the Bank Companies Act 1991, permission from
Bangladesh Bank (the central bank of Bangladesh) would be required
The term ‘telecommunication’ has been defined in section 2(11) of the for a banking company to remove from Bangladesh certain records
2001 Act to mean transmission and reception of any speech, sound, sign, or documents. Bangladesh Bank has issued various guidelines and
signal, writing, visual image or any other intellectual expression by way circulars on cybersecurity and ICT security. These guidelines and circu-
of using electricity or electro-magnetic or electro-chemical or electro- lars set out various requirements that banks and non-bank financial
mechanical energy through cable, pipe, radio, optical fibre or other institutions must adhere to. The Guideline on ICT Security for Banks
electro-magnetic or electro-chemical or electro-mechanical or satellite and Non-Bank Financial Institutions of 2015, for example, sets out the
communication system. minimum requirements to which banks and non-banking financial insti-
Although the aforesaid provisions may be interpreted as indirectly tutions (NBFI) must adhere to (eg, the bank or NBFI, which provides
covering cloud computing, on contacting BTRC on a no-name basis, we payment card services, should implement adequate safeguards to
were informed that cloud computing service does not require a licence protect sensitive payment card data). The banks or NBFIs are required
under these provisions. to ensure that sensitive card data is encrypted to ensure the confidenti-
Bangladesh is not a part of the EU and, as such, EU laws do not ality and integrity of these data in storage and transmission. It also sets
have direct effect in our jurisdiction. out detailed procedure for the security of data centres in which crit-
ical systems and data of a bank or NBFI are concentrated and housed.
Breach of laws Banks or NBFIs are required to establish baseline standards to ensure
11 What are the consequences for breach of the laws directly security for operating systems, databases, network equipments and
or indirectly prohibiting, restricting or otherwise governing portable devices.
cloud computing? In the telecoms sector, operators are required to maintain confi-
dentiality of subscriber information. The Cellular Mobile Phone Operator
Not applicable. Regulatory and Licensing Guidelines 2011 and Regulatory and Licensing
Guidelines for Establishing, Operating and Maintaining 3G Cellular
Consumer protection measures Mobile Phone Services stipulate various conditions in the licences of
12 What consumer protection measures apply to cloud the mobile phone operators. One such condition is subscriber confi-
computing in your jurisdiction? dentiality. Accounting information and user information of subscribers
cannot be transferred to any person or place outside Bangladesh.
There are no specific consumer protection measures that apply to cloud Similar restrictions apply to licensees providing other telecommunica-
computing in Bangladesh. tion services, such as an internet protocol telephony service.
The government has also taken a number of measures to ensure
cybersecurity and information security. For example, the National
Cybersecurity Strategy outlines a framework for organising and
prioritising efforts to manage risks to the cyberspace or critical infor-
mation infrastructure. It outlines minimum-security measures that

www.lexology.com/gtdt 19
© Law Business Research 2019
 Bangladesh Dr Kamal Hossain and Associates

stakeholders must abide by to claim compliance with national cyberse-

curity requirements.
The Information Security Policy Guidelines was issued to help
Dr. Kamal Hossain &
government agencies formulate their own Information Security Policy to Associates
protect their information in the cyberspace (including information that
is moving in the intranet or LAN or in the cloud, or simply stored in an Barristers .Advocates .Leg al Consultants
internal database or in a PC).

CLOUD COMPUTING CONTRACTS Sharif Bhuiyan

[email protected]
Types of contract Maherin Khan
16 What forms of cloud computing contract are usually adopted [email protected]
in your jurisdiction, including cloud provider supply chains (if
applicable)? Metropolitan Chamber Building, 2nd Floor
122-124 Motijheel C/A
There is no specific form of cloud computing contracts. Dhaka 1000
Bangladesh
Typical terms for governing law Tel: +880 2 955 2946/956 4954
17 What are the typical terms of a B2B public cloud computing Fax: +880 2 956 4953
contract in your jurisdiction covering governing law, www.khossain.com
jurisdiction, enforceability and cross-border issues, and
dispute resolution?

Not applicable. Employment law considerations

23 Identify any labour and employment law considerations that
Typical terms of service apply specifically to cloud computing in your jurisdiction.
18 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering material terms, such There are no labour or employment law considerations that apply
as commercial terms of service and acceptable use, and specifically to cloud computing contracting or contracts.
variation?
TAXATION
Not applicable.
Applicable tax rules
Typical terms covering data protection 24 Outline the taxation rules that apply to the establishment and
19 What are the typical terms of a B2B public cloud computing operation of cloud computing companies in your jurisdiction.
contract in your jurisdiction covering data and confidentiality
considerations? There are no specific taxation rules that apply to the establishment and
operation of ‘cloud computing companies’. However, under section 46C
Not applicable. of the ITO, certain tax exemptions are available to hi-tech parks, ICT
villages or software technology zone and IT parks.
Typical terms covering liability Under section 46C(1) of the ITO, income, profits and gains from
20 What are the typical terms of a B2B public cloud computing certain physical infrastructure facilities (including hi-tech parks,
contract in your jurisdiction covering liability, warranties and ICT villages or software technology zones and IT parks) set up in
provision of service? Bangladesh between 1 July 2011 and 30 June 2019 (both days inclusive)
are exempted from the tax payable under the ITO for 10 years beginning
Not applicable. with the month of commencement of commercial operation, and at the
rate, specified below.
Typical terms covering IP rights
21 What are the typical terms of a B2B public cloud computing Period of exemption Rate of exemption
contract in your jurisdiction covering intellectual property For the first and second year 100 per cent of income
rights (IPR) ownership in content and the consequences of
For the third year 80 per cent of income
infringement of third-party rights?
For the fourth year 70 per cent of income

Not applicable. For the fifth year 60 per cent of income

For the sixth year 50 per cent of income
Typical terms covering termination For the seventh year 40 per cent of income
22 What are the typical terms of a B2B public cloud computing For the eighth year 30 per cent of income
contract in your jurisdiction covering termination?
For the ninth year 20 per cent of income
For the tenth year 10 per cent of income
Not applicable.

20 Cloud Computing 2020

© Law Business Research 2019
Dr Kamal Hossain and Associates Bangladesh

Indirect taxes
25 Outline the indirect taxes imposed in your jurisdiction that
apply to the provision from within, or importing of cloud
computing services from outside, your jurisdiction.

Cloud computing services are not expressly provided for in taxation laws.
However, VAT is payable on ‘information technology enabled services’
(service code: S099.10), which includes digital content development and
management, animation (both 2D and 3D), GIS, IT support and software
maintenance services, website services, business process outsourcing,
data entry, data processing, call centre, graphics design, search engine
optimisation, web listing, e-commerce and online shopping, document
conversion, imaging and archiving, any automated services rendered by
internet or electronic network, e-procurement and e-auction.

RECENT CASES

Notable cases
26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
involved cloud computing as a business model.

None.

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

None.

www.lexology.com/gtdt 21
© Law Business Research 2019
 Belgium
Edwin Jacobs, Stefan Van Camp and Bernd Fiten
Timelex

MARKET OVERVIEW over seven years were signed. IBM agreed to implement a cloud infra-
structure to expand ISFF services into new markets and optimise its
Kinds of transaction existing information technology management. In 2018, Belfius Group
1 What kinds of cloud computing transactions take place in and IBM extended their partnership. As a result, a joint venture called
your jurisdiction? PI-Square was founded. The joint venture will perform services exclu-
sively for Belfius Group (source: https://datanews.knack.be/ict/
With regard to public, hybrid and private cloud models: the public nieuws/ibm-en-belfius-verlengen-samenwerking-tot-2023/article-
cloud usage in Belgian companies has grown in the period from 2012 normal-1002527.html).
to 2016, from 6 per cent to 12 per cent to 15 per cent in 2018 . (source:
Cloudmakelaar, http://cloudmakelaar.be/2016/12/meer-dan-de-helft- Active global providers
van-belgische-bedrijfsvestigingen-gebruikt-cloud-applicaties). Hybrid 2 Who are the global international cloud providers active in
clouds are also used, although no exact numbers are available your jurisdiction?
for this specific category (https://belgiumcloud.com/2018/12/24/
de-belgium-cloud-barometer-editie-2018/). These are:
In the public sector, a notable community cloud project is the • Microsoft (61 per cent, source: Beltug, https://www.beltug.be/
development of the G-cloud. This is a voluntary cloud service for all event/61/6256/Microsoft_Azure_populairste_cloudprovider_in_
public sectors and services to centralise public governance in a single Belgie/);
cloud. The G-cloud is a hybrid cloud, with the possibility of offering • Amazon (35 per cent);
infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and • Google (16 per cent) (Gmail, Google Drive, Google Docs, Google+,
software-as-a-service (SaaS). For the development and functioning of search engine);
the G-cloud, the government uses private cloud providers, such as IBM, • HP;
Microsoft and Oracle. • IBM;
Of the companies that use cloud services (see question 4), the • LaCie;
following percentages apply. Storage cloud services are the most used • NetApp;
cloud service employed by Belgian companies (71 per cent). Next to • Oracle;
storage services, e-mail services through the cloud are also strongly • Salesforce; and
represented in the Belgian economy (71 per cent). With regard to SaaS, • Zenith.
software tools for managing finance and accounting (41 per cent in
2018), standard office software (59 per cent in 2018), and customer Active local providers
relationship management (CRM) (40 per cent in 2018) are commonly 3 Name the local cloud providers established and active in your
used in Belgium. Regarding IaaS the most used applications are hosting jurisdiction. What cloud services do they provide?
services for company databases ( 55 per cent in 2018) https://ec.europa.
eu/eurostat/statistics-explained/index.php?title=File:Use_of_cloud_ • Acerta (SaaS for payroll and other HR services);
computing_services_in_enterprises,_2018.png), processing power for • Adc Antwerp (tier 3 data centre);
proprietary company software (31.8 per cent). • ADMB (SaaS for payroll and other HR services);
Of all e-banking and e-learning solutions, almost 94 and, respec- • Amplidata (storage facilities);
tively, 80 per cent are cloud solutions. HR solutions take third place, of • Arxus (hosting services);
which almost 40 per cent is a cloud-based solution (https://belgium- • Attentia (SaaS for payroll and other HR services);
cloud.com/2018/12/24/de-belgium-cloud-barometer-editie-2018/). • Calligo (IaaS, SaaS, PaaS);
In HR, cloud solutions are often offered by social secretariats such as • Combell (hosting services);
Partena, Attentia, SD Worx, Xerius and Securex. • CRM-Warehouse (cloud integrators);
Regarding notable cloud transactions, the Belgian bank Belfius • First Served (hosting services);
relies on the company Genesys to provide workforce management tools, • Groep S (SaaS, PaaS for payroll and other HR services);
which stem from cloud-based solutions. • Impro Biz (implementation of salesforce CRM);
Another notable cloud transaction was announced in 2013. IBM • Informat (SaaS for school administration);
signed an agreement with Belgian bank Dexia and several major finan- • Isabel (SaaS for e-banking);
cial institutions in Europe to build and manage their IT infrastructure. An • LCL (tier 3 data centre);
IBM company called Innovative Solutions for Finance (ISFF) was desig- • Nucleus (cloud hosting services);
nated for this, and sourcing contracts for a total value of US$1.3 billion • Partena (SaaS for payroll and other HR services);

22 Cloud Computing 2020

© Law Business Research 2019
Timelex Belgium

• Protime (SaaS for workforce management); past three months, 38 per cent have used cloud storage facilities for
• Proximus (XaaS private, public or hybrid cloud services); private purposes (in 2018) (source: FPS Economy, https://economie.
• SAAS45 Channel (SaaS); fgov.be/nl/themas/online/telecommunicatie/cloudcomputing). This
• SaaSForce (cloud services distributor – SaaS); percentage does not differ much from the years before according to the
• SAP (PaaS for app development); same source. It is also close to the European average of 37 per cent.
• SD Worx (SaaS for payroll and other HR services); If we look at the difference between men and women, we see a small
• Securex (SaaS for payroll and other HR services); difference. Men make slightly more use of cloud storage facilities for
• Systemat (local cloud integrator); private purposes than women. It is not entirely clear what the reason
• Telenet (PaaS); for this difference is.
• UnifiedPost (Saas);
• Xaop (system integration in the cloud); Impact studies
• ZapFi (OTT Wi-Fi cloud platform); and 5 Are data and studies on the impact of cloud computing in your
• Cloudmakelaar (http://cloudmakelaar.be/wp-content/uploads/ jurisdiction publicly available?
2017/12/CSP-catalog-2017_v2.pdf).
Cloud computing communities such as Belgium Cloud bring out reports
Market size about the state of cloud computing in Belgium from time to time. The
4 How well established is cloud computing? What is the size of Belgium Cloud community has published several studies on the impact
the cloud computing market in your jurisdiction? of cloud computing in Belgium – for example, the ‘Belgium Cloud
Barometer – Editie 2018’ (https://belgiumcloud.com/2018/12/24/
We have found that the figures on the adoption rate of cloud computing de-belgium-cloud-barometer-editie-2018/). Also, there are other
services vary depending on the source. Possible reasons for this are studies or barometers conducted by non-governmental actors such as
that it is not always clear what exactly is defined as a cloud solution and Computer Profile and Cloudmakelaar (‘Dit is de toestand van de Cloud
how the figures were collected and analysed. anno 2018 in België’ (https://cloudmakelaar.be/2018/03/dit-is-de-
With regard to professional cloud computing use, 40.2 per cent toestand-van-de-cloud-anno-2018-in-belgie/) or IT companies such as
of the enterprises in Belgium used cloud computing services in 2018 Christiaens.
according to Eurostat (source: Eurostat, https://ec.europa.eu/eurostat/
statistics-explained/index.php/Cloud_computing_-_statistics_on_the_ POLICY
use_by_enterprises#Types_of_cloud_computing:_public_and_private_
cloud). This figure has been rising for a number of years now and it is Encouragement of cloud computing
significantly higher than the European Union average of 26.2 per cent. 6 Does government policy encourage the development of your
According to the FPS Economy, the use of cloud computing jurisdiction as a cloud computing centre for the domestic
services varies strongly in Belgium depending on the size of the enter- market or to provide cloud services to foreign customers?
prise: 76 per cent of larger companies (ie, 250 employees or more) use
cloud computing services in Belgium, while only 49 per cent of smaller Yes, through the creation of, among others, Digital Belgium. This action
companies (ie, 10 to 249 employees) use cloud computing services plan establishes a long-term vision for the digital economy in Belgium
(source: FPS Economy, https://economie.fgov.be/nl/themas/online/ and aims to place Belgium in the top three of the European Digital
telecommunicatie/cloudcomputing). Economy and Society Index by 2020. Additional goals are the creation
Belgium Cloud is an independent group of Belgian entrepreneurs of 1,000 new enterprises and 50,000 new jobs across all sectors, also by
that brings together ICT experts to share and exchange information and 2020 (source: Digital Belgium, http://digitalbelgium.be/en).
expertise about the cloud and cloud computing. This group of experts Wallonia attempts to attract big players such as Microsoft and
is housed at Beltug. According to their research, there seemed to be a Google through attractive research grants and further investigation into
stagnation in the use of SaaS in 2014 and 2016, but an increase was subsidising (done by AWEX). As a consequence, Google built its first data
again noted in 2018. According to their most recent report, 64 per cent centre outside of the US in Mons (Wallonia) in 2015 (source: Wallonia,
of corporate establishments in Belgium use cloud applications (source: www.wallonia.be/en/news/google-inaugurates-second-data-center-
Belgium Cloud, https://belgiumcloud.com/2018/12/24/de-belgium- mons). In 2018, NRB Group’s new data centre in Villers-le-Bouillet, a
cloud-barometer-editie-2018/ ). In 2010, the adoption rate of cloud new shared data centre established by a joint venture between NRB
solutions in Belgium was a mere 13 per cent. and Etix Everywhere, was put into operation. The project offers more
Furthermore, the use of cloud computing differs greatly from and secure computing space to increase the capabilities of NRB’s hybrid
region to region in Belgium. A 2015 report by cloud service provider cloud strategy (source: NRB, https://www.nrb.be/en/about/news/
Aspex shows that the familiarity rate of SMEs with the cloud is high inauguration-belgiumdc-nrb-s-new-data-centre-minister-p-y-jeholet).
in Brussels (with 53 per cent of respondents claiming familiarity with In the public sector, a notable government initiative is the commu-
cloud computing) while Flanders and Wallonia have low familiarity nity cloud project ‘G-cloud’. This is a voluntary cloud service for all
rates of 20 per cent and 26 per cent, respectively (source: Aspex, http:// public sectors and services to centralise public governance in a single
blog.aspex.be/nl/zijn-er-nog-belgen-in-de-cloud). These figures have cloud. The G-cloud is a hybrid cloud, with the possibility of offering IaaS,
also increased according to a 2017 study conducted by Computer PaaS and SaaS. For the development and functioning of the G-cloud,
Profile. This study shows that cloud penetration in the Flanders region the government uses private cloud providers, such as IBM, Microsoft
totalled 72 per cent, followed by the Brussels region with 58 per cent. and Oracle (source: G-Cloud, www.gcloud.belgium.be/nl/index.html).
Lastly, the Wallonia region only counts a penetration rate of 44 per The Belgian eHealth platform (see also question 13) makes use of
cent (source: Belgium Cloud, https://belgiumcloud.com/2018/12/24/ the G-cloud API Gateway as transaction platform (source: https://
de-belgium-cloud-barometer-editie-2018/). www.gcloud.belgium.be/nl/downloads/asset/b56a4c30fcc00e16969b-
With regard to individual cloud computing use, a study of the infor- bad3ce87c87eb8d4891e/eHP%20temoignageGcloud_nl_290618.pdf/
mation society in Belgium has been conducted. This research shows application%252Fpdf). The eHealth platform is a Belgian federal govern-
that, of all Belgian individuals that have used the internet over the ment institution that offers an electronic platform where all parties

www.lexology.com/gtdt 23
© Law Business Research 2019
 Belgium Timelex

involved in public health (healthcare providers, institutions, health 10 What legislation or regulation may indirectly prohibit, restrict
insurance funds, patients) can exchange information, including personal or otherwise govern cloud computing, in or outside your
data, in a secure and efficient manner. jurisdiction?

Incentives In addition to the previous question, there is also Belgian legislation

7 Are there fiscal or customs incentives, development grants applicable to cloud computing services that may indirectly prohibit,
or other government incentives to promote cloud computing restrict or otherwise govern cloud computing services.
operations in your jurisdiction? This kind of legislation includes, first of all, legislation on data
protection, such as the European General Data Protection Regulation
The Microsoft Innovation Centre (MIC) Flanders aims to stimulate (GDPR) which is directly applicable since 25 May 2018. A cloud provider
the development of Information and Communication Technology will typically act as a processor of personal data, which means that a
in the Flanders region. One of their programs is a Microsoft Azure data processing agreement has to be concluded.
Developer Camp. Here, companies can discover the possibilities of Also, legislation on outsourcing in the financial sector in the Law of
developing an app in the cloud through Microsoft Azure with the goal 11 March 2018 (replacing the Law of 21 December 2009) on the statute
of improving, strengthening or changing their corporate projects and supervision of payment institutions and the institutions for elec-
and methods (source: Microsoft, https://mva.microsoft.com/en-US/ tronic currencies, the access to the company of the payment services
training-courses/transforming-it-infrastructure-services-with-azure-at- provider and the activity of issuance of electronic money and the access
microsoft-18474?l=PqWWJPMVF_1612263987). to payment systems, may affect cloud computing services. In this regard,
Also, Flanders offers some fiscal incentives that promote cloud cloud computing services are subject to the same principles as tradi-
computing activities by both Belgian and foreign companies, such as a tional outsourcing in the financial sector. However, cloud computing is
deduction of innovation income up to 85 per cent, an investment deduc- not directly addressed by the Law of 11 March 2018, but the National
tion for R&D projects and an exemption of payment of 80 per cent of Bank of Belgium (NBB) stated in its communication of 9 October 2012
the personal income withholding tax of researchers in certain scien- that cloud computing is considered as a type of outsourcing.
tific fields (source: Flanders, https://www.flandersinvestmentandtrade. The same communication of the NBB states that the circulars
com/invest/en/sectors/digital-society/cloud-computing). dealing with outsourcing, which establish rules on good practices,
will remain applicable. Subsequently, the communication states that,
LEGISLATION AND REGULATION in principle, there is no prior authorisation by the NBB required for
outsourcing (in contrast to De Nederlandsche Bank in the Netherlands:
Recognition of concept see www.dnb.nl/nieuws/dnb-nieuwsbrieven/nieuwsbrief-banken/nieu-
8 Is cloud computing specifically recognised and provided for in wsbrief-banken-februari-2015/dnb319119.jsp). Nevertheless, the NBB
your legal system? If so, how? emphasises that it should be informed in advance on how these rules
on good practices will be applied in practice (see circular PPB 2004/5
Yes, since the transposition of the NIS Directive (see below). Also, refer- on healthy management practices in outsourcing by credit institutions
ence should be made to contract law, to specific rules on data protection and investment companies, issued by the Belgian Banking, Finance
(see question 15) and to the system of liability of data storage service and Insurance Commission on 22 June 2004, available at www.nbb.
providers (see question 10). be/doc/cp/nl/ki/circ/pdf/ppb_2004_5_circular.pdf, and circular PPB
2006/1 CPA on healthy management practices in outsourcing by insur-
Governing legislation ance companies, issued by the Belgian Banking, Finance and Insurance
9 Does legislation or regulation directly and specifically Commission on 6 February 2006, available at www.nbb.be/doc/cp/nl/vo/
prohibit, restrict or otherwise govern cloud computing, in or circ/pdf/ppb_2006_1_cpa_circular.pdf). Recently, the NBB has issued
outside your jurisdiction? a new circular (NBB_2019_19) implementing the guidelines issued by
the European Banking Authority (EBA) on outsourcing. These guide-
Yes, the European Directive (EU) 2016/1148 on security of network and lines will apply from 30 September 2019 and clarify the NBB’s approach
information systems (the NIS Directive) defines the notion of ‘cloud with regard to less significant institutions, non-EEA branches, payment
computing service’ for the first time. Pursuant to article 4(19) of the and electronic money institutions. From 31 December 2021, when this
NIS Directive, a cloud computing service is a digital service that enables circular becomes applicable to all outsourcing agreements, circulars
access to a scalable and elastic pool of shareable computing resources. PPB_2004/5 and NBB_2018_20, communication NBB_2012_11 and the
The NIS Directive was adopted by the European Parliament CBFA communication of 5 November 2007 will no longer be applicable.
on 6 July 2016, and has been transposed into Belgian legislation. The Belgian Civil Code contains provisions on service contracts
Consequently, the Belgian Law of 7 April 2019 does mention and define (article 1779 ff). These provisions may be relevant for cloud computing
cloud computing services (source: E-Justice, www.ejustice.just.fgov. services. Other relevant legislation is to be found in the Belgian Code of
be/cgi/article_body.pl?language=nl&caller=summary&pub_date=19- Economic Law, which contains provisions on distance contracts (Book VI
05-03&numac=2019011507). Providers of cloud computing services and Book XIV) and information society services, which also contains
(granting access to a scalable and elastic pool of scalable computer provisions on the liability of data storage service providers (Book XII), as
capacity) that process personal data are obliged to appoint a data well as new provisions introduced by the Law of 4 April 2019 in Book VI of
protection officer. this Code concerning unfair clauses in a B2B relationship that may create
an imbalance between the rights and obligations of contracting parties
and the abuse of a dependency between the parties. The latter law may
have an impact on liability clauses and clauses concerning unilateral
modification of contracts that are common in cloud computing contracts.
Article XII.19 of the Code of Economic Law states that where an
information society service is provided that consists of the storage of
information provided by a recipient of the service, the service provider

24 Cloud Computing 2020

© Law Business Research 2019
Timelex Belgium

is not liable for the information stored at the request of a recipient of the Breach of laws
service, on the condition that the provider does not have actual knowl- 11 What are the consequences for breach of the laws directly
edge of illegal activity or information and, as regards damage claims, or indirectly prohibiting, restricting or otherwise governing
is not aware of facts or circumstances from which the illegal activity or cloud computing?
information is apparent; or the provider, upon obtaining such knowledge
or awareness, acts expeditiously to remove or to disable access to the The consequences for breach of the laws directly or indirectly prohib-
information, provided that he or she immediately communicates this to iting, restricting or otherwise governing cloud computing depend on the
the Public Prosecutor. law that was infringed.
Additionally, criminal law provisions in the Belgian Criminal Code The GDPR contains some penal provisions in articles 83-84
and the Code of Criminal Proceedings may also indirectly prohibit, meaning that member states should give data protection authorities,
restrict or otherwise govern cloud computing services in Belgium. This such as the Belgian Data Protection Authority (replacing the Belgian
includes, for example, a provision on the search in computer systems Privacy Commission), the competence to impose administrative fines
which can be extended to a computer system or a part thereof that is on non-compliant companies. If the organisation falls within the scope
located in another place other than the place where the search takes of the Belgian Act of 30 July 2018 on the protection of individuals with
place (article 39-bis, article 88-ter and 88-quater). regard to the processing of personal data, the administrative sanctions
It should also be noted that other Belgian legislation may, whether and criminal sanctions provided for in that Act are also possible (arti-
or not implicitly, require that certain data remains within the jurisdiction cles 221–230).
of Belgium, such as article 14 of the Law of 8 August 1983 establishing In the financial sector, payment institutions are subject to super-
a National Register of natural persons. However, with regard to the vision by the NBB, and the NBB may, in certain cases, withdraw the
free flow of data across member states within the European Union, the licence of a payment institution. That could be the case with the violation
legality or applicability of this kind of data localisation legislation may of circulars about outsourcing.
be uncertain in the future. Regarding distance contracts and information society services, it
Other legislation worth mentioning is the Belgian Income Tax Code is worth mentioning that the Belgian Code of Economic Law contains
(article 315) and the Law of 13 June 2005 on electronic communications, a Book XV on legal enforcement. Unfair clauses or clauses based on
which contains provisions i.a. on the principles applicable to the confi- abuse of an economic dependency, in B2B or B2C relationships, may be
dentiality of communications. declared null and void. However, in a B2B context there is new legis-
In the health sector, the Coordinated law of 10 July 2008 on hospi- lation that has not been applied yet by courts and it is unclear which
tals and other care facilities was amended in such a way that it does course will be followed by case law.
not anymore indirectly prohibit the use of cloud computing services by
hospitals. Article 20 section 1 of the Coordinated law of 10 July 2008 now Consumer protection measures
states that the patient file must be kept ‘by’ the hospital, and no longer 12 What consumer protection measures apply to cloud
‘in’ the hospital. After that, the FPS Public Health has drafted guidelines computing in your jurisdiction?
on this matter which were approved by the Belgian Privacy Commission
(now called the Belgian Data Protection Authority) in Opinion 04/2015 of As regards consumer protection measures applicable to B2C cloud
25 February 2015 (available at www.privacycommission.be/sites/priva- computing services in Belgium, it should be noted that cloud computing
cycommission/files/documents/advies_04_2015.pdf). contracts are generally concluded over the internet, which means that
The Belgian eIDAS law, implementing the eIDAS Regulation (EU) those contracts are distance contracts.
910/2014 on electronic identification and trust services for electronic The European Directive 2011/83/EU on consumer rights (the
transactions in the internal market, may also have indirect conse- Consumer Rights Directive) establishes rules on distance selling, which
quences for cloud computing in Belgium. It governs, in particular, is transposed into Belgian legislation. The transposition of the provi-
electronic archiving, which can be very relevant for cloud computing, sions of the Capital Requirements Directive can be found in Book VI
but it contains also rules on electronic registered mail, electronic seals, of the Belgian Code of Economic Law. These provisions may also be
electronic signatures, websites authentication, trust service providers applicable to cloud contracts. Consequently, in some cases, the right of
and electronic identification schemes. withdrawal for 14 days may have to be taken into account for the conclu-
It should also be noted that the Belgian Data Protection Authority sion of certain cloud computing contracts. However, in some cases, the
mentions on its website that the Authority is preparing two docu- right of withdrawal related to service contracts may be excluded (article
ments on cloud computing: an opinion on ‘the risks and deployment of VI.53 Code of Economic Law).
unfolding the cloud strategy at the level of public services, including the The European Regulation (EU) 1215/2012 on jurisdiction and the
Federal Police and Defence’ and a recommendation on cloud computing recognition and enforcement of judgments in civil and commercial
targeting companies. The public sector opinion will enable public author- matters (Brussels I-bis) implies that a consumer may bring proceed-
ities to make an informed decision about how to use cloud computing to ings against the cloud service provider (CSP) to a contract either in the
perform their tasks. The private sector opinion will include legal guide- courts of the member state in which the CSP is domiciled or, regard-
lines, as well as information security guidelines. Among other things, less of the domicile of the CSP, in the courts for the place where the
the issue of server locations will be discussed. In addition, the Authority consumer is domiciled. The Belgian Code of International Private Law of
will determine who is responsible for processing for each stage where 16 July 2004 is in accordance with the Brussels I-bis Regulation.
data is placed ‘in the cloud’ (source: Belgian Data Protection Authority, Pursuant to the European Regulation (EC) 593/2008 on the law
https://www.gegevensbeschermingsautoriteit.be/cloud-computing). applicable to contractual obligations (Rome I), a B2C cloud computing
Since these opinions are not yet available, it is not yet clear whether contract will be governed by the law of the country where the consumer
this will indirectly restrict cloud computing services in Belgium. has his or her habitual residence, provided that the CSP pursues his or her
commercial or professional activities in the country where the consumer
has his or her habitual residence, or by any means, directs such activities
to that country or to several countries including that country, and the
cloud computing contract falls within the scope of such activities.

www.lexology.com/gtdt 25
© Law Business Research 2019
 Belgium Timelex

Sector-specific legislation The termination of the bankruptcy procedure can only be ordered
13 Describe any sector-specific legislation or regulation that by the court at the request of the insolvency administrator.
applies to cloud computing transactions in your jurisdiction. Traditionally, source code escrow agreements are used to protect
software licensees against the bankruptcy of licensors. It is generally
In the public sector, the Law of 21 August 2008 established the eHealth considered, however, that this practice is less interesting in the frame-
platform in Belgium. One of the tasks assigned to the eHealth platform work of SaaS contracts. In some circumstances, it can still be helpful
is to check whether software packages for managing electronic patient to obtain the source code, if it is possible to deploy the software on a
files comply with the established ICT-related functional and technical different system than the system provided by the SaaS CSP. In such a
standards, specifications, and to identify these software packages. case, it is possible that stored data must be migrated as well.
Cloud service providers have to comply with certain requirements, such
as security and privacy standards. DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
In Opinion 04/2015 of 25 February 2015, the Belgian Privacy
Commission also stated that the choice for a community or private cloud Principal applicable legislation
does not necessarily provide more safeguards than a public cloud in 15 Identify the principal data protection or privacy legislation
terms of a better protection of personal data. Regardless of the type applicable to cloud computing in your jurisdiction.
of cloud, the focus should be on effective data protection safeguards,
according to the Privacy Commission. The Belgian Privacy Act of 8 December 1992 (as subsequently amended
In the financial sector, the implementation of the European Directive and further implemented by the Royal Decree of 13 February 2001),
2014/65/EU on markets in financial instruments (the MiFiD Directive) which was the transposition into national law of the European Data
has led to some operational requirements with respect to investment Protection Directive 95/46/EC is replaced by the Belgian Data Protection
firms and regulated markets, which also affect their ability to employ Act of 30 July 2018 on the protection of individuals with regard to the
subcontracting or outsourcing services, including for ICT services such processing of personal data (http://www.ejustice.just.fgov.be/cgi_loi/
as cloud computing (see above). loi_a.pl?N=&=&sql=(text+contains+(%27%27))&rech=1&language=nl&t
ri=dd+AS+RANK&numero=1&table_name=wet&cn=1992120832&calle
Insolvency laws r=image_a1&fromtab=wet&la=N&pdf_page=10&pdf_file=http://www.
14 Outline the insolvency laws that apply generally or ejustice.just.fgov.be/mopdf/2018/09/05_1.pdf). The main source of
specifically in relation to cloud computing. privacy legislation applicable to cloud computing services in Belgium is
the GDPR supplemented by the Belgian Data Protection Act. Other EU
On 1 May 2018, new insolvency legislation entered into force in Belgium. instruments may also have an impact, such as the European Directive
A new Book XX was added to the Belgian Code of Economic Law. A CSP 2002/21/EC (Framework Directive) and Directive 2002/58/EC (ePrivacy
can be declared bankrupt by the commercial court if three conditions Directive).
are met, namely: the CSP is engaged in commercial activities, the CSP
has suspended payments to its creditors, and is no longer creditworthy, CLOUD COMPUTING CONTRACTS
and so the CSP will continue not to meet its obligations to creditors. If
those three conditions are met, the CSP will formally be declared bank- Types of contract
rupt by a bankruptcy judgment of the business court. 16 What forms of cloud computing contract are usually adopted
With regard to the fate of contracts concluded before the date of in your jurisdiction, including cloud provider supply chains (if
the bankruptcy (which are not terminated by the judgment declaring the applicable)?
bankruptcy), Book XX article 139 provides that the insolvency adminis-
trator may terminate those contracts unilaterally when the management Cloud computing contracts can be focused on the processing of data
of the estate necessarily requires this and that such a decision may not residing in the cloud, or can be regarded as contracts of the SaaS
affect the rights in rem of third parties against the estate. The contracts category, involving the online operation of applications of all kind,
are not automatically terminated unless a termination clause explicitly including more and more business-critical applications such as enter-
states so. prise resource planning programmes and supply chain and logistics
The bankruptcy judgment is published in the Belgian State Gazette, management, asset management and asset maintenance, workflow
as well as in two regional papers. The judgment appoints the insolvency management, human resources, CRM, among others.
administrator (the receiver), who will perform his or her duties under
the general supervision of a supervisory judge, and the judgment also Typical terms for governing law
provides the term for creditors to declare their claims to the insolvency 17 What are the typical terms of a B2B public cloud computing
administrator and the court (with a maximum period of 30 days). This contract in your jurisdiction covering governing law,
declaration is necessary for all creditors who wish to assert claims jurisdiction, enforceability and cross-border issues, and
against the CSP. dispute resolution?
Subsequently, the insolvency administrator has to decide in
due time whether to continue performing the valid cloud computing B2B public cloud computing contracts are often made by international
contracts. The customer can demand the insolvency administrator to service providers, who include governing law and jurisdiction of their
decide on whether to perform the contract, and if the insolvency admin- home state, or may include international arbitration. Belgian service
istrator does not decide within 15 days from the date of that demand, the providers often include an arbitration clause indicating specialized
cloud computing contract is considered terminated. Belgian arbitration forums as competent for claims. Some contracts
It is also worth mentioning that there is a ranking of the claims that contain dispute resolution clauses that set forth an escalation of
are duly declared. All estate debts and creditors having the benefit of disputes up to the level of the executive board of the parties, and if this
security interest and privileges will be satisfied first. Then the remaining does not result in a positive outcome, then arbitration, court procedures,
assets of the CSP will be distributed by the insolvency administrator or mediation by an external third person are possibilities. With respect
among the unsecured creditors, who rank pari passu. to enforceability, salvation clauses normally foresee that clauses that

26 Cloud Computing 2020

© Law Business Research 2019
Timelex Belgium

would be invalid or unenforceable, will be automatically adapted in a Typical terms covering liability
way that remains as close as possible to the intended meaning of the 20 What are the typical terms of a B2B public cloud computing
relevant clause. contract in your jurisdiction covering liability, warranties and
provision of service?
Typical terms of service
18 What are the typical terms of a B2B public cloud computing Every cloud contract contains some kind of limitation of liability for any
contract in your jurisdiction covering material terms, such damage caused by the service; liability for consequential and other
as commercial terms of service and acceptable use, and indirect damages are usually excluded and direct damages are usually
variation? limited (often referring to the fee paid for the service as the limitation for
damage in the aggregate).
If implementation services are involved, a separate price is foreseen for Damage caused by intentional fault or fraud cannot be limited
the implementation service, and this will be paid according to milestones, nor excluded by law. Although the possible liabilities of the customer
where the acceptance of the delivered service will oblige the customer to are often considered as less likely, many contracts will balance the
pay the relevant price. The operational cloud service is typically paid as a customer’s liability in a similar way. Indemnities are usually provided
subscription, with annual, trimestral or monthly payments, typically paid as a safe harmless clause when a customer is confronted with a claim
up front. The price can be based on the allowed number of users or the of a third party for infringement of its intellectual property rights. The
used volume or number of transactions. The cloud contracts normally customer can be liable for infringement on third party’s rights based on
include an acceptable use policy, providing suspension and possibly infringing applications provided by the service provider, and in that case
even termination of the contract if the use policy is not respected. the service provider will take control of legal proceedings or negotia-
Because the cloud service is often a one-to-many relationship, the tions and will not hold the customer liable for damages.
service provider is practically obliged to include a variation clause in the In the direct relationship between a data controller and his or her
contract, enabling him or her to modify the service unilaterally when this customer, liability for breach of the data protection rules cannot be
is needed to provide an acceptable service. To balance the rights of the limited. Similarly, when the customer has a direct claim against a data
customer, such clause will provide a termination right of the customer processor (eg, the CSP) based on a breach of these rules, his or her
with an acceptable notice period if he or she does not agree, especially liability cannot be limited. It is, however, accepted that between a data
when the cost of the service is increased or certain functionalities are controller and his or her CSP (acting as data processor), the liability can
lost. New legislation concerning abusive clauses in a B2B context may be limited even for damage caused by breach of the data protection rules.
have an impact on such variation clauses (see above). SLAs are becoming a normal standard of cloud contracts, guar-
anteeing the availability of the service, timely response of a helpdesk
Typical terms covering data protection and performance levels. The levels can be negotiated by the customer
19 What are the typical terms of a B2B public cloud computing unless the service is standard for many customers: in which case, the
contract in your jurisdiction covering data and confidentiality SLA is a take-it or leave-it matter. SLAs are not always sanctioned by
considerations? financial penalties; however, financial service credits are increasingly
applied when the service levels are not met by the provider.
Cloud contracts will contain a description of the data centre, the commu- A normal cloud contract should contain clear explanation and
nication lines and the security provisions protecting the communication warranties regarding business continuity and disaster recovery (eg,
and safety of the data. Data are usually located in a data centre provided through replication of data or applications to spare servers); specific
by the service provider or by one of his or her suppliers. Customers that key performance indicators can be set forth to cover maximum loss of
are well aware of the risks will ask for service levels that are included data packages and the time needed to be up again after a shutdown.
in a service-level agreement (SLA) with clear levels and financial sanc- Damages for loss of data are often excluded as damage compensation.
tions (credits). Regarding data security, the service provider will usually
provide encryption and access management, authorisation methods; Typical terms covering IP rights
more and more the compliance with industry standards is demon- 21 What are the typical terms of a B2B public cloud computing
strated through certificates. contract in your jurisdiction covering intellectual property
When personal data is involved, the requirements will at least allow rights (IPR) ownership in content and the consequences of
compliance with the legal and sectoral standards for data protection. infringement of third-party rights?
In that case, customers require a warranty that data remain located in
servers in the EU territory. If data must be transferred to, or used from, The intellectual property rights of the applications involved in SaaS
third countries such as the US, the European compliance measures agreements or similar contracts remain with the provider of the cloud
must be respected. Before the GDPR, clauses regarding the notification service; this is usually the case for developed interfaces and specific
of data breaches were not very common, but this has changed since the adaptations as well. Data and other content that is created by the
GDPR. General awareness about the risk of breaches on privacy has customer usually belongs to the customer. The service provider’s right
increased. to use such data for statistical purposes or for service improvement, or
The ownership of business data is often specified in a contract, and for other uses, are more and more explicitly safeguarded or, inversely,
may have an impact on the possibilities of a SaaS provider to make limited. Most contracts contain a provision that warrants the return of
use of business data of customers (eg, for statistical use or for service data during the course of, or after the termination of, a cloud contract.
improvement). Depending on the concrete circumstances, a customer When the cloud service is endangered because of infringement
may seek to limit such right (eg, if he or she believes that the busi- of third-party rights by the applications of the service provider, the
ness data could be abused or could be used in a competitive context). contract clauses usually state that the service provider has the right to
Similarly, the right to obtain the data after the termination of the contract apply the appropriate remedy chosen by him or her, such as the adap-
is a critical issue and should be warranted by contract, whether or not at tation or replacement of infringing code, and if that is not feasible, the
a cost price, and whether or not through migration obligations that must termination of the contract with a partial refund of any upfront payment
be executed by the cloud service provider. of fees. Damage compensation is usually excluded or at least limited.

www.lexology.com/gtdt 27
© Law Business Research 2019
 Belgium Timelex

Typical terms covering termination other electronic device’ and some of the obligations have been made
22 What are the typical terms of a B2B public cloud computing to apply even if the data is stored abroad. The intention was to extend
contract in your jurisdiction covering termination? the scope to cloud solutions (source: https://www.iba-boekhouding.be/
wp-content/uploads/2019/06/de-fiscus-op-bezoek_0.pdf).
B2B cloud computing contracts usually have a rather short applicability
period (typically of one year, automatically renewable unless terminated Indirect taxes
by either party before the anniversary date of the contract). If an impor- 25 Outline the indirect taxes imposed in your jurisdiction that
tant investment was involved, such a contract can be agreed for three apply to the provision from within, or importing of cloud
years, but usually not longer. computing services from outside, your jurisdiction.
Termination for no cause will always take a notice period into
consideration that is sufficient for both parties to find an alternative The VAT imposed on cloud computing services follows the standard
contract partner. Termination for cause, on the other hand, is foreseen Belgian tariff of 21 per cent for goods and services that do not fall under
in the case of material breach, usually after a grace period of one month, the exhaustively determined categories of goods and services which
and in cases of bankruptcy and insolvency procedures. have a reduced tariff of 12 per cent or 6 per cent. Cloud computing
The retention and return of data is of utmost importance in case of services also do not fall within the limited category of goods and
termination and is usually foreseen, although any assistance with data services that are exempted from VAT. More information on the place
migration can be subject to an additional payment. The service provider of the provision of electronic services to persons who are not liable
will usually not provide a retention right for himself or herself, unless in to VAT can be found here: https://financien.belgium.be/sites/default/
case of non-payment of service fees where it might be used as a pres- files/downloads/electronic-services-en.pdf.
sure mechanism
RECENT CASES
Employment law considerations
23 Identify any labour and employment law considerations that Notable cases
apply specifically to cloud computing in your jurisdiction. 26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
In some cases, outsourcing of a company’s IT department may be seen the past three years in your jurisdiction that have directly
as the transition of a corporate entity. In that case, the provisions of involved cloud computing as a business model.
collective labour agreement No. 32-bis could be applicable (available at
www.cnt-nar.be/CAO-COORD/cao-032-bis.pdf). Announced in 2013 – but still ongoing – is the already mentioned IBM
agreement with several major European financial institutions to build
TAXATION and manage their IT infrastructure through ISFF, which was desig-
nated for this (see question 1). The total value of the deal amounts to
Applicable tax rules US$1.3 billion over seven years. IBM will set up a cloud infrastructure
24 Outline the taxation rules that apply to the establishment and so that ISFF can expand services into new markets and optimise its
operation of cloud computing companies in your jurisdiction. information technology management. In April 2018, IBM and Belfius
announced a multi-million euro extension of their existing technology
There are no specific fiscal rules that apply to the establishment and services agreement until the end of 2023.
operation of cloud computing companies in Belgium. Instead, the same Arguably the most important and notable case of cloud computing
taxation regime as for other digital service providers – and indeed, for within Belgium was the establishment of the G-cloud. As noted before,
companies in general – is maintained. Important in the context of cloud this is a community cloud project initiated by the government. G-cloud is
computing, however, is that these rules may require that data is held at a voluntary cloud service for all public sectors and services to centralise
all times within the jurisdiction of Belgium. Two separate regimes must public governance in a single cloud. Furthermore, it is a hybrid cloud,
be differentiated. with the possibility of offering IaaS, PaaS and SaaS. For the development
Article 60 of the VAT Code discusses record-keeping concerning and functioning, the government uses private cloud providers such as
invoices and equivalent documents (such as credit notes) for any IBM, Microsoft and Oracle (source: G-cloud, www.gcloud.belgium.be/nl/
taxpayer (meaning both natural and legal persons). Documents can be index.html).
stored wherever the taxpayer wishes, yet they must be made available NRB, the third-largest ICT service provider in Belgium, signed an
whenever the tax administration so requests. If the storage does not agreement with IBM. NRB’s Intelligence self-service platform works as
guarantee complete and online access, then mandatorily the invoices a ‘cloud broker,’ which advises the customer about the managing and
must be stored in Belgium. At all times, and regardless of the format, processing of his or her data, either in a private cloud, a public cloud or
the authenticity, integrity and legibility of the invoices must be ensured. a combination of the two (source: https://www.nrb.be/nl/over/nieuws/
Article 315 of the Income Tax Code also applies to all taxpayers and nrb-maakt-sprong-naar-grensverleggend-cloud-computing-dankzij-
determines that accounting books and support documents of accounting partnerschap-met-ibm).
entries must be kept on record if they can help determine the amount
of taxable income. They must be kept at the disposal of the tax admin-
istration in the office, agency, branch or other professional or private
premises of the taxpayer where they have been kept, prepared or sent.
Subject to an exception that may be granted, the books and records may
be kept in another place, provided that immediate access to the books
and records can be granted or that such documents can be provided on
short notice in case of unannounced control. The taxation rules have
been amended over the years, in particular by the Programme Law of
1 July 2016. The words ‘computer system’ have been replaced by ‘any

28 Cloud Computing 2020

© Law Business Research 2019
Timelex Belgium

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

The Belgian law of 7 April 2019 that implements the NIS directive is Edwin Jacobs
[email protected]
a recent framework law that still needs concrete secondary legisla-
tion specifying the obligations of the organisations targeted by this Stefan Van Camp
legislation. Cloud service providers can be seriously impacted by the [email protected]
requirements, even if the cloud service is provided on a limited scale. Bernd Fiten
For example, under the current wording of the law cloud service [email protected]
providers are required to appoint data protection officers if they process
personal data, even if the service is very limited. Furthermore, the EU
Joseph Stevensstraat 7
Cybersecurity Act (Regulation 2019/881 of 17 April 2019), providing
1000 Brussels
a cybersecurity certification framework for IT services, will have an
Belgium
impact that must be closely monitored.
Tel: 0032 2 893 20 95
The recent law of 4 April 2019 on unfair clauses and abuse of an Fax: 0032 2 893 22 98
economic dependency in B2B relationships may result in the invalidity www.timelex.eu/en
of some typical clauses currently found in cloud computing contracts
(eg, concerning limitation of liability and unilateral variations of the
contract). It will be necessary to follow up on case law that will apply
the legislation in a more or less rigorous or realistic manner.

www.lexology.com/gtdt 29
© Law Business Research 2019
 Brazil
José Mauro Decoussau Machado, Ana Carpinetti and Gustavo Gonçalves Ferrer
Pinheiro Neto Advogados

MARKET OVERVIEW certain ministries, agencies, institutes and others), and was awarded a
29.9 million reais contract.
Kinds of transaction Telecommunications companies, such as Vivo (controlled by
1 What kinds of cloud computing transactions take place in the Spanish group Telefónica), also provide storage services to their
your jurisdiction? customers.

Cloud computing is a reality in Brazil in various industry sectors and Market size
businesses. Cloud computing services and business models include the 4 How well established is cloud computing? What is the size of
offering of cloud-based storage solutions, software-as-a-service (SaaS), the cloud computing market in your jurisdiction?
infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), cloud-
related consultancy and other services, and both the private sector and Brazil is already a large market for cloud providers, with its figures
public entities take part in contracting cloud-based solutions. drastically increasing each year.
According to a 2018 research developed by Logicalis (www. According to a recent research by Citrix (referenced in this article:
la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snap- https://computerworld.com.br/2018/08/30/brasil-ampliara-investi-
shot_2018_web.pdf), the private cloud model was adopted by mento-em-cloud-em-linha-com-cenarios-futuros/ and https://exame.
60 per cent of companies, while 53 per cent used the public model and abril.com.br/negocios/dino/us-43-bilhoes-de-um-lado-us-93-bilhoes-
31 per cent used a hybrid solution. Hybrid solutions were expected to de-outro-cloud-e-seguranca-destacam-empresas-brasileiras/), 57 per
reach 64 per cent by the end of 2018. cent of Brazilian companies already adopt cloud computer solutions for
their businesses. Moreover, 74 per cent of Brazilian companies intend to
Active global providers invest in cloud technologies in the near future and to integrate services
2 Who are the global international cloud providers active in and applications to a cloud in the next three years.
your jurisdiction? The International Data Corporation estimated that, in 2017, invest-
ment in the cloud computing sector reached approximately US$20
The most relevant worldwide cloud service providers already have billion (https://exame.abril.com.br/negocios/dino/us-43-bilhoes
local presence or operations aimed at Brazilian customers including, -de-um-lado-us-93-bilhoes-de-outro-cloud-e-seguranca-destacam-
for example, Microsoft, Oracle, Verizon, SAP, IBM, Google, AWS and empresas-brasileiras/).
Capgemini. According to a 2019 study published by the Brazilian Association
Some international providers offer cloud-based products or of Software Companies (ABES) (http://central.abessoftware.com.br/
licences to Brazilian customers or companies through local subsidiaries Content/UploadedFiles/Arquivos/Dados%202011/ABES-EstudoMercad
or partners. Local entities are used by major international providers for oBrasileirodeSoftware2019.pdf), the public cloud market in Brazil was
marketing purposes or for maintenance and implementation, while the expected to reach US$2.3 billion and grow 35.5 per cent per year until it
cloud products or licences are actually provided by foreign entities of reaches US$5.8 billion in 2022.
the same economic group. However, a portion of Brazilian companies still do not completely
Apple and telecommunications companies, such as Vivo and Claro, trust the security of the cloud computing model and fear being
also provide cloud storage services in a business-to-consumer model. dependent on a service provider (lock-in). They view the quality of tele-
communications infrastructure as a limitation for adopting cloud-based
Active local providers solutions (www.la.logicalis.com/globalassets/latin-america/advisors/
3 Name the local cloud providers established and active in your pt/_it_snapshot_2018_web.pdf).
jurisdiction. What cloud services do they provide?
Impact studies
Apart from the local entities of international groups, the number 5 Are data and studies on the impact of cloud computing in your
of Brazilian cloud providers is increasing each year. These compa- jurisdiction publicly available?
nies include Locaweb, Cloud2Go, Tivit, Mandic, Primesys (owned by
Embratel/Claro, a telecommunications company currently owned by the Publicly available research on the impact of cloud computing in
Mexican company América Móvil), Uol Diveo, Binario Cloud, BRCloud, Brazil is primarily developed by private entities, with a few exceptions
Globalweb, which offer cloud-based services, consultancy services published by the government. A recent study by Logicalis (a private
and some of which use their partners’ servers to provide services. consulting entity) predicts an optimistic future for the IT market (www.
In January 2019, Primesys/Embratel won a public bidding to provide la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snap-
cloud-related services to several entities of the government (including shot_2018_web.pdf).

30 Cloud Computing 2020

© Law Business Research 2019
Pinheiro Neto Advogados Brazil

According to this research, half of the Brazilian companies that The Ministry of Economics issued this April 2019 Normative
were interviewed have IT solution budgets 14 per cent higher in 2018 Instruction No. 1/2019, which sets forth rules for the contracting of
than 2017, while 34 per cent of companies expect to keep the same level information and communication technology solutions by certain public
of investment as 2017. entities. This Normative Instruction provides that, if public entities need
The Brazilian Association of Software Companies – ABES also to create, improve or renew their datacentre infrastructure, they should
publishes studies with overviews and trends for the Brazilian software opt for cloud computing, unless such option is not viable according
market that contains data about cloud-based solutions. The last edition to pre-contractual studies. This means that even the government is
of such study was published in 2019 with data from 2018 (http://central. favouring cloud computing services in lieu of other solutions.
abessoftware.com.br/Content/UploadedFiles/Arquivos/Dados%20
2011/ABES-EstudoMercadoBrasileirodeSoftware2019.pdf). LEGISLATION AND REGULATION

POLICY Recognition of concept

8 Is cloud computing specifically recognised and provided for in
Encouragement of cloud computing your legal system? If so, how?
6 Does government policy encourage the development of your
jurisdiction as a cloud computing centre for the domestic There is no express reference to cloud computing in Brazilian federal
market or to provide cloud services to foreign customers? laws. However, the Brazilian Central Bank issued Resolution No. 4,658
on 26 April 2018, which sets forth requisites for processing and storing
The government is taking steps to encourage the development and data and for cloud computing solutions for information collected by
dissemination of new technologies, including cloud computing. One initi- financial institutions (see question 13).
ative is a federal programme called the Strategic Program for Software Although there are no laws referencing cloud computing, the
and IT Services. Information Security Cabinet of the President’s Office and the Ministry
The government issued a statement in 2012 stating that it planned of Planning, Budget and Management (which is now part of the Ministry
to invest 486 million reais in this sector alone (40 million real only for of Economics) issued in 2018 and 2016, respectively, a complemen-
start-ups and 446 million reais for companies that develop software tary norm and a general guideline with norms and best practices to
for certain industries) and, in 2014, six major technology companies be followed by federal entities in contracting cloud computing services.
entered into memoranda of understanding with the Ministry of Science, Cloud computing is defined in such documents as a computational model
Technology and Innovation to instal research and development centres that allows access on-demand, independently of where it is located, to
in Brazil. computational resources (network, servers, hosting, applications and
Other government programmes, such as ‘Brasil Mais TI’, are also services) provided and made available with minimal management
targeted at developing its students’ IT-related skills, including those efforts or interactions with the service provider.
related to programming, the internet and cloud. The Ministry of Economics also issued in April 2019 Normative
Additionally, in 2016, the federal government published a guide Instruction No. 1/2019, which provides that certain public entities must
to assist public bodies in contracting cloud computing services favour cloud-based services for their datacentre infrastructure, and
(www.governodigital.gov.br/documentos-e-arquivos/Orientacao%20 explicitly references the President Office’s complementary norm indi-
servicos%20em%20nuvem.pdf). This guide included recommendations cated above.
for data to be kept on Brazilian territory and for the adoption of a hybrid There are federal laws that apply specifically to internet opera-
cloud solution for cases that do not compromise national security. tions and to data protection, which impact cloud computing and their
The fact that a public bid was opened in 2018 and, in January 2019, providers.
resulted in the award of a 29.9 million reais agreement to a private The Brazilian Civil Rights Framework for the Internet (Federal Law
company to provide cloud services to several government agencies also No. 12,965/2014 (the MCI)), which was further regulated by Federal
reflects the fact that public authorities may shift their focus to cloud- Decree No. 8,771/2016, provides for principles, rights and obligations
related services in the coming years. regarding the use of the internet in Brazil, and sets forth obligations for
internet connection and application providers, which are relevant for
Incentives cloud computing solutions in general.
7 Are there fiscal or customs incentives, development grants Recently, the Brazilian General Data Protection Act (Federal Law
or other government incentives to promote cloud computing No. 13,709/2018 (the BR GDPA)) was sanctioned and will come into force
operations in your jurisdiction? in August 2020. The BR GDPA will apply irrespective of industry or busi-
ness when personal data is collected or processed. Among other norms,
Currently, there are no specific fiscal or customs incentives for cloud it provides for user consent for the collection, processing and transfer
computing in Brazil. Nor is there a definition on which tax is applicable of data (with specific provisions pertaining cross-border transfer), data
– if ICMS (a VAT-like tax) should apply, which is collected by Brazilian security and data breaches, sensitive personal data and situations for
states, or if ISS (service tax) should apply, which is collected by Brazilian ceasing the processing of data.
municipalities.
If the service tax ends up prevailing, then there is an indirect incen- Governing legislation
tive for cloud service providers to be located in the Brazilian territory (ie, 9 Does legislation or regulation directly and specifically
a local entity as the cloud provider) since the amount of taxes applicable prohibit, restrict or otherwise govern cloud computing, in or
to providers located abroad are significant for importation of services. outside your jurisdiction?
After there is a definition on which tax is applicable to cloud
computing solutions, it is very likely that Brazilian states (in case of Brazilian legislation does not directly and specifically prohibit or restrict
VAT-like tax) or municipalities (in the case of service tax) will create tax cloud computing services, either in or outside Brazil.
incentives to bring service providers to their locations. In 2018, the Brazilian Central Bank issued Resolution No. 4,658,
See questions 24 and 25 for more tax-related information. which provides for precautions to be taken by financial institutions in

www.lexology.com/gtdt 31
© Law Business Research 2019
 Brazil Pinheiro Neto Advogados

contracting cloud services and for the responsibility of such institutions offender and the principle of proportionality between the severity of the
for the reliability, integrity, availability, security and confidentiality of offence and the intensity of the penalty; and suspension or prohibition of
the contracted cloud services. The financial institution must notify the the activities pertaining to the collection, storage or processing of logs,
Central Bank prior to contracting the services and certain requirements personal data or communications.
must be met for the cloud service to be rendered abroad. Apart from administrative fines that may be imposed according to
See questions 8 and 10 for information on norms applicable to the MCI, courts can impose fines for non-compliance with preliminary
cloud computing and internet-based services. injunctions or final decisions ordering the removal of content or the
producing of data. There is no limit on such penalties, which are set by
10 What legislation or regulation may indirectly prohibit, restrict judges on a case-by-case basis. Courts may also award damages if the
or otherwise govern cloud computing, in or outside your company fails to obey the court order to remove the content.
jurisdiction? If the company does not take down a specific content after a court
order, this could be considered a crime of ‘disobedience’ (article 330
The MCI provides for rights and obligations for different stakeholders on of the Brazilian Criminal Code), the penalty for which is 15 days’ to six
the internet and sets forth parameters for the protection of user data. months’ imprisonment (for officers or administrators) and a fine. The
The MCI is applicable to internet connection and application providers risk of criminal liability is higher in matters involving criminal organisa-
in general. It provides for a vague and broad definition of internet appli- tions or child pornography.
cation providers (‘a set of features that might be accessed through a Regarding infringements to the provisions of the BR GDPA, in addi-
computer connected to the internet’), which potentially makes cloud tion to liability for moral and material damages, data-processing agents
computing services and their providers subject to such legislation. are subject to the following administrative sanctions: warning with a
General requirements are related to the following obligations and deadline implementing corrective measures; fine of up to two per cent
provisions: of the revenues earned by the legal entity, group or conglomerate in
• access logs data retention by internet application providers; Brazil in the preceding year, net of taxes, capped at 50 million reais per
• users’ rights in connection with personal data; offence; daily fine, subject to the cap referred to above; disclosure of
• agreement provisions that might be considered void under the offence after the occurrence thereof having being investigated and
Brazilian law; confirmed; blocking of the personal data to which the offence refers,
• obligation to provide information on data processing activities; until the processing activity is regularised; and deletion of the personal
• data request by Brazilian authorities; and data related to the infringement.
• liability for content created by third parties.
Consumer protection measures
The BR GDPA will be applicable irrespective of industry or business 12 What consumer protection measures apply to cloud
when it comes to the processing of personal data. Among other norms, computing in your jurisdiction?
it provides for user consent for the collection, processing and transfer
of data (with specific provisions pertaining cross-border transfer), data Legal consumer relations in Brazil are regulated by Law No. 8,078/1990
security and data breaches, sensitive personal data and situations for (the Consumer Protection Code or CDC), which governs all consumer
ceasing the processing of data. relationships, including cloud computing products or services where
It is also worth mentioning Federal Decree No. 9,637/2018, which there is a supplier on one side and a consumer on the other side.
disciplined the National Information Security Policy and created the ‘Consumer’ for this purpose is defined as any individual or legal entity
Information Security Management Committee, a government body that that acquires or uses products or services as an end user.
advises the Institutional Security Cabinet of the President’s Office in The CDC protects consumers and, in general, its language allows
information security-related matters. consumers to file claims against companies involved in the supply
chain. If an entity is not directly responsible for damage suffered by
Breach of laws the consumer, such company may seek the amount paid by it to the
11 What are the consequences for breach of the laws directly consumer from the other liable company.
or indirectly prohibiting, restricting or otherwise governing The CDC sets forth a 30-day or 90-day deadline for the consumer
cloud computing? to file a suit pertaining to a defective product or service and a five-year
period for damages caused to the consumer’s physical or mental health.
According to the MCI, if an internet application provider (in which cate- The supplier (where the consumer is an individual) cannot disclaim
gory cloud computing providers are included) fails to comply with a or limit its liability for product or service defects, and all contractual
take-down order issued by a court (or with an extrajudicial letter sent clauses with this language will be null and void. The agreement also
by an affected party in case of pornography or sexual content), it may be cannot include clauses impairing, disclaiming or mitigating obliga-
held liable for content created by third parties. Thus, the MCI established tions to indemnify. There is no legal restriction on the warranty term
a safe harbour for such situations, by which an application provider is apart from the 30-day or 90-day terms counted from the delivery of
not held liable before it is notified either by a party or by a judge. the product or from the rendering of the service, by any contractual
If the application provider fails to comply with a court order or warranty must be clear, precise and additional to the legal warranty.
extrajudicial letter, it would likely be sentenced to pay an indemnifica- The CDC also provides for a right to regret, by which consumers
tion for material or moral rights to the aggrieved party, depending on have the prerogative to return a product or a service contracted outside
the facts of the case (there are several types of content that may be the point of sale within seven days of delivery. Currently, this rule
deemed unlawful under Brazilian law, the most common types being applies to purchases made through the internet, where the consumer
defamation, racism, child pornography, bullying, rights of publicity and has no physical contact with the product or service.
other personality rights). Choice of foreign law and arbitration or foreign venue clauses in
The MCI also provides for penalties of warning; administrative fines consumer contracts are usually held null and void by Brazilian courts,
of up to 10 per cent of the income of the economic group in Brazil, net especially small claims courts, because they tend to complicate the
of taxes, to be calculated according to the economic condition of the consumer’s pursuit of his or her rights. However, in a 2018 decision,

32 Cloud Computing 2020

© Law Business Research 2019
Pinheiro Neto Advogados Brazil

the Superior Court of Justice considered that the nullity of a choice of DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
venue clause (where the elected venue was a different city of the same
Brazilian state) was contingent on the proof of harm to the consumer’s Principal applicable legislation
ability to claim his or her rights. 15 Identify the principal data protection or privacy legislation
applicable to cloud computing in your jurisdiction.
Sector-specific legislation
13 Describe any sector-specific legislation or regulation that The BR GDPA is the main norm to be applicable (after August 2020) to
applies to cloud computing transactions in your jurisdiction. any personal data processing activity in Brazil. It will create a robust
legal landscape for personal data processing and will strengthen data
The Brazilian Central Bank issued Resolution No. 4,658 on 26 April 2018, subjects’ rights in relation to their personal data. It applies irrespective
which sets forth requisites for processing and storing data and for of industry or business when it comes to the processing of personal
cloud computing activities related to information collected by financial data. Among other norms, it provides for user consent for the collec-
institutions. tion, processing and transfer of data (with specific provisions pertaining
Resolution No. 4,658/18 sets forth that the outsourcing of relevant cross-border transfer), data security and data breaches, sensitive
data processing, storage and cloud computing services must be commu- personal data and situations for ceasing the processing of data.
nicated in advance by the financial institution to the Central Bank. Such It also provides to the implementation of controlled processes to
communication must comprise the name of the service provider, the ensure data subjects’ rights, such as the rights to access, correction,
service being outsourced and the indication of the countries where the anonymisation, blocking, deletion and portability of personal data, as
services may be rendered and the data may be stored and processed. well as provide for the possibility of creation of several documents by
The financial institution contracting cloud services must imple- companies, including privacy policies, consent forms, internal manuals,
ment procedures to verify the service provider’s ability (companies that agreements with data operators and companies with whom it shares
offer cloud computing, data storage and processing services to financial collected personal data, documentation supporting cross-border trans-
institutions) to ensure: fers of personal data and impact assessment reports.
• compliance with prevailing laws and regulations; Additionally, there are provisions of the MCI and the Federal
• the institution’s access to the data and information to be processed Decree No. 8,771/2016 that are applicable to data processing in general,
or stored by the service provider; including cloud computing providers. Such provisions include obli-
• the confidentiality, integrity, availability and recovery of data and gations to keep access logs for a minimum period of time; to obtain
information being processed or stored by the service provider; consent for the processing of personal data (and such processing must
• the service provider’s adherence to certifications required by the be adequate and clear); to use the data only for the purposes that justify
institution for outsourcing of the corresponding services; its collection; and to delete the collected personal data as soon as its
• the institution’s access to reports prepared by an independent processing is finished.
expert audit company hired by the service provider concerning the General provisions provided by sparse laws may also be applicable
controls and procedures being adopted for outsourced services; depending on the issue involved (eg. for consumer relationships, the
• the availability of management information and resources compe- Consumer Protection Code will apply).
tent for monitoring the outsourced services;
• the identification and segregation of data belonging to the institu- CLOUD COMPUTING CONTRACTS
tion’s clients, via physical or logical controls; and
• the quality of access controls targeted at protecting the data and Types of contract
information referring to the institution’s clients. 16 What forms of cloud computing contract are usually adopted
in your jurisdiction, including cloud provider supply chains (if
For contracts with entities of the public administration regarding applicable)?
services related to datacentre infrastructure, there are rules favouring
the contracting of cloud-based solutions, as mentioned in ques- There are a few main forms of cloud computing contracts usually adopted
tions 7 and 8. in Brazil: infrastructure-as-a-Service (IaaS, where the contracting party
seeks to rent IT infrastructure usually for the processing, storing or
Insolvency laws transferring of data); platform-as-a-Service (PaaS, mainly for developing,
14 Outline the insolvency laws that apply generally or delivering and managing software applications); and Software-as-a-
specifically in relation to cloud computing. Service (SaaS, for a wide range of activities, including communications,
collaboration, productivity, customer management, taxing and account
There are no insolvency laws in the Brazilian legal system that apply activities etc).
specifically to cloud computing. The general provisions governing
liquidation and recovery in insolvency proceedings are provided for in Typical terms for governing law
Federal Law No. 11,101/2005 (the Insolvency Act). 17 What are the typical terms of a B2B public cloud computing
The Insolvency Act sets forth which credits or creditors have prec- contract in your jurisdiction covering governing law,
edence over others in insolvency or credit recovery, and a Brazilian jurisdiction, enforceability and cross-border issues, and
customer seeking to enforce rights against an insolvent cloud computing dispute resolution?
provider would have to follow the regular procedures, being in general
a regular creditor (unless there is a specific guarantee with respect to In B2B contracts, parties are generally free to choose the applicable
the services provided). Micro or small companies, for instance, have law and to elect a venue for dispute resolution. When the parties to
certain benefits (representation in general meetings, for example) and the contract are all Brazilian entities, the governing law and the venue
their credits come before general unprivileged credits. chosen for dispute resolutions are usually Brazilian.
When the cloud computing provider is not a Brazilian entity (eg,
when the provider does not have operations in Brazil or when its local

www.lexology.com/gtdt 33
© Law Business Research 2019
 Brazil Pinheiro Neto Advogados

entity is only for marketing, implementation or maintenance), the parties cover a substantial amount of the damage caused by a provider to the
may negotiate different applicable law and dispute resolution clauses, contracting party.
including foreign law and foreign courts or arbitration tribunals. Finally, the CDC (which may apply to agreements entered into by
However, the MCI provides that, in adhesion agreements, where legal entities) provides that, although any clause that limits the respon-
the terms of the agreement are standard and the contracting party is sibility of the supplier for damage caused to individual consumers will be
not able to negotiate its clauses, any foreign forum selection clause for null, this is not the case for consumer relationships where the consumer
disputes arising out of services rendered in Brazil will be null and void. is a legal entity and there is justification for the limitation of liability.
Under the CDC, a company could be considered a consumer if it
acquires the product or service as an end user and it is vulnerable when Typical terms covering IP rights
compared with the supplier of products or services, so the CDC may 21 What are the typical terms of a B2B public cloud computing
also apply in B2B contracts. In this case, any provision that limits or contract in your jurisdiction covering intellectual property
impairs the consumer’s pursuit of rights (such as the election of foreign rights (IPR) ownership in content and the consequences of
law or foreign courts or arbitration) is likely to be considered null and infringement of third-party rights?
void by Brazilian courts.
Cloud computing agreements usually provide that there will be no
Typical terms of service transfer of ownership and that all intellectual property will be held by
18 What are the typical terms of a B2B public cloud computing the party who owns it in the first place.
contract in your jurisdiction covering material terms, such This means that the cloud computing provider will keep all intellec-
as commercial terms of service and acceptable use, and tual property related to the provision of services and to the technology
variation? related to the services, and the customer will keep all intellectual prop-
erty on the content that it provides for the services to be rendered (for
In general, cloud computing services are paid for on a monthly basis, example, the content uploaded to a cloud storage).
and prices can be either a fixed amount or an amount according to the It is also common to include in contracts clauses by which the
volume of use (eg, the amount of data stored or processed). The agree- customer declares that it is responsible for the content that it provides
ments may include regular monetary adjustments according to national for the rendering of services, and that it shall not infringe any third-
inflation indexes. party rights (eg, that the customer will not keep infringing material in
Service level agreements are also common, and they usually cloud storage).
provide for minimum efficiency levels and discounts or penalties in case In the case of third-party intellectual property infringement, the
such levels are not met. parties usually agree that the infringing party will indemnify the other
in case it is held liable.
Typical terms covering data protection Also common is the inclusion of clauses by which the customer
19 What are the typical terms of a B2B public cloud computing declares to be responsible for any content that it uploads to or create
contract in your jurisdiction covering data and confidentiality in the cloud. This is supported by a safe harbour provision of the MCI
considerations? according to which an application provider (ie, the cloud provider) will
only be liable in the civil sphere for damages caused by content created
Cloud computing contracts usually cover security measures applicable by third parties (ie, customers) if it fails to remove such content after a
to data, especially personal data collected by a party. These security specific court order, to the extent technically possible, or after received
measures may comprise data isolation, minimum standards and param- notice, in case of sexual-related content. Copyright infringement is not
eters, encryption and backups. explicitly covered by the MCI provision until a specific legal provision
Some companies provide in their contracts that the data will be is passed.
kept in servers in Brazilian territory (which may be a requirement for
public contracting entities). Typical terms covering termination
After the MCI, companies have been including consent clauses in 22 What are the typical terms of a B2B public cloud computing
their agreements to support their collection and processing of personal contract in your jurisdiction covering termination?
data. This will be strengthened and more detailed in contracts until
August 2020, when the BR GDPA enters into force and the companies’ Termination clauses depend on the nature of services being rendered.
practices will need to comply with its provisions, so changes to the While certain agreements allow for any party to terminate at any time,
standard cloud computing agreements are expected by then. others may provide for predetermined agreement terms or extension
cycles (eg, one-year terms extendable for successive one-year terms)
Typical terms covering liability with certain periods for termination notices (eg, at least 30 days before
20 What are the typical terms of a B2B public cloud computing the end of the current term). In this situation, there could be penalties
contract in your jurisdiction covering liability, warranties and where the agreement is terminated early or not in accordance with the
provision of service? procedure set forth in the termination clause.
Typically, termination clauses cover the return or destruction of the
Parties are generally free to negotiate clauses covering liability, data provided by the customer under the agreement in a safe manner
warranties and provision of service. Thus, liability or indemnification to ensure that no data will be lost or unduly breached by third parties,
caps are common, as well as warranties for the rendered services and and confidentiality terms will apply to both parties for an indefinite or
service level agreements with a minimum level of service to be met by limited amount of time.
the provider. The MCI obliges all internet application providers (and such defini-
If the clauses are abusive, especially if the contracting party tion comprises cloud computing providers) to keep internet application
is vulnerable and not able to negotiate the contract terms (eg, in the access logs for a minimum of six months, and some companies include
case of an adhesion contract), they could be considered null and void this data retention in their agreements to inform their customers about
in litigation. This could be the case for small liability caps that do not this legal obligation.

34 Cloud Computing 2020

© Law Business Research 2019
Pinheiro Neto Advogados Brazil

The BR GDPA provides that personal data should be deleted after It is currently not clear which tax should apply to such digital activi-
its processing purpose has been reached, with a few exceptions, which ties, fuelled by a dispute between Brazilian states and municipalities,
include transfer to third parties and exclusive use of anonymised data. because ICMS is collected by the former and ISS by the latter.
This matter can be included in a termination clause in case the cloud Specifically regarding SaaS activities, the Tax Authorities of the
computing provider wishes to use data after the termination of the municipality of São Paulo published Normative Ruling No. 1/17 stating
agreement, provided that all limitations under the BR GDPA are met. that SaaS activities are subject to ISS based on item 1.05 (software
licensing) of the list of services of Complementary Law 116/2003.
Employment law considerations In this same Normative Ruling, authorities also recognised the
23 Identify any labour and employment law considerations that hybrid nature of SaaS activities and, consequently, the possibility of it
apply specifically to cloud computing in your jurisdiction. encompassing additional services classified on items 1.03 (indicated
above) and 1.07 (technical support in IT, including the installation,
There are no specific labour laws applicable to cloud computing. configuration and maintenance of computer programs and databases).
If, in a specific contractual situation, cloud computing is considered The consumption taxes mentioned above are applicable if the
as not a mere provision of services but as an outsourcing of the work- service is provided from within or imported from outside.
force for the contracting party, then certain labour laws could apply. In
this case, if the cloud computing provider fails to pay its employees their RECENT CASES
wages and benefits, the contracting party could be held responsible and
be obliged to fulfil such labour law obligations. Notable cases
26 Identify and give details of any notable cases, or commercial,
TAXATION private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
Applicable tax rules involved cloud computing as a business model.
24 Outline the taxation rules that apply to the establishment and
operation of cloud computing companies in your jurisdiction. In September 2018, Engineering do Brasil, SAP and Google Cloud
announced a commercial partnership to promote innovative solutions
Cloud computing providers are subject to the corporate income tax and using artificial intelligence, machine learning and cloud computing.
the social contribution on net profits at the joint rate of 34 per cent, These three companies are working on an artificial intelligence that
as well as the contribution to the profit participation programme (PIS) assists other companies in managing their tax obligations. For this
and the social security financing (COFINS), at 9.25 per cent (over total project, the objective is to integrate the technologies provided by Google
revenue) under the non-cumulative regime or 3.65 per cent under the Cloud and SAP with Engineering do Brasil’s tax expertise.
cumulative regime. Another notable commercial partnership was entered into in 2017
Based on the nature of cloud services, revenues should be subject by Microsoft and Infraero, a state-owned organisation responsible for
to the non-cumulative PIS and COFINS regime with the application of managing Brazilian commercial airports. Both companies developed
the 9.25 per cent rate and the possibility of using credits. a cloud-based corporate social network to unite employees of the
If the cloud services are imported from outside, remittances are Brazilian company. The network aims to improve the communication
subject to the withholding tax at a 15 per cent rate (or 25 per cent, if and collaboration between Infraero teams and directors.
the beneficiary is located in a tax haven jurisdiction). Tax authorities The Brazilian Central Bank is also interested in regulating and
have recently manifested themselves, when analysing the taxation of incentivising cloud computing technologies, which is evident from
remittances related to the resale of SaaS, that such remittances should this year’s issuance of Resolution No. 4,658 and from the creation of
be classified as technical services subject to the federal contribution a Technological Financial Innovation Lab, coordinated by the Central
(CIDE) at a 10 per cent rate, and to the PIS/COFINS at the combined Bank, which has AWS, IBM, Microsoft and Oracle (relevant companies in
9.25 per cent rate. the provision of cloud computing services) as supporters.
In January 2019, Primesys/Embratel was awarded, after a bid
Indirect taxes in which numerous Brazilian and foreign companies participated, an
25 Outline the indirect taxes imposed in your jurisdiction that agreement with the public administration for the rendering of cloud
apply to the provision from within, or importing of cloud computing services. The value of the contract is 29.9 million reais.
computing services from outside, your jurisdiction. In April 2019, the Ministry of Economics issued a Normative
Instruction setting forth rules for the contraction of information tech-
The most relevant analysis from a Brazilian tax perspective is whether nology solutions by public entities. Among several provisions, there
cloud computing services are subject to ICMS or to ISS (service tax). is one by which cloud computing must be favoured for the creation,
Both ISS and ICMS are consumption taxes. improvement or renewal of datacentre infrastructure, unless it is not a
ICMS is assessed over the sale of goods and the provision of viable option according to technical studies.
communication and transport services. Recent modifications in the
legislation regulated the procedures for charging ICMS for transactions
related to digital goods.
ISS, in turn, is a service tax assessed over any service (except
those subject to ICMS) as long as the service is provided for in a list of
services attached to Complementary Law 116/2003.
Item 1.03 of Complementary Law 116/2003 includes processing,
storage of hosting of data, texts, images, videos, web pages, apps,
information systems, among other forms, and congeners in the list
of services taxed by ISS, and these activities are at the heart of cloud
computing.

www.lexology.com/gtdt 35
© Law Business Research 2019
 Brazil Pinheiro Neto Advogados

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

Currently, one of the main challenges for cloud computing providers José Mauro Decoussau Machado
[email protected]
(and for companies in general) in Brazil is conforming to its business
practices according to obligations and customer rights set forth in the Ana Carpinetti
BR GDPA, which, in many cases, involve costly and comprehensive [email protected]
adaptations and investments in security measures. This will be either Gustavo Gonçalves Ferrer
facilitated or complicated after the effective creation of the Brazilian [email protected]
Data Protection Authority, which shall have the power to enact specific
norms and guidelines to supplement the general rules of the BR GDPA
Rua Hungria 1100
and to create additional obligations on companies of specific sectors.
São Paulo 01455-906
Also challenging is the decision as to which consumption tax should
Brazil
apply to digital or cloud services, whether ICMS or ISS (see question 25),
Tel: +55 11 3247 8400
since Brazilian states and municipalities still do not agree and tend to Fax: +55 11 3247 8600
tax companies according to their local rules. www.pinheironeto.com.br

36 Cloud Computing 2020

© Law Business Research 2019
France
Olivier de Courcel and Stéphanie Foulgoc Féral-Schuhl/Sainte-Marie
Alain Recoules Arsene Taxand

MARKET OVERVIEW Active local providers

3 Name the local cloud providers established and active in your
Kinds of transaction jurisdiction. What cloud services do they provide?
1 What kinds of cloud computing transactions take place in
your jurisdiction? While the principal global providers are dominant players on the market
for both the software-, platform- and infrastructure-as-a-service activities,
The official statistics define ‘cloud computing’ as the IT services used in France this market includes pure players such as OVH and Outscale
on the internet to access a software, processing power or a storage (IaaS and PaaS) as well as providers integrating both public and private
capacity and that include all the following characteristics: cloud services offerings such as Atos, Orange, Capgemini and Sopra Steria
• to be delivered from IT servers operated by service providers; (www.usinenouvelle.com/article/atos-tire-30-de-son-chiffre-d-affaires-
• to be easily increased or decreased; 2018-du-digital-pas-assez-pour-dynamiser-sa-croissance/). As there are
• once installed, to enable use without the need for human contact numerous providers active in France, some of them can be found among
with the provider; and the members of the EuroCloud association (www.eurocloud.fr/adher-
• to be payable either by the user or depending on the capacity used ents/) (SaaS, PaaS) or of the Cloud Infrastructure Services Providers in
or to be prepaid. Europe association (CISPE: https://cispe.cloud/publicregister) (IaaS).

These services may include connections via a virtual private network Market size
(VPN) (https://www.insee.fr/fr/statistiques/3856105?sommaire). 4 How well established is cloud computing? What is the size of
The different varieties of cloud computing services covered by the cloud computing market in your jurisdiction?
this definition are offered in France. In 2018, the services the most
frequently used were infrastructure-as-a-service (IaaS, according to the According to the official statistics (see question 1), 19 per cent of French
NIST typology), mainly in the form of file storage (27,002 companies out companies with at least 10 employees were using cloud computing
of the reportedly 35,280 using cloud computing services). Software-as- services in 2018.
a-service (SaaS) was also very frequently used by businesses (mainly The research firm Markess published a barometer estimating the
for messaging services; otherwise, for office automation software, size of the French cloud computing market to be nearly €12 billion in
customer relationship management and accounting software), just as 2019, representing a growth of 20 per cent over the previous year (www.
much as database hosting (in the platform-as-a-service (PaaS) cate- usinenouvelle.com/article/le-cloud-en-france-un-pactole-de-12-milli-
gory) (Insee, TIC 2018 enquiry, TAB08: Use of cloud computing services ards-d-euros-en-2019.N862810).
by internet).
Furthermore, according to the same statistical enquiry, in 2018 Impact studies
the businesses that purchase cloud computing services on shared IT 5 Are data and studies on the impact of cloud computing in your
servers (public cloud) are almost as numerous as those requesting jurisdiction publicly available?
servers exclusively reserved for their needs (private cloud).
Numerous analyses and official studies are regularly undertaken on the
Active global providers digital sector in France including, more specifically, on cloud computing
2 Who are the global international cloud providers active in services. The INSEE statistics (www.insee.fr) and the analyses of the
your jurisdiction? Ministry of Economy and Finance (www.entreprises.gouv.fr/observa-
toire-du-numerique/usages) are the most prominent ones.
Amazon Web Services enjoys a dominant position in France like else- The administration is particularly focused on the modus operandi
where, and the other principal global providers, Microsoft Azure for the different forms of cloud computing and publishes its works for
and Google Cloud Platform, are also very active (www.lesechos.fr/ the needs of the public bodies (for example, www.entreprises.gouv.fr/
tech-medias/hightech/google-cloud-sera-aussi-gros-quamazon-web- numerique/guide-du-cloud-computing-et-des-datacenters).
services-dans-deux-ans-1030266). Numerous other international players Ad hoc analyses are undertaken by professional organisations
commercialise their services directly or indirectly in the country (eg, IBM, such as EuroCloud (www.eurocloud.fr), which includes 200 service
Rackspace, Oracle, NTT, Salesforce, Alibaba, Tencent) (https://www. providers on the cloud market, or Syntec Numérique, which represents
zdnet.fr/actualites/top-2019-des-fournisseurs-de-cloud-aws-azure- digital service companies, software publishers and technology consul-
gcp-ibm-sur-l-hybride-et-salesforce-domine-le-saas-39880577.htm). tancy companies (www.syntec-numerique.fr). On the side of users,
associations such as Cigref (www.cigref.fr) or software user clubs such
as SAP’s (www.usf.fr) also publish such analyses.

www.lexology.com/gtdt 37
© Law Business Research 2019
 France 

POLICY engines, for which the providers are obliged to comply with certain
security obligations (see question 9).
Encouragement of cloud computing
6 Does government policy encourage the development of your Governing legislation
jurisdiction as a cloud computing centre for the domestic 9 Does legislation or regulation directly and specifically
market or to provide cloud services to foreign customers? prohibit, restrict or otherwise govern cloud computing, in or
outside your jurisdiction?
Successive governments express concern about the security of data
originating from their administrations and other public bodies. In The Law No. 2018-133 dated 26 February 2018 transposed Directive
2012, the government encouraged the creation of two data hosting No. 2016/1148 of the European Parliament and the Council dated 6
providers, Cloudwatt and Numergy, to enable data storage on national July 2016, which aims to meet a uniform high level of security for the
territory, out of reach of foreign legislations and extraterritorial networks and information systems set up in the EU (NIS).
access by foreign governments (‘sovereign cloud’). Yet, this initia- This law obliges digital services providers (including cloud
tive was short-lived as major public customers prefer major classic computing providers) to identify the risks that affect their networks and
players (for example, the national railways, the city council of Paris, information systems’ security and to take the technical and organisa-
the Ministry of Defence – see www.lesechos.fr/idees-debats/cercle/ tional measures necessary for managing these risks, to guarantee the
le-secteur-public-a-besoin-dun-cloud-souverain; www.zdnet.fr/actual- continuity of their services.
ites/, microsoft-et-ministere-de-la-defense-le-debat-sur-le-contrat-open These providers must notify the National Cybersecurity Agency
-bar-fait-son-retour/). (ANSSI) of any incident that has a significant impact on the provision of
Beyond such concerns for data security, cloud computing is one their services. Upon the Prime Minister’s initiative, they may be subject
of the hot topics in every new government economic development plan to compliance and security controls, which will be made by the same
(eg, ‘Nouvelle France Industrielle’, 2013; ‘Grand plan d’Investissement’, agency. When they offer their services in the EU but are located in a
2017…). third-party state, such providers must designate a representative in a
member state.
Incentives Further to the adoption of the General Data Protection Regulation
7 Are there fiscal or customs incentives, development grants (GDPR) (see question 15), the EU enacted on 14 November 2018
or other government incentives to promote cloud computing Regulation No. 2018/1807, which establishes a framework for the free
operations in your jurisdiction? flow of non-personal data within the EU. Specifically, this text prohibits
member states from requiring the localisation on their territory of
Although not limited to such operations, various financial funding and the processing of data that is neither personal data nor ‘inextricably
tax benefits may help support investments in cloud computing activities. linked’ to personal data. Exceptions are allowed only if based on public
Specifically, financial funding for innovation and loans may be safety grounds and balanced accordingly and must be reported to
granted in the context of the Investment Plan for Europe (the Juncker the EU Commission by 30 May 2021. These provisions will concern, in
Plan) and of the ‘FrenchTech’ programme in support of start-ups. particular, the use of cloud computing services by state administrations
These programmes are managed by the public agencies usually in and other public bodies, whose data are currently considered as ‘public
charge of financing the economy, the Deposits and Consignments archives’ and must not be exported out of the territory (Heritage Code,
Fund (www.caissedesdepots.fr/developper-le-numerique-sur-le-terri- article L111-7).
toire) and BPIFrance (www.bpifrance.fr/A-la-une/Actualites/Systancia
-securise-les-applications-dans-le-cloud-35047). 10 What legislation or regulation may indirectly prohibit, restrict
Preferential tax benefits such as the tax credit on research and or otherwise govern cloud computing, in or outside your
development costs, the tax exemption for innovative new companies or jurisdiction?
the tax credit for innovation expenses may also be called upon under
their own terms. Posts and Electronic Communications Code (CPCE) (telecom
operators)
LEGISLATION AND REGULATION Under the existing EU ‘telecom package,’ services relating to digital
‘content’ provided online (eg, online platforms, search engines,
Recognition of concept site hosting, portal management, edition of online content, etc) are
8 Is cloud computing specifically recognised and provided for in distinguished from telecommunication services, which concern the
your legal system? If so, how? ‘container’. Telecommunication operators are governed by their own
provisions which, historically, have been more burdensome than those
The concept of cloud computing has been acknowledged by the offi- applicable to cloud and other digital services providers, for instance, as
cial texts since 2010, when the terminology commission in charge of regards internet neutrality (governed by EU Regulation No. 2015/2120
establishing the official definition of new terms in the French language dated 25 November 2015), personal data protection, confidentiality of
defined ‘cloud computing’ (that is, a ‘means of processing client data, correspondence, neutrality in respect of messages content or access to
the exploitation of which is made via internet, in the form of services emergency numbers. Yet, in practice, the boundaries between services
provided by a service provider’) and provided an official translation in are not as obvious. For instance, the main digital services providers
the French language. set up cache servers in the operators’ networks in order to bring their
For the purpose of implementing the EU directive on Network content closer to end customers. Accordingly, about 50 per cent of the
and Information System Security of 9 July 2016, the French legislator incoming traffic to internet access providers originate from the four
enacted in February 2018 a statutory definition of the ‘cloud computing main content providers – Google, Netflix, Akamai, Facebook (Regulatory
service’ (that is, ‘a digital service that enables access to a set of flexible Authority for Telecommunications (ARCEP), 2019 Report). It was not
and variable IT resources that may be shared’). This service is classi- until recently that the European Court of Justice itself had to determine
fied among the ‘digital services’, along with online platforms and search whether Skype should be considered as a telecommunication service

38 Cloud Computing 2020

© Law Business Research 2019
 France

and fall within the telecommunication regulatory regime (ECJ, No. C142- Others
18, Skype Communications Sarl v IBPT, 5 June 2019). Other examples may be found in a variety of texts, including the second
The forthcoming EU Electronic Communications Code (due to be version of the European Payment Services Directive (PSD2), which
transposed by the member states by 21 December 2020) attempts to entered into force in January 2018 and makes strong authentication
restore fairer competition conditions. It will cover the existing telecom- mandatory for payments over €30.
munications services but also ‘interpersonal communications services’, Furthermore, cloud computing transactions are indirectly governed
regardless of whether users connect through publicly assigned by sector-specific legislation or regulations, as discussed in question 13,
numbering resources or otherwise. Voice over IP and messaging SaaS as well as by data protection and privacy legislation applicable to any
services such as Skype, WhatsApp, Wechat or Facebook Messenger kind of personal data processing, as discussed in question 15.
should, therefore, fall within the scope of the regulated services. More generally, all regulations governing business-to-business
On another note, the CPCE defines and regulates a service category (B2B) relations apply to transactions between cloud computing service
which combines both telecom and cloud computing aspects, the ‘elec- providers and businesses. For instance, the French Law No. 2016-1691
tronic safe’. The purpose of this service is the receipt, storage, removal on transparency, fight against corruption and modernisation of the
and transmission of data and electronic documents in conditions that economy of 9 December 2016 (Sapin II Law) requires large businesses
must retain their integrity and exactitude of origin (article L.103). The to take measures to prevent and detect acts of corruption and suborna-
providers of these services must set up the security measures neces- tion. Cloud computing records will be key to demonstrating compliance.
sary to meet these conditions and to ensure the traceability of the
operations made on the data and documents. They must set up a tech- Breach of laws
nical file to provide proof of their adherence to the legal requirements. 11 What are the consequences for breach of the laws directly
or indirectly prohibiting, restricting or otherwise governing
Defence Code (Fundamental Operators) cloud computing?
Since the law of military programming No. 2013-1168 dated 18
September 2013, the Defence Code submits a specific category of The Law No. 2018-133 dated 26 February 2018 (see question 9) sanc-
players, the infrastructures and systems of which are strategic for the tions the directors of digital service providers to a fine of €100,000 when
country, designated as Fundamental Operators (OIV), to specific rules they prevent audit and security operations from being carried out in
concerning the security of their information systems (article L1332- accordance with the law, and a fine of €75,000 when they do not comply
6-1 et seq). Each OIV is obliged to provide a map of its information with security measures that they have been formally required to take as
system, ensure that it is homologated and establish a security policy a result of such an audit. If they fail to declare an incident or disclose
for its system. The OIVs must inform the Prime Minister of the incidents information to the public as legally required, these directors may be
affecting the functioning or security of their information systems. They subject to a fine of €50,000.
must enable the ANSSI to carry out audits and must set up any security The Posts and Electronic Communications Code sanctions opera-
measures requested by the latter. Such obligations require the service tors and their agents to a one-year prison sentence and a fine of €75,000
agreements to be adapted, including those that they may enter into with for failure to delete or ensure the anonymity of any data relating to
digital service providers for cloud computing. communications or for not retaining technical communication data in
accordance with the legal requirements (article L39-3) (see question
General tax code (clients) 10). Furthermore, those who offer a connection to the public enabling
All companies are obliged to retain the documents on which the French an online communication via an internet access, including for free, are
tax authorities have a right of communication, enquiry and control. The required to comply with the provisions applicable to telecoms opera-
documents in question must be kept for at least six years (Tax Procedure tors, including to register themselves with the competent regulatory
Code, article L102 B). In this context, the use of a cloud computing authority (ARCEP). Accordingly, they are subject to the same sanctions
service to store invoices must meet the various conditions concerning as telecoms operators (article L34-1).
the terms of conservation of the documents and the countries of loca- The Defence Code sanctions directors of the OIVs to a fine of
tion of the storage servers (Tax Procedure Code, article L102 C). The €150,000 if they fail to set up a protection plan, to accomplish works
invoices issued or received by a company must remain accessible from they have scheduled or to carry out the works requested following an
its principal establishment or registered office in France, regardless of audit, or otherwise fail to comply with their legal obligations (article
the country of storage. The French tax authorities must be informed of L1332-7). These sanctions may be multiplied fivefold for the operators
the location of storage of the invoices. as legal persons.
Furthermore, when an accounting department works with auto-
mated systems (including SaaS), the tax authorities’ right of control Consumer protection measures
applies to all the information, data and software processing that are used 12 What consumer protection measures apply to cloud
to establish the results and statements for the tax authorities, as well as computing in your jurisdiction?
the documentation relating to the analysis, programming and the perfor-
mance of IT processing (Tax Procedure Code, articles L13, IV and L47 A,II). With regard to consumers, the cloud computing service providers are
For such a purpose, the tax authority may set up its own IT obliged to respect the provisions of the Consumer Code. This code
processing on the company’s equipment. Furthermore, since 2014, regulates the entire relationship with a client, from the obligation to
all companies must communicate their online accounting to the tax provide pre-contractual information (article L111-1 et seq), the process
authorities according to the required standards (Fichier des Ecritures for entering into an online contract (article L121-16), the prohibition or
Comptables). Finally, the tax authority may, after court authorisation, regulation of commercial practices and abusive clauses, the provision of
launch a search and seizure procedure, including the seizure of data guarantees, through to the terms for terminating such contracts.
hosted on IT servers. The location abroad of the servers concerned The pre-contractual information must be provided in a legible and
does not constitute an excuse (Paris Court of Appeal, order dated 31 understandable manner and a written confirmation of the contract must
August 2012). be provided as well (article L221-5). Insofar as the request for cloud
computing services usually implies immediate use, the usual right of

www.lexology.com/gtdt 39
© Law Business Research 2019
 France 

withdrawal that lasts for 14 days will most often not apply (article L121- provides that the relevant businesses must remain able to terminate
21-8 1°). Finally, the consumers benefit from a right of portability of their at any time the outsourcing services they use without this affecting the
personal data within the conditions of the GDPR (see question 15). continuity or quality of the services they provide.
More recently, the European Banking Authority issued
Sector-specific legislation ‘Recommendations on outsourcing to cloud service providers’ which
13 Describe any sector-specific legislation or regulation that address five key areas: the security of data and systems, the location of
applies to cloud computing transactions in your jurisdiction. data and data processing, access and audit rights, chain sub-processing,
and contingency plans and exit strategies (www.eba.europa.eu). These
A number of sector-specific legislation or regulations that do not specifi- recommendations must be applied by the national authorities (eg, the
cally target cloud computing transactions actually apply indirectly ACPR) to the relevant businesses.
thereto. In regulated sectors (eg, healthcare, banking, etc), regulations
or recommendations in this respect are usually issued by the authority Inter-professional Agreement dated 3 October 2016 concerning
in charge of the sector. The following provides only a few examples. the obligation to seek continued exploitation relating to
cinematographic and audio-visual works (cinema sector).
General Security Referential (public sector) In the cinema industry, a trade agreement provides for the film producers’
Since Decree No. 2010-112 dated 2 February 2010, the state administra- duty to ensure the conservation of the works used to create movies, so
tions, local authorities and other administrative bodies must guarantee as to guarantee that such works are recorded in digital formats that
the security of the information systems that they are using to provide enable their availability online. This agreement has been made manda-
the users with online services (for example, the payment of criminal tory by government decree. In furtherance thereof, a trade association,
fees for minor offences) and to correspond with them electronically. the Technical Superior Board of Image and Sound, has issued technical
For such purpose, they must respect a general security referential, recommendations concerning, among others, the material conditions for
which defines the rules and best practices to be followed, and terms the conservation of works under the contracts concluded with service
such as certification, official approval or security audits (www.ssi.gouv. providers (www.cst.fr: CST-RT043-2017-12-18-12h02.pdf).
fr/entreprise/reglementation/confiance-numerique/le-referentiel-
general-de-securite-rgs/). This general referential indirectly applies to Insolvency laws
the service providers used by the administration, including for cloud 14 Outline the insolvency laws that apply generally or
computing services. specifically in relation to cloud computing.
In this context, the ANSSI adopted a referential of specific require-
ments for cloud computing service providers called ‘SecNumCloud’. The French Commercial Code provides the rules applicable to the insol-
The last version of this document was published on 11 June 2018 vency of companies. No specific provision applies to cloud computing
(www.ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1 service providers, even though the consequences of their insolvency
_anssi.pdf). It covers the various types of cloud computing services: the could be severe on consumers and professionals alike.
software delivered as online services, the infrastructures (offices and Therefore, appropriate precautions against the loss of data due
data centres) and the operating, management and operational proce- to such situations should be incorporated into the contractual provi-
dures of the providers. This label is considered as much more demanding sions governing the services, particularly with regard to reversibility
than others such as ISO 27000. So far, one provider is a ‘qualified service and pricing.
provider’ for cloud computing services under this referential (Oodrive).
As at July 2019, six other certification applications were in progress DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
(https://www.ssi.gouv.fr/liste-produits-et-services-qualifies).
Principal applicable legislation
Heritage Code (public sector) 15 Identify the principal data protection or privacy legislation
The Heritage Code defines the legal regime for the archives of the state applicable to cloud computing in your jurisdiction.
and other public bodies in general. It sets obligations for their safe-
keeping, which may only be outsourced if the provider is approved and The processing of personal data is subject to the GDPR of 27 April 2016.
if the archives are kept on French territory (article R212-23). This text has been supplemented by national legislation (Ordonnance
No. 2018-1125 of 12 December 2018 amending the Law No. 78-17 of
French Public Health Code (health sector) 6 January 1978 on information technology, files and freedoms; Decree
Article L1111-8 of the French Public Health Code requires that health No. 2019-536 of 29 May 2019). The main data protection rules appli-
data hosting providers implement specific safeguards, fulfil certain cable to cloud computing services delivered in France are the same
commitments and be certified. Failure to meet the requirements defined as in the other EU member states (which was the main reason for
by the public health agency (ASIP Santé) is sanctioned by a fine of enacting a regulation under EU legislation). The following aspects may
€45,000 (and three years’ imprisonment (article L1115-1)). be noteworthy.

Order dated 3 November 2014 of the French Finance Ministry Data controller and data processor
relating to the internal control of companies in the banking sector In most cases, a cloud computing service provider will be considered
and others (financial sector) as a ‘data processor’ (ie, as acting pursuant to and under the instruc-
The French Supervisory and Regulatory Control Body (ACPR), which tions of its client). The client will, in turn, be considered as the ‘data
is in charge of preserving the stability of the financial system and controller’ (ie, the party who determines the purposes and means of the
protecting the customers, insurance policyholders, members and data processing (GDPR, articles 4 and 28)).
beneficiaries of the businesses under its control, clarified in 2013 that Consequently, obligations pertaining to the relations with the
cloud computing services should comply with the rules governing concerned individuals (‘data subjects’) will continue prima facie to be
the outsourcing of banking activities. These rules are now set forth assumed by the clients. This concerns, in particular, the requirement
in an Order of 3 November 2014. Among other requirements, this text for the individuals’ consent to the data processing; the duty to minimise

40 Cloud Computing 2020

© Law Business Research 2019
 France

data collection to the types of data actually necessary; the duty to keep • a service-level agreement defining the key performance indicators
data up-to-date and for no longer than is necessary to fulfil the process- and the quality and service level commitments;
ing’s purposes; the duty to ensure the security and confidentiality of the • a data processing agreement or privacy policy defining the commit-
data against unauthorised or unlawful processing and against accidental ments and exclusions relating to personal data protection; and
loss, destruction or damage; the duty to respond to individuals’ requests • an ‘acceptable use policy’ specifying the lawful conditions for use
to correct, delete or transfer their data. On the other hand, insofar as of the service.
they qualify as data processors, the service providers will be responsible
mainly for the implementation of technical and organisational measures These documents are multiplied according to the requirements of each
that ensure a level of security appropriate to the risks inherent to the data service, which results in the service providers presenting comprehen-
processing. Their obligations in this respect are detailed in question 19. sive and complex catalogues.
However, it must be emphasised that the GDPR expressly provides These standard documents are generally recent and are regularly
that the parties to a service contract may be considered as joint data updated. The entry into force of the GDPR on 25 May 2018 (see ques-
controllers. In a market where certain types of cloud computing tions 15 and 19) requires significant adaptations, just like Order No.
services are dominated by a few service providers, this clarification is 2016-131 dated 10 February 2016 reforming the French law of contracts
intended to correct some imbalances inherent in adhesion contracts (with its ratification Act No. 2018-287 of 20 April 2018). Among various
(see question 16). provisions aimed at sustaining contractual justice, the new contract law
indeed provides that a contract that includes a set of non-negotiable
Cross-border transfers clauses that are predefined by one of the parties constitutes an ‘adhe-
Under the GDPR, personal data may be transferred out of the EU only if sion contract’.
adequate safeguards are implemented (article 44 et seq). This require- In such a contract, a clause will be considered as non-existent
ment also applies to cloud services directed at individuals residing where it causes a significant imbalance between the parties’ rights and
in France but based on servers located outside the EU. Thus, the use obligations. In the event of any doubt, an adhesion contract will be inter-
of servers outside the EU is not prohibited per se, but it is regulated, preted against the party that proposed the contract. Comparisons may
with a view to granting individuals the same protection as within the be made with the abusive clauses regime which protects consumers in
EU. Furthermore, data is considered as being transferred to any given business-to-consumer contracts.
country as soon as access to such data is technically possible from such This new statutory regime may help alleviate certain one-sided
country. To locate the servers within the EU is, therefore, not sufficient provisions that thrive in standard cloud computing contracts and help
to determine that data is not processed abroad and that a cross-border introduce more balance in favour of customers, as will be seen in the
transfer is not taking place. Similarly, one may not consider that cloud following questions. Such a reassessment remains contingent, however,
services based on servers located in France are per se compliant, if the on the application of French law to the contract.
data controller does not ensure that ‘sufficient guarantees’ are provided
by the cloud computing service provider. Typical terms for governing law
17 What are the typical terms of a B2B public cloud computing
Individuals’ rights contract in your jurisdiction covering governing law,
In the event that the cloud computing service provider proposes to jurisdiction, enforceability and cross-border issues, and
transfer personal data out of the EU, the data subjects must be informed dispute resolution?
not only that their personal data is processed by a data processor, but
also that it is transferred outside the EU (GDPR, articles 13 and 14). In Governing law and dispute resolution
the event that the service provider is faced with a security breach, it Standard contracts always include a clause defining the applicable law
must notify its client without delay and notify the persons whose data is and which court has jurisdiction. The service providers thereby submit
involved. Also, the service provider will have to enable ‘data portability’ their contracts to the law and courts of the state where their estab-
(ie, to enable its client to deliver the personal data upon request to the lishment is located. Often, they have an establishment in the European
relevant data subjects, in a structured, commonly used and machine- Union. In France, their contracts are therefore often subject to the law
readable format), and to transmit such data to another controller and jurisdiction of a member state of the EU.
without any impediment (article 20).
The French data protection authority (CNIL) issued recom- Enforceability
mendations on cloud computing services in 2012 (www.cnil.fr: The public cloud contracts do not offer much opportunity for negotiation.
Recommandations_pour_les_entreprises_qui_envisagent_de_ As a consequence, the enforceability of their provisions is not neces-
souscrire_a des_services_de_Cloud.pdf). Although they need to be sarily guaranteed under the law – for example, in regard to the consent
updated with the GDPR, these recommendations provide useful guid- given by the client on standard documents that prove to be inaccessible
ance on how to implement data protection in agreements. or that allegedly should evolve without his or her express approval.
The clients frequently request the right to audit how the services
CLOUD COMPUTING CONTRACTS are carried out in order to verify the services compliance with the
provider’s commitments, in particular with regard to security. The GDPR
Types of contract provides for this right (article 28.3). Since, in practice, it is difficult and
16 What forms of cloud computing contract are usually adopted costly for the providers to continuously accommodate the auditors sent
in your jurisdiction, including cloud provider supply chains (if by the clients, the providers try to obtain certifications (eg, ISO 27000)
applicable)? and propose in their clauses to communicate their own audit reports in
order to limit the need for the clients to carry out additional verifications.
Cloud computing offerings are characterised by a multitude of contract
documents, which for most providers include, as a minimum:
• the general conditions;
• the conditions specific to the given service;

www.lexology.com/gtdt 41
© Law Business Research 2019
 France 

Typical terms of service Microsoft was obtaining information on all the applications downloaded
18 What are the typical terms of a B2B public cloud computing and installed by the users as well as the time spent on each applica-
contract in your jurisdiction covering material terms, such tion, which was not necessary for providing the service. Furthermore,
as commercial terms of service and acceptable use, and an advert ID was activated by default upon the installation of Windows
variation? 10, which enabled Microsoft to follow the user’s browsing and to target
the advertisements without the latter’s prior consent. The corrections
Flexibility requested by the CNIL have since been made.
Flexibility is a key component of cloud computing contracts. The hosting The confidentiality clauses also show their limits in front of legis-
services are generally invoiced on the basis of the resources granted to lation requiring the service providers to disclose users’ data to their
the client (eg, number of servers, CPUs, etc). Agreements usually offer governmental authorities (eg, US Patriot Act and US Cloud Act). The
the possibility to cease both use and payment of the resources at short GDPR meets this type of situation by requesting the providers to inform
notice. Clients may add services or increase their capacity through online their clients beforehand on the legal obligations of communication that
portals without the need to sign contract amendments. Flexibility is also may apply and prohibit them from deferring to such requests if they are
reflected in the contract duration, which may run by the month, thereby not based on a mutual legal assistance treaty or similar (GDPR, articles 28
enabling the clients to include the costs in their operating expenses. and 48). To date, many clauses still need to be more specific on this issue.

Acceptable use Location of data and data processing

A cloud computing contract generally includes clauses to define limita- In this context, numerous services attempt to reassure clients by guar-
tions of use of the service by the client and its employees (often grouped anteeing that the data will only be stored in their country of residence
together in an ‘acceptable use policy’ appendix). Usual clauses prohibit: or elsewhere in the European Union. The clauses often provide that
• use beyond the client’s internal business purposes; the client may or will be informed of any modification of the location
• use violating third parties’ intellectual property rights; and or country of storage. Under the GDPR, the client’s approval as data
• use for unlawful purposes, including to harass, defame or abuse controller is required and must be given prior to such modifications.
third parties or to post obscene, violent or discriminatory content. It must be restated that this consent is necessary for any kind of data
transfer, however: this is not limited to the country where data is stored,
Although cloud computing services are often presented as being ‘content but applies to all the countries in which access to the data is possible.
neutral’ and customers’ data considered as protected by confidentiality, When the cloud computing provider acts solely as a data processor
service providers reserve the right to enquire about suspicious use and within the meaning of the GDPR (ie, does not define the aims and means
to suspend access and to put an end to the service in the event whereby of the data processing), the GDPR requires that its agreement with
the client’s data would appear to infringe upon the restrictions of use. the data controller specifically define certain obligations (article 28),
This reflects the increasingly stringent legal constraints to ensure including for the provider:
that the internet players assume responsibility for the online content. • to process the client’s personal data only on documented instruc-
For example, an employer must ensure that his or her internet access tions from the controller, including with regard to cross-border
is not used by his or her employees to replicate or disseminate works transfers;
protected by copyright (article 336-3 of the French Intellectual Property • to implement appropriate technical and organisational measures
Code). This indirectly concerns the cloud computing service provider to ensure a level of security appropriate to the risk. Such measures
working for such employer. may include, as appropriate:
• pseudonymisation and data encryption;
Typical terms covering data protection • ensuring the ongoing confidentiality, integrity, availability and
19 What are the typical terms of a B2B public cloud computing resilience of processing systems and services;
contract in your jurisdiction covering data and confidentiality • maintaining the provider’s ability to restore the availability
considerations? and access to personal data in a timely manner in the event of
a physical or technical incident; and
Confidentiality • regularly testing and evaluating the effectiveness of the
The terms and conditions covering data and confidentiality in contracts measures taken to ensure the security of the processing; and
subject to French law are similar to those found under other laws. By • to engage sub-processors only with the client’s prior authorisation
way of principle, cloud service providers undertake to protect the confi- and to have them subject to the same data protection requirements.
dentiality of their clients’ data. Access to such data is granted to their
employees on a ‘need-to-know-only’ basis, insofar as required to deliver Typical terms covering liability
the services. Reference is often made to the employees’ individual confi- 20 What are the typical terms of a B2B public cloud computing
dentiality commitment, which is required by the GDPR and will usually contract in your jurisdiction covering liability, warranties and
be provided for in labour contracts. provision of service?
Unlike pure players, which focus their services on the provision
of infrastructure or storage for clients’ data and purport to be ‘content Service levels and warranties
agnostic’, cloud service providers that provide software or other value The stakes of the cloud computing contracts reside in the characterisa-
added services often seek to gain a right to access and use customers’ tion of the providers’ obligations, with the well-known contrast under
data with a view to building up ‘big data’ pools on their own. This will French law between the best-efforts obligation (for example, ‘the
often be provided for through a clause enabling such use for the purpose service provider will use reasonable efforts to provide the services with
of ‘improving the services’ or ‘customising the customer’s experience’ of the level of diligence and competence that could reasonably be expected
the service. Such purpose often covers targeted advertising. for services of a such nature and of a complexity substantially similar
In such circumstances, the confidentiality of clients’ and individuals’ to that of the services’) and the performance obligation (‘the provider
data may be jeopardised. For example, in July 2016, the CNIL noticed guarantees the continuous availability of the service during business
that through the processing of users’ data for Windows applications, hours’). In general, the service provider contracts avoid guaranteeing

42 Cloud Computing 2020

© Law Business Research 2019
 France

the availability and performance of their services or formulate service or renewed, expressly or tacitly, but the client does not necessarily
levels and exceptions (eg, planned maintenance, minimum downtime, benefit from a renewal guarantee. In this regard, the new French law of
etc) that enable a large degree of latitude. contracts sets forth that no party may impose the renewal of a contract
The challenge for the cloud computing service providers is indeed (Civil Code, article 1212). Therefore, attention should be paid to the
to offer a service that is ready to use and works ‘end-to-end’, whereas, in notice period and the terms of renewal.
practice, they do not master the production chain which begins at their More traditionally, the termination clauses provide an exit right for
servers through to their clients’ workstations. The cloud providers are each party in the event of non-compliance by the other party. In non-
rarely telecom operators and do not operate the internet connections. negotiated contracts, it will be difficult for the client to use such clauses
Furthermore, SaaS providers rarely own their data centres and, accord- as a credible threat against non-compliance relating to the service level
ingly, are dependent on hosting providers. The IaaS and PaaS providers or quality of the service provision.
are, in practice, the ones actually in control of the service levels
concerning the availability, reliability and quality of the cloud computing Reversibility
services. For these reasons, the service-level agreements are often At the end of a cloud computing service, the client must recuperate its
sanctioned by a notion of ‘service credit’, which allegedly compensates assets (ie, programs and data). As they are standard , the reversibility of
for a default in the service with an extension of its duration. the IaaS and PaaS services does not require the transfer of know-how
and knowledge specific to the provider. Nonetheless, assistance from
Liability the latter is often available as an option.
As the cloud computing services market is dominated by a few global However, the specificities of a program implemented on the cloud
infrastructure and platform providers, the liability clauses significantly (eg, specific developments and settings according to the client’s busi-
restrict their indemnification commitments. The liability cap in the event ness rules, etc) and data formats set up by the provider (sometimes
of a loss of client data is frequently fixed at the level of the monthly proprietary or using variants of the existing standards) may result in
instalment paid by the client although, under French law, any clause a lockout of the client. The reproduction of the existing solution or the
that nullifies the debtor’s essential obligation will be considered void system’s output available for data migration may also pose a problem.
(New French Civil Code, article 1170). Despite their multitude, contractual documents are often lacking speci-
With regard to the damages applicable in the event of non-compli- fications and commitments in this regard (see question 26).
ance with the GDPR, a client may request a guarantee from its cloud The entry into force of the GDPR should encourage the emergence
computing provider insofar as the latter acted as a ‘sub-contractor’ and of more adapted stipulations, as this text obliges data controllers to
failed to comply with his or her regulatory obligations specific to sub- enable data portability (see question 15). The clients could use this as
contractors or with the instructions received from his or her client in guidance to address the practical issues raised by reversibility situations.
this regard (article 82). In any case, healthy competition between several providers and services
remains the most effective tool in order to avoid harmful dependence.
Typical terms covering IP rights
21 What are the typical terms of a B2B public cloud computing Employment law considerations
contract in your jurisdiction covering intellectual property 23 Identify any labour and employment law considerations that
rights (IPR) ownership in content and the consequences of apply specifically to cloud computing in your jurisdiction.
infringement of third-party rights?
In cases where activities are transferred from one company to another,
The terms and conditions governing intellectual property rights (IPRs) the Labour Code will govern the transfer of employment contracts (arti-
in contracts subject to French law are similar to those found in contracts cles L1224-1 and L1224-2). A contract for the supply of private cloud
subject to other laws: typically, each party remains the sole rights holder computing services may be part of or may follow such a transfer of
on all the IPRs applicable to its materials, that is, the software programs personnel from the client to the service provider. However, it will
it provides via the services, as regards the service provider, and the usually rather be considered as an outsourcing contract. In general,
data and third-party software programs stored in the cloud and used by cloud computing contracts per se are indeed not understood to involve
the client, as regards the latter. a transfer of personnel by the client. This is reflected in the statutory
Licence rights are granted by each party to the other insofar as definitions of cloud computing (see questions 8 and 9), which do not
necessary for the other party’s supply or use of the services, as appli- refer to such an element.
cable. Customisation is not typical of standard services such as IaaS and
PaaS, but should this arise in the form of copyrighted work (eg, specific TAXATION
developments), the service provider will, in general, grant licence rights
and avoid any IPR assignment to the client. Applicable tax rules
In the same vein, cloud computing contracts require each party to 24 Outline the taxation rules that apply to the establishment and
indemnify the other against any infringement claims from third parties. operation of cloud computing companies in your jurisdiction.
Often, the service providers’ standard terms and conditions will entitle
them to terminate their services in cases where the client is found to The cloud computing service providers are currently subject solely to
infringe third-party rights. the standard corporate tax, at 33.33 per cent. This rate should progres-
sively diminish to reach 25 per cent in 2022.
Typical terms covering termination Nonetheless, as cloud computing providers may exercise an activity
22 What are the typical terms of a B2B public cloud computing in a country without any human and material resources and, accord-
contract in your jurisdiction covering termination? ingly, may be considered as not having a ‘fixed establishment’ in the
country, French corporate tax does not apply equally to all the providers
Term and termination of the sector that sell services in France. The judgment rejecting the
Cloud computing contracts are usually entered into for a fixed term, taxation of Google Ireland Limited imposed by the French tax authorities
typically from one month to one year. This duration may be extended is a relevant example (Paris Administrative Court, Google, 12 July 2017).

www.lexology.com/gtdt 43
© Law Business Research 2019
 France 

This situation should evolve in the coming years with the progressive
modification of the applicable international rules, including the redefini-
tion of the notion of fixed establishment and the creation of a tax specific
to cross-border digital services. Pending the adoption of such a tax treaty
by the OECD members, the French government has decided to impose a
tax on digital services providers with digital revenues in excess of €750
million internationally and €25 million nationally, based on their turn-
over and amounting to 3 per cent thereof. In the summer of 2019, the
French government declared at the G-7 meeting that France will adhere Olivier de Courcel
[email protected]
to the new tax regime to be defined by the OECD in respect of digital
activities, once the member states converge on a global consensus, and Stéphanie Foulgoc
that the government will subsequently unwind the French digital tax [email protected]
and refund the overpaid amount to the tech companies, if any.
24, rue Erlanger
Indirect taxes
75016 Paris
25 Outline the indirect taxes imposed in your jurisdiction that France
apply to the provision from within, or importing of cloud Tel: +33 1 70 71 22 00
computing services from outside, your jurisdiction. Fax: +33 1 70 71 22 22
www.feral-avocats.com
The French General Tax Code classifies the cloud computing services
in the category of ‘electronic service provisions’ (appendix 3, article 98
C, c). These services are subject to the standard VAT rate (20 per cent).
The application of VAT to cloud computing services is complex, as
the location of the provider’s taxation varies depending on whether the
client is itself liable to charge VAT (the location is then his or her estab-
lishment in France) or not (the location of taxation is the place where
the beneficiary of the services is established, at his or her domicile or
habitual residence, including abroad) (article 259 et seq).
Whether they are established in the EU or not, the service providers
may follow a special tax regime for clients that are not VAT collectors,
which provides a mini one-stop-shop mechanism to liquidate VAT owed
Alain Recoules
in the various member states of the EU. [email protected]

RECENT CASES
32, Rue de Monceau
Notable cases 75008 Paris
France
26 Identify and give details of any notable cases, or commercial,
Tel: +33 1 70 38 88 00
private, administrative or regulatory determinations within
Fax : +33 1 70 38 88 10
the past three years in your jurisdiction that have directly www.arsene-taxand.com
involved cloud computing as a business model.

Paris Administrative Court, Google, 12 July 2017

Even though the French administration focused on the search engine CNIL, Google LLC, 21 January 2019, No. SAN - 2019-001
activity and the income gained from the advertising services invoiced Upon verification of the data processing relating to the use of the
by Google to its French clients (AdWords), the discharge by the Android operating system on mobile phones, including the creation
Administrative Court of the tax reassessments requested in terms of of a Google account, the CNIL observed that the information on the
corporate tax, withholding tax, VAT and various contributions could processing of advertising customisation was excessively disseminated
also apply to cloud computing services (see question 25). This litiga- in separate documents and, therefore, not easily accessible to users. As
tion shows the significant challenges inherent in the business model of a consequence, the regulatory authority determined that the consent
international cloud computing service providers (http://paris.tribunal- on which Google relies for this processing is not obtained validly with
administratif.fr/Actualites-du-Tribunal/Communiques-de-presse/ regard to the law of 6 January 1978 on data processing and freedoms
La-societe-irlandaise-Google-Ireland-Limited-GIL-n-est-pas-imposable- and the GDPR. In light of the data processing operations and the number
en-France-sur-la-periode-de-2005-a-2010). of persons concerned, the CNIL considered that the lack of transparency
as well as the lack of valid consent constituted substantial breaches
Versailles Court of Appeal, 19 May 2015, No. 14/08016 of privacy and run counter to the legitimate aspirations of individuals
In the context of an objection procedure against the registration of a wishing to retain control of their data. It ordered Google LLC to pay a
trademark ‘CLOUD CUBE’, the Versailles Court of Appeal judged that the fine of €50 million.
term ‘CLOUD’ can be readily understood by the consumer as referring
to the expression ‘cloud computing’ and, consequently, that it already
shows the destination of a certain number of products and services.
Accordingly, it cannot be considered to be distinctive. The dismissal for
the registration of the trademark was being requested by the holder of
a prior trademark ‘+ LE CUBE’ and was upheld by the court.

44 Cloud Computing 2020

© Law Business Research 2019
 France

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

Although the pressure of software publishers on their customers to

shift their office automation and other software applications to the cloud
is maximal (eg, Office365 and OneDrive) and raises questions about the
concentration of the cloud computing market onto a few global players,
a yearly enquiry by CyberArk’s Global Advanced Threat Landscape
Report shows that privileged access is the biggest cloud security issue:
‘The risks created by the lack of clarity about who is responsible for
security in the cloud are compounded by a general failure by organi-
sations to secure privileged access in these environments’, according
to Adam Bosnian, executive vice president, global business develop-
ment. Only 47 per cent of organisations reportedly currently have
an access management and security strategy in place for cloud and
workload infrastructure (https://www.cyberark.com/press/global-
advanced-threat-landscape-2019-focus-on-cloud/).

www.lexology.com/gtdt 45
© Law Business Research 2019
 Germany
Viola Bensinger and Laura Zentner
Greenberg Traurig Germany, LLP

MARKET OVERVIEW and innovative cloud solutions, and often specialise in a particular type
of cloud solution or service.
Kinds of transaction
1 What kinds of cloud computing transactions take place in Market size
your jurisdiction? 4 How well established is cloud computing? What is the size of
the cloud computing market in your jurisdiction?
All types and service models of cloud computing are used in Germany.
In the private sector, and both in B2B and B2C relationships, the use The German cloud computing market offers diverse solutions and
of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and services, and is fast-expanding. Cloud services are accepted and used
platform-as-a-service (SaaS), including storage, is common. Due to by a growing number of companies, including numerous small and
security concerns, companies prefer private cloud computing rather medium-sized enterprises (SMEs). Also, Microsoft is reported to rein-
than a public cloud. However, according to the most recent ‘Cloud- troduce a new version of its German cloud after previously having
Monitor’ – a study by German industry association Bitkom – public cloud discontinued this service for German customers in September 2018.
models are gaining ground, with more and more companies willing to According to statistical reports published by Statista, currently the
store information in public clouds. Nevertheless, the most important German market’s volume is €4.5 billion for SaaS, €421 million for PaaS,
factor for companies in selecting a cloud provider is compliance with and €705 million for IaaS. Total turnover for the (B2B) cloud computing
the EU General Data Protection Regulation (GDPR). sector is forecast to be €22.5 billion in 2020.
German government agencies also increasingly rely on the ‘federal Bitkom’s ‘Cloud Monitor 2019’ also evidences that cloud computing
cloud’, a light house project established in 2016 and operated by the in Germany continues to grow. In 2018, three out of four companies
Federal Information Technology Centre (ITZ Bund). The federal cloud (73 per cent) used cloud computing services, compared to two-thirds
offers all service models including IaaS (eg, Federal Cloud Server), (66 per cent) in 2017. A further 19 per cent of the enterprises surveyed
PaaS (eg, Federal Cloud Development Environment) as well as SaaS (eg, intend to use a cloud in the future. For only 8 per cent of enterprises,
Federal Cloud Runtime Environment) and is to become the standard for cloud services are not an option. Remaining concerns, especially of
federal authorities. It ensures that all data are stored on servers within smaller enterprises, are data protection or integration issues, and fear
Germany. In addition, and subject to certain requirements, federal and of losing control of the cloud computing service.
regional public authorities also use cloud services offered by private
German and global providers. Impact studies
5 Are data and studies on the impact of cloud computing in your
Active global providers jurisdiction publicly available?
2 Who are the global international cloud providers active in
your jurisdiction? Several studies on cloud computing in Germany are publicly avail-
able (eg, Bitkom’s annual Cloud Monitor, see question 4) or studies by
Apart from the three most prominent cloud service providers, Amazon the Federal Office for Information Security (BSI). In addition to market
(Amazon Web Services), Microsoft (Azure) and Google (Google Cloud figures, trends and the overall attitude of companies as regards cloud
Platform), many other global enterprises offer cloud services in computing, such studies also provide more specific insight, such as the
Germany. Especially IBM, Alibaba, Deutsche Telekom, Oracle, Exoscale decisive factors for cloud users in Germany and of the remaining chal-
and Profitbricks hold an appreciable position on the German cloud lenges of cloud computing for German enterprises.
computing market. Recently, the European Commission launched a study to assess
The German business community is increasingly opening up to current and future energy consumption and state-of-the-art cloud
both existing and new cloud services. The market is likely to remain computing services in Europe. The study aims to develop recommenda-
attractive and profitable for the industry’s global players. tions for energy-efficient cloud computing, particularly regarding future
research and development, green public procurement and market poli-
Active local providers cies. The study is expected to be finished in early 2020.
3 Name the local cloud providers established and active in your
jurisdiction. What cloud services do they provide?

Even though two-thirds of all cloud users rely on global providers, there
is a distinctive market in Germany for local cloud providers offering their
own variety of services. These smaller players (eg, Strato) offer secure

46 Cloud Computing 2020

© Law Business Research 2019
Greenberg Traurig Germany, LLP Germany

POLICY The BSIG imposes certain IT security obligations on providers of critical

infrastructure.
Encouragement of cloud computing Pursuant to section 2, paragraph 11 No. 3 BSIG, cloud computing
6 Does government policy encourage the development of your qualifies as ‘digital services’ that enable ‘access to a scalable and
jurisdiction as a cloud computing centre for the domestic elastic pool of commonly usable computing resources’. Generally, cloud
market or to provide cloud services to foreign customers? computing services do not fall under the definition of critical infrastruc-
ture of the BSIG and associated regulations (except for cloud services
There is no government policy generally promoting establishment of operated by state or federal administration, eg, the ‘federal cloud’).
cloud computing centres in Germany. Rather, the programmes in place However, non-governmental cloud services may qualify as critical
encourage cloud providers to meet certain quality and security stand- infrastructure for the information technology and telecommunications
ards, thereby improving their market position. sector in the future, and would then have to meet requirements under
One example is the Trusted Cloud project, originally a governmental BSIG. Also, and more importantly, where a provider of a critical infra-
subsidy programme that today is led by a non-profit organisation. The structure uses a cloud service, it will try and contractually impose the
project provides certification (Trusted Cloud Label) and a marketplace legal requirements on the cloud provider.
for ’trusted’ cloud services through the Trusted Cloud Portal. The criteria BSIG stipulates various IT security requirements for providers of
for certification include IT and data security, quality and transparency, cloud services of a certain size, including the obligation to take adequate
data protection and service contracts (details on www.trusted-cloud.de). technical and organisational measures to maintain a level of IT secu-
The portal aims at both cloud users and providers; however, primarily rity that minimises risks to the security of the network and information
it targets SMEs. systems used for the service. Cloud providers that are subject to BSIG
The government agency BSI offers another standard, ‘Cloud also must report to BSI all security incidents that have significant impact
Computing Compliance Controls Catalogue’ (C5), which primarily on the respective service.
addresses large and medium-sized enterprises and focuses on IT secu-
rity and transparency. C5 is more detailed with higher thresholds than 10 What legislation or regulation may indirectly prohibit, restrict
Trusted Cloud, and C5 certification is deemed to also evidence that the or otherwise govern cloud computing, in or outside your
requirements for TOMs under GDPR are met. jurisdiction?
The German federal government also provides for its own ‘federal
cloud’ infrastructure (see question 1), which currently is only available A variety of German regulations and legislation may have indirect
to federal institutions. impact on cloud computing services. In addition to the general provi-
sions of the German Civil and Commercial Codes and the rules against
Incentives unfair competition, particular attention should be paid to the relevant
7 Are there fiscal or customs incentives, development grants data protection provisions of the GDPR and the German Data Protection
or other government incentives to promote cloud computing Act. However, each cloud computing service may face specific issues
operations in your jurisdiction? depending on its business model and offerings.
Software made available via cloud computing may be subject to
There are no specific tax or custom incentives or other government German copyright law. While software packages made available via
subsidies for cloud computing in Germany. cloud are usually used online without being copied to the user’s device,
However, both the federal government and the governments of the the use may still qualify as an action that requires a licence (contrary to
German federal states offer a wide variety of state aid programmes to a mere copyright neutral enjoyment of a work).
promote digitisation of the European or German economy. In particular, The provisions of the German Telecommunications Act (TKG)
support is provided to SMEs for digitisation projects, but usually only for may apply to cloud computing services only in exceptional cases (ie,
the users of cloud infrastructures (and not for providers). The platform if the service qualifies as a telecommunications service within the
www.foerderdatenbank.de provides a comprehensive overview of avail- meaning of section  3,  No.  24  TKG, eg, because it includes Voice-over-
able subsidies. Internet-Protocol, video conferencing, instant messaging or email
services). In this case, the service would be subject to strict rules of
LEGISLATION AND REGULATION secrecy of telecommunications and obliged to register with the Federal
Network Agency.
Recognition of concept
8 Is cloud computing specifically recognised and provided for in Breach of laws
your legal system? If so, how? 11 What are the consequences for breach of the laws directly
or indirectly prohibiting, restricting or otherwise governing
There is no legal framework in Germany specifically for cloud cloud computing?
computing. Therefore, cloud computing services are subject to general
laws such as the German Civil Code, the German Commercial Code, Under German law, there is no general consequence applying to legal
the GDPR, the German Copyright Act or the rules against unfair violations in the context of cloud computing. Depending on which
competition. provisions are violated, the following main types of consequences or
sanctions must be considered.
Governing legislation If providers or customers do not comply with regulatory require-
9 Does legislation or regulation directly and specifically ments, this may trigger administrative proceedings. This may, for
prohibit, restrict or otherwise govern cloud computing, in or example, result in investigations, conditions to be completed or even
outside your jurisdiction? prohibition of the practice complained about, or, in exceptional cases, of
the respective cloud service.
The only specific legislation governing cloud computing is German IT In the case of certain infringements, supervisory authorities
security law (BSIG), which now also implements the EU NIS Directive. may also impose administrative fines on cloud providers or users,

www.lexology.com/gtdt 47
© Law Business Research 2019
 Germany Greenberg Traurig Germany, LLP

for example, in the area of data protection. According to the GDPR, • the Insurance Supervision Act applies to insurance companies;
fines of up to €20 million or 4 per cent of the worldwide turnover of • Companies in the energy sector are subject to the Electricity and
the preceding financial year, whichever is higher, may be imposed on Gas Supply Act; and
providers or customers who operate or use cloud computing services • the telecommunications sector is governed by the TKG.
not in compliance with the requirements.
Certain particularly serious infringements may result in criminal Companies in the healthcare and legal sectors are subject to certain
liability. Currently, German law only holds individuals liable under provisions of the German Criminal Code and rules of conduct.
criminal law (however this may change as it is being discussed to The respective supervisory authorities usually issue guidelines to
extend criminal liability to enterprises). For example, employees of the specify these sector-specific requirements. For example, federal finan-
cloud provider may be liable to prosecution for certain forms of ille- cial supervisory authority BaFin provides detailed information on the
gally tampering data. In addition, if a cloud provider is commissioned legally compliant use of IT, including cloud computing, for the finan-
by persons subject to professional secrecy (eg doctors, attorneys, tax cial sector, particularly regarding IT security, contractual design and
advisors), the provider’s employees may also be liable if they disclose data protection. In the public sector, the resolutions of the Council of
information protected by professional secrecy to third parties (section IT Officers (2015) and the IT Planning Council (2016) provide criteria for
203, paragraph 3 German Criminal Code). the use of cloud services by the federal administration (cloud services of
If cloud providers violate certain regulations of unfair competition private providers may only be used subordinately, and data may only be
law, competitors or customers may claim injunctive relief or damages, stored in Germany and may not be subject to disclosure or publication
or both. As far as consumer protection regulations are concerned, obligations, such as the US CLOUD Act).
also consumer protection organisations are entitled to issue warnings
against such cloud providers and to claim injunctive relief. Insolvency laws
14 Outline the insolvency laws that apply generally or
Consumer protection measures specifically in relation to cloud computing.
12 What consumer protection measures apply to cloud
computing in your jurisdiction? As there is no specific insolvency law for providers of cloud computing
or other IT services, the general German Insolvency Statute applies (if
German law provides for a range of consumer protection measures, of German insolvency law is applicable under conflict of laws rules).
which the rules on distance selling (sections 312c et seq German Civil For most insolvent companies an insolvency administrator will
Code) have notable impact on cloud services. Among other obligations, be appointed. The administrator is generally free to either continue to
providers are subject to extensive information requirements (eg on perform, or to refuse to perform, the ongoing obligations of the cloud
provider details, scope of services, total costs, warranty). Consumers computing contract.
also have a 14-day withdrawal right from the contract. If the customer of a cloud provider becomes insolvent, the admin-
In addition, the provisions in sections 305 et seq German Civil Code istrator is likely to refuse performance of the contract and to cease
on the use of standard terms and conditions restrict provider-friendly payments, in which case the provider is entitled to cease provision
drafting, and prohibit surprising or unequitable terms, particularly in of the services due to payment defaults. The administrator may also
B2C contracts. Restrictions include controls on the exclusion and limita- elect to continue the contract for a limited time if necessary (and
tion of liability, dispute resolution clauses, venue and governing law, feasible) for the administered company but then needs to pay for
contractual penalties, or contract term. These provisions are mandatory (future) services.
law that, vis-à-vis customers residing in Germany, cannot be circum- If the cloud provider files for insolvency, the administrator may
vented by choice of a different law. choose to refuse performance (ie, stop the provision of services). In this
Regulation (EU) No. 524/2013 on online dispute resolution for case, customers should in most cases be entitled to claim separation of
consumer disputes imposes further information obligations on providers. their stored data, and the migration or deletion of such data. The prac-
tical enforceability of such a claim may, however, depend on whether
Sector-specific legislation the insolvency estate has sufficient funds to operate the respective
13 Describe any sector-specific legislation or regulation that servers. If not, the administrator (or hardware provider) will switch off
applies to cloud computing transactions in your jurisdiction. the servers and prevent further access to the customers’ data. Should
the cloud provider’s administrator elect to continue the contract, the
There is no general cross-industry and cross-sector legislation for cloud services will be available irrespective of the insolvency proceedings.
computing in Germany. However, the BSI Act (BSIG) contains industry- Customers will then have to assess whether they have a contractual
and sector-specific IT  security requirements for operators of critical right to terminate the cloud computing contract, which remains enforce-
infrastructure such as energy, telecommunications, insurance or health. able in the provider’s insolvency.
If companies in these critical sectors use (or provide) digital services A contractual termination right in the event of the other party’s
such as cloud computing, they may have to comply with increased insolvency is often unenforceable under German law.
requirements for technical and organisational measures to protect their
IT systems, and to report significant IT security incidents to BSI. In 2017, DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
BSI also published a Cloud Computing Compliance Controls Catalogue
(C5; see also chapter 6) defining criteria for assessing IT security of Principal applicable legislation
cloud services. Based on international standards, C5 provides compa- 15 Identify the principal data protection or privacy legislation
nies with a uniform and generally recognised framework for ensuring IT applicable to cloud computing in your jurisdiction.
security in cloud computing.
In addition, companies in specific sectors need to comply with In Germany, any (automated) processing of personal data is governed
industry-specific legal requirements, for example: by the GDPR and the supplementing provisions of the Federal Data
• the German Banking Act, Payment Services Supervision Act, German Protection Act. If cloud solutions are used, login data and other content
Securities Trading Act, Investment Act regulate the financial sector; containing personal data are typically transferred to and processed

48 Cloud Computing 2020

© Law Business Research 2019
Greenberg Traurig Germany, LLP Germany

by the provider. Therefore, ensuring compliance with applicable data CLOUD COMPUTING CONTRACTS
protection law is a crucial issue for cloud computing services.
GDPR applies to cloud providers and customers established in the Types of contract
EU/EEA, regardless of whether the processing of data takes place in 16 What forms of cloud computing contract are usually adopted
the EU/EEA or the data pertains to EU/EEA residents. Providers estab- in your jurisdiction, including cloud provider supply chains (if
lished outside the EU/EEA may also be subject to GDPR, particularly applicable)?
if they address the German market or offer cloud services to individ-
uals residing elsewhere in the EU/EEA. If they offer their services to As cloud services exist in various forms, their provision cannot uniformly
corporate customers established in the EU/EEA, those customers will be characterised as a specific type of contract under German law. There
impose certain obligations under GDPR on cloud providers by means is also no consistent case law on this issue. While most cloud computing
of a data processing agreement, standard contract clauses and similar contracts will be a hybrid of different contract types, the following may
instruments. serve as a guideline:
GDPR stipulates various requirements for the processing of • IaaS: The provision of storage capacity usually qualifies as a lease
personal data. If a provider or customer fails to comply with relevant contract, while the provision of computing power classifies as a
requirements, fines of up to €20 million or 4 per cent of the worldwide service contract;
turnover of the preceding financial year may be imposed, depending on • PaaS: Access to infrastructure for development tends to be a lease
the nature and severity of the infringement. In addition, the supervisory contract; and
authority may carry out investigations including data protection audits, • SaaS: Such contract on providing software usually qualifies as
or order the respective entity to remedy the violation (eg, to change a lease contract (or a loan contract if the SaaS service is free
processes or even to cease using a particular service). of charge).
The following requirements are particularly relevant for cloud
computing. However, accurately classifying a cloud computing contract will always
From a GDPR perspective, it is usually the cloud user who is depend on the individual circumstances. To minimise the considerable
deemed responsible controller deciding on the processing of personal legal uncertainties, cloud computing contracts (both individual contracts
data, while the cloud provider is deemed to process data on behalf of the and standard business terms) typically comprehensively describe the
user. To comply with GDPR, the parties must conclude a data processing terms of use of the respective services as well as other relevant issues.
agreement with certain minimum contents pursuant to article 28 GDPR.
This includes provisions obligating the cloud provider to only process Typical terms for governing law
data per the customer’s instructions, and to not use subcontractors 17 What are the typical terms of a B2B public cloud computing
without the customer’s consent. contract in your jurisdiction covering governing law,
If cloud services are based on infrastructure located outside the jurisdiction, enforceability and cross-border issues, and
EU/EEA, personal data are transferred to third countries. If there is dispute resolution?
no adequacy decision adopted by the EU Commission for the respec-
tive third country (eg, the United States), under GDPR the parties are According to article 3 of the Rome I Regulation (EC No. 593/2008), the
required to ensure appropriate safeguards achieving an adequate parties in B2B cloud computing relationships are free to choose the
level of protection. To that end, providers (and any subcontractors) and governing law both in individual contracts or standard business terms.
customers usually enter into EU standard contract clauses for proces- For German cloud providers, the choice of German law is usually non-
sors. If the provider or subcontractor is located in the US, they can negotiable, whereas large global providers regularly insist on the law of
alternatively obtain certification under the EU–US Privacy Shield, which the country of their primary establishment.
also establishes an adequate level of protection. The place of jurisdiction is typically chosen corresponding to the
Cloud providers must also sufficiently evidence to have imple- governing law. Agreements on enforceability or (other) cross-border
mented appropriate technical and organisational measures (TOMs) for issues, however, are uncommon in cloud contracts.
data processing, and to ensure protection of the rights of customers, Arbitration clauses have become more common in cloud contracts,
employees, or other third parties. but still are not typical in Germany.
To provide practical guidance on how to use cloud computing
solutions in compliance with data protection law, German super- Typical terms of service
visory authorities have issued a joint guideline. This guideline 18 What are the typical terms of a B2B public cloud computing
‘Cloud-Computing Version 2.0’, issued in 2014 by the Conference of Data contract in your jurisdiction covering material terms, such
Protection Commissioners of the Federal Government and the States, as commercial terms of service and acceptable use, and
summarises the most important risks when processing data in clouds, variation?
requirements for the contractual set-up of cloud services, and recom-
mendations for technical and organisational requirements. Since the If the cloud service is not free of charge, the cloud computing agree-
guideline still refers to the legal situation before GDPR entered into ment usually provides for prices and payment modalities. In the case of
force, an updated version is currently being drafted. IaaS and PaaS, providers often charge by time or volume of processed
For cloud providers subject to US law, the obligations to disclose data, based either on actual usage (actual on-demand service) or on
data under the US Cloud Act is particularly problematic. According to a capacity held. SaaS are often billed at a fixed price per user or applica-
statement of the European Data Protection Board, there is no valid legal tion, or based on actual usage (eg, per time). Additional services such as
basis for such data transfers to authorities in the US except in few excep- training or data migration are usually charged separately.
tional cases. Furthermore, it is unclear whether customers also violate Price adjustment clauses in cloud computing contracts are quite
the GDPR, and therefore risk a fine, when using a US cloud provider. common. In order for such clauses to be enforceable, the price increase
may only be linked to comparable products pursuant to the German
Price Clause Act. If the price adjustment is included in standard busi-
ness terms, it must also meet the requirements in section 305 et seq

www.lexology.com/gtdt 49
© Law Business Research 2019
 Germany Greenberg Traurig Germany, LLP

German Civil Code, particularly regarding transparency and adequacy The customer may not modify the provider’s software or use it in
or equity. Benchmarking clauses are probably more common. any unauthorised way, and has to impose any obligations and usage
Most cloud computing contracts include an acceptable use policy restrictions under the cloud computing contract on their customers.
(AUP) which prohibits the use of the services for illegal activities (eg, The customer will need to warrant that it holds all necessary rights
infringing third-party intellectual property or other rights, sending email to content stored in the cloud, and that the storage, use or transfer of
spam, or spreading viruses or other malware). Often, such AUP also the contents does not violate applicable laws or third-party right. The
prohibits excessive use. If users violate these rules, the cloud provider customer must also hold harmless and indemnify the provider from and
typically reserves the right to terminate the contract. against any third-party claims (including reasonable legal costs) made
owing to unlawful actions or a breach of warranty by the customer.
Typical terms covering data protection The cloud provider regularly reserves the right to suspend provi-
19 What are the typical terms of a B2B public cloud computing sion of service, or even terminate the contract, if there is reasonable
contract in your jurisdiction covering data and confidentiality evidence of a violation of third-party rights or other unlawful use of
considerations? the service by the customer (or any of its customers). The provider will
sometimes also reserve the right to perform licence audits, and oblige
Data protection is an indispensable issue in cloud computing because customers (and their customers) to cooperate in such audits.
of the underlying processing of personal data and its inherently cross- Also, for any breach of IPR warranties or obligations, the (contrac-
border nature. Nevertheless, cloud framework agreements typically tual and/or statutory) general provisions on liability and on the remedies
do not contain detailed data protection provisions in their main body, for breach of contract apply, including injunction of the violation and
but refer to stipulations in annexes. Mostly, the customer and the payment of damages.
cloud provider enter into a data processing agreement in accordance
with article  28 GDPR. Where international data transfers take place, Typical terms covering termination
EU standard contract clauses are typically concluded and added as 22 What are the typical terms of a B2B public cloud computing
another annex. contract in your jurisdiction covering termination?

Typical terms covering liability Cloud computing contracts can be entered into for an unlimited contract
20 What are the typical terms of a B2B public cloud computing term or for a fixed term, (typically for one or two years). However,
contract in your jurisdiction covering liability, warranties and usually any fixed term will be extended automatically if the contract is
provision of service? not terminated by one of the parties.
Any cloud services contract may further usually be extraordinarily
As the contractual relationship is often based on the cloud provider’s terminated without notice for good cause. The conditions for extraordi-
terms and conditions, their liability is typically excluded as far as nary termination as well as circumstances establishing a ‘good cause’
legally permitted, and capped at a maximum amount either per event of are usually specified in cloud computing contracts. They commonly
damage or for all claims arising from the contract. stipulate a right of extraordinary termination in the event of serious and
However, according to German law governing standard business repeated breaches of duty, such as major failures of the cloud service or
terms, standard terms may not limit liability for damage to life and significant payment defaults by the customer.
health and for damage caused by gross negligence or wilful miscon- It is highly recommended to provide for an exit management.
duct. To enforceably further limit or exclude the provider’s liability, the Otherwise, there is a risk that the cloud services will cease to be avail-
liability clause needs to be individually negotiated. able to the customer immediately after the contract is terminated. As
Most cloud contracts include specific Service Level Agreements part of the exit management, the cloud provider is typically obliged to
(SLAs) containing performance obligations, obligations regarding continue to provide services for a specified period after termination of
the availability of service or timely response of a helpdesk, etc. The the contract, and to support the user in transitioning the cloud services
customer will typically have to accept the provider’s standard SLAs. (and migrating data) to a new provider’s (or the user’s own) systems.
While SLAs usually contain sanctions such as penalties or price reduc-
tions for failure to meet the stipulated standard, such penalties are often Employment law considerations
limited to fairly low amounts. 23 Identify any labour and employment law considerations that
Further, a cloud contract should contain warranties regarding apply specifically to cloud computing in your jurisdiction.
business continuity and disaster recovery.
The introduction of cloud computing services by a company may
Typical terms covering IP rights be subject to participation rights of third parties under German
21 What are the typical terms of a B2B public cloud computing employment law.
contract in your jurisdiction covering intellectual property If a data protection officer has been appointed by the company, they
rights (IPR) ownership in content and the consequences of must be informed prior to the introduction of cloud computing appli-
infringement of third-party rights? cations qualifying under article 38 GDPR and sections 6 and 38 of the
Federal Data Protection Act.
Typically, the provider grants to the customer a non-exclusive, non- If a works council exists in a company of cloud computing, it must
transferable licence to use the provider’s platform and – for example, for be informed about the introduction at the preliminary planning stage.
SaaS services – the provider’s access or other software. The provider The works council also has a right of co-determination with respect to
usually warrants to hold all necessary rights or licences to provide the the introduction and use of technical equipment intended to monitor the
services to the customer. The provider may further agree to defend behaviour or performance of employees, which is why the introduction
and hold harmless the customer from any claims made against it by a of cloud computing services, owing to its technical possibilities, may
third party due to an alleged infringement of IPR by the cloud service. require prior consent of the work council.
However, such indemnification by the provider is not typical unless the While unlikely, the introduction of cloud computing may qualify
customer has considerable leverage. as a change of business if it leads to extensive changes in the

50 Cloud Computing 2020

© Law Business Research 2019
Greenberg Traurig Germany, LLP Germany

company’s organisation or work processes, or triggers a major reduc-

tion in personnel. In this case, a reconciliation of interest procedure with
the works council would have to be conducted, as well as a social plan
concluded.

TAXATION

Applicable tax rules

24 Outline the taxation rules that apply to the establishment and Viola Bensinger
[email protected]
operation of cloud computing companies in your jurisdiction.
Laura Zentner
Companies established in Germany are subject to income tax and trade [email protected]
tax (regarding VAT see question 25). Any individual or corporation
starting a business in Germany is obligated to notify the responsible tax Kollhoff-Tower
office before commencing business. Potsdamer Platz 1
Income tax for individuals is governed by the German Income 10785 Berlin
Tax Act and for corporations by the German Corporate Income Tax Germany
Act. Partnerships as such are not subject to income tax but treated as Tel: +49 30 700 171 100
transparent and the profit shares are to be taxed by its partners. For www.gtlaw.com
individuals the tax rates vary from 14 per cent to 45 per cent. For corpo-
rations the tax is 15 per cent. In addition, there is a ‘solidarity surcharge’
of 5.5 per cent on the amount of income tax due.
Businesses (and partnerships) are also subject to trade tax. The Indirect taxes
basis for trade tax is the taxable profit for income tax purposes with 25 Outline the indirect taxes imposed in your jurisdiction that
certain additions and reductions. The tax rate depends on the place of apply to the provision from within, or importing of cloud
establishment, and generally varies from 7 per cent to 18 per cent. computing services from outside, your jurisdiction.
In addition, companies may be subject to withholding obligations.
The most important withholding taxes for cloud computing providers If cloud computing takes place between two German parties, and only
are for the salaries of its employees (wage tax) and on licence fees (at a local facilities are used for the service, there are hardly any tax differ-
rate of 15 per cent) if paid to recipients outside Germany. ences compared to other commercial services.
Foreign cloud computing companies providing services to
customers in Germany are not subject to income tax or trade tax unless RECENT CASES
they maintain a permanent establishment in Germany. While the use
of storage capacity on computers located in Germany as such is not Notable cases
considered to create a permanent establishment, maintaining (owned 26 Identify and give details of any notable cases, or commercial,
or rented) computers in a designated area of a building may qualify private, administrative or regulatory determinations within
as permanent establishment and trigger income and trade tax liability. the past three years in your jurisdiction that have directly
The fees paid for cloud computing services are generally not qualified involved cloud computing as a business model.
as licence fees, and therefore not subject to withholding tax if paid by
German customers to foreign cloud providers. In the past three years, there has not been notable German case law,
nor have there been commercial, private, administrative or regulatory
Indirect taxes determinations in Germany, directly involving cloud computing as a
25 Outline the indirect taxes imposed in your jurisdiction that business model.
apply to the provision from within, or importing of cloud
computing services from outside, your jurisdiction. UPDATE AND TRENDS

Regarding VAT on cloud computing services supplied from outside Key developments of the past year
of Germany to customers in Germany, there is a distinction between 27 What are the main challenges facing cloud computing within,
services rendered to VAT payers and services rendered to consumers. from or to your jurisdiction? Are there any draft laws or
For B2C transactions, cloud computing services qualify as elec- legislative initiatives specific to cloud computing that are
tronic services, which are deemed to be supplied and subject to VAT being developed or are contemplated?
at the place of the customer’s residency or establishment. Hence the
provider is liable for VAT, at a standard rate of 19 per cent. From a purely legal perspective, and leaving business considerations
For B2B transactions, although the service is deemed to be aside, the main challenges for both providers and users of cloud services
performed and subject to VAT at the place of the customer’s establish- certainly are security, meeting legal and industry security requirements
ment, not the supplier but the customer is liable for the tax (reverse as well as balancing effective and customer-friendly workflows against
charge mechanism). proper security safeguards. While there currently are no cloud-specific
The fact that the customer is a business must be evidenced by legislative initiatives, etc, there are several envisaged changes that will
providing a valid VAT identification number. certainly affect cloud providers, such as the planned revision of the EU
Foreign cloud computing companies rendering only electronic product liability directive (and its implementation into national laws).
services to consumers in Germany may claim any VAT incurred in
Germany under the refund procedure.

www.lexology.com/gtdt 51
© Law Business Research 2019
 India
Samuel Mani and Rosa Thomas
Mani Chengappa & Mathur

MARKET OVERVIEW including mission critical applications such as core banking solutions.
According to a report by Gartner, and according to NASSCOM’s report
Kinds of transaction ‘Cloud – Next Wave of Growth in India’ (www.nasscom.in/knowledge-
1 What kinds of cloud computing transactions take place in center/publications/nasscom-cloud-next-wave-growth-india-2019),
your jurisdiction? the current estimated spending as of 2018 on cloud services in India,
is estimated at US$2.5 billion. This accounts for 6 per cent of India’s
The Indian cloud computing market is a very vibrant market, and expenditure on information technology. This is further expected to grow
there are all varieties of cloud computing transactions taking place, in at 30 per cent per annum, to reach US$7.2 billion in 2022, which is nearly
consonance with newer concepts as well, such as machine learning, a threefold increase. The growth rate of the Indian public cloud market
edge computing and anything-as-a-service (XaaS). The private sector is the second highest growth rate globally, after China (www.gartner.
is leading the way, but the central government and state governments com/newsroom/id/3874299). This shows that India is a critical growth
are also actively considering and implementing various cloud-based market for all types of cloud computing players.
computing initiatives, in addition to partnering with private players to
set up necessary infrastructure. Impact studies
5 Are data and studies on the impact of cloud computing in your
Active global providers jurisdiction publicly available?
2 Who are the global international cloud providers active in
your jurisdiction? There are numerous studies that are carried out in the cloud computing
ecosystem in India. Reports and studies are published by leading
All of the major global cloud providers are active in India. Amazon and researchers such as Gartner, Forrester, IDC and Zinnov as well as trade
Microsoft are the leaders with their AWS and Azure offerings respec- bodies such as NASSCOM. Examples of such reports are Gartner’s and
tively, while Digital Ocean, Google, Cisco and IBM are also very active. NASSCOM’s reports referred to above.
The government of India has made Digital India one of its core
Active local providers missions and it is leveraging open, scalable and cost-efficient computing
3 Name the local cloud providers established and active in your models to make this mission a reality. Given the cost-sensitive nature of
jurisdiction. What cloud services do they provide? the Indian market, the cost efficiencies offered by cloud computing will
be core to making the Digital India mission successful.
There are a host of smaller cloud providers in India. Given the nature
of cloud computing, it is somewhat difficult to identify India-based and POLICY
India-centric cloud service providers. Some of the cloud providers
outside of the large global players that are commonly referred to in Encouragement of cloud computing
computing circles are NetMagic, BlueHost, HostingRaja and SoftLayer. 6 Does government policy encourage the development of your
They provide numerous services, which include web hosting, jurisdiction as a cloud computing centre for the domestic
infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), soft- market or to provide cloud services to foreign customers?
ware-as-a-service (SaaS), data security, fault tolerance, and disaster
recovery. India’s burgeoning technology product ecosystem is largely Currently, the government of India is considering a separate policy to
cloud-centric. Notable examples that have a significant Indian heritage create a separate legal framework for cloud computing. The Telecom
include Zoho, Freshdesk, Freshworks and CtrlS. Regulatory Authority of India released a consultation paper in 2016 on
Cloud Computing in India and recommendations on cloud services in
Market size 2017 in furtherance of this.
4 How well established is cloud computing? What is the size of The Ministry of Electronics and Information Technology (MEITY)
the cloud computing market in your jurisdiction? addresses some aspects pertaining to cloud computing in its National
Policy on Information Technology and the National Telecom Policy of
The Indian cloud computing market is well established. India’s small and 2012. One of the objectives of these policies is to develop an ecosystem
medium-sized enterprises are actively migrating to cloud-based applica- to allow India to emerge as a global leader in the development and
tions and large enterprises are also following suit. As a case in point, the provision of cloud services. This focus is further enhanced in the
Reserve Bank of India (RBI) recently granted more than 20 new banking National Digital Communications Policy 2018 released on 22 October
licences to banks with various target markets. These new banks are 2018, which forms the overarching policy framework for all aspects of
very actively leveraging cloud-based infrastructure and applications, digital technologies in India over the next few years. The draft policy

52 Cloud Computing 2020

© Law Business Research 2019
Mani Chengappa & Mathur India

envisages establishing India as a global hub for cloud computing, inter and sensitive personal information recorded in electronic form) in
alia, through: (i) promoting the establishment of International Data India. Cloud computing services that deal with personal or sensi-
Centres, Content Delivery Networks and independent interconnect tive personal information need to comply with the requirements
exchanges in India; (ii) establishing a light-touch regulatory approach set out under the Privacy Rules relating to security, encryption,
to cloud computing; and (iii) establishing captive fibre networks. Hence, access to data subject, disclosure, international transfer and
it seems reasonable to expect a growing and beneficial policy focus on publication of policy statements. Cloud service providers in India
cloud computing in India over the next few years. may also be required to comply with the Information Technology
(Intermediaries Guidelines) Rules 2011 (Intermediary Guidelines)
Incentives prescribed under the IT Act.
7 Are there fiscal or customs incentives, development grants • The government has a published a Personal Data Protection Bill
or other government incentives to promote cloud computing 2018 (the Bill), which if notified will overhaul the existing privacy
operations in your jurisdiction? and data protection framework in India. The Bill is in many respects
similar to the EU’s General Data Protection Regulation and it, inter
Currently, there are no government schemes or policies that provide alia, enhances the stringency of obligations and corresponding
incentives or grants specifically to enterprises in the cloud computing penalties governing data protection from a customer perspective.
sector. Fiscal incentives are extended to enterprises in certain catego- The Bill has also set high standards for the processing of personal
ries such as: data within India and abroad and is expected to replace or amend
• export-oriented enterprises set up inside special economic zones the IT Act and the Privacy Rules in these respects. Data sovereignty
as notified by the government; and has lately become one of the primary areas of concern of the Indian
• start-up ventures that are engaged in innovation and development government, as national security could be compromised to threats
of products, processes or services through use of intellectual prop- in digital space. In pursuance of safeguarding data sovereignty,
erty and technology, or that have a scalable business model with Indian legislature has proposed norms on data localisation in
a high potential of employment generation or wealth creation. (A the Bill. Furthermore, the RBI, has mandated all payment system
start-up is an entity incorporated or registered as a company or providers to store payment related data in systems in India. This
registered partnership or limited liability partnership less than data may include full end-to-end transaction details or information
seven years from the date of its incorporation or registration, that collected, carried or processed as part of the message or payment
has a turnover less than 250 million rupees). instruction. These norms have been introduced for the benefit of
the local players in the cloud computing market. However, the draft
MEITY has, by way of the Public Procurement (Preference to make in e-commerce policy deviates from the relatively conservative posi-
India) Order 2017 (Order), stated that purchase preference (amounting tion adopted in the Bill on data localisation insofar as it inter alia
to 50 per cent of total procurement) should be provided to local permits cross-border transfer of technology related data as long as
suppliers in all procurements to be undertaken by procurement entities it has no personal or community implications.
in India as part of government of India’s ‘Make in India’ policy with a view
to enhance income and employment in India. Therefore, public sector Governing legislation
procurement will favour domestic cloud computing providers. 9 Does legislation or regulation directly and specifically
Other than fiscal incentives, start-up ventures are allowed exemp- prohibit, restrict or otherwise govern cloud computing, in or
tion from compliances under specific environmental and labour laws. outside your jurisdiction?
Cloud computing providers that meet the aforesaid parameters will be
eligible for these benefits. As specified in question 8, there is no regulation in India that specifically
prohibits, restricts or governs cloud computing. Question 8 describes
LEGISLATION AND REGULATION the principal legislation that indirectly governs cloud computing
services in India.
Recognition of concept Other than the above, the use of cloud services by banks and insur-
8 Is cloud computing specifically recognised and provided for in ance providers is separately regulated under sector-specific regulations.
your legal system? If so, how?
10 What legislation or regulation may indirectly prohibit, restrict
There is no legislation in India that specifically recognises cloud or otherwise govern cloud computing, in or outside your
computing. However, cloud computing services would fall under the jurisdiction?
ambit of the following:
• ‘Cloud services’ have been specifically recognised under the Cloud computing services are primarily regulated (though indirectly) by
Integrated Goods and Services Tax Act 2017 (the GST Act) under the IT Act and Privacy Rules (see question 8).
‘online information and database access or retrieval services’ and In addition to the IT Act and Privacy Rules, the use of cloud
therefore the services rendered by cloud services providers would computing in the banking and insurance sectors is subject to specific
be subject to goods and services tax. restrictions.
• Section 43A of the Information Technology Act 2000 (the IT Act) The RBI’s guidelines on Managing Risks and Code of Conduct in
read with the Information Technology (Reasonable security Outsourcing of Financial Services by Banks read along with the Report
practices and procedures and sensitive personal data or infor- of Working Group of RBI on Electronic Banking set out specific require-
mation) Rules 2011 (the Privacy Rules) provide guidelines for the ments to be complied with by banks while engaging cloud service
collection, use and protection of any sensitive personal data or providers. These requirements, inter alia, relate to vendor selection,
information of natural persons by a body corporate that possesses, data security, form of agreement, business continuity and disaster
deals with or handles such data. The IT Act and the Privacy Rules recovery or management practices.
together set out the regulatory framework for creation, collection, The Insurance Regulatory and Development Authority of India’s
storage, processing and use of electronic data (including personal Guidelines on Information and Cyber Security for Insurers require

www.lexology.com/gtdt 53
© Law Business Research 2019
 India Mani Chengappa & Mathur

insurers to comply with requirements, inter alia, in relation to data, payment systems operated by them are only stored in systems within
application and network security, incident management, and informa- India. The new Bill also proposes to enhance consumer protection meas-
tion security audit while using services from a cloud service provider. ures by introducing data localisation requirements wherein in respect
The government retains the authority to intercept any information of cross-border transactions, a data controller is required to maintain at
transmitted through a computer system, network, database or software least one copy of personal data on a server or a data centre in India. This
for the prevention of serious crimes or under grave circumstances in turn would, inter alia, have the effect of relative ease in enforcement
affecting public order and national security. of claims by customers under consumer protection laws.
See also the paragraph pertaining to the Bill (see question 8) and
its proposed impact on obligations of entities with respect to privacy and Sector-specific legislation
data protection in India. 13 Describe any sector-specific legislation or regulation that
applies to cloud computing transactions in your jurisdiction.
Breach of laws
11 What are the consequences for breach of the laws directly See questions 8 and 10.
or indirectly prohibiting, restricting or otherwise governing
cloud computing? Insolvency laws
14 Outline the insolvency laws that apply generally or
The IT Act and Privacy Rules prescribe payment of damages on account specifically in relation to cloud computing.
of failure to or in case of negligence in implementing or maintaining
reasonable security practices to protect any sensitive personal infor- There is no specific law in India that determines what happens to any
mation. The non-compliant entity is required to pay damages to the data of the customer once the cloud service provider becomes insolvent
aggrieved party to the extent of wrongful loss or damage suffered by and this would ideally be governed by the contract between the service
the aggrieved party. Further, any person who has received any personal provider and the customer.
or sensitive personal information for performing any services, and The Companies Act 2013, as amended by the Insolvency and
discloses it with a mala fide intent is liable to a fine of up to 500,000 Bankruptcy Code 2016, governs procedure to be followed when a
rupees or imprisonment of up to three years, or both. company becomes insolvent. In the absence of any contractual under-
The sector-specific regulations (see question 10) set out sanc- standing regarding the treatment of customer data in case of insolvency
tions by regulators in case of non-compliance with them, which could of the service provider, the liquidator of the company will decide how
range from fines to suspension or revocation of the licence to carry such data would be treated.
on business.
It is important to note that the Bill proposes to impose heavy DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
monetary sanctions involving a percentage of total worldwide turnover,
for non-compliance with the privacy and data protection measures laid Principal applicable legislation
down by it. There is good reason to believe that this position will prevail 15 Identify the principal data protection or privacy legislation
when the law comes into force. applicable to cloud computing in your jurisdiction.

Consumer protection measures The IT Act and Privacy Rules (see question 8) is currently the primary
12 What consumer protection measures apply to cloud legislation governing data protection and privacy with respect to cloud
computing in your jurisdiction? computing in India. However, on 24 August 2017, a nine-judge bench of
the Supreme Court of India conclusively held that the right to privacy is a
The IT Act provides for the following consumer protection measures: fundamental right guaranteed to the citizens of India (subject to reason-
• the IT Act (and therefore the penal consequences of the Act) able restrictions) and such right would also be exercisable against the
covers offences committed outside of India if the offence involves a state. See question 8 for more details on the proposed changes in the
computer, computer system or computer network located in India. privacy and data protection framework in India that resulted from this
This would protect consumers within India who procure cloud decision of the Supreme Court.
computing services from service providers located outside India;
• the Privacy Rules protect consumers by casting obligations on CLOUD COMPUTING CONTRACTS
cloud computing providers with regard to the collection and
storage of personal information. These include broadly: Types of contract
• disclosures to be made to such users or consumers regarding 16 What forms of cloud computing contract are usually adopted
the fact that the information is being collected or stored; in your jurisdiction, including cloud provider supply chains (if
• the purpose of collection; applicable)?
• the manner in which such information can be transferred; and
• the minimum-security practices and procedures to be imple- The most common form of cloud computing contracts in India are
mented by cloud service providers when processing personal international standard form contracts with fixed terms and are in most
information. instances non-negotiable, with certain exceptions. However, if the cloud
service provider is a small service provider the user may have more
The Consumer Protection Act 2019 (which is yet to come into force) room to negotiate terms. The terms of the contract will also depend on
grants the right to the central government to make rules for measures to the service delivery model (ie, whether it is IaaS, SaaS or PaaS).
be taken to prevent unfair trade practices in e-commerce, direct selling
and also to protect the interest and rights of consumers in this regard.
Indian regulators are increasingly focused on all aspects relating
to data protection and data localisation. The RBI recently mandated that
all providers of payment systems must ensure that all data relating to

54 Cloud Computing 2020

© Law Business Research 2019
Mani Chengappa & Mathur India

Typical terms for governing law Typical terms covering IP rights

17 What are the typical terms of a B2B public cloud computing 21 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering governing law, contract in your jurisdiction covering intellectual property
jurisdiction, enforceability and cross-border issues, and rights (IPR) ownership in content and the consequences of
dispute resolution? infringement of third-party rights?

Under Indian laws, parties to a contract have the right to choose the Under a B2B public cloud computing contract, the service provider or its
governing law. However, in the event of a dispute, the courts will not only licensors will continue to hold all rights, title and interest in the cloud
take into consideration the governing law as included in the contract but computing resources, while the user will continue to hold all rights, title
also its link with the contract. Usually, parties agree to the exclusive and interest in the data it uploads as well as in any output that is gener-
jurisdiction of the courts in the same country as the governing law. ated through the use of such data.
Under section 44A of the Indian Code of Civil Procedure 1908, Usually, a typical (and, in most instances, the only) indemnity that
a decree of any superior court of a reciprocating territory that is so the service provider may be willing to provide is for indemnification for
declared by the government, will be executed in India similar to any third-party intellectual property infringement claims and such indem-
decree passed by a district court in India. All other judgments or decrees nity is not capped.
will face extensive re-adjudication in Indian courts.
Arbitration is a fairly commonly accepted method of dispute resolu- Typical terms covering termination
tion. Parties should ideally also include an escalation clause for dispute 22 What are the typical terms of a B2B public cloud computing
resolution. contract in your jurisdiction covering termination?

Typical terms of service Apart from termination rights set out in the agreement, a party has
18 What are the typical terms of a B2B public cloud computing a statutory right to terminate in case of a breach by the other party.
contract in your jurisdiction covering material terms, such Other than that, a party whose consent to an agreement is obtained
as commercial terms of service and acceptable use, and through coercion, fraud or misrepresentation can elect to terminate it.
variation? Most agreements may also contain a right for both parties to be able to
terminate for convenience without incurring any liability.
Given the prevalence of international standard form contracts in the In the instance the service provider is dependent on a third-party
Indian market, the typical terms are similar to terms that are commonly for essential services required to provide the cloud computing services,
used in large markets such as the US and the UK. the services provider may retain the right to immediately terminate
without incurring any liability if the service provider’s relationship with
Typical terms covering data protection the third-party is affected in any manner.
19 What are the typical terms of a B2B public cloud computing Post-expiry or on termination of the agreement, the agreement
contract in your jurisdiction covering data and confidentiality will usually provide for payment of any fees due and payable as well
considerations? as refund of fees for services not rendered (though this may not be
something larger cloud service providers may agree with). Provisions
Data security and confidentiality obligations are very important as users regarding return of user data are also included, with the service
may upload confidential and proprietary information as well as personal provider specifying the duration that they are willing to retain such data
data. The Privacy Rules prescribe that sensitive personal informa- post which the data may be irretrievably deleted. The parties should
tion should be stored in ISO 27001-compliant data centres. Clauses also agree on the format in which the data would be returned. Most
surrounding data privacy, confidentiality and data transfer, and pres- service providers will not agree on any further post-termination obliga-
ervation are largely similar to clauses found in international standard tions. However, if the agreement is negotiable the user can ask for data
form contracts prevalent in the US and UK. Once the Bill becomes law, retrieval, transfer or migration services.
there will be significant changes on the data front.
Employment law considerations
Typical terms covering liability 23 Identify any labour and employment law considerations that
20 What are the typical terms of a B2B public cloud computing apply specifically to cloud computing in your jurisdiction.
contract in your jurisdiction covering liability, warranties and
provision of service? There are no such labour or employment law considerations that would
apply to a business customer.
Clauses around liability, warranties and provision of service are solely
dependent on the contractual arrangement reached between the TAXATION
parties. Most service providers will have standard service availability
and service levels specified in the agreement that they would not be Applicable tax rules
willing to negotiate. Similarly, most service providers would have 24 Outline the taxation rules that apply to the establishment and
standard business continuity and disaster recovery processes in place. operation of cloud computing companies in your jurisdiction.

Providers of cloud computing services are subject to both direct and

indirect taxes.
Direct taxes apply to the income of the cloud computing company
and are collected on a combination of withholding at source and direct
remittance by the cloud computing company.
As a consumer of goods and services, the company would mostly
have a responsibility to bear the economic burden of tax specified under

www.lexology.com/gtdt 55
© Law Business Research 2019
 India Mani Chengappa & Mathur

the GST Act. The provider of goods and services, generally, has the
responsibility of collection and remittance of the goods and services tax.

Indirect taxes
25 Outline the indirect taxes imposed in your jurisdiction that
apply to the provision from within, or importing of cloud
computing services from outside, your jurisdiction.

Provision of cloud computing services from within India to a recip-

ient also within India will attract goods and services tax (currently, Samuel Mani
[email protected]
at a composite rate of 18 per cent) under the GST Act. Where cloud
computing services are exported and, therefore, consumed outside of Rosa Thomas
India, the rate of applicable goods and services tax is zero (subject to [email protected]
meeting certain requirements).
The GST Act replaces the earlier service tax regime. As per the GST
Divyasri No. 26, SBI Colony
Act, cloud service providers are now able to claim credit on the input 3rd Block Koramangala
hardware used for providing services. Bangalore 560034
India
RECENT CASES Tel: +91 80 4148 1999
www.mcmlaw.in
Notable cases
26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
involved cloud computing as a business model.

The government recently launched a National Cloud Initiative – GI

Cloud – to optimise the government’s spending on internet and commu-
nications technology and to facilitate large-scale adoption of cloud
computing and services within the governance mechanism. MEITY has
provisionally accredited private cloud service providers for the devel-
opment of cloud infrastructure. Currently, NIC Cloud (cloud.gov.in), a
government website, offers service models such as PaaS, IaaS, SaaS
and storage-as-a-service.
Further, given the pervasiveness of cloud computing today, a
number of private and quasi-governmental organisations have formu-
lated draft models for the development of cloud services in India. For
example, the Cloud Computing Innovation Council published a white
paper titled ‘A Framework and Roadmap on Cloud Computing Innovation
in India’ that sets out a proposed roadmap for the development of cloud
computing services in India through three phases:
• establishment of National Cloud Authority;
• setting up government clouds based on the certain interoperability
standards emerged within India; and
• adoption of these interoperability standards by other Indian cloud
companies on a large scale.

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

See questions 8 and 10.

56 Cloud Computing 2020

© Law Business Research 2019
Japan
Atsushi Okada and Hideaki Kuwahara*
Mori Hamada & Matsumoto

MARKET OVERVIEW and large-cap companies. Companies use cloud computing services
for various purposes such as inter- and intra-office communication,
Kinds of transaction preserving and sharing data electronically, operating company servers
1 What kinds of cloud computing transactions take place in and portal sites.
your jurisdiction?
Impact studies
Public and private cloud models are both common in Japan. In the 5 Are data and studies on the impact of cloud computing in your
public cloud model, multiple users share a single cloud environment jurisdiction publicly available?
provided by a cloud provider, and in the private cloud model, a company
builds its own cloud environment for its use or use by its group The Ministry of Internal Affairs and Communications (MIAC) issues a
companies. While both are expanding their market sizes year on year, white paper on telecommunications annually, which contains the results
currently, private cloud models have a larger share. The preference of surveys that MIAC conducts regarding the cloud computing market.
for most Japanese companies currently seems to be the private cloud Further, think tanks such as Nomura Research Institute publish statis-
model, probably because of concerns about the security level of public tics and analyses of the current and future cloud computing market.
cloud environments. A recent trend within the private cloud model is According to the IT Navigator 2018, published by Nomura Research
the increasing use of the ‘community cloud’, where a limited number Institute, users of traditional network services such as leased line have
of companies share a private cloud, which is more cost-effective than been decreasing in recent years and their market sizes shrinking, in
an ordinary private cloud, which requires a user to construct their own contrast to the rapid expansion of the cloud computing market.
cloud environment. Various types of cloud computing services, including
software-as-a-service, infrastructure-as-a-service and platform-as-a- POLICY
service, are provided by many prominent cloud providers.
Encouragement of cloud computing
Active global providers 6 Does government policy encourage the development of your
2 Who are the global international cloud providers active in jurisdiction as a cloud computing centre for the domestic
your jurisdiction? market or to provide cloud services to foreign customers?

International cloud computing providers in Japan include Amazon. The Japanese government established the Strategic Headquarters for
com, Microsoft, Google and IBM for both public and private cloud the Promotion of an Advanced Information and Telecommunications
computing services. Network Society (IT Strategic Headquarters) within the Cabinet in
January 2001. This organisation is tasked with promoting measures
Active local providers for an advanced information and telecommunications network society,
3 Name the local cloud providers established and active in your expeditiously and intensively. Further, to encourage collaboration
jurisdiction. What cloud services do they provide? between the government, industry and academia in cloud computing
services, the MIAC, the Ministry of Economy, Trade and Industry (METI)
Local cloud computing providers in Japan include NTT Communications and the Ministry of Agriculture, Forestry and Fisheries, have established
Corporation, NTT DATA Corporation, KDDI Corporation, Softbank Group the Japan Cloud Consortium. This is a private sector organisation with
Corporation, Fujitsu Limited, NEC Corporation and Internet Initiative more than 400 member corporations or organisations, and provides
Japan Inc. These entities provide both public and private cloud a forum for the members to share information on cloud computing
computing services. services. MIAC in discussion with ASP-SaaS-Cloud Consortium, a non-
governmental organisation, deals with matters regarding the provision
Market size and use of cloud computing services and guidelines regarding security
4 How well established is cloud computing? What is the size of issues. Moreover, MIAC regularly engages in discussions with foreign
the cloud computing market in your jurisdiction? countries regarding security issues in cloud computing services.

Cloud computing in Japan is fairly well established and has been

constantly evolving. The market is currently valued at about
¥700 billion and is expected to increase up to about ¥1,200 billion by
2023. The majority of Japanese companies now use cloud services, it
being especially popular among finance and insurance companies,

www.lexology.com/gtdt 57
© Law Business Research 2019
 Japan Mori Hamada & Matsumoto

Incentives customer who does not execute the agreement on business (defined as
7 Are there fiscal or customs incentives, development grants a ‘consumer’) would be nullified under the Consumer Contract Act. Such
or other government incentives to promote cloud computing provisions include:
operations in your jurisdiction? • totally exempting the cloud provider from liability to compensate
the consumer for damages arising from default or tort by the
Government authorities such as METI and the Tokyo Metropolitan cloud provider;
Government grant subsidies to businesses aiming to introduce cloud • partially exempting the cloud provider from liability to compensate
computing services that use data centres with high energy efficiency, the consumer for damages arising from default or tort by the cloud
with a view to promoting energy conservation. provider (limited to default or tort owing to the cloud provider’s
intentional act or gross negligence);
LEGISLATION AND REGULATION • setting an agreed amount of liquidated damages or establishing
a fixed penalty in the event of cancellation, which amount or
Recognition of concept penalty would exceed the normal amount of damages that would
8 Is cloud computing specifically recognised and provided for in be payable to the cloud provider as a result of the cancellation of a
your legal system? If so, how? contract, when compared to other contracts of the same type; and
• limiting the consumer’s right to terminate the cloud service agree-
Although there are numerous legal issues pertaining to cloud computing, ment when the cloud provider is in default.
as we discuss below in detail, current Japanese statutory laws do not
define cloud computing as a specific area of service to which certain Second, the Act on General Rules for Application of Laws also includes
restrictions or regulations apply. a rule to protect consumers. Under this rule, if the governing law in a
cloud service agreement is a law other than the law of the consum-
Governing legislation er’s habitual residence, and the consumer has manifested his or her
9 Does legislation or regulation directly and specifically intention to the cloud provider that a specific mandatory provision from
prohibit, restrict or otherwise govern cloud computing, in or within the law of the consumer’s habitual residence should be applied,
outside your jurisdiction? such mandatory provision would apply to the matters stipulated by such
mandatory provision with regard to the formation and effect of the cloud
There is no legislation or regulation that directly and specifically service agreement.
prohibits, restricts or otherwise governs cloud computing in or And third, under the Japanese Code of Civil Procedure:
outside Japan. • a consumer would be able to sue the cloud provider in a Japanese
court if the consumer’s residence is in Japan at the time the cloud
10 What legislation or regulation may indirectly prohibit, restrict service agreement is executed; and
or otherwise govern cloud computing, in or outside your • the cloud provider would not be able to sue the consumer in a
jurisdiction? foreign court that both parties have agreed has the jurisdic-
tion unless:
Under the Telecommunications Business Act (TBA), if cloud computing • the consumer’s habitual residence was in the foreign country
services include (i) telecommunications between the cloud provider and when the cloud service agreement was executed; or
the customer and (ii) mediating telecommunications between two or • the consumer sues the cloud provider in the foreign court or
more customers, then the cloud provider has either to file a notification agrees to defend himself or herself against the cloud provid-
or (if the cloud provider falls within the categories stipulated in TBA) er’s claim in the foreign court.
register as a telecommunications carrier with the MIAC.
Under the Foreign Exchange and Foreign Trade Act, when a person Sector-specific legislation
or entity preserves data regarding certain technologies in servers 13 Describe any sector-specific legislation or regulation that
located in foreign countries, that person or entity must obtain prior applies to cloud computing transactions in your jurisdiction.
permission from METI. However, the interpretational guidelines issued
by METI have clarified that if a customer preserves information in an When a medical institution uses a cloud computing service to handle its
overseas server of the cloud provider for the customer’s own use, then patients’ sensitive information, such as diagnostic records, maintaining
such permission is not necessary. the security of the cloud environment that stores such information is
of crucial importance. Therefore, the Ministry of Health, Labour and
Breach of laws Welfare, METI and MIAC each issue several guidelines that require
11 What are the consequences for breach of the laws directly such medical institutions to select a cloud provider that has a reliable
or indirectly prohibiting, restricting or otherwise governing security code and system, execute an agreement that ensures the cloud
cloud computing? provider’s proper handling of the confidential information (including
prohibiting the provider’s unauthorised browsing or analysis of the
A person who breaches the obligation described in the first paragraph of information) and oblige the medical institution to regularly supervise
question 10 is liable to be punished by imprisonment with labour for no the cloud provider.
more than three years or a fine of no more than ¥2 million under the TBA. Additionally, a financial institution that uses a cloud computing
service for its customers’ confidential information is required to follow
Consumer protection measures certain laws and guidelines regarding the security of the cloud computing
12 What consumer protection measures apply to cloud service to which it outsources the handling of such information.
computing in your jurisdiction? For example, the relevant financial laws and regulations, such
as the Banking Act and the Financial Instruments and Exchange Act,
First, with respect to business-to-consumer (B2C) cloud service agree- require that if a financial institution preserves customer information
ments, certain provisions that could be considered unfair to an individual through cloud computing services, it must establish the necessary

58 Cloud Computing 2020

© Law Business Research 2019
Mori Hamada & Matsumoto Japan

systems for maintaining the security of such information and for super- data (generally, personal information compiled in a database)
vising the cloud provider to which it has delegated the handling of such (personal data).
information. • The cloud provider shall, in having its employees handle personal
Further, the Center for Financial Industry Information Systems data, exercise necessary and appropriate supervision over the
authorised by the Cabinet Office issued a report in November 2014, employees so as to ensure the security of the personal data.
recommending that financial institutions take the following meas- • The cloud provider is prohibited from providing any personal data
ures to ensure the proper handling by the cloud provider of customer to a third party without the prior consent of the person who origi-
information: nally provided the personal data (data subject), unless exceptions
• conducting due diligence when selecting a cloud provider and to the consent requirement apply. An example of such exceptions
executing a service agreement with the cloud provider; is where the cloud provider delegates all or part of the handling
• requesting the cloud provider to disclose information regarding of personal data to an outsourcing company. However, in that
the operation of the service and security management system; case, the cloud provider must exercise necessary and appropriate
• ensuring the proper operation of the cloud computing service supervision over the outsourcing company to ensure the secure
including encryption of the confidential information and mainte- management of the personal data.
nance of the storage devices;
• upon the termination of the cloud service agreement, deleting, or Under a provision of APPI regarding overseas data transfers, a cloud
having the cloud provider delete, the data, and/or transfer it to provider must obtain the prior consent of the data subject before
another cloud provider; and it can transfer his or her personal data to a third party located in a
• supervising the cloud provider’s handling of the confidential infor- foreign country.
mation (including through on-site inspections). However, the data subject’s consent to overseas data transfers is
not necessary if:
Insolvency laws 1 the foreign country is specified in the Personal Information
14 Outline the insolvency laws that apply generally or Protection Commission Ordinance (the PPC Ordinance) as a
specifically in relation to cloud computing. country which has a data protection regime with a level of protec-
tion equivalent to that of Japan; or
If a cloud provider is subject to a ruling for the commencement of bank- 2 the third-party recipient has a system of data protection that meets
ruptcy proceedings, the cloud service agreement, which is typically the standards prescribed by the PPC Ordinance.
categorised as a quasi-mandate (Jun-inin) contract, will automatically
terminate pursuant to the Japanese Civil Code, unless the parties have For item (1), as of July 2018, the PPC Ordinance has not identified any
stipulated otherwise in the agreement. such foreign country. However, the recent adequacy dialogue between
On the other hand, if a cloud provider is subject to a ruling for Japan and the EU confirmed that the PPC intends to identify the EU as
the commencement of rehabilitation proceedings, the cloud service having an adequate data protection regime in 2018.
agreement will not automatically terminate, although a customer may For item (2), under the PPC Ordinance, the standards of the data
terminate the agreement if the cause of termination (such as the cloud protection system that a third-party recipient outside Japan must meet
provider’s breach of the agreement) has already existed before the are either of the following:
commencement of rehabilitation proceedings. • there is assurance, by appropriate and reasonable means (typi-
If the cloud service agreement does not automatically terminate cally by entering into a contract), that the recipient will treat the
or is not terminated by the customer, the trustee of the cloud provider disclosed personal data in accordance with the principles of the
as appointed under bankruptcy laws can decide whether the cloud requirements for handling personal data under the APPI; or
provider should continue the agreement or terminate it under Japanese • the recipient is certified under an international arrangement,
bankruptcy laws. If the agreement is terminated, the customer can recognised by the PPC, regarding its system of handling personal
request the trustee to return its data stored in the cloud provider’s information.
server, regardless of whether there is a specific provision in the cloud
service agreement that enables the customer to do so. However, under CLOUD COMPUTING CONTRACTS
the current laws in Japan, it is unclear whether the customer can
request the trustee to destroy or delete the data from the cloud server Types of contract
completely. 16 What forms of cloud computing contract are usually adopted
in your jurisdiction, including cloud provider supply chains (if
DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION applicable)?

Principal applicable legislation For cloud computing services that are rendered in Japan, most cloud
15 Identify the principal data protection or privacy legislation providers usually provide these services on the same terms and condi-
applicable to cloud computing in your jurisdiction. tions for all customers, especially in B2C contracts. The normal practice
is to provide a standard cloud service agreement on their websites,
Unless the cloud service agreement prohibits a cloud provider from which the users must accept in order to use the services.
handling personal information provided by a customer (eg, where the
personal information is stored in a data centre owned by the cloud
provider but the personal information is not accessible to the cloud
provider at all), the cloud provider is obliged to handle the personal
information subject to the Act on the Protection of Personal Information
(APPI). Such obligations include the following items:
• The cloud provider has an obligation to take necessary and appro-
priate measures to ensure the secure management of personal

www.lexology.com/gtdt 59
© Law Business Research 2019
 Japan Mori Hamada & Matsumoto

Typical terms for governing law Typical terms covering liability

17 What are the typical terms of a B2B public cloud computing 20 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering governing law, contract in your jurisdiction covering liability, warranties and
jurisdiction, enforceability and cross-border issues, and provision of service?
dispute resolution?
In B2B cloud computing contracts, it is typical for the cloud provider and
Standard cloud service agreements provided by cloud providers typi- the customer to execute a service level agreement (SLA). Typical SLA
cally stipulate that the location of the cloud provider’s head office is the terms include:
governing law and the court that has jurisdiction over the head office is • the period during which the service is provided;
the court of first instance. However, conferring jurisdiction on a foreign • the level of manpower of the support desk;
court may sometimes be regarded as invalid under the Code of Civil • the rate of operation and the management of data; and
Procedure, as described in question 12. • handling of system malfunction and level of security.
•
Typical terms of service Many SLAs stipulate that if the cloud provider fails to meet the service
18 What are the typical terms of a B2B public cloud computing level obligations, the customer may be exempted from paying part of
contract in your jurisdiction covering material terms, such the future service fees, or that the cloud provider will refund part of the
as commercial terms of service and acceptable use, and service fee already paid.
variation? Typical cloud service agreements include a provision that limits
the cloud provider’s liabilities. For example, many cloud service agree-
Material terms commonly include a stipulation for fees to be calculated ments set a cap on the damages to be paid by the cloud provider to
as a fixed-rate or measured-rate fee, to be paid by a customer to the the customer as a result of actions attributable to the cloud provider,
bank account designated by the cloud provider. and allow the customer to claim only direct and ordinary damages
It is also common to prohibit a customer from undertaking certain (and exclude indirect, special and consequential damages). Other
activities such as: typical cloud service agreements exempt the cloud provider from
• infringing the cloud provider’s or a third party’s IP or other rights; any liability when the cloud provider is not at fault (such as in case
• altering or deleting data owned by the cloud provider or a third of a third party’s unauthorised access, natural disaster, malfunction of
party that is stored in the cloud server; systems or communication lines, or attack by a computer virus). It is
• activities that may obstruct or endanger the cloud provider’s also customary to stipulate that the cloud provider does not guarantee
systems or communication lines; the commerciality, fitness for a specific purpose or non-existence of an
• pretending to be the cloud provider or a third party when using infringement of third parties’ rights.
the cloud service;
• accessing the cloud provider’s system or network without the Typical terms covering IP rights
authorisation of the cloud provider; 21 What are the typical terms of a B2B public cloud computing
• transmitting illegal or otherwise harmful contents to the cloud contract in your jurisdiction covering intellectual property
server; or rights (IPR) ownership in content and the consequences of
• other activities that are illegal or otherwise immoral. infringement of third-party rights?

Typical terms covering data protection Many cloud service agreements provide that the ownership of the
19 What are the typical terms of a B2B public cloud computing intellectual property in data or information stored on the cloud server
contract in your jurisdiction covering data and confidentiality belongs to the person or entity who stored the data or information on the
considerations? server (ie, the customer). Some agreements allow the cloud provider to
copy the data in limited situations, such as when the cloud provider has
It is common to require the cloud provider to implement necessary and to repair the communication line or equipment.
reasonable security protection measures to secure the confidentiality of Further, in order to prevent the customer from infringing third
the customer’s data. To implement the requirement, it is also common parties’ rights and thereby causing the cloud provider to incur any
to allow the cloud provider to take certain measures including suspen- liabilities towards the third parties, agreements also usually stipulate
sion of the service when the cloud provider recognises the risk of the that the customer must not infringe a third party’s rights when it uses
customer’s data being (or having been) divulged by, for example, a third the cloud services. If the customer breaches the obligation and stores
party’s unauthorised access or malfunction of the cloud provider’s content that infringes third-party rights on the cloud server, the cloud
systems or communication lines. provider will be able to claim an exemption from liability for any third
However, there are provisions that exempt the cloud provider from party claims as a result.
all or part of liabilities arising from the security issues, described here-
inafter. For example, some agreements stipulate that the cloud provider Typical terms covering termination
will not guarantee the thorough prevention of a third party’s unauthor- 22 What are the typical terms of a B2B public cloud computing
ised access or use of the server, nor indemnify damages incurred by contract in your jurisdiction covering termination?
the customer resulting from known or unknown security weaknesses.
Other agreements require the customer to make backups of the data Many cloud service agreements allow the customer a simple termination
that it stores in on the cloud server and to preserve the ID or password option, whereby a customer may terminate the cloud service agreement
appropriately, and exempt the provider from any liability when such ID without cause, just by giving prior notice. However, some agreements
or passwords are used by a third party. require the customer to use the service for a minimum period and if
Some agreements allow the customer to select the country where the customer terminates the agreement before the completion of such
the cloud server is located. period, the customer has to pay a certain amount of money to the cloud
provider.

60 Cloud Computing 2020

© Law Business Research 2019
Mori Hamada & Matsumoto Japan

Cloud service agreements also usually allow the cloud provider to

terminate the agreement if the customer is in breach of its obligation
under the agreement or the customer is adjudged insolvent or bank-
rupt, or is liquidated or the like.
In light of the security management of the data stored on the cloud
server, it is customary to require the customer to download the data
before the cloud service agreement is terminated or expired at the
customer’s own responsibility, and limit or deny access to the data after
termination or expiry. The cloud provider, on the other hand, is required Atsushi Okada
[email protected]
to delete all of the customer’s data stored on the server to ensure the
confidentiality of the data. Hideaki Kuwahara
[email protected]
Employment law considerations
23 Identify any labour and employment law considerations that 16th Floor, Marunouchi Park Building
apply specifically to cloud computing in your jurisdiction. 2-6-1 Marunouchi
Chiyoda-ku
There are no Japanese labour or employment laws currently regulating Tokyo 100-8222
cloud computing. Japan
Tel: +81 3 5220 1821
TAXATION Fax: +81 3 5220 1721
www.mhmjapan.com
Applicable tax rules
24 Outline the taxation rules that apply to the establishment and
operation of cloud computing companies in your jurisdiction.
UPDATE AND TRENDS
If a foreign cloud provider does its business through a ‘permanent
establishment’ (as defined in the OECD Model Tax Convention) located Key developments of the past year
in Japan, which is likely to include the cloud server, then such a cloud 27 What are the main challenges facing cloud computing within,
provider will be subject to Japanese business income tax. from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
Indirect taxes being developed or are contemplated?
25 Outline the indirect taxes imposed in your jurisdiction that
apply to the provision from within, or importing of cloud No update at this time.
computing services from outside, your jurisdiction.
The information in this chapter is correct as at October 2018.
Providing cloud computing services through telecommunication lines
(typically, the internet), will be regarded as a ‘provision of service using
telecommunication’.
A provision of service using telecommunication will be subject to
Japanese Consumption Tax if it is regarded as a ‘domestic transaction’.
If the service is provided to the customer whose residence is in Japan,
then this will be regarded as a domestic transaction regardless of
whether the cloud computing service is provided from within or outside
Japan. In that case, Japanese Consumption Tax will be imposed on the
customer.

RECENT CASES

Notable cases
26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
involved cloud computing as a business model.

There are no notable cases, or commercial, private, administrative or

regulatory determinations within the past three years in Japan that
have directly involved cloud computing as a business model.

www.lexology.com/gtdt 61
© Law Business Research 2019
 Korea
Young-Hee Jo, Seungmin Jasmine Jung and Youngju Kim
LAB Partners

MARKET OVERVIEW 2018 2019 2020 2021 2022

Cloud Business
Kinds of transaction Process Services 174,207 196,530 220,103 244,684 271,235
1 What kinds of cloud computing transactions take place in (BPaaS)
your jurisdiction? Cloud Application
Infrastructure 215,457 258,237 302,048 347,941 392,554
Services (PaaS)
A comprehensive variety of cloud computing services is being provided
and being adopted by companies in Korea. Public, hybrid and private Cloud Application
778,711 962,156 1,167,356 1,366,834 1,574,564
Services (SaaS)
cloud models are all provided by cloud service providers. Cloud service
users use cloud computing services in the form of software-as-a-service Cloud
Management and 195,045 228,866 263,468 300,665 337,992
(SaaS), infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS)
Security Services
or for mere storage, based on the particular user’s needs. Cloud
Cloud System
computing is in the process of being adopted in various sectors such
Infrastructure 577,251 696,982 828,838 979,971 1,147,494
as healthcare, finance and information communications technology. Services (IaaS)
In particular, cloud computing has been widely adopted in the online
Total 1,940,671 2,342,771 2,781,813 3,240,095 3,723,839
gaming industry.
(Unit: one million won)
Active global providers
2 Who are the global international cloud providers active in Impact studies
your jurisdiction? 5 Are data and studies on the impact of cloud computing in your
jurisdiction publicly available?
In general, most large global cloud service providers are active in
Korea. Notably, Amazon Web Services, Microsoft Azure, Google Cloud, Data and studies on the impact of cloud computing are publicly avail-
IBM Cloud, Oracle Cloud, HP Cloud, Akamai and Rackspace have a pres- able. For example, the Korea Association of Cloud Industry (KACI)
ence in Korea. periodically posts studies and data on its website and the government
provides a dedicated cloud portal (K-ICT Cloud Innovation Center, www.
Active local providers cloud.or.kr). Based on these studies and data, cloud computing is likely
3 Name the local cloud providers established and active in to grow at a rapid pace in the Korean market and will affect traditional
your jurisdiction. What cloud services do they provide? IT vendors and IT outsourcing.

There are numerous cloud computing service providers in Korea. The POLICY
largest domestic cloud service providers are established companies in
the information communication technology network providers, such as Encouragement of cloud computing
KT (KT Cloud) and SK (Cloud Z), and internal portal companies, such as 6 Does government policy encourage the development of your
Naver (NAVER Cloud) and Kakao. jurisdiction as a cloud computing centre for the domestic
market or to provide cloud services to foreign customers?
Market size
4 How well established is cloud computing? What is the size of Yes. To promote and develop cloud computing services, Korea has
the cloud computing market in your jurisdiction? adopted the Act on the Development of Cloud Computing and Protection
of its Users (the Cloud Computing Act) to develop the cloud computing
Cloud computing is becoming more and more widely adopted in Korea, industry in Korea and to promote Korean cloud computing services to
with legislation being adopted by each industry to relax the legacy foreign customers.
restrictions that made it difficult to adopt cloud computing. Under the Cloud Computing Act, the government can conduct
According to the Worldwide Public Cloud Services Market Forecast the following activities to promote international cooperation on cloud
(2019) published by Gartner in April 2019, the amount of spending by computing and overseas expansion of cloud computing technology
end-users of public cloud services in Korea is estimated as follows: and services:
• international exchange of cloud computing-related information,
technology and personnel;

62 Cloud Computing 2020

© Law Business Research 2019
LAB Partners Korea

• overseas marketing and promoting activities such as cloud Cloud computing services
computing exhibits; Commercial services for providing resources for information and
• joint research and development of cloud computing with communications by utilising cloud computing including the following:
other nations; • service of providing servers, storage, networks, among others;
• information collection, analysis and provision regarding informa- • service of providing software, including applications;
tion related to the overseas expansion of cloud computing; • service of providing an environment for developing, distributing,
• mutual cooperation with other nations to ensure the effectiveness operating, managing, and suchlike, software, including appli-
of international cooperation in relation to cloud computing; and cations; and
• other activities to promote international cooperation and overseas • other services combining at least two of the above services.
expansion of cloud computing.
Governing legislation
Incentives 9 Does legislation or regulation directly and specifically
7 Are there fiscal or customs incentives, development grants prohibit, restrict or otherwise govern cloud computing, in or
or other government incentives to promote cloud computing outside your jurisdiction?
operations in your jurisdiction?
The purpose of the Cloud Computing Act is to promote and develop
In order to develop and promote the use of cloud computing technology cloud computing rather than to regulate cloud computing. Under the
and services, the government and municipalities can adopt measures Cloud Computing Act, an agreement between the cloud computing
such as tax incentives. Also, the government can provide support to service provider and the cloud service user will be deemed to satisfy the
small and medium-sized businesses related to cloud computing such requirements for IT facilities, devices and systems that are necessary
as the following: to obtain permits, approvals, registration or designations pursuant to
• provide information and advice related to cloud computing business; other laws. However, the Cloud Computing Act does not contain explicit
• subsidise funds and provide technology assistance for the purpose prohibitions. Rather, detailed measures that directly or indirectly
of user protection; restrict to cloud computing are contained in industry specific laws and
• training of cloud computing professionals; and the privacy laws of Korea. In other words, Korea adopts a negative regu-
• other activities necessary with regard to fostering small and latory approach, where cloud computing is generally permitted unless
medium-sized businesses related to cloud computing. explicitly restricted by a specific statute.

Furthermore, the government and municipalities can provide admin- 10 What legislation or regulation may indirectly prohibit, restrict
istrative, fiscal and technical support to parties that are establishing or otherwise govern cloud computing, in or outside your
collective information communication facilities using cloud computing jurisdiction?
technology.
For personal information protection in the cloud, the Personal
LEGISLATION AND REGULATION Information Protection Act (the PIPA) and the Act on Promotion of
Information and Communications Network Utilization and Information
Recognition of concept Protection, etc (the Network Act) apply. Accordingly, the collection, use,
8 Is cloud computing specifically recognised and provided for in provision, delegation, destruction, storage of personal information being
your legal system? If so, how? processed by cloud computing is subject to the PIPA and the Network
Act. Both the PIPA and the Network Act contain stringent provisions
The Cloud Computing Act defines cloud computing, cloud computing to ensure the protection of data subjects with corresponding heavy
technology and cloud computing service as follows: penalties. Under the PIPA, a cloud computing service provider is consid-
ered a delegatee who has been delegated with personal information
Cloud computing processing and is treated as a data processor.
An information processing system that enables elastic use of inte- With regard to data security, the Ministry of Science and ICT has
grated and shared resources for information and communications promulgated ‘Standards for Information Protection by Cloud Computing
(such as devices for information and communications, information Providers’ (Cloud Computing Standards). The Cloud Computing
and communications systems, and software) through information and Standards do not have the effect of binding law but compliance there-
communications networks, to fit the users’ requirements or demands. with is, nonetheless, recommended.

Cloud computing technology Breach of laws

Technology required for setting up and using the cloud including the 11 What are the consequences for breach of the laws directly
following: or indirectly prohibiting, restricting or otherwise governing
• virtualisation technology: technology for virtually combining or cloud computing?
dividing resources for information and communications including
integrated or shared information and communications devices, A cloud computing service provider could become subject to crim-
information and communications facilities, and software; inal penalties in the event the cloud computing service user’s data is
• distributed processing technology: technology that processes a provided to a third party by the cloud computing service provider. As
large volume of information by dispersing it into multiple informa- noted above, the Cloud Computing Standards do not have the force of
tion and communications resources; and law and therefore, in theory, the quality, performance and data protec-
• others: technology that utilises information and communications tion levels stated therein are not mandatory. The failure to notify the
resources in setting up and using cloud computing systems, occurrence of any infiltration incidents to the relevant authorities or
including technologies that automate the placement, management to the users or return or destroy information will be subject to a fine.
and so on of information and communications resources. Furthermore, if the cloud service provider breaches any provisions of

www.lexology.com/gtdt 63
© Law Business Research 2019
 Korea LAB Partners

the PIPA or the Network Act, the cloud service provider could be subject security measures applicable to the finance sector (article 14-2,
to a fine, corrective measure or criminal penalty based on the relevant section 1, Annex 2-2), which did not exist previously.
statutory provisions. • The amendments impose a new obligation to financial institutions
and electronic financial companies to assess the security of the
Consumer protection measures data processing systems in the cloud and to conduct a review
12 What consumer protection measures apply to cloud and decision process by their internal data protection committee
computing in your jurisdiction? (article 14-2, sections 1 and 2).
• The amendments reinforce the supervisory role of the regulatory
Pursuant to the Cloud Computing Act, the Ministry of Science and authorities by requiring financial institutions and electronic finan-
ICT, in consultation with the Fair Trade Commission, has published a cial companies to report the use of cloud services for personal
model cloud computing agreement for business-to-business (B2B) and credit information and personal identification information, for
business-to-consumer (B2C), respectively. The purpose of this model matters that materially impact the security and credibility of elec-
agreement is to protect the rights of the users and to establish fair tronic financial transactions and for other critical events (article
trade. The Ministry of Science and ICT can issue a recommendation to 14-2, sections 3 and 6).
use this model agreement to cloud computing providers. • To ensure regulatory enforcement and consumer protection, only
The model agreement includes the following protective measures: cloud computing providers whose data processing systems are
• the PIPA and the Network Act will apply to personal information in Korea can be used for processing personal information and
thereby reinforcing the protection of personal information; personal identification information (article 14-2, section 8).
• any incident of leakage of user information must be notified to the
user and the Ministry of Science and ICT to enable prompt remedial Healthcare sector
measures with respect to such incident; The amendment to the Standards on Facilities and Devices for
• to enhance the user’s right to know, in the event the user’s data is Administration and Retention of Electronic Medical Records in 2016 has
stored overseas, the user can demand disclosure of the country paved the way for the adoption of cloud computing in the healthcare
where data is stored and the fact that cloud computing is being sector. The amendment revises the requirement to store electronic
used, with respect to which recommendation measures for disclo- medical records inside hospitals and allows the administration and
sure can be issued; and storage of medical records with external companies or at remote loca-
• to prevent the misuse of user data, any provision of user data to tions that meet certain qualifications. However, electronic medical
third parties without consent or use of user data beyond the agreed records cannot be stored outside of Korea.
purpose shall be subject to criminal penalties.
Insolvency laws
Sector-specific legislation 14 Outline the insolvency laws that apply generally or
13 Describe any sector-specific legislation or regulation that specifically in relation to cloud computing.
applies to cloud computing transactions in your jurisdiction.
There are no insolvency laws that only apply to cloud computing service
Public sector providers. However, the Cloud Computing Act contains a provision that
The Cloud Computing Act states the obligation of governmental agen- applies when the cloud computing provider suspends its service due
cies to use efforts to adopt cloud computing and recommends that to reasons such as sudden insolvency. Under this provision, the cloud
governmental agencies use the cloud computing systems developed computing service provider and the user can agree to temporarily store
by the private sector rather than developing its own cloud computing the user’s data with a third party. Also, if a cloud computing service
system. To support the adoption of cloud computing in the public sector, provider intends to terminate its business, it must notify the user of
a joint policy commission consisting of the Ministry of the Interior and such termination and return or destroy all data to the user prior to the
Safety, the Ministry of Science and ICT, the Ministry of Economy and date of termination of business. If, for any reason, it becomes impos-
Finance, the Public Procurement Service and the National Intelligence sible to return the information (for example, the user fails to accept, or
Service has been set up. A security review by the National Intelligence refuses, the return of such information), the cloud computing service
Service is required for governmental agencies to adopt a certain cloud provider must destroy the information.
computing system.
DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
Finance sector
The amendments to the Electronic Finance Supervisory Regulations Principal applicable legislation
announced by the Financial Services Commission became effective on 15 Identify the principal data protection or privacy legislation
1 January 2019. These amendments allow personal credit information applicable to cloud computing in your jurisdiction.
to be processed on the cloud while strengthening the security level and
management supervisory systems of cloud computing used in the finan- The PIPA and the Network Act apply to cloud computing service
cial sector. The major amendments are as follows: providers in connection with data privacy. In principle, the privacy
• The most important amendment is the expanded scope of cloud laws of Korea are structured to require the prior consent of the data
use that is permitted. In the past, financial institutions and elec- subject for the collection, use and provision of personal information.
tronic financial companies could only use the cloud to process Within personal information, sensitive information and personal identi-
non-critical information in the cloud. Now, under the amendments fication information is subject to more stringent regulations. Under the
to the Electronic Finance Supervisory Regulations, the cloud can PIPA and the Network Act, overseas provision of personal information
be used for personal credit information and personal identification to third parties requires the consent of the data subject. The overseas
information as well (article 14-2, sections 1 and 8). delegation of personal information processing to third parties does not
• The amendments provide for a new finance-sector-specific require the consent of the data subject under the PIPA, whereas consent
standard for the use and provision of cloud services such as is required under the Network Act.

64 Cloud Computing 2020

© Law Business Research 2019
LAB Partners Korea

A personal information processor must take technical, organisa- are contrary to the interests of the cloud computing user are subject to
tional and physical measures stated in the privacy laws to ensure against the user’s consent.
the loss, theft or leakage of personal information. Upon leakage of The B2B Model Agreement divides service fees into basic fees and
personal information, the personal information processor must notify the ancillary fees. The details of the service fees (type, price, method of
data subject and the relevant authorities without delay. Any violation of pricing, discounts, etc) must be listed in an attachment to the B2B Model
the privacy laws may be subject to administrative sanctions or criminal Agreement or on the service website. In principle, the service fees are
penalties. In particular, any loss, theft, leakage, alteration or damage to on a monthly basis and prorated on a daily basis upon termination. Any
personal information due to the lack of the security measures under the discount or waiver of fees can be determined based on mutual discus-
PIPA or the Network Act will be subject to a criminal penalty of not more sion. In the event of temporary suspension or disruption of services,
than two years’ imprisonment or a monetary penalty of not more than 20 the user will be entitled to request discount of the service fees or seek
million Korean won (article 73 of PIPA and article 73 of the Network Act). damages arising from such suspension or disruption.

CLOUD COMPUTING CONTRACTS Typical terms covering data protection

19 What are the typical terms of a B2B public cloud computing
Types of contract contract in your jurisdiction covering data and confidentiality
16 What forms of cloud computing contract are usually adopted considerations?
in your jurisdiction, including cloud provider supply chains (if
applicable)? Under the B2B Model Agreement, the cloud computing provider must:
• adopt the Cloud Computing Standards;
In practice, cloud computing contracts usually adopted in Korea are • provide adequate security measures; and
similar to those globally used by cloud computing service providers. • ensure protection against leakage of personal information and
Many cloud computing service providers adopt modular agreements third-party infiltration.
composed of several different components such as:
• a master agreement between the customer and cloud servicer Further, the cloud computing provider cannot provide the user‘s infor-
provider; mation to a third party without the user’s consent or use the user’s data
• service level agreements and terms for each service; beyond the agreed purpose. The user is responsible for controlling its ID
• the cloud service provider’s acceptable use policies; and and password and bears responsibility for any theft or inappropriate use
• end-user licence agreement. due to the user’s failure to exercise due care.
Data protection measures not stated in the B2B Model Agreement
Often these agreements are presented as clickwrap agreements with will be subject to the privacy laws such as the PIPA, Network Act or
non-negotiable terms. Accordingly, to protect the rights of the cloud industry-specific laws based on the user’s business.
service users, the Ministry of Science and ICT has published a model
agreement that is analysed in questions 17 to 22. Typical terms covering liability
20 What are the typical terms of a B2B public cloud computing
Typical terms for governing law contract in your jurisdiction covering liability, warranties and
17 What are the typical terms of a B2B public cloud computing provision of service?
contract in your jurisdiction covering governing law,
jurisdiction, enforceability and cross-border issues, and In general, under the B2B Model Agreement, the cloud computing service
dispute resolution? provider is liable for damages incurred by the user owing to intentional or
negligent service disruptions or for failure to meet the level of quality or
Article 24 of the Cloud Computing Act states that the Ministry of Science performance of the services under the relevant service level agreement.
and ICT, in consultation with the Fair Trade Commission, may establish However, absent any intentional misconduct or negligence,
a model agreement for cloud computing to protect the rights of cloud the cloud computing service provider will not be liable for the user’s
computing users and establish fair trade practices. In December 2016, the damages because of:
Ministry of Science and ICT published two versions of the Model Cloud • inevitable service interruption due to system upgrades, prevention
Agreement for Protection of Cloud Service Users and Establishment of of infiltration such as hacking or network failure, force majeure
Fair Trade Practices, one for B2B and one for B2C. events that have been notified to the user pursuant to the B2B
Under the Model Cloud Agreement for Protection of Cloud Service Model Agreement;
Users and Establishment of Fair Trade Practices for B2B (B2B Model • service suspension due to force majeure events beyond the control
Agreement), Korean law is the governing law and any disputes arising of existing technical capability;
out of the agreement are subject to the jurisdiction of the Korean court. • service suspension, disruption or termination of the B2B Model
Agreement owing to the user’s intentional misconduct or negligence;
Typical terms of service • the network service provider’s discontinuation or disruption of
18 What are the typical terms of a B2B public cloud computing network services;
contract in your jurisdiction covering material terms, such • ancillary issues arising from the user’s computer environment or
as commercial terms of service and acceptable use, and network environment; and
variation? • the user’s computer error or erroneous identification information or
incorrect email address.
Under the B2B Model Agreement, the cloud service provider must
provide cloud computing services in accordance with the B2B Model Further, the cloud computing provider is not liable for the credibility or
Agreement, and the specific service levels will be subject to the service accuracy of the information or material transmitted using the services
level agreements. Any modifications to the service levels should be or posted on the service website absent any intentional misconduct or
mutually discussed, provided that any modifications that are material or negligence.

www.lexology.com/gtdt 65
© Law Business Research 2019
 Korea LAB Partners

Additionally, the cloud service provider will not be liable in disputes The cloud computing service provider must return the data to the user
regarding cloud computing services between users or between a user upon the rescission, termination of the B2B Model Agreement or upon
and a third party if all of the following conditions are met: expiry of the service term. If the return of data is practically impossible,
• the cloud computing service provider has not violated the Cloud the cloud computing service provider must destroy the user data in an
Computing Act; irreversible manner. The cloud computing service provider must also
• the cloud computing service provider has proved that there is no cooperate in transferring the user’s data to a different cloud computing
intentional misconduct or negligence on its part; service.
• the cloud computing service provider does not have the authority
or capacity to control the acts of the user that is infringing on the Employment law considerations
rights of other users or third parties; 23 Identify any labour and employment law considerations that
• even if the cloud computing service provider does have the authority apply specifically to cloud computing in your jurisdiction.
or capacity to control the user against the infringement of the
rights of other users or third parties, the cloud computing service There are no labour or employment laws specific to the cloud computing
provider does not financially benefit from such infringement; and industry.
• the cloud computing service provider immediately suspends the
infringement once it becomes aware of the fact or circumstances TAXATION
that a user or third party is infringing on the user’s rights.
Applicable tax rules
On the other hand, if the user has caused damages to the cloud 24 Outline the taxation rules that apply to the establishment and
computing service provider, it will be liable for the damages incurred by operation of cloud computing companies in your jurisdiction.
the cloud computing service provider.
In general, to establish a corporation in Korea, a capital registration
Typical terms covering IP rights tax of 0.48 per cent of the initial capital applies. After establishment
21 What are the typical terms of a B2B public cloud computing of the corporation, VAT, corporate income tax and local income tax will
contract in your jurisdiction covering intellectual property apply and other taxes such as withholding tax and municipal tax may
rights (IPR) ownership in content and the consequences of also apply. It is notable that VAT applies to cloud computing services
infringement of third-party rights? provided by Korean companies. Corporate income tax will be imposed
at the following tax rates:
Under the B2B Model Agreement, the user must not violate the
Copyright Act and related laws or moral customs and social order. Tax basis (Korean won) Tax rate*
Further, absent any intentional misconduct or negligence, the cloud 200 million or less 10 per cent
computing service provider will not be liable for any infringement on
20 million + (20 per cent of the excess
IPR between users or between a user and a third party. Other matters 200 million up to 20 billion
over 200 million)
concerning IPR ownership are not specifically mentioned in the B2B
3.98 billion + (22 per cent of the
Model Agreement and would, therefore, be subject to the intellectual 20 billion up to 300 billion
excess over 20 billion)
property laws of Korea.
65.58 billion + (25 per cent of the
More than 300 billion
excess over 300 billion)
Typical terms covering termination
* Local income tax equivalent to 10 per cent of the corporate income tax
22 What are the typical terms of a B2B public cloud computing calculated based on the above will apply.
contract in your jurisdiction covering termination?

Under the B2B Model Agreement, both the cloud computing service Indirect taxes
provider and the user can rescind or terminate the B2B Model 25 Outline the indirect taxes imposed in your jurisdiction that
Agreement. The termination rights of the cloud computing service apply to the provision from within, or importing of cloud
provider and user are as follows. computing services from outside, your jurisdiction.

User The Value-Added Tax Act has been amended and become effective
• Cloud computing service provider is unable to or there is a materi- as of 1 July 2019 to include cloud computing services as one of the
ally adverse effect on its ability to perform its obligations; taxable electronic services provided by foreign corporations (article
• the cloud computing service provider fails to provide services as 53, section 1, paragraph 3). This amendment was made to ensure tax
contracted; and equality between Korean corporations and foreign corporations. As a
• a material event has occurred that makes is impossible to maintain result of this amendment, foreign cloud service providers are obligated
the contractual relationship. to charge a 10 per cent VAT.

Cloud computing service provider

• The user violates its obligations such as payment default or
assigns its rights to a third party without the consent of the cloud
computing service provider;
• a user whose use has been restricted under the B2B Model
Agreement fails to cure the cause for such restriction for a substan-
tial period of time; and
• the cloud computing service provider terminates its cloud
computing business.

66 Cloud Computing 2020

© Law Business Research 2019
LAB Partners Korea

RECENT CASES

Notable cases
26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
involved cloud computing as a business model.

As of yet, there are no such cases or determinations relating to cloud Young-Hee Jo

[email protected]
computing as a business model.
Seungmin Jasmine Jung
UPDATE AND TRENDS [email protected]
Youngju Kim
Key developments of the past year
[email protected]
27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
8th Floor, VPLEX
legislative initiatives specific to cloud computing that are
501 Teheran-ro, Gangnam-gu
being developed or are contemplated?
Seoul 06168
Korea
Important changes were made with respect to cloud computing in Tel: +82 2 6956 0250
2019, most notably the expanded scope of cloud use permitted in the Fax: +82 2 6956 0280
finance sector and the imposition of VAT to cloud services provided by http://labpartners.co.kr
foreign corporations. Nonetheless, there are still regulatory hurdles
that make full-scale cloud adoption difficult. One of the main barriers
to the proliferation of cloud adoption are the strict data privacy laws
of Korea. According to the 2018 cloud industry survey conducted by
the Ministry of Science and ICT and the National IT Industry Promotion
Agency, 47.8 per cent of cloud service providers cited ‘security’ as an
obstacle to the development of the cloud computing industry. Under the
current privacy laws such as the Personal Information Protection Act
and the Network Act, the adoption of cloud computing is deemed delega-
tion of data processing, and, therefore, requires compliance with the
strict requirements for delegation. Such strict requirements are often
not compatible with the nature of cloud computing, thereby making
companies hesitant to adopt cloud computing. Accordingly, there are
discussions as to whether the Cloud Computing Act should prevail over
privacy laws to enable widespread adoption of cloud computing.

www.lexology.com/gtdt 67
© Law Business Research 2019
 Sweden
Peter Nordbeck and Dahae Roland
Advokatfirman Delphi

MARKET OVERVIEW Active global providers

2 Who are the global international cloud providers active in
Kinds of transaction your jurisdiction?
1 What kinds of cloud computing transactions take place in your
jurisdiction? Sweden is an attractive market for cloud providers and many of the
international providers are active within Sweden. Many Swedish SaaS
The demand for and use of cloud-based services in Sweden is rapidly providers prefer to use a Swedish IaaS partner; however, the largest
growing. There is also an increased focus on information security due to hosting partner within Sweden is Amazon (US) that represents 43 per
additional requirements in this respect when processing critical or sensi- cent of the segment, followed by Microsoft, DGC and IP-Only. Other inter-
tive information. The services and cloud infrastructure vary depending national cloud providers active in Sweden are giants such as Google,
on the users’ requirements and needs. There are three internationally Dropbox, LinkedIn, Facebook and iCloud; however, this is not a conclu-
established types of cloud services that describe three different function sive list (source: METISfiles – Cloudscape Sweden V1.1, September
areas: software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) 2016 and METISfiles - Cloudscape Sweden V1.2, September 2018).
and platform-as-a-service (PaaS). All three are used on the Swedish
cloud service market to various extents. Active local providers
In a recent study carried out by the Swedish Pension Agency deter- 3 Name the local cloud providers established and active in your
mining the most used services among public authorities in Sweden, the jurisdiction. What cloud services do they provide?
Agency concluded that IaaS was used by 30 per cent, PaaS by 23 per
cent and SaaS by 78 per cent. This may lead to a conclusion that SaaS There are numerous Swedish cloud service providers. Important local
is the most common cloud service used by Swedish authorities (source: IaaS providers are, inter alia, Atea, Bahnhof, Evry, Knowit and Tieto.
Pensionsmyndigheten – Molntjänster i staten – En ny generation av These providers are common hosting partners to SaaS providers.
outsourcing). Among the top Swedish SaaS providers are iZettle and Klarna (payment),
Reports from 2016 and 2018 that examined the private sector’s use Truecaller and Tele2 (communications), and Ericsson. There are fewer
of cloud services present similar conclusions. Out of the top 250 Swedish Swedish PaaS providers. However, local PaaS providers that can be
public cloud computing providers, SaaS constitutes 74 per cent of the mentioned are Accedo, Bariumlive and Cloudnet (source: METISfiles –
segment, while IaaS represents 26 per cent. Out of the SaaS providers, 67 Cloudscape Sweden V1.1, September 2016 and METISfiles - Cloudscape
per cent use IaaS partners, out of which 36 per cent of the infrastructure Sweden V1.2, September 2018).
providers are located in Sweden. The remaining SaaS providers have
their own infrastructure. Recently, Sweden has also seen an increase Market size
in the number of SaaS providers owing to an uptake in the number of 4 How well established is cloud computing? What is the size of
e-commerce services, fintech development and general digitalisation the cloud computing market in your jurisdiction?
(source: METISfiles – Cloudscape Sweden V1.1, September 2016 and
METISfiles – Cloudscape Sweden V1.2, September 2018). The cloud adaption in Sweden is among the largest in Europe – in 2018,
When looking at the different models for providing cloud services in 57 per cent of Swedish enterprises used cloud computing services.
Sweden, the NIST and ISO standard describe four ways of service deploy- Only Finland had a higher share of enterprises using cloud computing
ment: public clouds, partner clouds, hybrid clouds and private clouds. services in the European Union (source: Eurostat – Cloud computing:
Hybrid clouds are quite common in both the public and private sector, statistics on the use by enterprises, December 2018). The total cloud
and reports are stating that the use will probably increase in the future. computing market in Sweden was valued to 16 billion krona in 2016
Among public authorities, partner clouds are often used to ensure that and the annual growth is currently estimated to be around 30 per
all security requirements are met, which has been a concern in the use of cent (source: Framtidens Karriär – Kostnadsjakt driver molntillväxt,
public clouds (source: Pensionsmyndigheten – Molntjänster i staten – en 2017-02-07).
ny generation av outsourcing).
Recently, Sweden has had numerous notable cloud transactions Impact studies
and has been described as a leading country when it comes to innova- 5 Are data and studies on the impact of cloud computing in your
tion and risk capital investment. Just a few years ago, Amazon moved jurisdiction publicly available?
part of its cloud service, Amazon Web Service (AWS), to Sweden and
representatives of AWS have stated that AWS is planning to increase its There are some reports published regarding cloud computing in
presence in the Nordic countries without mentioning any cities targeted Sweden. A notable report on cloud computing’s impact on state agen-
for the expansion. cies was published by the Swedish Pensions Agency in January 2016.

68 Cloud Computing 2020

© Law Business Research 2019
Advokatfirman Delphi Sweden

The Swedish Pensions Agency concluded in its report that factors LEGISLATION AND REGULATION
such as innovation, cost-efficiency, flexibility and accessibility are
strongly benefited by the use of cloud services. Furthermore, the report Recognition of concept
concludes that cloud services could have a positive effect on the coop- 8 Is cloud computing specifically recognised and provided for in
eration between authorities and simplify the access to governmental your legal system? If so, how?
data and services (source: Molntjänster i staten – En ny generation av
outsourcing, Pensionsmyndigheten, January 2016). There is no specific recognition of cloud services in Swedish legislation.
The Swedish Civil Contingencies Agency and the Swedish Data
Protection Authority (DPA) have published guidelines and policies for Governing legislation
public authorities regarding, inter alia, information security require- 9 Does legislation or regulation directly and specifically
ments in the public procurement process for cloud services as well prohibit, restrict or otherwise govern cloud computing, in or
as privacy concerns that must be considered. The Swedish Civil outside your jurisdiction?
Contingencies Agency has also published a study that maps the use of
cloud services by public authorities and the risks associated with their As a general rule, Sweden lacks direct and specific regulation regarding
use (source: MSB - Studie, Säkerhet vid molnlösningar). cloud computing as such. Swedish legislations and regulations are
In addition, the Swedish government has taken further steps to in general technology neutral, which implicates that Swedish legisla-
ensure continued digital growth. In 2016, it presented five strategic tions lacks that sort of specific targeting. However, the legal concerns
cooperation programme that will help meet several of the social chal- are regulated indirectly in several legislations and regulations. The
lenges facing Sweden. To stimulate digitalisation of Swedish industry, most relevant regulations are MSBFS 2016:1 and MSBFS 2016:2 that
the Swedish government is requesting extensive cooperation between regulate the public authorities’ internal information security policies
different actors (source: Regeringen – Strategiska samverkansprogram and work, as well as the requirement to report IT incidents to the
en kraftsamling för nya sätt att möta samhällsutmaningar). Swedish Civil Contingencies Agency. Cloud services are regulated by
The research company METISfiles has published its report explicit requirements for internal policies and routines regarding inci-
Cloudscape v. 1.2 2018: An Overview of the Swedish and Danish Cloud dent management, the requirement that organisations must be able to
Market in English that examines the cloud market in these countries. handle threats and risks through models and routines for incident and
continuity management.
POLICY Sweden has implemented the NIS Directive (EU) 2016/1148
through the Act on Information security for vital societal functions and
Encouragement of cloud computing digital services (SFS 2018:1174), thereby extending the requirements on
6 Does government policy encourage the development of your security and to report IT incidents to cloud service providers.
jurisdiction as a cloud computing centre for the domestic
market or to provide cloud services to foreign customers? 10 What legislation or regulation may indirectly prohibit, restrict
or otherwise govern cloud computing, in or outside your
Sweden is currently attracting foreign risk capital investors due to the jurisdiction?
fast digitalisation and innovation. Numerous governmental initiatives
have been launched to ensure that Sweden continues to develop in the Regarding indirect regulations and legislation, there are several to take
digital arena and to live up to future requirements regarding privacy, into account. When using cloud services to store data from telecoms
IT and security. As one step in this process, the Swedish government or e-commerce business, it is important to observe the Electronic
requested the Swedish Pension Agency to analyse and evaluate the Communications Act (SFS 2003:389), which aims to provide individuals
potential for using cloud services within the public sector and by the and authorities with secure and effective electronic communications,
state in a way that contributes to a simpler, more transparent and effi- and the Electronic Commerce Act (SFS 2002:562), which states an obli-
cient management. Other steps consist of a strong focus on general gation to provide certain information to customers.
digitalisation both within the administration and the private sector. However, the main legislation to take into account regarding cloud
services are the provisions on privacy and information security. On
Incentives 25 May 2018, the General Data Protection Regulation (GDPR) entered
7 Are there fiscal or customs incentives, development grants into force in Sweden and provides significantly stricter standards, for
or other government incentives to promote cloud computing example, on impact assessments and information security.
operations in your jurisdiction? Information security is regulated throughout different provisions,
such as regulations from the Swedish Civil Contingencies Agency, the
Various grants are available for small to medium-sized companies GDPR and sector-specific regulations, such as within the healthcare
for projects involving innovation and digitalisation and are awarded sector. Swedish public authorities are subject to the principle of public
by the Swedish government, public agencies and other organisations. access to public documents, which means that all documents submitted
Support to large companies also occurs, one significant example being to or drawn up by the authority are, in principle, public documents and
the regional investment grant of around 100 million kronor awarded by must be made available for anyone to read. Exemptions from this rule
the Swedish Agency for Economic and Regional Growth when Facebook are documents that are subject to statutory secrecy under the Public
established server halls in Luleå in the north of Sweden in 2011. Grants Access to Information and Secrecy Act (SFS 2009:400) (the Secrecy Act),
also exist for the expansion of the Swedish IT infrastructure. which means that they may not be disclosed to any third party. In cases
where such classified information will be processed in the cloud, addi-
tional restrictions regarding the data apply and must, inter alia, be taken
into consideration when assessing the risks and which security meas-
ures must be implemented.
In addition, if information subject to secrecy under the Secrecy Act
may be available to the provider as a result of an agreement between

www.lexology.com/gtdt 69
© Law Business Research 2019
 Sweden Advokatfirman Delphi

the parties, it must be evaluated whether the data becomes ‘disclosed’ Sector-specific legislation
within the meaning of the Secrecy Act. Thus, one opinion is that the 13 Describe any sector-specific legislation or regulation that
Secrecy Act generally prevents authorities from using cloud services. applies to cloud computing transactions in your jurisdiction.
Another opinion is, however, that it is possible for authorities to use
cloud services if the relevant authority has made a thorough assess- There is a wide variety of sector-specific legislation in Sweden that
ment of the risks based on the character of the information, but further concern both private and public actors. There is no legislation that
clarification on how these rules are to be interpreted is needed. covers cloud computing in particular but these services often fall
Furthermore, public authorities must also comply with numerous within the scope of the legislation depending on the sector of opera-
other pieces of legislation such as the Archives Act (SFS 1990:782), the tion. Some significant legislation concerns matters of national security
Administrate Procedure Act (SFS 1971:291), the Public Procurement Act in the Security Protection Act (SFS 2018:585), with specific requirements
(SFS 2016:1145) and the Security Protection Act (SFS 1996:627). Also, of, for instance, information security and access to information. The
many public authorities and agencies have sector-specific provisions Security Protection Act entered into force on 1 April 2019 and is more
regarding data processing and information security requirements such stringent than its predecessor from 1996.
as the Patient Data Act (SFS 2008:355). Cloud companies competing in providing services for public insti-
tutions are covered by the Swedish legislation on public procurement,
Breach of laws inter alia, the Public Procurement Act (SFS 2016:1145). Public agen-
11 What are the consequences for breach of the laws directly cies are encouraged by the Swedish Civil Contingencies Agency to use
or indirectly prohibiting, restricting or otherwise governing private or partner clouds to be able to provide the necessary security.
cloud computing? There is specific regulation for the processing of personal data in,
among others, the health and finance sectors of relevance for transac-
The failure to report an IT incident under the Act on Information security tions in these sectors. In the health sector, personal data is governed
for vital societal functions and digital services is subject to adminis- by the GDPR supplemented by the Patient Data Act (SFS 2008:355). The
trative fines. Further, the rules indirectly regulating cloud computing legislation in the finance sector, most significantly the Banking and
in Sweden are connected to several sanctions and consequences for Finance Business Act (SFS 2004:297), is complemented by regulations
breaches thereof. The sanctions for lack of compliance with the GDPR from the Financial Supervisory Authority, including, inter alia, rules
include prohibitory injunctions, payment of damages as well as admin- regarding outsourcing and information security as well as the European
istrative fines. Lack of compliance with the Electronic Communications Banking Association guidelines on outsourcing.
Act (SFS 2003:389) and the Electronic Commerce Act (SFS 2002:562) Other sector-specific legislation that is worth noting includes the
may also cause sanctions, such as prohibitions and orders combined energy and telecommunications sectors. For private actors, there are
with penalties as well as damages and criminal proceedings. Breaches no sector-specific requirements regarding cloud service infrastructure
of the Secrecy Act (SFS 2009:400) may lead to disciplinary or criminal besides the above-mentioned requirements in the Act on Information
proceedings. There are also various sanctions of similar character for security for vital societal functions and digital services and careful
the sector-specific regulation as well as supervision from relevant assessments regarding privacy and IT security.
public agencies.
Insolvency laws
Consumer protection measures 14 Outline the insolvency laws that apply generally or
12 What consumer protection measures apply to cloud specifically in relation to cloud computing.
computing in your jurisdiction?
There is no specific insolvency legislation that applies to cloud
There is no cloud service-specific regulation protecting the rights of computing in Sweden, but the standard legal framework for insolvency
consumers in Swedish law, but the Swedish consumer protection apply, notably the Bankruptcy Act (SFS 1987:672), the Enforcement
legislation includes legislation with focus on e-commerce and digital Code (SFS 1981:774) and general Swedish principles of property law.
transactions including Distance and Off-Premises Contracts Act (SFS For movable property, the right to property is, in general, decided by
2005:59), Consumer Contracts Act (SFS 1994:1512) and the Electronic who is in possession of the property. For intellectual property, the right
Commerce Act (SFS 2002:562). The standard Swedish consumer to the property is instead decided from what is stipulated by contract.
protection for buying goods and services, the Consumer Sales Act
(SFS 1990:932) and the Consumer Services Act (SFS 1985:716), is not DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
directly applicable on purchases of digital content, but is still consid-
ered to have an impact when courts are evaluating consumer contracts. Principal applicable legislation
The consumer protection legislation, inter alia, ensures the consumer 15 Identify the principal data protection or privacy legislation
rights in regard to quality and performance from the commercial applicable to cloud computing in your jurisdiction.
actor, includes the right to withdraw from distance and off-premises
contracts within 14 days, bestows a responsibility for commercial actors As of 25 May 2018, the GDPR is the principal legislation governing
to provide consumers with information, and provides that courts can data protection in relation to cloud computing in Sweden. The GDPR is
prohibit contract terms that are unfair towards consumers from further supplemented by the Data Protection Act (SFS 2018:218) and various
use and may interpret vague contract terms in favour of consumers. sector-specific legislation.
The Swedish consumer protection for digital services is also continu-
ously affected by the EU digital single market reform, and now includes
the right to settle disputes online through the Alternative Dispute
Resolution For Consumer Disputes Act (SFS 2015:671), and principles
about net neutrality and open internet access through Regulation (EU)
2015/2120, as well as a new proposed directive regarding contracts for
the supply of digital content.

70 Cloud Computing 2020

© Law Business Research 2019
Advokatfirman Delphi Sweden

CLOUD COMPUTING CONTRACTS model and payment terms vary depending on the services offered,
however, services are commonly purchased as subscriptions and
Types of contract invoiced in advance. Provided that payment is overdue, the supplier
16 What forms of cloud computing contract are usually adopted may reserve the right to suspend the services immediately, however,
in your jurisdiction, including cloud provider supply chains (if sometimes excluding cases where payment is withheld in good faith.
applicable)? Principles for acceptable use commonly include customary restric-
tions, such as prohibition against redistribution of the services, use of
Usually, the supplier’s standard cloud computing contract is applied. the services for provision of outsourcing services and transmission of
Given the bargaining power of the customer, the cloud computing infringing material or malicious code.
contract may, in rare cases, be based on the customer’s standard As to variation, the supplier’s standard cloud computing contract
template, in particular, when the supplier is a local cloud provider. will, in many cases, include the unilateral right for the supplier to
Notwithstanding the above, for certain areas of the cloud computing change the services, including the functionality and security. Such provi-
contract, the suppliers, including international cloud providers, have sions may often be the subject of negotiations between the parties, for
become more recipient towards implementing customer requirements example, when the customer is a regulated entity and the provisions are
in the contract. This relates in particular to regulatory requirements, in violation of the regulatory requirements applicable to the customer.
such as requirements deriving from privacy legislation and regulations,
requirements on public sector entities and financial regulations. Typical terms covering data protection
19 What are the typical terms of a B2B public cloud computing
Typical terms for governing law contract in your jurisdiction covering data and confidentiality
17 What are the typical terms of a B2B public cloud computing considerations?
contract in your jurisdiction covering governing law,
jurisdiction, enforceability and cross-border issues, and In terms of data, cloud computing contracts have in recent years been
dispute resolution? greatly influenced by the statements and decisions of the Swedish DPA
regarding the processing of personal data by cloud computing suppliers.
As cloud computing contracts are often drafted on the basis of the These statements and decisions prescribe, among other things, that the
supplier’s standard cloud computing contract, governing law will, in customer must ensure that:
many cases, be the law that applies where the supplier’s business is • a sufficient data processor agreement is entered into with the
based, such as the laws of Ireland or the US. However, you may also supplier;
find contracts that are governed by Swedish law, in particular from local • the supplier is not allowed to independently process personal data
Swedish cloud suppliers, but also larger international enterprises that but only in accordance with the customer’s instructions;
have opened up local Swedish entities. • the contract stipulates that Swedish law applies as regards the
For data privacy, Swedish law will typically apply, in particular processing of personal data; and
since this is a regulatory requirement from the Swedish DPA or at least • the customer is informed of all sub-processors involved in the
that was the case prior to the GDPR. As to jurisdiction, principles corre- processing of personal data type of services and the location of
sponding with those above would normally apply. In most Swedish B2B such sub-processors.
contracts, arbitration is used as a method of dispute resolution and this
would typically also apply to cloud computing contracts. Ultimately, In addition, the customer should ensure that it is entitled to perform
the choice of rules for dispute resolution as well as governing law and audits for the purpose of ascertaining the supplier’s compliance with
jurisdiction would be the result of the parties’ negotiations. Many of the the customer’s requirements on the processing and that a process for
larger cloud service providers will not accept that the agreement will be exit of the agreement is established, which safeguards that the supplier
governed by Swedish law. The enforceability of a cloud service contract will not process the personal data post termination of the contract.
is, however, uncertain as there is very limited case law regarding Moreover, the customer is, as a general rule, obligated to perform a
this matter. legality assessment and risk and vulnerability analysis prior to entering
Cross-border issues are mostly discussed in respect of data privacy into the cloud computing contract. The purpose of the legality assess-
and secrecy. Data privacy cross-border issues are usually regulated ment is to determine whether the supplier’s processing of personal
through the use of the standard contractual clauses decided by the EU data under the cloud computing contract will be allowed under the data
Commission on 5 February 2010 (2010/87/EU) that supplement the protection legislation. This includes measures such as ensuring that
cloud computing contract to allow transfer of personal data outside the a data processor agreement is entered into, an assessment regarding
EEA. Many cloud service providers are reluctant to provide a guarantee cross-border transfers and any security measures necessary. The
that data will not be processed outside the EU and EEA even if they may purpose of the risk and vulnerability analysis is to assess whether it
commit to mainly use data centres within the EEA as their main facilities is possible to assign the processing of personal data to the supplier
for the services. The newly adopted US Cloud Act, giving US authorities and determine appropriate security levels and necessary measures that
a right of access to data that is stored by US cloud service providers need to be taken in the light of the integrity risks involved.
worldwide, is likely to add to the complex landscape. Following the entering into force of the GDPR, it is currently not
clear whether the above principles will be upheld by the Swedish DPA.
Typical terms of service Confidentiality provisions are commonly mutual.
18 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering material terms, such
as commercial terms of service and acceptable use, and
variation?

Commercial terms of service and acceptable use are commonly agreed

on the basis of the supplier’s standard cloud computing contract. Price

www.lexology.com/gtdt 71
© Law Business Research 2019
 Sweden Advokatfirman Delphi

Typical terms covering liability days are often seen, but it remains to be seen whether this period will
20 What are the typical terms of a B2B public cloud computing change given the GDPR).
contract in your jurisdiction covering liability, warranties and The supplier may offer migration services on a time and mate-
provision of service? rial basis.

Since the cloud computing contract in many cases is based on the suppli- Employment law considerations
er’s standard contract, the supplier’s warranties are normally limited. A 23 Identify any labour and employment law considerations that
typical warranty would imply that the services are materially consistent apply specifically to cloud computing in your jurisdiction.
with the documentation, and that the supplier will not materially change
the functionality of the services or the security of the services. Ultimately, The Acquired Rights Directive 2001/23/EC would (at least in prin-
the warranties may be subject to negotiation between the parties. ciple) apply to a business customer entering into a cloud computing
Limitation of liability is often mutual with a cap and excluding contract, provided that the cloud computing services are deemed to be
indirect and consequential damages. There is normally a carve-out for outsourcing.
liability for death and personal injury and damages caused by intent or
gross negligence. In some agreements, liability for breach of confidenti- TAXATION
ality is uncapped but with a carveout for loss of customer data entered
into the cloud services, which instead falls under the general liability in Applicable tax rules
the agreement. 24 Outline the taxation rules that apply to the establishment and
The supplier would normally provide indemnities for intellectual operation of cloud computing companies in your jurisdiction.
property rights (IPR) infringements caused by the proper use of the
services and, correspondingly, the customer would provide for the IPR Cloud computing companies are subject to the taxation rules generally
infringements caused by the proper use of customer data. You may also applicable to companies in Sweden. An international cloud computing
find other types of indemnities (eg, in case of violation of applicable law company providing services to Swedish customers may be subject to
or customers’ misuse of the services). Swedish taxation, provided it can be held to have a permanent establish-
Service levels is a typical area where the cloud computing contracts ment in Sweden. Subject to the nature of the payment under the cloud
are less flexible and the customer will in many cases have to accept the computing agreement, withholding tax issues may arise that need to be
supplier’s standard SLAs. Penalties and similar possible remedies in the addressed in the cloud computing agreement.
event of non-fulfilment of the SLAs are often limited to fairly low amounts
and are sometimes a customer’s sole remedy for such non-fulfilment. Indirect taxes
Business continuity and disaster recovery plans could be necessary 25 Outline the indirect taxes imposed in your jurisdiction that
to implement as a result of the risk and vulnerability analysis performed apply to the provision from within, or importing of cloud
by the customer prior to entering into the cloud computing contract and computing services from outside, your jurisdiction.
this would also normally be required by customers that are regulated
entities. VAT (25 per cent) will be imposed on provision of cloud computing
services from within Sweden. In respect of cloud computing services
Typical terms covering IP rights provided within the EU, a reverse charge will, as a general rule, apply.
21 What are the typical terms of a B2B public cloud computing Specific rules apply for cloud computing services provided from
contract in your jurisdiction covering intellectual property outside the EU.
rights (IPR) ownership in content and the consequences of
infringement of third-party rights? RECENT CASES

The supplier generally reserves the IPR to the services and non- Notable cases
customer-specific content, whereas the customer reserves the IPR 26 Identify and give details of any notable cases, or commercial,
to customer data. Customary consequences of infringement of IPR private, administrative or regulatory determinations within
normally apply (ie, modification of the services so that they are no longer the past three years in your jurisdiction that have directly
infringing, obtaining a licence for the customer’s continued use of the involved cloud computing as a business model.
services or, ultimately, termination of subscription and refund of licence
costs). The customer is often undertaking to indemnify the supplier for There is limited case law in Sweden regarding the use of cloud computing.
any claims made towards the supplier due to the content of the customer Most case law is based on disputes regarding public procurements. In
data entered into the services. one notable case from the Administrative Court in 2014, the Court found
that there had been shortcomings in a Swedish municipality’s agree-
Typical terms covering termination ment with Google regarding the use of cloud services by a public school.
22 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering termination? UPDATE AND TRENDS

Either party will typically have the right to terminate the cloud computing Key developments of the past year
contract in case of material breach of the contract by the other party. 27 What are the main challenges facing cloud computing within,
Additionally, the customer often has the right to terminate the contract from or to your jurisdiction? Are there any draft laws or
in cases where the supplier appoints a sub-processor that the customer legislative initiatives specific to cloud computing that are
on objective grounds refuses to accept. Following termination of the being developed or are contemplated?
contract, the supplier will no longer have a right to process personal
data for which the customer is the controller; however, the supplier is eSAm is an organisation consisting of 23 Swedish authorities and the
usually allowed a certain period of time to remove such data (up to 180 Swedish Association of Local Authorities and Regions. In October 2018,

72 Cloud Computing 2020

© Law Business Research 2019
Advokatfirman Delphi Sweden

eSam issued a statement in which eSam urged public authorities to

exercise caution when contracting with suppliers whose ownership or
other circumstances may mean the supplier is bound to comply with the
laws of a foreign country and that the foreign law forces the supplier to
disclose confidential information without there being a legal basis for
the disclosure under Swedish law. The US Cloud Act is named as an
example of foreign law that obliges a supplier to disclose confidential
information.
According to the same statement, caution shall also be exercised Peter Nordbeck
[email protected]
if the ownership of the supplier or the geographical location of the
supplier’s tool are such that there is reason to question the protection of Dahae Roland
human rights (eg, the protection of private life) or safeguard the public [email protected]
interest (eg, state security). This essentially means that a supplier that
is bound by foreign law may contribute to confidential information being Mäster Samuelsgatan 17
disclosed and that this circumstance must be considered when a cloud PO Box 1432
service is potentially implemented by a public authority. 111 84 Stockholm
eSam’s statement has been supported by the Swedish Association Sweden
of Local Authorities and Regions, which also points out that there is a Tel: +46 8 677 54 00
need to conduct a broader analysis prior to a local authority or region Fax: +46 8 20 18 84
deciding to implement a cloud service. The analysis shall include a www.delphi.se
comparison against the current IT environment and its capacity and
several questions shall be answered in regard to, inter alia, the safety,
risk and legal requirements of the use of cloud services.
The conclusions are also supported by the central purchasing
centre at the Legal, Financial and Administrative Services Agency in a
pre-study that was published in February 2019.
In the light of the position taken by eSam and the Swedish
Association of Local Authorities and Regions, it can be assumed that
contracts with public authorities will take longer to negotiate and that
there will be detailed discussions between the parties so the authority
can make a thorough analysis and well-founded decision on whether or
not to implement cloud services.

www.lexology.com/gtdt 73
© Law Business Research 2019
 Switzerland
Jonas Bornhauser*
Bär & Karrer Ltd

MARKET OVERVIEW at the moment, market shares are still limited in relation to on-prem-
ises solutions (in particular, software). It appears the latter will remain
Kinds of transaction important for the foreseeable future.
1 What kinds of cloud computing transactions take place in The total market volume of managed private clouds in Switzerland
your jurisdiction? in 2016 was around 440 million Swiss francs and the public cloud
market is reported to be around 810 million Swiss francs. In both
Cloud computing (and anything-as-a-service (XaaS)) continues to be sectors, SaaS account for significantly more than 50 per cent of the
one of the most important trends in the Swiss IT sector. Although most market volume (58.7 per cent private cloud and 81.1 per cent public
of the cloud solutions are still deployed in-house (besides traditional cloud). The entire market for conventional hardware, software and IT
outsourcing and managed services), software-as-a-service (SaaS), in services amounts to more than 27 billion Swiss francs.
particular, is becoming more and more important as a procurement
model. Cloud computing is now available for most of the areas of Impact studies
application (ie, including, besides SaaS, infrastructure-as-a-service 5 Are data and studies on the impact of cloud computing in
(IaaS), platform-as-a-service (PaaS) and backend-as-a-service (BaaS)). your jurisdiction publicly available?
Private clouds are most commonly used (63 per cent), public clouds
and hybrid clouds are on a par with 28 per cent each, although hybrid See, for example, the study ‘ISG Provider Lens Germany 2017 – Cloud
scenarios continue to gain in popularity as companies are seeking to Transformation/Operation Services & XaaS’ from ISG/Experton
build an IT services mix based on individual preferences. In this regard, Group, a global market research company, in which ISG/Experton
the security of companies’ data and cloud providers’ data centres as takes a close look at the cloud market in Switzerland (accessible
well as a high availability of cloud services play an important role. online at: http://research.isg-one.de/research/studien/isg-provider-
EveryWare AG acquired 100 per cent of the shares in the Zurich- lens-germany-2017-cloud-transformationoperation-services-xaas/
domiciled iSource AG as of 1 January 2018. Both companies operate as ergebnisse-ch.html?L=0, the study has been conducted and published
cloud and IT service providers for medium-sized business customers. for the fourth time).
In addition, the eCH Cloud Computing Group (www.egov-
Active global providers ernment.ch/en/umsetzung/e-government-schweiz-2008-2015/
2 Who are the global international cloud providers active in cloud-computing-schweiz/) has been conducting researches
your jurisdiction? and studying the cloud computing sector since the end of 2014
(the respective papers are accessible online at: www.egovern-
The international cloud providers are Amazon, Google, SAP, IBM and ment.ch/de/umsetzung/e-government-schweiz-2008-2015/
Oracle. Microsoft was expected to provide cloud services as of 2019. cloud-computing-schweiz).

Active local providers POLICY

3 Name the local cloud providers established and active in
your jurisdiction. What cloud services do they provide? Encouragement of cloud computing
6 Does government policy encourage the development of your
The leading national cloud providers include myfactory, bexio and jurisdiction as a cloud computing centre for the domestic
ABACUS. Such providers mainly provide SaaS – and, in particular, market or to provide cloud services to foreign customers?
SaaS enterprise resource planning (ERP) and unified-communication-
as-a-service – to private (small and medium-sized) businesses. These A strategy on cloud computing has been developed by the Swiss
providers operate private as well as public or on-premise clouds. Federal Strategy Unit for Information Technology (FSUIT) together with
experts from the Confederation, the cantons, the communes, enter-
Market size prises affiliated with the Confederation and the private sector, and was
4 How well established is cloud computing? What is the size of adopted by the eGovernment Steering Committee on 25 October 2012.
the cloud computing market in your jurisdiction? The strategy serves to promote both the responsible use of cloud
services and the offering of cloud solutions for authorities at all
The software market in Switzerland is undergoing substantial changes government levels (the respective paper is accessible online at: www.
due to the rising importance of ‘as-a-service’ offerings. Such services egovernment.ch/de/umsetzung/e-government-schweiz-2008-2015/
do not only transform the market but also buying patterns. It must, cloud-computing-schweiz).
however, be noted that despite SaaS being the fastest-growing segment

74 Cloud Computing 2020

© Law Business Research 2019
Bär & Karrer Ltd Switzerland

Incentives the BÜPF does not impose an obligation to store such data during six
7 Are there fiscal or customs incentives, development grants months on providers of derived communication (as is the case with
or other government incentives to promote cloud computing regard to telecommunication service providers). Moreover, they are
operations in your jurisdiction? under no obligation to identify their customers.

No. Breach of laws

11 What are the consequences for breach of the laws directly
LEGISLATION AND REGULATION or indirectly prohibiting, restricting or otherwise governing
cloud computing?
Recognition of concept
8 Is cloud computing specifically recognised and provided for in Unless a conduct is covered by another criminal law provision, non-
your legal system? If so, how? compliance may result in a fine of up to 100,000 Swiss francs in the
following cases:
No, Switzerland has not (yet) introduced specific regulations for cloud • non-adherence to a request of the surveillance office; and
computing. The applicable laws, ordinances and regulations were • disclosure of a confidential surveillance ordered by the surveil-
usually enacted at a time when cloud computing, its possibilities and lance office.
risks were unknown. According to the above-mentioned strategy on
cloud computing (see question 6), the authorities, in cooperation with In addition, the breach of confidentiality obligations, in particular, of the
associations and interest group, must identify necessary adjustments business secrecy (article 162, the Swiss Criminal Code) and the banking
with regard to the current legislation. However, as of today, no cloud- secrecy (article 47, the Banking Act) may be sentenced to imprisonment
specific regulation has been proposed by the said parties. (not exceeding three years) or a fine.

Governing legislation Consumer protection measures

9 Does legislation or regulation directly and specifically 12 What consumer protection measures apply to cloud
prohibit, restrict or otherwise govern cloud computing, in or computing in your jurisdiction?
outside your jurisdiction?
The distinction between business-to-business (B2B) and business-
No, there are no legal provisions in Switzerland that would (directly to consumer (B2C) transactions is not significant in Switzerland. In
or indirectly) prohibit, restrict or otherwise govern, cloud computing, particular, no separate body of laws or rules for B2B deals exist but, for
onshore or offshore. B2C contracts, some restrictions apply in regard to consumer protection
(see the following paragraph). However, Swiss law does not provide for
10 What legislation or regulation may indirectly prohibit, restrict an equivalent to EU customers’ mandatory withdrawal rights set forth
or otherwise govern cloud computing, in or outside your in the Directive 97/7/EC on the protection of consumers in respect of
jurisdiction? distance contracts (Distance Selling Directive) for online sales.
According to the Swiss Federal Private International Law Act (PILA),
Where the customer of a cloud services provider is subject to compliance for disputes arising out of in connection with consumer contracts, the
(eg, national and international stock exchange regulations, obligations Swiss courts of the consumer’s domicile or ordinary residence or of the
in connection with accounting regulations, document retention obliga- offeror’s (cloud provider’s) domicile or ordinary residence have juris-
tions and audit rights of authorities, etc) or contractual obligations as diction, at the discretion of the consumer. Such place of jurisdiction is
regards third parties (eg, licence restrictions concerning the use of mandatory and cannot be waived in advance. The cloud provider can,
software and confidentiality obligations), respective obligations must however, only take civil action against the consumer at the consumer’s
be regulated in the contracts with the cloud services provider which domicile or ordinary residence or the place of performance. Consumer
indirectly is obliged to comply with the regulations and obligations. This contracts are defined as contracts for goods and services that are for
also applies to compliance with data protection regulations that are current personal or family consumption and are not connected with the
imposed on the customers of cloud service providers. professional or business activity of the consumer.
In addition, on 18 March 2016, the Swiss parliament adopted the Furthermore, regarding consumer contracts, the choice of law is
revised Federal Act on the Surveillance of Mail and Telecommunication excluded, meaning that they are governed by the law of the state of the
Traffic (BÜPF). This act entered into force on 1 March 2018. The revised consumer’s ordinary residence in any of the following instances:
statute’s objective is to improve criminal investigations if telecommu- • the supplier received the order in that state;
nication services are involved. The revised statute is expected to apply • the contract was entered into after an offer or advertisement in
also to cloud services providers since they qualify as providers of that state and the consumer performed the acts required to enter
derived communication services that permit one-way or multiple-way into the contract in his or her state; and
communication. Providers of email services, of chat rooms, of platforms, • the consumer was induced by the supplier (cloud provider) to go
such as Facebook, that permit communication as well as providers of abroad for the purpose of delivering the order.
platforms where documents can be uploaded (for example, Google
Docs) are, for example, deemed providers of derived communication Entering into business contracts online with a Swiss consumer will, in
services. It is expected that the statute and the respective duties may most cases, fall under the first two groups above. Consequently, the
not be enforced upon non-Swiss domiciled companies, that is, prob- contracts cloud providers enter into with Swiss consumers concluded
ably most of the providers of such derived communication services. by electronic means are generally governed by Swiss law.
Providers of derived communication (eg, cloud service providers) are
obliged to tolerate surveillance measures and, upon request, permit
access to their data processing systems. Furthermore, if available,
they must disclose the telecommunication ‘marginal data’. However,

www.lexology.com/gtdt 75
© Law Business Research 2019
 Switzerland Bär & Karrer Ltd

Sector-specific legislation data flows must be complied with (see article 6, DPA), which are largely
13 Describe any sector-specific legislation or regulation that aligned with the ones of the GDPR. Furthermore, despite the assign-
applies to cloud computing transactions in your jurisdiction. ment of the data processing to cloud service providers, the assigning
entity remains under an obligation to provide the information requested
There is no sector-specific legislation or regulation that applies to cloud by one of its customers. The cloud provider is only obliged to provide
computing transactions in Switzerland. Sector-specific laws, however, information if it does not disclose the identity of the assigning entity,
indirectly apply to cloud computing transactions. In particular, highly that is, the controller, or if the controller is not domiciled in Switzerland
sensitive data such as data on health, data subject to attorney–client (see article 8, DPA).
confidentiality or bank client data are subject to special legal conditions A Swiss-domiciled cloud service provider not established in the EU
regarding confidentiality, data protection and data security. When data may further fall within the scope of GDPR with respect to EU/EEA resi-
is collected in clouds, special information and due diligence obligations dent natural persons:
must be respected depending on the type of data that is collected or • if it is processing the personal data of such persons; and
processed and the actual locations of the cloud data centres. • if the processing activities are related to the intentional, active
offering of goods or services to the EU/EEA resident persons.
Insolvency laws
14 Outline the insolvency laws that apply generally or CLOUD COMPUTING CONTRACTS
specifically in relation to cloud computing.
Types of contract
Lacking specific insolvency laws for internet providers (including cloud 16 What forms of cloud computing contract are usually adopted
service providers), the general Swiss insolvency laws apply according in your jurisdiction, including cloud provider supply chains (if
to which, with the opening of bankruptcy proceedings, claims that are applicable)?
not for a sum of money are converted into a monetary claim of corre-
sponding value. The bankruptcy administration, however, would have Cloud computing contracts may comprise various services containing
the right in the debtor’s (cloud provider’s) stead to fulfil synallagmatic elements of software licence agreements, lease agreements, service
contracts that had only partly been fulfilled at the time of the opening level agreements, hardware and software support agreements, data
of the bankruptcy. However, given that the bankruptcy administration storage agreements and data transmission agreements.
is not qualified to provide cloud services, cloud computing contracts Agreements concerning the provision of IaaS may usually be
are usually terminated if bankruptcy proceedings open. In such cases, qualifies as lease agreements or at least as special contracts with
a creditor may only request segregation of items (from the bankrupt substantial lease elements. However, processing ability does not form
estate), such as its data, that are the property of the creditor but are in part of a typical lease contract. It qualifies rather as a mandate agree-
possession of the debtor. ment (article 397 et seq) or, depending on the specifications of the
However, according to the prevailing legal doctrine, the Swiss contract, as a contract for works in accordance with article 363 et seq.
Federal Supreme Court and the practice of the debt enforcement and Agreements concerning the provision of PaaS, SaaS or XaaS are
bankruptcy agencies, such segregation can principally only be claimed usually deemed special contracts if the deployed hardware is used
for physical objects but not for non-physical ones, such as electronic by means of a virtual server. Such special contracts comprise lease
data. A customer may therefore currently only request segregation if and service contract elements, and, depending on the services to be
the cloud computing provider is in possession of a separate data carrier rendered, contract for work elements.
that is owned by the customer. For the time being, the customer should
therefore be able to continue its operations in the case of the provider’s Typical terms for governing law
insolvency (eg, backups, etc). 17 What are the typical terms of a B2B public cloud computing
contract in your jurisdiction covering governing law,
DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION jurisdiction, enforceability and cross-border issues, and
dispute resolution?
Principal applicable legislation
15 Identify the principal data protection or privacy legislation Swiss cloud service providers usually insist that the cloud computing
applicable to cloud computing in your jurisdiction. contracts they enter into are governed by Swiss law (under exclusion of
the United Nations Convention on Contracts for the International Sale
The processing of personal data may only be assigned by an entity to Goods, 11 April 1980, and other international treaties). The same applies
a cloud service provider (B2B) based on an outsourcing agreement, if: with regard to the place of jurisdiction (Switzerland).
• the data is processed only in the manner permitted for the Careful attention must be given to dispute resolution mechanisms.
instructing party itself; and Time is often crucial and the customer should ensure that he or she
• it is not prohibited by a statutory or contractual duty of can obtain fast resolution against the cloud service provider if need be.
confidentiality.
Typical terms of service
In addition, the assigning entity must further ensure, that the cloud 18 What are the typical terms of a B2B public cloud computing
service provider guarantees data security. In particular, the personal contract in your jurisdiction covering material terms, such
integrity of the data subject must be protected through adequate tech- as commercial terms of service and acceptable use, and
nical and organisational measures against unauthorised or accidental variation?
destruction, accidental loss, technical faults, forgery, theft or unlawful
use, unauthorised alteration, copying, access or other unauthorised The general terms and conditions of Swiss B2B public cloud computing
processing (see article 7, DPA and article 8 et seq, Swiss Data Protection providers typically contain the following terms:
Ordinance). Additionally, if cloud computing services involve disclosures • rights to use the software provided by the provider;
of personal data abroad, the specific requirements for cross-border • use restrictions:

76 Cloud Computing 2020

© Law Business Research 2019
Bär & Karrer Ltd Switzerland

• use of the functionalities of the software exclusively • conclusion of insurance solutions for data stock/integrity; and
according to the specifications and the licensing terms as • implementation of regular checks of data security and integrity.
well as within the scope of the cloud service provided by the
provider; and The fact that the cloud service provider can have access to important
• prohibition to make any changes to the software (eg, by business data of the customer because the data is located on its infra-
further developing the software); structure must be reflected accordingly in the scope and amount of
• acceptable use policy: liability. A corresponding service level agreement for business-critical
• customer to assume the sole responsibility for the content of services from the cloud should be part of the cloud computing contract.
the data that is being processed in connection with the use of The same applies to contractual penalties, in particular in the event of
the cloud services; and breaches of data protection regulations, service-level agreements and
• customer to indemnify the provider against any third-party confidentiality undertakings.
claims resulting from illegal use of the cloud services;
• security: Typical terms covering IP rights
• technical, personnel and organisational security measures to 21 What are the typical terms of a B2B public cloud computing
be taken by provider; and contract in your jurisdiction covering intellectual property
• requirements concerning standardisation and compatibility of rights (IPR) ownership in content and the consequences of
technical systems; infringement of third-party rights?
• service levels:
• if specific parameters relating to the availability of the cloud The cloud service providers usually grant the customer the licence
services have been agreed upon, the B2B public cloud rights to use the required software applications within the framework
computing contract usually sets out the legal consequences of the cloud contract, either for the subscription of IaaS, SaaS or XaaS.
of deviations from the services, which are: However, updates or upgrades, release management and so on are the
• requirements concerning data backup, return, disaster responsibility of the cloud service provider, since the customer has
recovery; and neither licence and maintenance contracts with the corresponding soft-
• requirements concerning data protection, security and ware suppliers, nor do they have the necessary access rights to perform
audit rights; such work.
• remuneration:
• customer may usually choose between different price Typical terms covering termination
metrics; and 22 What are the typical terms of a B2B public cloud computing
• limitation of liability: contract in your jurisdiction covering termination?
• liability usually only for gross negligence and unlawful
intent; or If a Swiss court qualifies a cloud computing agreement or the substan-
• if liability is only for mere negligence then limitation of the tial parts thereof as mandate agreement in accordance with article
amount for which a party may be sued. 394 et seq, the Swiss Code of Obligation, such an agreement may be
terminated by either party without cause at any time with immediate
Typical terms covering data protection effect. This termination right (article 404, the Swiss Code of Obligation)
19 What are the typical terms of a B2B public cloud computing is mandatory and cannot be validly excluded. However, if termination
contract in your jurisdiction covering data and confidentiality is effected at an improper time, the party terminating is liable to the
considerations? other party for the damages caused. Outside the scope of article 404,
the parties are free to agree on the contract term and termination rights.
Since data that is the object of the cloud computing agreement may However, the tendency is that the customers do not want to enter into
include sensitive information (eg, business and trade secrets or patient long-term agreements with cloud service providers so they can have
information), cloud computing agreements must also address the confi- flexibility to swiftly change the provider.
dential nature of data stored with the cloud service provider and the Cloud computing agreements usually contain termination provi-
consequences of a breach of the confidentiality obligation. sions for both ordinary and extraordinary circumstances and include
detailed exit and post-termination assistance provisions. Appropriate
Typical terms covering liability notice periods allow the parties to transfer the outsourced services to a
20 What are the typical terms of a B2B public cloud computing third-party provider or take them back in-house.
contract in your jurisdiction covering liability, warranties and
provision of service? Employment law considerations
23 Identify any labour and employment law considerations that
The typical terms in this context are: apply specifically to cloud computing in your jurisdiction.
• service availability;
• asssurance of compliance with data protection regulations; The parties to a cloud services agreement should consider whether the
• guarantee of data integrity, data security, etc; agreement may result in the transfer of a business unit and, therefore,
• implementation of high security standards (encryption, access the automatic transfer of the customer’s employees employed with the
management, monitoring, telecommunication connections, etc); business unit to the cloud service provider.
• backup scenarios;
• backup of data;
• audit rights to verify compliance with data protection regulations;
• correct and necessary labelling for the identification of dedicated
(ie, customer owned) IT infrastructure in the event of bankruptcy
(unless the customer explicitly states other wishes);

www.lexology.com/gtdt 77
© Law Business Research 2019
 Switzerland Bär & Karrer Ltd

TAXATION

Applicable tax rules

24 Outline the taxation rules that apply to the establishment and
operation of cloud computing companies in your jurisdiction.

A cloud computing company established with its domicile (and place

of effective management) in Switzerland is generally subject to unlim-
ited Swiss profit and capital tax (applicable rates vary, depending on the
canton of domicile) on its full profit or taxable capital, potentially subject Jonas Bornhauser
to an international tax allocation in the specific case (eg, generally no [email protected]
taxation right for profit derived from a permanent establishment (PE)
abroad) and depending on applicable double taxation treaties. A stamp
Brandschenkestrasse 90
issuance duty is levied on the creation or increase of the nominal value
8002 Zurich
of shares in a Swiss company, on the amount of share capital or share Switzerland
premium exceeding a once exempt amount of 1 million Swiss francs. Tel: +41 58 261 50 00
A cloud computing company with its domicile abroad may have a Fax: +41 58 261 50 01
PE in Switzerland and hence is subject to Swiss profit/capital tax (appli- www.baerkarrer.ch
cable rates vary, depending on the location of the PE) if it has a fixed
place of business in Switzerland in which all or a part of the business
activity of the enterprise is carried out. The tax liability in this case is in
principle limited to the profit/capital to be allocated to the PE. There is UPDATE AND TRENDS
currently no guidance published by the Swiss tax authorities based on
what circumstances a foreign cloud computing service provider may Key developments of the past year
create a PE in Switzerland. A case-by-case assessment is required and 27 What are the main challenges facing cloud computing within,
obtaining a tax ruling would be recommended. from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
Indirect taxes being developed or are contemplated?
25 Outline the indirect taxes imposed in your jurisdiction that
apply to the provision from within, or importing of cloud No update at this time.
computing services from outside, your jurisdiction.
* The information in this chapter is correct as at October 2018.
Cloud computing services qualify as an electronic supply of services in
the sense of the Swiss VAT Act and are taxable at the ordinary rate of
currently 7.7 per cent. The determination of the place of supply follows
the place-of-receipt principle.
A Swiss company offering such services mandatorily needs to
register for Swiss VAT and subsequently charge Swiss VAT on the
services in case its annual turnover from taxable services in Switzerland
and abroad exceeds 100,000 Swiss francs (below this threshold, a volun-
tary Swiss VAT registration generally is possible).
Cloud computing services imported into Switzerland are subject
to reverse charge at the level of a Swiss VAT-registered recipient (for
non-VAT-registered recipients, no reverse charge applies). To the extent
a foreign company provides respective services to Swiss non-VAT-regis-
tered recipients, the company needs to mandatorily register for Swiss
VAT (and subsequently charge VAT on the services) in case its annual
turnover from taxable services in Switzerland and abroad exceeds
100,000 Swiss francs.

RECENT CASES

Notable cases
26 Identify and give details of any notable cases, or commercial,
private, administrative or regulatory determinations within
the past three years in your jurisdiction that have directly
involved cloud computing as a business model.

None to date.

78 Cloud Computing 2020

© Law Business Research 2019
United Kingdom
Mark Lewis*
Bryan Cave Leighton Paisner LLP

MARKET OVERVIEW to public cloud services to provide greater capacity – has become
more common.
Kinds of transaction A notable feature of the UK market is the adoption by central and
1 What kinds of cloud computing transactions take place in local government of cloud computing. In 2012, the UK government
your jurisdiction? introduced the G-Cloud, which enables government departments and
state agencies to buy and deploy cloud services from pre-approved
As a G7 economy with mature IT and related services markets, the vendors, which include some of the biggest cloud providers, for
UK is one of the most important global markets for cloud computing. example Amazon Web Services (AWS) (http://searchcloudcomputing.
According to Gartner, judged by cloud spending rates and growth, techtarget.com/definition/G-cloud-government-cloud). In February
the UK is among the fastest cloud adopters globally, ranking behind 2017, the UK government reaffirmed the Government Cloud First Policy,
the USA (the world leader in cloud adoption since 2015) and Canada: under which public sector organisations must consider and evaluate
https://www.gartner.com/smarterwithgartner/cloud-adoption-where- potential public cloud as a deployment model, before considering any
does-your-country-rank/. In its 2018 BSA Global Cloud Computing other IT option. Cloud First has been mandatory for central govern-
Scorecard (the latest version since first publication in 2012 and claimed ment departments and agencies, but has been strongly recommended
to be the only global report to rank countries’ preparedness for the to the wider UK public sector: www.gov.uk/guidance/government-
adoption and growth of cloud computing services), BSA|The Software cloud-first-policy. For the origins of this important cloud initiative, see
Alliance ranks the UK at fourth after Germany, Japan and the USA. To the UK government’s 2011 paper, Government Cloud Strategy, at: www.
account for the difference in the UK’s standing in these two reports, it gov.uk/government/publications/government-cloud-strategy. Recent
is worth explaining that the BSA Global Cloud Computing Scorecard research has shown that 78 per cent of UK public sector organisa-
is based on a methodology that emphasises policy areas that ‘matter tions are using some form of cloud-based service, compared with
most to cloud computing’, such as data protection and privacy laws, only 38 per cent in 2010 (www.outsourcery.co.uk/about-us/news/
cybersecurity regimes and intellectual property protection (ie, the public-sector-cloud-adoption-soaring/). However, although adoption
effectiveness of the legal and regulatory environment for cloud of cloud services by UK local government still lags behind central
computing). And it also applies a test of IT infrastructure readiness, in government’s rate of deployment, the adoption rate at local govern-
particular access to broadband: https://cloudscorecard.bsa.org/2018/ ment level is apparently steadily increasing.
pdf/BSA_2018_Global_Cloud_Scorecard.pdf. Other market analysts, In May 2019, it was reported in the UK technology sector media
such as MarketsandMarkets™ (https://www.marketsandmarkets. that the UK government’s Cloud First policy is under review and that
com/), observe that successful implementation of the UK’s National it is likely to be replaced by an updated approach that reflects the
Broadband Plan has resulted in faster mobile data connection speeds growing demand for hybrid cloud deployment in the public sector:
in the UK, which in turn has facilitated the more rapid adoption of cloud https://www.computerweekly.com/news/252463001/Government-
services in the UK. cloud-first-policy-under-review-by-CCS-and-GDS.
Using the US National Institute of Standards and Technology With the UK being one of the most advanced global markets for
(NIST) definition of cloud computing (http://nvlpubs.nist.gov/nist- cloud computing, there is a sizeable business ecosystem serving the
pubs/Legacy/SP/nistspecialpublication800-145.pdf), there is extensive primary market, for example, in data centres.
use of the three NIST service models: software-as-a-service (SaaS),
platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), Active global providers
referred to below as ‘service models’. Of the four NIST deployment 2 Who are the global international cloud providers active in
models (private cloud, community cloud, public cloud and hybrid cloud your jurisdiction?
(deployment models)), private, public and hybrid clouds are widely
adopted. Community clouds are also used, though apparently less All are active in the UK, including (as a small sample):
regularly. • Accenture;
As part of the UK’s cloud business ecosystem, there are cloud • Adobe;
service brokers (providers who aggregate several different cloud • AWS;
services to provide a unified offering to a customer) and cloud • Avaya;
exchanges (providers that offer direct connections between several • Cisco;
cloud platforms, enabling their customers access to and portability • Citrix;
among separate cloud platforms, without their data passing through • Dell EMC;
the internet). ‘Cloudbursting’ – in the context of the hybrid deployment • Dropbox;
model, with customers moving specific processes running in-house • Equinix;

www.lexology.com/gtdt 79
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

• Facebook; Impact studies

• Google; 5 Are data and studies on the impact of cloud computing in
• Huawei; your jurisdiction publicly available?
• IBM;
• Interoute; Authoritative, specific, recent data on the true size and therefore impact
• Joyent; of cloud computing in the UK is hard to find. And such reports are not
• Kaspersky; in the author’s experience freely available to the general public, online
• Microsoft; or otherwise. See the three reports referred to under questions 1 and
• NetApp; 4. Of the three, the MarketsandMarkets report referred to above is
• Oracle; the most specific and authoritative by reference to the size of the UK
• Rackspace; cloud market generally, and by reference more specifically to the cloud
• Red Hat; service and deployment models.
• SalesForce;
• SAP; POLICY
• SAS;
• Skype; Encouragement of cloud computing
• Sungard; 6 Does government policy encourage the development of your
• Symantec; jurisdiction as a cloud computing centre for the domestic
• VMware; and market or to provide cloud services to foreign customers?
• Workday.
In short, yes. The policy manifests itself in various forms and initia-
(See www.cloudpro.co.uk/providers.) tives, but comprehensive coverage of them is beyond the scope of
this chapter.
Active local providers The starting point is the government’s policy paper, UK Digital
3 Name the local cloud providers established and active in Strategy 2017, published on 1 March 2017 by the responsible govern-
your jurisdiction. What cloud services do they provide? ment department, The Department for Digital, Culture, Media & Sport
(www.gov.uk/government/publications/uk-digital-strategy/uk-digital-
The following is a small, illustrative, selection by service segment. strategy). The stated core aim of the policy is ‘to create a world-leading
• server, storage and infrastructure: RedstoneConnect, ElasticHosts, digital economy that works for everyone. It is part of this government’s
Fasthosts, Flexiant, Memset, and VMhosts; Plan for Britain, strengthening our economy for the long term as we
• managed services: BT, Claranet, Colt, Interoute, iomart, IT Lab, take advantage of the opportunities that leaving the European Union
Nasstar, TIG and Webfusion; provides.’ (Ministerial foreword, page 2.)
• data backup and security: BT, Cloud Direct, iomart, IT Lab, Memset, There are seven elements to this policy, together with a framework
RedstoneConnect, TIG, UKFast, UK2 and Vodafone; for action:
• hosted desktop: Colt, Nasstar and Vodafone; and • connectivity – building world-class digital infrastructure for the UK;
• channel enablement, go-to-market, digitisation and CRM: BCSG • digital skills and inclusion – giving everyone access to the digital
and NewVoiceMedia. skills they need;
• the digital sectors – making the UK the best place to start and
(See www.computerweekly.com/tutorial/UK-hosted-desktop-cloud- grow a digital business;
providers; noting that this study was undertaken in 2010 and that it has • the wider economy – helping every British business become a
not been updated since.) For various cloud services mainly focused on digital business;
the UK public sector, there is UKCloud: https://ukcloud.com/. • a safe and secure cyberspace – making the UK the safest place in
the world to live and work online;
Market size • digital government – maintaining the UK government as a world
4 How well established is cloud computing? What is the size of leader in serving its citizens online; and
the cloud computing market in your jurisdiction? • data – unlocking the power of data in the UK economy and improving
confidence in its use. The paper affirmed the UK’s commitment to
See question 1 for the findings of Gartner and BSA|The Software implementing the General Data Protection Regulation (GDPR) by
Alliance. May 2018 (https://ico.org.uk/for-organisations/data-protection-
Research undertaken and provided to the author by reform/overview-of-the-gdpr). Accordingly, the Data Protection
MarketsandMarkets suggests that in 2019 the UK’s cloud computing Act 2018 came into force on 25 May 2018. The Act incorporates the
market will be worth £20.3 billion, rising to £22.8 billion in 2020 (a 12.3 GDPR into law in the UK and supplements its provisions.
per cent increase from 2019) and £35.1 billion by 2023 (a 73 per cent
rise from 2019): source, private research provided to the author by In April 2017, the Digital Economy Act 2017 was enacted to implement the
MarketsandMarkets in September 2019, based on primary interviews, government’s digital strategy (www.gov.uk/government/collections/
secondary literature and MarketsandMarkets analysis. digital-economy-bill-2016 and www.legislation.gov.uk/ukpga/2017/30/
According to the MarketsandMarkets report referred to above, in contents/enacted). It is clear from the UK’s digital strategy, the Digital
2020 the size of the UK’s cloud computing market by service model will Economy Act 2017 and examples of government support given directly
be as follows: SaaS £14.3 billion; PaaS £2.1 billion; and IaaS £6.4 billion. or indirectly to cloud computing and cloud-enabled organisations (see
The same MarketsandMarkets report forecasts that, in 2020, the question 7), that the policy and implementation framework embraces
size of the UK’s cloud computing market for the three main deploy- all the cloud service models and deployment models. And, as outlined
ment models will be as follows: private cloud £5.1 billion; public cloud in question 1, the UK government is a world leader in its deployment of
£10.9 billion; and hybrid cloud £6.8 billion. cloud computing through its Government Cloud First Policy.

80 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

Incentives UK growth companies. One of TBBB’s partners, Notion Capital, invests

7 Are there fiscal or customs incentives, development grants in enterprise SaaS and other cloud computing businesses. In July 2015,
or other government incentives to promote cloud computing Notion Capital announced a US$120 million fund that would continue
operations in your jurisdiction? to invest in European business-to-business (B2B) high-growth SaaS
companies (british-business-bank.co.uk/british-business-bank.co.uk/
Yes. Although in most cases cloud computing is not specifically british-business-bank-partner-notion-capital-launches-new-fund/;
mentioned, and eligibility for fiscal benefits, funding and other incentives www.notioncapital.com/about/; and https://notion.vc/portfolio/filter/
will depend on specific criteria for particular applications and uses of ICT, sector/cloud-services/).
it is clear that the incentives do extend to cloud computing and individual
elements of it. LEGISLATION AND REGULATION
Broadly, these incentives are directed at start-ups and early-stage
companies as well as more mature technology companies. They gener- Recognition of concept
ally cover: tax incentives for the companies themselves as well as their 8 Is cloud computing specifically recognised and provided for
investors, grant funding, contributions towards running costs and start- in your legal system? If so, how?
up and later-stage corporate development loans.
Specifically, these incentives include the following as a representa- Except as mentioned in question 9, no, not specifically.
tive sample.
Governing legislation
The Seed Enterprise Investment Scheme 9 Does legislation or regulation directly and specifically
Offering tax efficient benefits to investors in return for investment in prohibit, restrict or otherwise govern cloud computing, in or
small and early stage start-up technology businesses in the UK (www. outside your jurisdiction?
seis.co.uk/about-seis).
Yes, in respect of cybersecurity and resilience and cyber incident
The Enterprise Investment Scheme reporting. The Network and Information Systems Regulations 2018
Also offering tax benefits to investors in technology companies (www.legislation.gov.uk/uksi/2018/506/pdfs/uksi_20180506_en.pdf),
(https://www.gov.uk/guidance/venture-capital-schemes-apply-for-the- which implement the NIS Directive (2016/1148/ EU), specifically
enterprise-investment-scheme). govern a ‘cloud computing service’, meaning ‘a digital service that
enables access to a scalable and elastic pool of shareable computing
R&D tax credits resources’: regulation 1(2). Cloud service providers (CSPs) who fall
Available for both small and medium-sized enterprises (SMEs) and within the definition of a ‘relevant digital service provider’ (RDSP)
larger companies (at different levels), tax credits for qualifying R&D, must, broadly stated, take appropriate and proportionate technical and
which may include subcontractor costs, supporting software and SaaS, organisational measures to prevent and minimise the impact of cyber
and some hardware costs: https://granttree.co.uk/tax-credits/#r&d-tax. incidents and related risks to their systems. RDSPs are also required to
notify within 72 hours the UK Information Commissioner’s Office (ICO,
The Patent Box the regulator for these purposes) of any incident that has a substantial
Enables SMEs and larger companies to apply a lower rate of UK impact on the provision of the cloud services. The ICO has a range of
Corporation Tax to profits earned after 1 April 2013 from their patented enforcement powers, including the right to issue financial penalties for
inventions (www.gov.uk/guidance/corporation-tax-the-patent-box). material contraventions, up to a maximum of £17 million. RDSPs were
required to register with the ICO by 1 November 2018. There are excep-
Innovation funding tions for, among others, small or micro businesses.
For innovative products, processes or services, funding of between The ICO has issued a detailed and helpful Guide to the NIS Regulations,
£25,000 and £10 million is available. Innovate UK runs funding compe- which as a first step all CSPs operating in the UK should consult:
titions for projects led by UK-based companies. As at July 2019, https://ico.org.uk/for-organisations/the-guide-to-nis/. Included in
competitions include the opportunity to apply for a share of up to £25 the Guide are pointers to the cloud services to be governed by the
million to deliver ’ambitious’ or disruptive R&D innovations that can Regulations. The Guide states that PaaS and IaaS service models will
make a significant impact on the UK economy, and the chance to obtain be covered, but that SaaS will only be regulated to the extent that the
loans for ‘game-changing’ innovations with strong commercial potential service is ‘scalable and elastic’ and B2B. Readers are also referred to
that will significantly improve the UK economy (www.gov.uk/guidance/ the UK National Cyber Security Centre’s guidance at: www.ncsc.gov.
innovation-apply-for-a-funding-award and https://apply-for-innovation- uk/guidance/introduction-nis-directive.
funding.service.gov.uk/competition/search).
10 What legislation or regulation may indirectly prohibit,
Regional growth funds restrict or otherwise govern cloud computing, in or outside
Grants and loans of up to £1 million are available through regional your jurisdiction?
growth funds (RGF) programmes, namely schemes run by national or
local organisations that have been awarded RGF funds to offer grants In the UK, as business-to-consumer (B2C) and B2B IT services, cloud
and loans to eligible businesses. The schemes have invested a total of computing services will – depending on the scope of the services
£2.6 billion in eligible businesses since the launch of the RGF in 2010. and the circumstances and context of their supply – be subject to
Each RGF programme will have specific criteria for applications (https:// the legislation and regulation that apply to all similar IT services.
www.gov.uk/guidance/understanding-the-regional-growth-fund). Given the breadth and complexity of the cloud computing business
ecosystem in the UK, other participants in the provision of elements
The British Business Bank and enterprise capital funds of cloud infrastructure and in the cloud supply chain may be subject
The British Business Bank (TBBB) invests alongside venture capital to that legislation and regulation, too, for example a communications
funds (partners) under a rolling programme. Funding is aimed at smaller service provider supplying a transmission service enabling the CSP to

www.lexology.com/gtdt 81
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

communicate with a cloud customer, or the provider of cloud servers Providers (CIF Code) is relevant. Its stated purpose is ‘to bring greater
to a CSP. transparency and trust to doing business in the cloud’ – for an overview,
As such (and with applicable B2C cloud computing consumer- see www.cloudindustryforum.org/content/code-practice-cloud-service-
protection measures referred to under question 12 and data protection providers). The CIF Code could influence the choice of CSP by potential
law referred to under question 15), the following are likely to apply to customers, whether consumers or commercial organisations. CSPs
cloud computing (or elements of it) in the UK: claiming compliance with the CIF Code and the right to use CIF certifi-
• Digital Economy Act 2017 (www.legislation.gov.uk/ukpga/2017/30/ cation may, for validated infringement, face sanctions by CIF, including
contents/enacted – see question 6); publication of CIF’s findings on its website and press releases. So, while
• Investigatory Powers Act 2016 (as amended) (www.legislation.gov. the CIF Code does not have any public legal effect, it may be norma-
uk/ukpga/ 2016/25/contents/enacted – interception of communi- tive to the conduct of CSPs and it may influence the choice of CSP by
cations and retention of communications data, etc); commercial end users and consumers, as well as the public’s view of
• EU Dual-Use Regulation 2009, Council Regulation (EC) No 428/2009 certain CSPs – especially those who have contravened the CIF Code.
(and associated legal amendments) (www.gov.uk/guidance/ Finally, though it too is not legislation or public regulation, the
controls-on-dual-use-goods – regulates the export of dual-use role of the UK Advertising Standards Authority (ASA) is important in
technologies and software); the fast-growing cloud services market. The ASA’s role is to ensure
• Export Control Order 2008: www.legislation.gov.uk/ that all advertisements are ‘legal, decent, honest and truthful’ (www.
uksi/2008/3231/contents/made – controls on the export of mili- asa.org.uk/about-asa-and-cap.html). The ASA publishes codes that it
tary and certain other technologies and software; administers and under which it hears and rules on complaints. ASA
• Communications Act 2003 (www.legislation.gov.uk/ rulings are published weekly and are ‘a transparent record of what
ukpga/2003/21/contents – overall regulatory structure and is and isn’t acceptable’ in advertising. The rulings can remain on the
powers for communications and media in the UK, including the ASA website for five years (www.asa.org.uk/codes-and-rulings/rulings.
regulator, Ofcom); html.) Though ASA rulings do not have any legal effect, an adverse
• Export Control Act 2002 (www.legislation.gov.uk/ukpga/2002/28/ ruling may have significant commercial impact, especially if a business
contents – controls on the export of, among others, strategic is seen to be disregarding rules designed to protect consumers. And,
technologies); as a last resort, if advertisers persistently break the ASA codes and are
• Regulation of Investigatory Powers Act 2000 (www.legislation.gov. unwilling to change their practices, the ASA states that it can and does
uk/ukpga/2000/23/introduction – interception of communications refer those advertisers to enforcement agencies – who do have legally
and data retention, etc) as amended; and enforceable powers and the ability to impose legal sanctions – for
• Unfair Contract Terms Act 1977 (www.legislation.gov.uk/ further action, for example UK Trading Standards or Ofcom (the commu-
ukpga/1977 – makes unenforceable certain terms in B2B contracts nications regulator) (www.asa.org.uk/codes-and-rulings/sanctions.
that do not satisfy the requirements of ‘reasonableness’). html). It is worth noting that the ASA has in the past considered several
specific cloud computing-related advertisements and has found against
The above is not an exhaustive list, and readers should also consider advertisers (www.asa.org.uk/rulings/jdi-backup-ltd-a14-260786.html,
other areas covered by UK legislation and regulation, for example www.asa.org.uk/rulings/jdi-backup-ltd-a13-226451.html; www.asa.org.
regarding intellectual property rights and employment law, some of uk/rulings/jc-inc-a12-215093.html; www.asa.org.uk/rulings/uk-2-ltd-
which are covered below. a13-252423.html).
Apart from legal and regulatory enactments, particularly in
the context of cloud computing, readers should be aware of various Breach of laws
international law enforcement measures under treaty and applicable 11 What are the consequences for breach of the laws directly
EU measures that are likely to be relevant. These generally relate to or indirectly prohibiting, restricting or otherwise governing
cybercrime, criminal investigations and enforcement, and inter-state cloud computing?
mutual legal assistance in criminal matters (MLA). (See, for example:
the Council of Europe Convention on Cybercrime 2004, ETS No. 185 at For laws and regulations, the consequences of breach range from
www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185; contractual unenforceability and civil enforcement remedies to criminal
the Agreement on Mutual Legal Assistance between the United States of and regulatory fines, penalties and other sanctions. In some situations,
America and the European Union signed 25 June 2003 at ec.europa.eu/ company directors and senior executives may face personal sanctions.
world/agreements/prepareCreateTreatiesWorkspace/treatiesGeneral- (For the CIF Code and ASA codes, see question 10.)
Data.do?step=0&redirect=true&treatyId=5461&back=5441; and the UK’s
(then) proposed bilateral ratification of the Agreement on Mutual Legal Consumer protection measures
Assistance between the United States of America and the European 12 What consumer protection measures apply to cloud
Union signed 25 June 2003 at www.gov.uk/government/uploads/ computing in your jurisdiction?
system/uploads/attachment_data/file/238612/7613.pdf.)
Although beyond the scope of this section, readers will be aware For B2C cloud computing arrangements, the following main consumer
of the extraterritorial impact of the USA PATRIOT Act on cloud services protection measures will apply.
(www.wired.com/insights/2011/12/us-cloud). • the Electronic Commerce (EC Directive) Regulations 2002
To give readers a complete view, the same rules and principles (www.legislation.gov.uk/uksi/2002/2013/contents/made);
(including as to liability) that apply to consumer and commercial tech- • the Consumer Protection from Unfair Trading Regulations 2008
nology-related services contracts under the three UK jurisdictions (www.legislation.gov.uk/uksi/2008/1277/contents/made);
(England and Wales, Scotland, and Northern Ireland) will apply to cloud • the Consumer Contracts (Information, Cancellation and
computing contracts – again subject to the scope of the services and the Additional Charges) Regulations 2013 (www.legislation.gov.uk/
circumstances and context of their supply. uksi/2013/3134/contents/made); and
Although it is not legislation or public regulation, for the reasons • the Consumer Rights Act 2015 (www.legislation.gov.uk/
given below, the Cloud Industry Forum Code of Practice for Cloud Service ukpga/2015/15/contents/enacted).

82 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

Together these cover matters including distance selling, the provision services’ (www.fca.org.uk/publications/finalised-guidance/fg16-5-
of certain information to consumers, marketing and marketing claims, guidance-firms-outsourcing-%E2%80%98cloud%E2%80%99-and-other-
onerous and unfair contract terms and how they are presented, cancel- third-party-it; www.fca.org.uk/publication/finalised-guidance/fg16-5.
lation rights, ‘cooling-off’ periods, choice of law and venue for consumer pdf (FCA Cloud Guidance)). In July 2018, the FCA Cloud Guidance was
litigation. modified as mentioned below. While some regulatory objectives are
Other legislation includes: issued by the FCA and the PRA as ‘guidance’ (as opposed to rules), it
• the Financial Services and Markets Act 2000 (www.legislation.gov. would be a foolhardy regulated financial services organisation that
uk/ukpga/2000/8/contents (FSMA)); disregarded such guidance or diluted it too far in application.
• the Financial Services and Markets Act 2000 (Regulated Activities) Before outlining the FCA Cloud Guidance, it must be put in its
Order 2001 (www.legislation.gov.uk/uksi/2001/544/contents/ sectoral regulatory context. When financial services organisations
made); and (firms) regulated under FSMA (see question 12) by the FCA and PRA
• the Consumer Credit Act 1974 (as amended) (www.legislation.gov. engage in any IT, business process or other outsourcing, they must have
uk/ukpga/1974/39). regard to and, if applicable, comply with, the regulatory guidance and
rules governing that outsourcing. The PRA supervises banks, insurance
Together these regulate B2C credit terms, including any form of ‘finan- companies, building societies, credit unions and certain large invest-
cial accommodation’, and specify certain contract terms and restrictions ment entities. The FCA regulates the conduct of business of all financial
(with sanctions, including legal unenforceability except by court order), services organisations within its statutory jurisdiction, including those
the provision of certain kinds of information, the format of that informa- prudentially supervised by the PRA. Some outsource providers (who,
tion, ‘cooling-off’ periods and termination processes. incidentally, are also CSPs) are themselves authorised and regulated
The above are not exhaustive lists. by the FCA.
The Competition and Markets Authority (CMA), the UK’s primary The PRA and FCA rules are complex and their application to
competition and consumer authority, has historically taken a close outsourcing will depend on the nature of the firm (the outsourcing
interest in B2C cloud storage contracts, in particular to see if consumers customer), the financial services and related activities to be outsourced,
are being fairly treated when saving and storing their content online. and the impact of the proposed outsourcing. The main rules and guid-
The CMA found that some CSPs were using contract terms and prac- ance governing outsourcing by regulated firms are contained in the FCA
tices that it was concerned could breach consumer protection law (‘An Handbook and PRA Rulebook. There is also more general FCA guid-
open letter to cloud storage providers on complying with consumer law’, ance on outsourcing to meet FSMA compliance. These are the main
May 2016, www.gov.uk/government/uploads/system/uploads/attach- sources of prudential and operational provisions regulating outsourcing
ment_data/file/526355/open-letter-cloud-storage-providers.pdf.) The by financial services firms and regulated outsource providers in the
upshot was that several of the leading B2C cloud storage providers, UK. There are also specific outsourcing-related obligations on insur-
including Amazon, Apple and Microsoft, voluntarily modified their terms ance and reinsurance companies under the Solvency II Directive
for the benefit of UK consumers (www.gov.uk/government/news/ (2009/138/EC) and related subordinate rules and guidelines (https://
cma-secures-better-deal-for-cloud-storage-users). eur-lex.europa.eu/legal-content/EN/TXT/?qid=1563889385175&uri=
CELEX:02009L0138-20190113 and https://www.bankofengland.co.uk/
Sector-specific legislation prudential-regulation/key-initiatives/solvency-ii).
13 Describe any sector-specific legislation or regulation that The detailed rules governing outsourcing under the PRA Rulebook,
applies to cloud computing transactions in your jurisdiction. FCA Handbook, Solvency II Directive and Solvency 2 Regulations 2015
are beyond the scope of this section. In essence, though, the rules
The extent (if any) to which UK industry sectoral regulation may apply provide for what should be regarded as sensible outsourcing practice,
to cloud computing will require knowledge and the examination of having regard to systemic risk, initial diligence and ongoing operational
sector-specific legislation, regulations, guidance and regulatory and risk affecting the conduct of regulated business and the interests of
statutory codes of conduct. In the UK – and with the exception of the NIS business and consumer end-customers, and the needs of the regulators
Regulations referred to in question 9 and the following example – at the to supervise and intervene if necessary (for a fuller statement, see the
time of writing this chapter there is no regulation that applies specifi- FCA Handbook, Systems and Controls (SYSC), chapters, 3, 4, 8, 13 and
cally or directly to cloud computing as such. Where regulation is found 14: www.handbook.fca.org.uk/handbook/SYSC/).
to apply to a cloud computing project, the approval, licence or consent The Markets in Financial Instruments Directive (MiFID) II (2014/65/
– or at least the informal go-ahead – of a regulator may be required. EU), which repealed and recast the MiFID Directive (2004/39/EC)
Common sense and best practice dictate that, where applicable, the and (largely) entered into force on 3 January 2018, together with the
regulated entity should consult its regulator as soon as practicable and Delegated Regulation (2017/565/EU) (commonly referred to as the
as fully as possible. This should also be of concern to a CSP expecting MiFID Organisation Regulation or the MiFID Org Regulation), imposes on
to enter a cloud arrangement with a regulated customer. regulated firms a wide range of conduct of business and organisational
Only in the UK financial services sector has cloud computing been requirements. These include requirements relating to outsourcing, as
specifically addressed. Operational resilience, including outsourcing to well as more general record keeping and business continuity issues.
the cloud, has been identified as a cross-sector priority in the Financial The FCA handbook was updated to reflect these requirements.
Conduct Authority (FCA),’s annual regulatory business plans for the The European Banking Authority (EBA) published finalised
past several years. The FCA, Bank of England and Prudential Regulation Guidelines on Outsourcing Arrangements (EBA Guidelines) on
Authority (PRA) issued a joint Discussion Paper (18/4) in July 2018 25 February 2019: https://eba.europa.eu/documents/10180/2551996/
on operational resilience, which stressed the importance of under- EBA+revised+Guidelines+on+outsourcing+arrangements. The EBA
standing and mapping important third party providers. Issues identified Guidelines apply from 30 September 2019, and firms must amend
in the Discussion Paper will be developed into joint policy proposals existing outsourcing arrangements to comply with the EBA Guidelines
later in 2019. by 31 December 2021. They apply to credit institutions and invest-
In July 2016, the FCA issued its finalised FG 16/5 – ‘Guidance ment firms, as well as to authorised payment institutions and e-money
for firms outsourcing to the ‘cloud’ and other third-party IT institutions.

www.lexology.com/gtdt 83
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

The EBA Guidelines are divided into five sections, or Titles: (www.legislation.gov.uk/uksi/2011/99/contents/made and Payment
(I) Proportionality: group application and institutional protection Services Regulations 2009: www.legislation.gov.uk/uksi/2009/209/
schemes (setting out a principle of proportionality in application of contents/made; paragraph 3.6 FCA Cloud Guidance); and see also the
the EBA Guidelines, and requiring transparency within groups); (II) EBA Guidelines section 4, and paragraph 20 of the accompanying EBA
Assessment of outsourcing arrangements (defining ‘outsourcing’ Final Report. Overall, if the above kinds of functions are ‘outsourced’
and ‘critical or important’ functions); (III) Governance framework; to the cloud, firms in scope of the FCA Cloud Guidance will have more
(IV) Outsourcing process (setting out aspects to be included in an stringent duties with regard to management of operational risk in the
outsourcing agreement at a minimum for a critical or important func- transaction, as will CSPs in enabling firms to comply with their obli-
tion); and (V) Guidelines on outsourcing addressed to competent gations. In addition, firms must notify the FCA when entering into or
authorities. The governance framework in Title III requires: a holistic significantly changing material or critical cloud services arrangements
risk management framework, a written outsourcing policy, manage- (paragraph 3.7 FCA Cloud Guidance).
ment of conflicts, business continuity plans, internal audit and a In some cases, dual-regulated firms subject to the PRA’s preferred
register of information on all outsourcing agreements. EBA Guidelines resolution strategy will also have to consider resolution arrangements
on internal governance published in March 2018 should also be taken when entering into cloud services projects. These arrangements are
into account. designed to ensure continuity in distressed economic circumstances or
The EBA Guidelines replace the Committee of European Banking insolvency to ensure that ‘critical economic functions’ are maintained
Supervisors Guidelines on Outsourcing published in 2006, and incor- (paragraph 3.8 FCA Cloud Guidance and https://www.bankofengland.
porate the EBA Recommendations on Outsourcing to Cloud Service co.uk/financial-stability/resolution).
Providers (which were applicable from 1 July 2018). The FCA
Cloud Guidance was updated in July 2018, to confirm that the FCA Legal and regulatory considerations
Cloud Guidance does not apply to a bank, building society, desig- These include having a business case or rationale for the decision to
nated investment firm or IFPRU investment firm to whom the EBA outsource to the cloud and the use of one or more CSPs for the delivery
Recommendations are addressed: https://www.fca.org.uk/publica- of critical or important operational functions, or a material outsourcing;
tion/finalised-guidance/fg16-5.pdf. The FCA has confirmed that it will due diligence risk assessment of the proposed project; relative risks
keep its Cloud Guidance under review to assess what, if any, changes of each type of cloud service or deployment model (eg, private versus
are required, including as a result of Brexit. In the interests of space, public cloud); knowing where the CSP service and other relevant loca-
this section now focuses on the FCA Cloud Guidance. tions are situated; and the need to identify all service providers in the
The FCA Cloud Guidance is addressed to such firms (see previous cloud supply chain – to ensure that the regulatory requirements are
paragraph) ‘when outsourcing to the “cloud” and other third party IT met throughout the supply chain.
services’. As is evident from the FCA Cloud Guidance, for the FCA, not
only is cloud computing equivalent to outsourcing in its potential impact Risk management
on regulated firms, their operations and end-customers, but also it Including: conducting and documenting a risk assessment of the
sees the cloud ‘as encompassing a range of IT services provided in proposed cloud project; monitoring concentration risk, to avoid too
various formats over the Internet’ (paragraph 1.4 FCA Cloud Guidance). great a dependency on any one CSP; and understanding what action to
Accordingly, the FCA sees no distinction between private, public or take if the CSP failed.
hybrid cloud deployment (paragraph 1.4 FCA Cloud Guidance). And it
says that ‘[from] a regulatory perspective, the exact form of the service International standards
used does not, in itself, alter the regulatory obligations placed on firms’. Including: as part of due diligence, assessing the CSP’s adherence to
So, where a third party (including a CSP) delivers services on behalf of accepted international IT and service standards; and applying greater
a regulated firm, this is considered outsourcing. Firms therefore need standards of assurance when the functions concerned are critical or
to consider the relevant regulatory obligations and how they comply important or a material outsourcing.
with them.’ (Paragraph 3.3 FCA Cloud Guidance.)
The stated aim of the FCA Cloud Guidance is to facilitate adoption CSP oversight
of cloud computing in the regulated financial services sector, recog- Including: clarity about the allocation of responsibilities between the
nising the benefits of cloud computing and innovation in the sector. It firm and the CSP; the firm having an internal function responsible for
came about because firms and CSPs had told the FCA that they were the strategic and day-to-day management of the CSP; and ensuring
unsure about how to apply its Handbook outsourcing rules to the cloud: that the firm’s staff have sufficient skills and resources to oversee and
this uncertainty may have been acting ‘as a barrier to firms using the test the cloud services and properly manage an exit or migration from
cloud’ (paragraph 1.3 FCA Cloud Guidance). the existing CSP. In other words, this would mean firms having and
Apart from the regulated firms themselves, the FCA Cloud retaining specific cloud service management expertise.
Guidance is stated to be of interest to third-party IT providers, trade
associations and consumer groups, professional advisers and the audi- Data security
tors of regulated firms. Including: conducting a specific risk assessment; agreeing data resi-
In outline and focusing below on the most important aspects of the dency terms with the CSP, setting out contractually the locations
FCA Cloud Guidance for cloud computing, the regulated firm in scope of in which the firm’s data can be stored, processed and managed;
the FCA Cloud Guidance must have regard to the following. considering how the firm’s data will be segregated (for public cloud);
assessing the sensitivity of data and how the data will be transmitted,
Criticality or materiality of the cloud service stored and encrypted, where necessary – noting that encryption keys
Whether the function being processed under the cloud service is or other forms of authentication must be accessible to the FCA or PRA.
‘critical or important’ or ‘material’ and (for authorised payment insti-
tutions and authorised electronic money institutions) if it relates Data protection
to ‘important operational functions’. Each of these terms is defined Including: continuing compliance with data protection laws. Firms are,
in the FCA Handbook and the Electronic Money Regulations 2011 of course, required separately to comply with UK data protection law

84 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

(now the GDPR, as supplemented by the Data Protection Act 2018). In Resolution
that sense, though the data protection laws are separate, the FCA Cloud This guidance will only apply to certain firms (see ‘Criticality or mate-
Guidance forms part of the firm’s compliance with its duties as a regu- riality of the cloud service’ above). In this context, the main aspect of
lated firm. Firms should consider the UK Information Commissioner’s the resolution and recovery arrangements and the Bank of England’s
guidance concerning the transmission of personal data outside the ‘stabilisation’ powers that will concern firms, CSPs and providers within
European Economic Area (EEA). the cloud supply chain is this: neither financial distress or insolvency
leading to resolution, nor the change of ownership or control of the firm
Effective access to data following that event, will enable the CSP or a cloud supply chain provider
‘Data’ is used here in its widest meaning. Firms should ensure that the to terminate the contract or the provision of cloud services. Moreover,
cloud computing arrangement has addressed the following: access for the CSP and its supply chain may have to provide the cloud services
the firm, their auditors, the regulators and other competent authorities to the resolution successor entity or firm for a transitional period. The
to the firm’s data; contractual ability for the regulators to contact the CSP (and by implication providers in its supply chain) must agree not to
CSP directly where the firm cannot for any reason disclose the data; delete, revoke or change the firm’s data in the case of resolution.
ensuring that the data is not stored in jurisdictions that may prevent
or inhibit effective access for UK regulators; geopolitical stability as Exit planning
it concerns the data; whether the CSP’s jurisdiction provides for data Including: firms having contractually documented exit plans and termi-
protection; the law enforcement provisions of the relevant jurisdiction nation assistance arrangements to ensure continuity, and these plans
or jurisdictions where data is to be processed, for example, whether being ‘fully tested’; firms understanding how they would migrate the
and how easily the authorities in the CSP’s jurisdiction may intervene cloud services to an alternative CSP and maintain business continuity;
in accessing the firm’s data. contractually requiring the CSP (and by implication its supply chain) to
cooperate fully with the firm and the incoming CSP to ensure a smooth
Access to business premises transition; the firm understanding how it could and would remove its
‘Premises’ here include head offices and operations centres, but not data from the CSP’s systems on exit.
necessarily data centres. The guidance includes: knowing which CSP The aim of the FCA Cloud Guidance is to help overcome the
or supply chain premises are relevant for the cloud services and barriers created by the perceived regulatory uncertainty in the adop-
effective oversight of them (the FCA recognising that CSPs may have tion of cloud computing by UK financial services firms. As the FCA says:
legitimate reasons for limiting access to some sites, eg, data centres); ‘We see no fundamental reason why cloud services (including public
providing for the unrestricted contractual and legal ability for the firm cloud services) cannot be implemented, with appropriate consideration,
or its auditors to request an onsite visit to the business premises – on in a manner that complies with our rules.’ (Paragraph 1.6 FCA Cloud
reasonable prior notice, except in the case of an emergency or crisis; Guidance.)
enabling visits by the financial services regulators or other competent The UK banking sector trade body, UK Finance, sponsored the
authorities as they deem necessary and required by law or regula- creation of a public cloud computing framework in February 2019.
tion, without any conditions being imposed; having the CSP commit The framework consists of 44 controls, with each control mapped to
contractually to cooperating with all reasonable requests of the regu- one of nine domains and one of 11 risks associated with the manage-
lators during such visits; affording the regulators the right to observe ment of cloud computing as a service. The controls are derived from
the provision of the cloud services to the firm or any of its affiliates analysis of UK Finance members’ control sets and in collaboration with
(although the regulators may commit to minimising disruption to the CSPs, cross-checked for compliance against various industry stand-
CSP’s operations). ards as well as the EBA Guidelines. My own experience and that of
my colleagues shows that, despite laudable efforts by the regulators
Relationship between service providers and industry bodies to help firms around financial services regulatory
Including: considering how the cloud supply chain is constructed and hurdles in adopting the cloud, there are still significant concerns about
operates; enabling the firm to review subcontracting and other supply the compatibility of cloud computing with regulatory compliance. In
chain arrangements to ensure that they facilitate the firm’s compliance February 2017, the British Bankers’ Association (now UK Finance), iden-
with its regulatory requirements, including security, effective access tified seven barriers to cloud adoption:
to data and business sites; understanding the roles of CSPs within • the regulatory approach to ‘important’ and ‘critical’ functions;
the supply chain; knowing how a CSP’s services will interface with the • supervision and oversight;
firm’s own systems or other necessary third-party systems (eg, agency • the risk framework;
banking arrangements for payments). • access to CSP sites and services by regulators;
• data residency;
Change management • termination; and
Including: ensuring that contractual and operational provision is made • data breaches and monitoring.
for changes to the cloud services; and establishing how changes will
be tested. Most of these concerns will be identifiable from the FCA Cloud Guidance
summarised above and look likely to remain of concern to the financial
Continuity and business planning services sector in the immediate future.
Including: providing contractually and operationally for appropriate
arrangements for the continuity of functions and the ability of the Insolvency laws
firm to meet its regulatory obligations in the event of an ‘unforeseen 14 Outline the insolvency laws that apply generally or
interruption’ of the cloud services; having a plan documenting the specifically in relation to cloud computing.
continuity, business interruption and recovery arrangements; regular
testing of the business continuity plan; and putting in place contractual There is no specialist insolvency regime for cloud computing. The primary
and operational measures to ensure regulatory access to data in an UK insolvency regime is set out in the Insolvency Act 1986 (www.legisla-
insolvency or other disruption of the cloud services. tion.gov.uk/ukpga/1986/45/contents) and the Insolvency (England and

www.lexology.com/gtdt 85
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

Wales) Rules 2016 (www.legislation.gov.uk/uksi/2016/1024/contents/ following focuses on certain elements of the GDPR that are new to data
made) (both as amended). For an overall guide to the UK insolvency protection law or that have particular significance for cloud computing.
regime, see www.pwc.co.uk/assets/pdf/insolvency-in-brief.pdf. This outline is not, therefore, exhaustive. References below to articles
The rules that govern the insolvency of a CSP or a cloud customer, are to the articles of the GDPR.
as well as those governing how corporate insolvencies are managed
and disposed of, are complex. And experience in the UK has shown just Territorial scope
how difficult it can be for cloud customers when a CSP suffers financial The GDPR applies to the processing of personal data within the context
distress and insolvency. In early 2013, UK CSP 2e2 went into administra- of the activities of an establishment of a controller or processor in the
tion and subsequently liquidation (http://diginomica.com/2015/01/06/ EU, regardless of whether such processing takes place in the EU or
cios-worst-nightmare-cloud-provider-goes-bankrupt/). As a result, UK not. Clearly, the GDPR applies to the processing of personal data of
CSP customers are advised to consider carefully: a controller or processor in the EU; in addition, draft guidelines from
• the selection of their CSP; the European Data Protection Board at the time of writing indicate
• ongoing monitoring of the financial robustness of the CSP; and that ‘within the context of the activities’ is capable of a wider meaning
• the terms of their cloud service contracts, including ownership of depending on the context itself. This developing area will be of interest
the customer’s tangible and intangible assets, exit arrangements to CSPs. The GDPR will also apply to the processing of personal data
and data migration where the CSP suffers financial distress or of data subjects in the EU by data controllers and processors with no
insolvency. EU establishment where the processing relates to offering goods and
services (free or for payment) to EU data subjects, or to monitoring the
In addition, CSPs and other IT providers operating in the UK need to behaviour taking place in the EU of such data subjects (article 3(2)).
be aware of legislation that could severely restrict their ability to with- The GDPR applies, therefore, to CSPs (assuming them to be either
draw service from insolvent customers, terminate supply contracts processors or controllers) without sites in the EU, if they meet either
or demand higher payments for continuity of supply. The legislation or both of the above tests. Certain controllers or processors (including
overrides conflicting terms in a supply contract – see sections 233 CSPs) will have to appoint a local EU representative for legal enforce-
and 233A of the Insolvency Act 1986 (as amended by the Insolvency ment purposes (article 27).
(Protection of Essential Supplies) Order 2015 (www.legislation.gov.uk/
uksi/2015/989/article/2/made). The amendments introduced by the Data controllers
2015 Order ensure that, like utility services, ‘communication services’ Generally – though it should not always be assumed – in B2B cloud
and other IT supplies will now be treated as essential supplies. ‘IT computing the customer will be the controller, determining the
supplies’ include a ‘supply of goods and services . . . for the purpose purposes and means of the processing of personal data (article 4(7)).
of enabling or facilitating anything to be done by electronic means’, It will be in the interests of CSPs to ensure that this characterisation
specifically including computer hardware and software; information, continues under the GDPR, as ultimately the controller will be bound by
advice and technical assistance in connection with the use of informa- more stringent duties than the processor. The challenge in B2C cloud
tion technology; data storage and processing; and website hosting – in computing, especially for social media and network services, is how
other words, they are wide enough to cover cloud computing services. CSPs ensure that their standard public cloud contract terms maintain
The regime prevents suppliers of ‘essential supplies’ (water, consumer customers as controllers – if indeed the legislation applies
electricity, gas, communication services and other IT supplies) from to those consumer contracts at all.
requiring payment of pre-insolvency charges as a condition of contin- The controller, or cloud customer, will be primarily liable for
uing to provide supplies in specified formal insolvency situations. In lawful processing, including implementing appropriate technical and
addition, where a customer enters either administration or a company organisational measures to ensure, and be able to demonstrate, that
voluntary arrangement, the regime locks the CSP into the pre-insol- processing is performed in accordance with the GDPR, including
vency contract (subject to certain safeguards) to prevent the CSP from ongoing reviews and the updating of those measures (article 24(1)).
terminating supply, terminating the contract or increasing prices. Cloud customer-controllers must, therefore, be able to demonstrate
that processing performed on their behalf by CSPs is compliant, which
DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION in turn will mean having to satisfy themselves that CSP contract terms
facilitate the controller’s obligations.
Principal applicable legislation Controllers should only engage processors who provide sufficient
15 Identify the principal data protection or privacy legislation ‘guarantees’ to implement appropriate technical and organisational
applicable to cloud computing in your jurisdiction. measures in such a way that the processing will meet the require-
ments of the GDPR and ensure the rights of data subjects (article
The main data protection and privacy legislation in the UK comprises 28(1)). This raises important questions for cloud customer due dili-
the GDPR and the Data Protection Act 2018 (DPA). The DPA is the UK’s gence in appointing CSPs. In some cases, for example regulated
implementation of the GDPR; although the DPA also supplements the financial services firms deciding to engage CSPs for their operations,
GDPR in certain areas. It is the successor to the previous Data Protection this aspect of the decision will almost certainly have to be documented
Act 1998. The ICO issued, for organisations rather than members of the (see question 13).
public, specific guidance on the use of cloud computing. Although this The controller may refer to the adherence to approved codes
guidance has not yet been updated to reflect the DPA, the ICO states of conduct under article 40 or to approved certification mechanisms
that it ‘still considers the information useful’. At the time of writing, the under article 42 for the purpose of demonstrating compliance with its
ICO has confirmed that the guidance will be updated soon. GDPR obligations (for the current European Union Agency for Network
The following section outlines the likely and most direct impact on and Information Security (ENISA) framework see www.enisa.europa.
cloud computing in the UK of the GDPR and the DPA. eu/news/enisa-news/enisa-cloud-certification-schemes-metaframe-
General knowledge of the principles of the GDPR and the termi- work/). We should expect to see the development by CSP industry
nology used in that legislation is assumed. It is beyond the scope of organisations of cloud-specific codes of conduct and certification
this section fully to cover the contents and operation of the GDPR. The mechanisms, for example, the CIF Code referred to under question

86 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

10; although such codes and certification mechanisms will have to be resilience of processing systems and services; the restoration and
approved. availability of data following ‘physical or technical’ incidents; and
Although article 28 is headed ‘Processor’, it is clear that some of regular security testing (article 32(1)). The economics of cloud
the obligations it imposes, for example, under article 28(1), are directed computing – especially in public cloud deployment models – are
to and will be the primary responsibility of controllers. And so it is with likely to be challenged by these requirements.
article 28(3), which requires not only for there to be a binding contract • Under article 33(2), the processor must notify the controller
between the controller and processor governing data processing, but ‘without undue delay’ after becoming aware of a personal data
also for that contract to stipulate a range of specific provisions (article breach. This must be seen in the context of the controller’s new
28(3)(a)–(h)), including, for example: that processing will only be in obligation to notify its supervisory authority – except for breaches
accordance with the controller’s documented instructions, including unlikely to compromise data subjects’ rights – without undue
with regard to third country data transfers; confidentiality undertakings delay and, where feasible, not later than 72 hours after becoming
by all those authorised to process the data; controls on the engage- aware of a data breach, including details surrounding the breach
ment of sub-processors (see below); and processor obligations to assist (article 33(1) and (3)). CSP processors are often therefore required
the controller in ensuring compliance under articles 32 to 36 regarding to support B2B customer controllers in breach management and
its obligations of data security, pseudonymisation and encryption, data notification, which will in turn need to be reflected in cloud arrange-
breaches and notifications, and data protection impact assessments. ments and contracts.
Cloud customers and CSPs must address these requirements in their
cloud computing contracts, whether on the CSP’s standard contract Sanctions and remedies
terms or otherwise. Article 28(8) provides that both regulators and Under the GDPR controllers and (as mentioned above) processors will
the European Commission may adopt standard contractual clauses be directly accountable and liable for non-compliance, both to data
(SCCs) covering the requirements of article 28(3); no such clauses subjects and regulators. The allocation of responsibility and liability
have been adopted by the European Commission or the Information for infringements as between cloud customers and CSPs has, there-
Commissioner’s Office to date. We should expect that any SCCs adopted fore, assumed even greater importance in B2B and B2C-related cloud
will be focused on compliance with the legislation’s requirements, and contracts – particularly because of the extent and scale of the GDPR
may not be suitable for CSPs or customers wishing to accommodate sanctions and remedies.
commercial issues in their drafting. Any person who has suffered ‘material or non-material’ damage
as a result of an infringement will have a right to receive compensation
Processors from the controller or processor (article 82(1)). Controllers will remain
As stated above, in B2B cloud computing, the CSP is usually likely to liable overall for such damage, while processors will only be liable
be – and to prefer to be – the entity processing personal data on behalf where they have not complied with the GDPR obligations specifically
of the controller, namely the processor: article 4(8). Among the changes directed to them or where they have acted outside or contrary to the
to data protection law made by the GDPR is that processors – hence lawful instructions of controllers (article 82(2)).
CSPs – are for the first time directly accountable for and liable to data Administrative fines will depend on the gravity of the
subjects and regulators for infringements. Aside from the need for a non-compliance (article 83(2) (a)–(k), 83(3)). There are two tiers of fine
binding contract between the controller and processor with its various for specified infringements: a lower level of up to €10 million or, in the
contractual stipulations (see above), additional requirements imposed case of businesses, up to 2 per cent of the preceding financial year’s
on processors will include the following. worldwide annual turnover, whichever is higher (article 83(4)); and
• Processors must not engage sub-processors without the control- an upper level of up to €20 million or, in the case of businesses, up to
ler’s prior specific or general written authorisation, including 4 per cent of the preceding financial year’s worldwide annual turnover,
changes to sub-processors after general written authorisation whichever is higher (article 83(5)).
has been given – so giving the controller the opportunity to object There are other processes and sanctions available for
to those changes: article 28(2). This could clearly have a material non-compliance under both the GDPR and the DPA, including audits,
impact on cloud supply chains and changes to them. Moreover, access rights, reprimands and administrative orders (article 58).
where a processor has engaged sub-processors, it must impose
by contract the same data protection requirements on those sub- Cross-border data transfers
processors as apply in the controller-processor ‘head’ contract, in These rules are dealt with in articles 44 to 50. As applied to cloud
particular to ensure that sub-processors provide sufficient ‘guar- computing and cloud supply chains, they are an important part of
antees’ to implement appropriate technical and organisational the GDPR’s regulation. Personal data transfers to recipients in ‘third
measures to meet the requirements of the GDPR. Processors will countries’ continue to be closely regulated, broadly to ensure that the
be liable to controllers for the acts and omissions of sub-proces- level of data protection for data subjects is not undermined (article 44).
sors (article 28(4)). Overall, the GDPR framework for such transfers is similar to that under
• Processors must keep a written or electronic record of all catego- the previous Data Protection Act 1998 and Data Protection Directive,
ries of processing activities undertaken for a controller (article with some useful new compliance measures, including the ability of
30(2)). There is an exemption for organisations employing fewer data exporters to demonstrate compliance through approved codes of
than 250 employees, with certain exceptions (article 30(5)). conduct and approved certification mechanisms (article 46(2)). Breach
• There is a specific requirement for processors to cooperate with of these provisions will be a non-compliance issue for which the upper
data protection supervisory authorities (article 31). tier of administrative fines can be imposed (see sanctions and remedies
• Another new set of obligations on processors relates to data above). Both controllers and processors will be liable to non-compliance
security and breach reporting. In their own right, processors proceedings.
must – having regard to the state of the art, costs, risk, etc – Uncertainty looms over the adequacy of the SCCs (also known
implement appropriate technical and organisational measures to as model clauses) approved by the European Commission as a means
ensure data security, including the pseudonymisation and encryp- of ensuring adequate protection of personal data when transferred to
tion of personal data; the confidentiality, integrity, availability and recipients in third countries. The Schrems II litigation (Facebook Ireland

www.lexology.com/gtdt 87
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

& Schrems (Case C-311/18)) (Schrems II), the opening arguments of could in certain circumstances ultimately result in the legal ineffective-
which were heard in July 2019, concerns whether these clauses provide ness or unenforceability of certain contract terms and lead to regulatory
a sufficient degree of protection for personal data transferred to the US. intervention.
The SCCs are the most widely used international transfer mechanisms The answers to questions 17 to 22 are based on a review and
for personal data, meaning that a ruling by the Court of Justice of the knowledge of a limited, but meaningful, range of B2B public cloud
European Union (CJEU) invalidating the clauses would have a wide- service agreements (CSAs) and related documents proposed by the
ranging impact on businesses. The CJEU’s judgment is expected to be major international CSPs that are available from public resources.
handed down in early 2020. It is beyond the scope of this work to survey a much wider range of
such contracts or to segment them by deployment model, service
Privacy Shield model or specific cloud services within each service model. (Readers
Adopted by the European Commission in July 2016 (http://europa.eu/ are referred to the work of leading UK academics, including Cloud
rapid/press-release_IP-16-2461_en.htm), this applies to EU–US data Computing Law, Christopher Millard (ed), (Oxford University Press
transfers and is relevant for cloud computing in EU–US and related 2013), noting that, inevitably there will have been changes to CSA
trade. Microsoft claimed to be the first US CSP to appear on the US practice and terms since. I also wish to acknowledge the excellent
Department of Commerce’s list of Privacy Shield certified entities reports and other deliverables produced by the (now decommissioned)
(https://azure.microsoft.com/en-gb/blog/microsoft-cloud-is-first-csp- SLALOM Project teams, which I used to sense-check my own review
behind-the-privacy-shield/). At the time of writing, the Privacy Shield is of the CSAs referred to above. SLALOM documentation is recom-
also under threat, as the European Parliament has issued a resolution mended reading for this area and may be downloaded from the links
requesting that the European Commission suspend the Privacy Shield at: https://cordis.europa.eu/news/rcn/134076_en.html, using ‘slalom’
until such time as the USA can demonstrate full compliance with its as a search term.
terms and this mechanism is also susceptible as a result of the Schrems The answers below do not identify CSPs by name;: they reflect a
II litigation referred to above. composite, high-level, view of the CSAs and related materials reviewed.
Moreover, they do not attempt to assess the reasonableness, fairness
Access to EU personal data by third country governments or validity of the terms outlined. Here, I adopt the approach taken by the
In the light of the Snowden disclosures and the litigation that followed SLALOM Project team: readers will be aware that, in assessing these
them (eg, Microsoft v United States, No. 14-2985 (2d Cir. 2016) http:// matters, much will depend on the context of the service and deployment
law.justia.com/cases/federal/appellate-courts/ca2/14-2985/14-2985- and service model or models adopted, the relative bargaining strength
2016-07-14.html), it is worth noting that article 48 of the GDPR contains of the parties, the economic basis of the cloud arrangement, cost or
specific safeguards against third country governments’ access to EU no-cost, and whether it is a beta product or service, etc.
personal data. Any third country judgment or administrative decision The European Commission actively promotes the development
requiring a controller or processor to disclose EU personal data will only and use of fair standard cloud computing contracts and there will be
be enforceable if it is based on an international agreement, for example further developments under this initiative (see https://ec.europa.eu/
a mutual assistance treaty between that third country and the EU or digital-single-market/en/cloud-select-industry-group-service-level-
a member state. (See also question 10 on MLAs; and the Agreement agreements).
on Mutual Legal Assistance between the United States of America and Finally, the role of international standards will be ever more impor-
the European Union signed 25 June 2003 at http://ec.europa.eu/world/ tant as applied to cloud computing services, service level agreements
agreements/prepareCreateTreatiesWorkspace/treatiesGeneralData. (SLAs) and CSAs (see for cloud computing and distributed platforms
do?step=0&redirect=true&treatyId=5461&back=5441.) ISO/IEC JTC1 SC38, https://www.iso.org/committee/601355.html).

CLOUD COMPUTING CONTRACTS Typical terms for governing law

17 What are the typical terms of a B2B public cloud computing
Types of contract contract in your jurisdiction covering governing law,
16 What forms of cloud computing contract are usually adopted jurisdiction, enforceability and cross-border issues, and
in your jurisdiction, including cloud provider supply chains (if dispute resolution?
applicable)?
With limited exceptions, the governing law of the CSP’s home jurisdic-
It follows from the answer to question 1 that, in the UK, contracts cover tion or a chosen regional location will apply. For certain purposes, for
the full range of cloud service and deployment models and reflect the example, EU data protection SCCs, the choice of governing law and
UK’s large and sophisticated cloud business ecosystem, including CSP jurisdiction may be those of the customer’s location. Courts (rather
supply chains. than arbitral tribunals) competent in the CSP’s jurisdiction are most
One aspect of cloud contracting that tends to cause difficulties commonly chosen. US CSPs usually require all customers to commit
for cloud customers is where, as is typical, cloud contract formats are to compliance with applicable US export controls, sanctions and related
modular. This means that the provisions of the contract must be located laws and regulations.
from a combination of offline and online sets of terms or – more typi-
cally – from a combination of multiple online sets of terms, policies, Typical terms of service
etc, which users must access by clicking on different hypertext links. 18 What are the typical terms of a B2B public cloud computing
These sets of terms are then assembled and stipulated by the CSP to contract in your jurisdiction covering material terms, such
form the entire contract. In my experience, these formats and contract as commercial terms of service and acceptable use, and
processes make it difficult even for sophisticated corporate customers variation?
to ascertain the full extent of cloud contracts and, in some cases, to
determine what terms will govern them. In B2C contracts, and possibly Pricing and payment
where B2B cloud customers are negotiating on CSP standard terms Pricing will, of course, vary depending on the deployment and service
of business, this difficulty in ascertaining applicable contractual terms model offered, and whether the contract is formed on- or offline. Some

88 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

CSPs reserve the right to vary charges for existing services. There • the application of technical and security features provided to the
are usually remedies for late payment, including interest and, in some customer to enable it to comply with the technical and organisa-
cases, the right for the CSP to suspend service for payment defaults. If tional measures required by the GDPR;
the customer defaults on payment when due, all CSAs reviewed entitle • deeming of ‘documented’ customer instructions to the CSP with
the CSP to terminate them (see question 22). regard to the CSP’s processing of customer data in accordance
with the GDPR;
Suspension of service by the CSP • confidentiality obligations of the CSP in relation to customer data;
It is common to see suspension rights in addition to specific termination • terms for the handling of data subject access requests;
rights (and sometimes for the same or overlapping triggering events). • detailed operational security provisions, including security breach
The most typical cause for suspension is where there has been a breach notification obligations on the CSP;
by the customer or an end user of the acceptable use policy (AUP – see • CSP data security certification and audits;
below), which will usually include the customer or an end user causing • provision for the transfer of personal data outside the EEA, with the
security risks to the cloud service, the CSP or other cloud service users, incorporation of the SCCs accordingly;
or infringing third-party rights. Suspension may be on notice or, where • the return or deletion of customer data on termination of the CSA;
urgent (as in the case of security risks), without notice. In some cases, • obligations relating to record keeping of all processing activities; and
the customer will remain liable to pay the charges during the suspen- • terms ensuring the processor’s cooperation with the relevant regu-
sion period, while service credits (see below) will not accrue. lator in the performance of their duties.

Acceptable use policy As at the time of writing, there have been no reported legal challenges
The CSAs of all the major CSPs contain an AUP: it has become one of emanating from the UK to CSP GDPR terms.
the defining features of CSAs in the UK as elsewhere. Readers will be
familiar with the standard terms of AUPs, which address conduct by Typical terms covering liability
both customers and their end users in using the cloud services, and will 20 What are the typical terms of a B2B public cloud computing
include prohibitions on: contract in your jurisdiction covering liability, warranties and
• illegal activities of any kind; provision of service?
• violation of any third-party rights;
• gaining or attempting to gain unauthorised access to any networks, Liability
systems, devices or data; Understandably, all CSAs contain limitations and exclusions of liability:
• unauthorised disruption of any networks, systems, devices or data; some are written from a US perspective, while others are localised.
• sending unsolicited messages or marketing; and The CSP’s liability is commonly limited (sometimes mutually) to the
• distributing malware. amount of charges paid by the customer – usually during the 12 months
preceding the event giving rise to liability. Liability caps of this kind
As stated above and under question 22, breach of the AUP may entitle are sometimes tiered by reference to different services, for example
the CSP to suspend or terminate the CSA – in some cases, the breach the greater of a specified monetary amount or the total charges paid,
of a single end user could result in suspension or termination. Other depending on the service.
CSAs contain indemnities for AUP breaches. Where the AUP has been Some CSAs exclude from this limitation the CSP’s liability for third-
breached, or the CSP suspects it has been breached by illegal conduct, party IPR infringements (whether under an indemnity or otherwise),
the CSP may report those activities to the authorities or interested third and for confidentiality and data protection breaches.
parties and reserve the right to cooperate with them. It is common for CSAs to exclude liability:
• in general for indirect, consequential, incidental, exemplary, puni-
Variation tive or special losses or damages (even if some of those kinds of
One of the more disquieting terms of CSAs in the UK as elsewhere is loss or damages are not recognised in the UK jurisdictions); and
that CSPs may without the customer’s consent vary cloud services, • for a range of specific losses, including loss of revenue, loss of
SLAs and other terms of the CSA – usually without any justification and profits, loss of customers or goodwill, loss of use of data, loss of
in some cases even without the obligation to notify customers before- anticipated savings, loss of the use of the cloud service, etc.
hand. Typically, when exercised, variation does not entitle the customer
to terminate the CSA. Some CSAs disclaim liability for unauthorised access to, and for loss
or destruction of, uploaded content and data. In other cases, CSAs will
Typical terms covering data protection acknowledge the CSP’s liability for content or data loss where the CSP
19 What are the typical terms of a B2B public cloud computing has failed to meet its own security obligations. Many CSAs require
contract in your jurisdiction covering data and confidentiality customers to take responsibility for making backup copies of their own
considerations? content and data or otherwise mitigating their own risks in using the
cloud service.
To reflect the entry into force of the GDPR, all the major CSPs operating
within, or providing services to, the EEA introduced detailed data protec- Warranties and provision of service
tion and processing terms for incorporation into their CSAs, in some Some CSAs contain a CSP warranty that it will deliver the services in
cases in separate addenda or supplements. accordance with the SLA or some other service description. Some CSAs
Typically, the GDPR-related terms include: state that cloud services are provided ‘as is’. Almost invariably, any other
• the allocation of processor and controller roles and functions express or implied warranties (eg, as to fitness for purpose, satisfactory
between the customer and the CSP, with the CSP as processor and quality, non-infringement) are disclaimed to the extent permitted by law.
with the right for the CSP to appoint sub-processors (subject to the Some CSPs specifically exclude any express or implied warranty that
customer’s right to object to the appointment of new sub-proces- the operation of the cloud service or software made available through it
sors and with concomitant sub-processor obligations); will be uninterrupted or error-free.

www.lexology.com/gtdt 89
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

Also, typical of many CSAs is that customers will not be entitled to to contain force majeure provisions excusing the CSP’s performance in
claim for service unavailability for scheduled or unscheduled downtime such cases. This is a feature of CSAs in the UK, US and elsewhere (see
or other service interruptions. the useful report, Public Cloud Service Agreements: What to Expect
and What to Negotiate Version 2.0 produced by the US Cloud Standards
Indemnities Customer Council, www.cloud-council.org/deliverables/CSCC-Public-
It is common for the customer to have to indemnify the CSP against the Cloud-Service-Agreements-What-to-Expect-and-What-to-Negotiate.
customer’s and any end user’s: pdf, which may at the time of publication have been updated and avail-
• act or omission or use of the cloud service that infringes any third able online).
party’s rights; Usually, the customer is expected or obliged to make its own
• breaches of the CSA generally and the AUP specifically; backup arrangements to ensure continuity. Sometimes, CSAs will refer
• infringement of applicable law; to CSPs having their own disaster contingency plans for their data
• creation or use of uploaded content; and centres, using redundant processing and storage capacity to back up
• in each case where the act, omission, use, etc, gives rise to data held in those data centres, but without any contractually binding
claims, costs, losses, and so on. commitment to implement such plans.

Where there are detailed data processing provisions, including data Typical terms covering IP rights
transfer agreements (see question 19), some CSAs will provide for 21 What are the typical terms of a B2B public cloud computing
customer indemnification of the CSP against breach of data protection contract in your jurisdiction covering intellectual property
law caused by the customer or an end user. rights (IPR) ownership in content and the consequences of
For the CSPs’ obligations to indemnify or (quite commonly) to infringement of third-party rights?
defend the customer against third-party IPR infringement claims or
final judgments, see question 21. Typical terms are as follows.
• The customer usually warrants that it owns or has all necessary
Service availability, quality, service levels and service credits rights to use its content (eg, software, data) processed by the
Many B2B public cloud CSAs contain or incorporate by reference cloud service or to grant any licences to the CSP under the CSA,
specific SLAs as applicable to the service modules provided to the and that its content or end users’ use of the customer’s content
customer. (For an example of CSA service levels applied by the major will not breach the AUP (which may entitle the CSP to suspend or
CSPs (and some others), readers are referred to the SLALOM Project’s terminate the CSA).
documentation available from the links at: https://cordis.europa.eu/ • The customer retains IPR in the contents uploaded or created by
news/rcn/134076_en.html, using ‘slalom’ as a search term. it in using the cloud service. The CSP may use the contents to
The application of specified service credits is usually expressed provide the cloud service or to comply with regulatory or govern-
to be the sole and exclusive remedy for service-level breaches. Some mental directions or orders.
CSPs make specific claims or promises about their levels of service • The CSP may use without restriction any suggestions for improve-
and are willing to enable the customer to terminate the CSA for stipu- ments to the cloud service made by the customer, in some cases,
lated breaches of those service levels, subject to following mandated with an obligation to assign ownership in such suggestions
procedures for doing so, with repayment of any prepaid charges. Many to the CSP.
CSAs contain caps on the maximum amount of service credits allow- • The CSP reserves rights in all IPR relating to its cloud services,
able in a specified period. including IPR in the applications and infrastructure used in
Commonly, CSAs do not provide specific SLA breach reporting providing the services.
mechanisms, which would of course make monitoring and enforcing • If the cloud services are found, or understood by the CSP, to
the SLA or service credit regime difficult for the customer. In other situ- infringe any third-party IPR, the CSP may at its discretion, and
ations, customers are required, within stipulated deadlines, to follow usually as a preferred remedy, procure the necessary rights for
specified procedures to report the service level breaches, as well as customers to continue using the services, modify the services
providing details of them for verification by the CSP, who may retain so that they become non-infringing without any material loss of
the option of rejecting the customer’s claim. functionality, or provide equivalent services in substitution for
Some CSAs entitle the CSP unilaterally to vary the SLAs and the infringing services – or failing that, to terminate the cloud
service credits. services concerned. In some cases, instead of the above ‘work
It is usual for CSAs to exclude the operation of the SLA, where around’ language, the CSP will undertake to defend or indemnify
for example: the customer against the claims, costs, losses, etc, arising from
• there is a force majeure event; final judgments. Where CSAs are governed by the laws of a US
• the customer or an end user is in breach of the AUP or other terms jurisdiction, customers may find that the obligation to defend
of the CSA; does not include the obligation to indemnify – though this is, of
• the services have been lawfully suspended; course, to be determined under the relevant US jurisdiction if
• the service outage is attributable to technology not provided by validly chosen.
the CSP; and
• the CSP’s systems are down for maintenance. Typical terms covering termination
22 What are the typical terms of a B2B public cloud computing
See also question 20 under ‘Warranties’. contract in your jurisdiction covering termination?

Business continuity and disaster recovery CSAs may allow termination for convenience on specified notice for
In general, unless the CSP is providing a cloud-based business conti- both the customer and the CSP.
nuity service, CSAs do not contain any, or in any detail, business Either party will usually have a right to terminate for the (unrem-
continuity or disaster recovery terms – although it is typical for CSAs edied) material breach of the other, change of control of the other, or

90 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

the insolvency of the other. There is often also a range of specific rights In the UK, the most relevant trigger for TUPE in the context of
of termination by the CSP, including: cloud computing will be where an in-house IT service ceases to be
• non-payment by the customer of due invoices; provided by the customer itself and is then provided by the CSP – or
• where the cloud service is dependent on third-party IPR (eg, soft- is migrated to another CSP after the initial cloud migration, or back to
ware) licences, when a relevant third-party licence expires or is the original customer, if it wishes to resume the IT service in-house.
terminated; This can constitute a service provision change under TUPE Regulation
• for a specified period of customer inactivity; 3(1)(b). The workforce (organised grouping) carrying on the activi-
• where the customer or an end user’s use of the cloud service ties liable to transfer must be based in Great Britain and the principal
presents a security risk to the CSP or any third party (typically purpose of that workforce must be to carry out those activities for the
contained in the AUP); customer. In broad terms this means they must be ‘essentially dedi-
• contravention of export and sanctions controls laws and regu- cated’ to the customer; although they may still do work for others
lations; and (TUPE Regulation 3(3); and see generally www.gov.uk/transfers-
• one or more (other) breaches of the AUP or any other term of the takeovers). More significantly for cloud computing arrangements, the
CSA by the customer or an end user. activities to be carried out by the CSP must be ‘fundamentally the
same’ as those undertaken previously by the customer’s staff (TUPE
The consequences of termination may include: Regulation 3(2A) www.legislation.gov.uk/uksi/2014/16/regulation/1/
• the customer’s obligation to cease using or to return any propri- made#regulation-1-2).
etary material (eg, software), or to destroy any content provided So, the threshold question in cloud computing migration is most
by the CSP; likely to be: will the activities to be undertaken by the CSP be ‘fundamen-
• that the CSP will not erase the customer’s data for a specified tally the same’ as those undertaken previously by the customer’s IT staff?
period after termination, and in some cases that the customer will This will come down to an analysis of fact and degree. One – and only
be entitled to retrieve its data (usually also subject to a charge one – factor will be a reduction in the volume or scope of work, which is
by the CSP); likely to be the case in migration from ‘traditional’ IT activities to the cloud
• where the CSP has terminated for cause, that the customer must (see Department for Education v Huke and another UKEAT/0080/12,
pay all unpaid charges for the remainder of the term; and https://www.bailii.org/uk/cases/UKEAT/2012/0080_12_1710.html;
• where the customer has terminated for cause, that the CSP will OCS Group UK Ltd v Jones and another https://www.bailii.org/uk/
refund any prepaid charges for the remainder of the term. cases/UKEAT/2009/0038_09_0408.html).
At first glance, IT activities or services migrated to, say, a public or
Employment law considerations hybrid cloud, from which the customer may then receive very different
23 Identify any labour and employment law considerations that cloud services (at least by reference to scope and possibly volume) to
apply specifically to cloud computing in your jurisdiction. the services or activities previously provided in-house, simply do not
intuitively look and feel ‘fundamentally the same’ in the cloud. And –
There are none that apply specifically to cloud computing. if they addressed the question at all – it would be understandable if
However, depending on the cloud deployment model or service the customer and CSP considered that the activities to be carried out
model adopted and the circumstances of the migration to cloud or by the CSP are not ‘fundamentally the same’ as the original in-house
the termination of the cloud service, cloud customers and CSPs IT activities, so that TUPE would not apply. This could be a very
should consider the application of the Transfer of Undertakings costly mistake.
(Protection of Employment) Regulations 2006 (www.legislation.gov. There will, of course, be other questions about which of the custom-
uk/uksi/2006/246/contents/made), as amended by (among others) er’s staff members and how many of its IT workforce are in scope for
the Collective Redundancies and Transfer of Undertakings (Protection TUPE, if it is likely to apply (see www.gov.uk/transfers-takeovers).
of Employment) (Amendment) Regulations 2014 (www.legislation. And it is worth reiterating that TUPE can apply equally to the
gov.uk/uksi/2014/16/regulation/1/made#regulation-1-2) (together, subsequent move by the customer from one CSP to another, or back
TUPE). TUPE implements in the UK the EU Acquired Rights Directive in-house to the customer, subject to the rules referred to above.
2001/23/EC (ARD). In cloud computing arrangements, it is quite likely that the CSP
The application of the ARD and TUPE to, and their effect on, will be based outside the UK or that the cloud services will be provided
outsourcing are now widely understood in relation to the UK, where the from an offshore location. If there is an assigned workforce based in
government has expanded TUPE’s application to outsourced services Great Britain, TUPE can apply to such arrangements, even if the service
with the intention that TUPE should generally apply to outsourcing is provided from offshore.
transactions. It is worth reiterating that TUPE is mandatory law: parties In outsourcing transactions, because the application of TUPE is
cannot ‘disapply’ or contract out of TUPE. so well settled in the UK, it has become customary for the customer
In broad terms, where TUPE does apply, it transfers automati- and outsource provider to provide specifically and in some detail in
cally by operation of law the staff from one organisation to another. the outsourcing contract for the legal, regulatory and financial impli-
Their terms and conditions of employment and continuity of service are cations of TUPE – allocating duties, risk, costs and liabilities between
preserved, and there are other procedural and substantive protections them. In public and hybrid cloud contracts, the issue is often simply not
for the staff before and after a ‘TUPE transfer’, for example protection considered and, therefore, is not provided for, most probably because
against dismissal and protection against changes to the transferring the parties do not expect that TUPE will apply to such cloud arrange-
staff’s terms and conditions of employment. There are also prescribed ments or because CSPs that are based outside the EU are unaware of
consultation processes before any transfer (see generally www.acas. the ARD and TUPE.
org.uk/index.aspx?articleid=1655). Accordingly, if TUPE applies to a For the reasons given above, neither CSPs nor their customers
cloud computing arrangement (in which one of the key drivers is cost- should assume that TUPE cannot or does not apply in relation to any of
reduction) the financial implications for both the cloud customer and the cloud deployment models or service models. They should at least
more particularly the CSP may be significant and could undermine the consider the question and take advice accordingly.
economics of the arrangement.

www.lexology.com/gtdt 91
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

TAXATION economic substance. HMRC will consider various aspects of the struc-
ture, including the allocation of profits throughout the supply chain.
Applicable tax rules (See generally www.gov.uk/government/publications/diverted-profits-
24 Outline the taxation rules that apply to the establishment and tax-guidance.) Certain amendments were introduced in the Finance Act
operation of cloud computing companies in your jurisdiction. 2019, which took effect from 29 October 2018 (see https://www.gov.
uk/government/publications/diverted-profits-tax-changes/diverted-
Consideration of the tax treatment of cloud computing will gener- profits-tax-amendments) .
ally be more complex than in the case of ‘terrestrial’, in-country-only,
IT services. This is because tax authorities and businesses alike are Withholding taxes
grappling with the tax implications of cloud computing. The first step Withholding taxes may apply at the rate of 20 per cent to sales, services
required is to correctly classify the underlying transaction in order and (in broad terms) income derived from annual payments, patent
to ascertain the correct tax treatment. Individual elements within the royalties and certain other payments arising from the exercise of intel-
scope of, and transactions comprising, the cloud services will need to lectual property rights paid by a UK resident company to a non-UK
be analysed, in order to determine whether there is a transfer of prop- resident person who is not a corporate taxpayer, subject to reduction
erty to the customer (ie, a sale, lease or licence of tangible property). If under an applicable tax treaty. For example, withholding taxes may
there is no such transfer then it is necessary to consider the tax rules apply where in a CSP group structure, a non-UK, IPR-owning or licensor
in respect of the provision of services, assuming that the cloud services group company has put in place intra-group IPR licensing arrangements
are properly characterised as services (eg, data processing, an informa- and the UK-based group CSP is required to remit payments to the
tion service or a communications service). Consideration will also need non-UK licensor for the exploitation, licensing or distribution of that IPR.
to be given to the location of the CSP and its customers, to the source New legislation was enacted in the UK in 2016 to address the abuse of
of the payments, and also to whether the location of the servers from double taxation treaties in this context. (See, generally, http://taxsum-
which the services are provided can give rise to taxation. maries.pwc.com/ID/United-Kingdom-Corporate-Withholding-taxes.)
The approach to taxation will also depend on the operating model
of the supply chain of the cloud service, for example whether it is Offshore Receipts in respect of Intangible Property
intra-group or there are external providers in the supply chain and, Following a consultation, the UK government has introduced a new
if intra-group, whether the local CSP subsidiary performs sales and income tax charge on offshore receipts from intangible property (ORIP).
marketing functions for another group company or delivers the cloud From 6 April 2019, non-UK residents in certain (generally low-tax) juris-
services directly to local customers. (For an invaluable guide see Ernst dictions will be liable to UK income tax on their gross receipts from
& Young’s Worldwide Digital Tax Guide, www.ey.com/gl/en/services/ intangibles to the extent the IP enables, facilitates or promotes UK sales.
tax/ey-digital-tax-guide.) The aim is to ensure that businesses generating income from UK sales
The following is a high-level outline of the UK taxes that are likely to are not able to artificially achieve low effective tax rates by holding their IP
be most relevant to cloud computing operations and the income derived offshore (see: https://www.gov.uk/government/publications/offshore-
from them. Readers – both CSPs and cloud customers – should seek receipts-from-intangible-property/income-tax-offshore-receipts-in-
specific advice on direct tax questions relating to UK cloud operations respect-of-intangible-property). ORIP applies only if UK sales by the
and service arrangements. And for tax and other fiscal incentives avail- non-UK resident (and its connected persons) for a given tax year
able for cloud computing businesses in the UK, see questions 6 and 7. exceed £10m, but it applies whether or not the non-UK resident has any
presence in the UK. There are several exemptions that are currently
Corporation tax and permanent establishment (PE) available and the government has proposed additional exemptions in
A company resident in the UK is subject to tax on the whole of its world- draft regulations released recently.
wide profits wherever they arise. A non-resident company is liable to It is expected that the final regulations will be made available in
corporation tax on profits attributable to a trade carried on in the UK Autumn 2019 and that parts of the regulations will have retrospective
through a PE in the UK. In determining whether a PE exists, the UK effect (see https://www.gov.uk/government/consultations/draft-regu-
broadly adopts the OECD definition of PE. If a non-UK resident CSP has lations-offshore-receipts-in-respect-of-intangible-property). Businesses
a fixed place of business in the UK through which some or all of its will need to determine whether their IP enables, facilitates or promotes
business is conducted, or has an agent acting on its behalf, it may be UK sales, either directly or indirectly, and even through unrelated
treated as having a PE in the UK and may be liable to UK corporation parties. Taxpayers may find it difficult to trace through often complex
tax (currently 19 per cent but reducing to 17 per cent in April 2020). Will supply chains to determine whether their IP is supporting UK sales.
the presence of cloud servers in the UK be decisive in the determination
of a PE? The HM Revenue & Customs (HMRC) approach is that the mere Taxing the digital economy
presence of a server or servers will not of itself create a PE. However, if The UK government has announced that it will introduce a new Digital
the CSP is providing hosting services and the UK servers are essential Services Tax in April 2020. This will be introduced as an interim measure,
for that hosting, this may result in the existence of a PE. Ultimately, until a multilateral solution that is acceptable to the UK is adopted. The
whether a server will create a PE will depend on the functionality of the UK government has stated that it intends to disapply the tax once an
server or servers as well as the business activities in the UK. appropriate international solution is in place. The UK has focused on
‘user participation’. The government views user participation as being
UK diverted profits tax a key value driver for digital businesses and the legislation will target
Introduced in the Finance Act 2015 to counter the use of aggressive digital business models, where value is actually created as a result of
tax planning techniques by multinational enterprises to divert profits the active participation and engagement of UK users of digital plat-
from the UK, this tax is also known as the ‘Google tax’. It is charged forms. The business models that may be impacted by these proposals
at 25 per cent when a foreign company artificially avoids having a UK include online networks, social media platforms and search engines. To
taxable PE or when a UK company, or a foreign company with a UK the extent that these models are served by cloud computing services
PE, would benefit from a tax advantage (ie, a reduced UK tax liability) and CSPs, they are likely to be relevant to the cloud computing industry
through the use of group structures, entities or transactions that lack operating in, or targeting customers in, the UK.

92 Cloud Computing 2020

© Law Business Research 2019
Bryan Cave Leighton Paisner LLP United Kingdom

The digital services tax legislation will be introduced in the RECENT CASES
Finance Bill 2019-20 and will apply to revenue earned from 1 April 2020.
Businesses will become liable to the tax when the group’s worldwide Notable cases
revenues from in scope digital activities are more than £500 million and 26 Identify and give details of any notable cases, or commercial,
more than £25 million of these revenues are derived from UK users. private, administrative or regulatory determinations within
If the group’s revenues exceed these thresholds, its revenues derived the past three years in your jurisdiction that have directly
from UK users will be taxed at a rate of 2 per cent. The first £25 million involved cloud computing as a business model.
of the UK revenues would be exempt from the digital services tax (see
https://www.gov.uk/government/publications/introduction-of-the-new- Pippa Middleton and James Matthews v Person or persons
digital-services-tax/introduction-of-the-new-digital-services-tax). These unknown [2016] EWHC 2354 (QB)
thresholds mean that only the very largest multinationals will be caught, The iCloud account of the sister of the Duchess of Cambridge had been
so while CSPs may be involved with in-scope activities, the thresholds hacked, apparently resulting in the theft of some 3,000 images. Ms
may exclude them in practice. Middleton and her then fiancé, Mr Matthews, had successfully applied
for an interim privacy injunction against persons unknown to prevent
Indirect taxes the use, publication or disclosure of the stolen images. In this case,
25 Outline the indirect taxes imposed in your jurisdiction that they successfully applied for a continuation of the injunction and the
apply to the provision from within, or importing of cloud extension of its scope to cover material and information from the iCloud
computing services from outside, your jurisdiction. account other than images, because Ms Middleton had good reason to
believe that all the information in her iCloud account had been hacked,
Again, readers – both CSPs and cloud customers – are advised to seek not just her photographs. As reliance on iCloud and similar B2C storage
specific advice on indirect tax questions relating to UK cloud operations services grows even more widely, such cases are likely to become more
and service arrangements. frequent, especially where prominent personalities are involved.
The rules for applying value added tax (VAT) to electronically
supplied services differ depending on whether the CSP and its customers Skyscape Cloud Services Ltd v Sky Plc [2016] EWHC 1340 (IPEC)
are inside or outside the UK or the EU; whether the cloud services are Skyscape supplied cloud services to UK public sector organisations
for business or personal use; and if they are B2B supplies, whether they under the G-Cloud scheme (see question 1). Sky Plc is a well-known
are ‘used and enjoyed’ within the UK, elsewhere in the EU or outside it. UK provider of broadcast and communications services (including an
A UK CSP will be expected to register and be liable to charge email service) under the trademark ‘SKY’. Sky Plc claimed trademark
and account for VAT on the supply of cloud services delivered in the infringement against Skyscape, the CSP, which sought a declaration
UK. However, specific consideration should be given to CSP intra- of non-infringement (DNI) for its marks ‘SKYSCAPE’ and ‘SKYSCAPE
group arrangements, particularly the structure of, and transactions CLOUD SERVICES’ as applied to its cloud services. The court found
under, those arrangements. Non-UK principals are not expected to be that there was a likelihood that a significant part of the relevant public
VAT-registered. For B2B cloud transactions supplied in the UK by a UK and therefore the average consumer, seeing the sign SKYSCAPE used
CSP VAT at the standard rate of 20 per cent will generally be payable in for an email service, would confuse it with yet another service offered
respect of cloud services. Cloud customers will be expected to account by Sky Plc. The DNI was refused. This case is mentioned because
themselves for VAT on payments for services provided by non-UK based of the apparent popularity of the word ‘sky’ in the branding of cloud
CSPs – the cloud customer should act as if it is both the supplier and the services and the position of Sky Plc in the UK market, together with
customer: it charges itself the VAT and then, assuming that the service its registered SKY trademarks. In the result, Skyscape was rebranded
relates to VAT taxable supplies that it makes, it can claim the VAT back as UKCloud (see question 3, and for the background: www.thereg-
(so rendering the transaction VAT-neutral). In terms of the CSP, the ister.co.uk/2016/07/28/skyscape_now_uk_cloud/). Unless CSPs are
service is disregarded, and it does not need to account for any VAT. This willing to forgo the use of ‘sky’ in branding and marketing their cloud
is called the ‘reverse charge’, but is also known as a ‘tax shift’. services in the UK, cases of this kind will proliferate (see Sky Plc and
For B2C cloud transactions VAT at the standard rate of 20 per cent others v SkyKick UK Ltd and another [2018] EWHC 155 (Ch) http://
will generally be payable. A UK CSP will usually be registered and liable www.bailii.org/ew/cases/EWHC/Ch/2018/155.html; and also British
to charge and account for VAT on the supply of cloud services in the UK. Sky Broadcasting Group plc and others v Microsoft Corporation and
Non-UK CSPs providing cloud services to UK consumers should another [2013] EWHC 1826 (Ch) below). Similar disputes have arisen
particularly note that the VAT rules for digital services (eg, webhosting about the use of the word ‘cloud’. For example, in Massive Bionics v
services, internet-streaming services, database storage, supplies EUIPO, www.bailii.org/eu/cases/EUECJ/2017/T22316.html, the EU
of software and software update services, and other electronically General Court partially upheld an opposition by Apple to the registration
supplied services) do not follow the standard place of supply rules. of ‘Dricloud’ for cloud services by Massive Bionics on the basis that this
The services are treated as supplied in the ‘place of residence of the sign was similar overall to Apple’s own trademark ‘iCloud’ also covering
consumer’ (and not the place of residence of the supplier). VAT is, there- cloud services.
fore, payable, on, and CSPs are VAT-accountable for, supplies of digital
services to UK consumers, regardless of whether the CSPs are estab- Majekodunmi v City Facilities Management UK Ltd and others
lished in or outside the EU (www.gov.uk/government/publications/ [2015] UKEAT 0157_15_2509
vat-supplying-digital-services-to-private-consumers/vat-businesses- In this case, the UK Employment Appeal Tribunal (EAT) had to consider
supplying-digital-services-to-private-consumers). Accordingly, a CSP whether the claimant had validly served his notice of appeal when the
established and operating outside the EU that sells digital services to attachments containing his notice could only be accessed by a link to
UK consumers (and consumers in other EU member states) will be Dropbox, the cloud-based file-hosting service. The EAT rejected the
required either to register for VAT in each EU member state where it has claimant’s case, finding that sending a link to where a required docu-
customers and comply with all local VAT rules, or to register for the EU’s ment is located online is not ‘serving’ or ‘attaching’ that document.
VAT Mini One Stop Shop (MOSS) scheme in a single EU member state Although zip files are a valid form of service, in this case the EAT needed
(which should rationalise the VAT accounting requirements). the internet to access the zip file location in the cloud. The file had,

www.lexology.com/gtdt 93
© Law Business Research 2019
 United Kingdom Bryan Cave Leighton Paisner LLP

therefore, not ‘hit’ the EAT’s server as a standard attachment to an email

would. The EAT then had to decide whether the documents were effec-
tively ‘attached’ to the email purporting to serve the required notice. It
held that they were not, because all that had been provided was a link to
another location where the documents could be found – the documents
themselves had not actually been attached. This is a significant decision
for users of cloud-based file-hosting services such as Dropbox. The case
also contains an interesting legal consideration of the cloud storage and
transmission technologies used. It will be worth watching the develop- Mark Lewis
[email protected]
ment of court and tribunal rules in this regard.

British Sky Broadcasting Group plc and others v Microsoft Adelaide House
Corporation and another [2013] EWHC 1826 (Ch) London Bridge
The court ruled that Microsoft’s ‘SkyDrive’ mark for cloud storage London EC4R 9HA
services infringed British Sky Broadcasting’s ‘SKY’ UK and (EU) United Kingdom
Community trademarks. The court’s decision was influenced by the fact Tel: +44 203 400 1000
Fax: +44 203 400 1111
that consumers were unable to discern any Microsoft connection to
www.bclplaw.com
SkyDrive as a preloaded app on any device. This finding was supported
by evidence that 17 British Sky Broadcasting (Sky) customers had
contacted Sky’s helpline, because they assumed (in actual confusion)
that SkyDrive was a Sky-provided service. UPDATE AND TRENDS
Microsoft contested the validity of Sky’s UK SKY trademarks in
their application to ‘goods and services pertaining to cloud storage’. It Key developments of the past year
alleged that: 27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
‘sky’ is a convenient and common word used by traders to describe legislative initiatives specific to cloud computing that are
or allude to a cloud storage system (be that system a good or being developed or are contemplated?
a service) such that (a) it is incapable of distinguishing a cloud
storage system of one undertaking from that of another, and (b) it None.
should be kept free for use by all traders offering such systems.
* The author would like to thank BCLP colleagues Faiza Bishi, Kate
Microsoft also claimed that the word ‘sky’ would be ‘recognized by the Brimsted, Sarah Buxton, Gillian Dennis, Daren Kemp, Sophie Taylor,
average consumer as descriptive of a characteristic of a cloud storage Adam Turner and Ash von Schwan for their assistance in writing
system, namely by indicating that the system is for the storage of data this chapter.
remotely, being notionally in ‘the cloud’ or ‘the sky’’. Microsoft’s chal-
lenge of invalidity was rejected.
Aside from the linguistic and symbolic connections between ‘sky’
and ‘the cloud’, the case is also interesting because of the judge’s tech-
nological comparison between broadband services and certain cloud
services. He said:

It seems to me that the evidence reveals that there is a close

connection between file storage, management and sharing soft-
ware and the provision of broadband services, including the
provision of email services . . . Not all data storage providers are
broadband providers but it seems to me that the evidence reveals
that a significant number of broadband providers also provide
data storage.

In 2014, Microsoft rebranded ‘SkyDrive’ as ‘OneDrive’ (www.techrepublic.

com/article/microsoft-renames-skydrive-to-more-confusing-onedrive-
amid-legal-complaint/).

94 Cloud Computing 2020

© Law Business Research 2019
United States
Amy Farris, Manita Rawat and Matthew Mousley*
Duane Morris

MARKET OVERVIEW Active local providers

3 Name the local cloud providers established and active in your
Kinds of transaction jurisdiction. What cloud services do they provide?
1 What kinds of cloud computing transactions take place in
your jurisdiction? Many of the ‘local’ cloud providers are the same as the global interna-
tional cloud providers listed above. Although some global international
All manner of cloud computing transactions take place in the United cloud providers, such as Alibaba, do not have headquarters in the US,
States, including public, hybrid and private cloud models and soft- they typically have data centres and other operations in the US.
ware-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and
platform-as-a-service (PaaS) models. There is a growing trend in both Market size
the private and public sectors to utilise cloud offerings not only for the 4 How well established is cloud computing? What is the size of
benefits of such offerings over legacy models, but out of necessity, as a the cloud computing market in your jurisdiction?
growing number of products and services procured by businesses and
governmental entities are being replaced by cloud-only offerings. Cloud computing is very well established in the US. According to some
The most common examples of public cloud offerings are service projections, worldwide spending on public cloud offerings alone – of
providers who provide software applications (ie, SaaS) and data which the US market constitutes a material portion – is expected to
storage to the general public. By comparison, the most popular private increase from US$67 billion in 2015 to US$162 billion in 2020. The US
cloud offerings are IaaS, which permits a customer to access IT infra- federal government is expected to exceed US$10 billion in spending for
structure services as a service, and PaaS, which can include a variety cloud computing by 2023.
of services from simple cloud-based applications to more sophisticated The largest players in public cloud offerings – particularly private
enterprise applications. As noted above, because cloud offerings have data storage – are Amazon Web Services, Microsoft, IBM, Google, and
begun largely to replace legacy offerings, in practice, most customers Oracle. See:
implement and integrate public and private cloud offerings to create a • www.zdnet.com/article/cloud-providers-ranking-2018-how-aws-
hybrid cloud environment. microsoft-google-cloud-platform-ibm-cloud-oracle-alibaba-stack/;
In addition to the considerable cloud offerings available to the • www.forbes.com/sites/louiscolumbus/2017/04/29/roundup-of-
private sector in the US, there are a number of notable government cloud-computing-forecasts-2017/#6eb471b931e8; and
platforms for cloud computing, including Amazon Web Services (AWS) • www.marketresearchmedia.com/?p=145.
GovCloud and Microsoft Azure Government. These platforms address
the specific regulatory and compliance requirements required by Impact studies
government agencies and customers, including adherence to the US 5 Are data and studies on the impact of cloud computing in your
International Traffic in Arms Regulations requirements. See: jurisdiction publicly available?
• http://fortune.com/2016/09/02/us-government-embraces-cloud/;
• www.wired.com/insights/2012/08/5-coolest-gov-cloud-projects/; There are many publicly available studies about the impact of cloud
https://aws.amazon.com/govcloud-us/; computing in the US. These studies indicate that the impact has been
• https://azure.microsoft.com/en-us/global-infrastructure/ considerable and will continue to grow over the next five years. For
government/; and instance, according to a cloud computing study by IDG Communications,
• https://www.cio.gov/. 73 per cent of 550 surveyed organisations had at least one application
or a portion of their computing infrastructure in the cloud; the average
Active global providers environment included 53 per cent non-cloud infrastructure and 23 per
2 Who are the global international cloud providers active in cent SaaS, 16 per cent IaaS, and 9 per cent PaaS resources; and more
your jurisdiction? than a third of respondents felt pressure to migrate 100 per cent to the
cloud (see www.idg.com/tools-for-marketers/2018-cloud-computing-
Generally speaking, all of them. The largest include AWS, Microsoft survey/ and www.infoworld.com/article/3297397/cloud-computing/
Azure, Google Cloud, IBM Cloud, and Salesforce.com; smaller cloud-computing-2018-how-enterprise-adoption-is-taking-shape.
providers (as measured by market share) include Rackspace, Oracle, html). As previously reported by Forbes, market intelligence firm IDC
NTT, Fujitsu, Alibaba and HP Enterprise. See www.zdnet.com/article/ has stated that cloud computing is growing at 4.5 times the rate of IT
cloud-providers-ranking-2018-how-aws-microsoft-google-cloud-plat- spending since 2009 and is expected to grow at more than six times
form-ibm-cloud-oracle-alibaba-stack/. the rate from 2015 to 2020 (www.salesforce.com/assets/pdf/misc/
IDC-salesforce-economy-study-2016.pdf).

www.lexology.com/gtdt 95
© Law Business Research 2019
 United States Duane Morris

As noted above, as cloud offerings are very rapidly becoming the Governing legislation
default, legacy offerings such as on-premises solutions and traditional 9 Does legislation or regulation directly and specifically
models of IT outsourcing are both less in demand and less available. prohibit, restrict or otherwise govern cloud computing, in or
outside your jurisdiction?
POLICY
We are not aware of any laws or regulations that ‘directly and specifi-
Encouragement of cloud computing cally prohibit, restrict or govern’ cloud computing. However, there are
6 Does government policy encourage the development of your numerous federal and state laws that indirectly impact cloud computing
jurisdiction as a cloud computing centre for the domestic services, as discussed further below.
market or to provide cloud services to foreign customers?
10 What legislation or regulation may indirectly prohibit,
Yes. Policy in this area tends to focus on moving government agencies restrict or otherwise govern cloud computing, in or outside
to cloud services. One example is the Cloud First Initiative, launched by your jurisdiction?
former US government CIO Vivek Kundra, which aimed to cut waste and
increase efficiencies within the US federal government’s technology While we are not aware of any laws or regulations specifically
services by reducing government IT expenditures by US$4 billion addressing cloud computing per se, there are numerous federal and
dollars over the next two years (www.wired.com/insights/2012/08/5- state laws that indirectly impact cloud computing services.
coolest-gov-cloud-projects/). As one result of this initiative, the General
Services Administration, the federal government’s procurement agency, State privacy laws
has developed a number of resources to assist government agencies Generalised data privacy and data breach notification laws in the US
in procuring cloud services (www.gsa.gov/portal/content/190333). are generally a matter of state law (as opposed to federal law). All
The current administration has continued these efforts by working to 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin
implement the Modernizing Government Technology Act, which has, as Islands now have specific breach notification laws (www.ncsl.org/
one of its goals, transitioning legacy IT systems to commercial cloud research/telecommunications-and-information-technology/secu-
computing platforms, particularly platforms serving more than one rity-breach-notification-laws.aspx). These laws differ in significant
covered agency with common requirements (www.whitehouse.gov/ respects as to how and when notification requirements are triggered,
wp-content/uploads/2017/11/M-18-12.pdf). And, in 2017, President and whether and how cloud computing is implemented in any given
Trump signed an Executive Order on cybersecurity mandating that scenario affects how these laws are applied to determine parties’
federal systems move to the cloud (www.geekwire.com/2017/ rights and obligations.
trump-cybersecurity-cloud/).
Federal privacy laws
Incentives There is no comprehensive US federal law regarding generalised
7 Are there fiscal or customs incentives, development grants data privacy or security or data breach notification. Instead, there are
or other government incentives to promote cloud computing various sectoral federal laws imposing regulation on data security for
operations in your jurisdiction? certain types of information, including information that is often stored
in the cloud.
In addition to the policies discussed generally above, certain develop- Certain US regulatory frameworks require data owners to ensure
ment and government grants and other incentives promote technological that their third-party service providers are capable of maintaining the
investment, which increasingly means cloud services as a default. For privacy and security of personal information entrusted to them. This
example, the US federal government’s Centers for Medicare & Medicaid is typically accomplished through the use of contractual provisions
Services established Medicare and Medicaid Electronic Health Record mandating particular security measures. Three federal privacy laws
(EHR) Incentive Programs to encourage eligible healthcare providers to that restrict the activities of service providers are the Health Insurance
adopt, implement, upgrade, and demonstrate meaningful use of certi- Portability and Accountability Act of 1996, Pub. L. 104-191; the Gramm-
fied EHR technology. The availability of these ‘meaningful use monies’ Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338, codified in relevant part
has spurned a lot of spending on EHR systems, which nearly always at 15 U.S.C. §§6801-6809 and §§6821-6827; and the Family Educational
involve some cloud computing components. Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99.

LEGISLATION AND REGULATION Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA’s Privacy Rule, an entity may not use or disclose protected
Recognition of concept health information (PHI) except as permitted or required by the Rule, or
8 Is cloud computing specifically recognised and provided for as authorised in writing by the individual affected. HIPAA’s Security Rule
in your legal system? If so, how? complements the Privacy Rule and deals specifically with Electronic
PHI. This Rule lays out three types of security safeguards required for
From a legal perspective, cloud computing is principally dealt with in compliance: administrative, physical and technical. The Rule identifies
commercial contracts and, therefore, governed by contract law, which various security standards for each of these types. Required specifica-
is generally a matter of state law (as opposed to federal law) in the US. tions must be adopted and administered as dictated by the Rule. The
Additionally, cloud computing implicates numerous federal and state HITECH Act provisions are also applicable as they have expanded and
laws drawn to specific related topics or issues, including data security enhanced HIPAA privacy and security rules.
laws, data breach and notification laws, data transfer laws and various Further, any HIPAA-covered entity would first have to negotiate
data-specific regulations, like those addressing the processing, storage and enter into a business associate agreement with a cloud provider
and use of healthcare information, financial transaction information and before the cloud provider could store records containing PHI in a cloud
other confidential information. These laws are addressed in more detail computing facility as such cloud providers would be ‘business associ-
in the sections below. ates’ under HIPAA. In some cases, HIPAA’s substantive requirements

96 Cloud Computing 2020

© Law Business Research 2019
Duane Morris United States

could conflict with the cloud provider’s operations or terms of service, of US$250,000 per violation and imprisonment up to 10 years for the
and a covered entity would risk a HIPAA violation by using such a intent to sell, transfer or use individually identifiable health information
provider to store or process PHI. for commercial advantage, personal gain or malicious harm. See:
• www.hhs.gov/hipaa/for-professionals/compliance-enforcement/
The Gramm-Leach-Bliley Act (GLBA) index.html; and
For entities subject to the GLBA, the use of a cloud provider would • www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
be subject to similar restrictions. The GLBA’s Privacy and Safeguards index.html.
Rules restrict financial institutions from disclosing consumers’
nonpublic personal information to non-affiliated third parties. Any Consumer protection measures
such disclosures that are permitted under the GLBA are subject to 12 What consumer protection measures apply to cloud
numerous restrictions under both the Privacy Rule and Safeguards computing in your jurisdiction?
Rule. Pursuant to the Privacy Rule, prior to disclosing consumer
personal information to a service provider, a financial institution We are not aware of any consumer protection measures specific to cloud
must enter into a contract with the service provider prohibiting the computing, but general consumer protection measures could apply to
service provider from disclosing or using the information other than cloud computing products and services (eg, cooling-off periods, implied
to carry out the purposes for which the information was disclosed. warranties covering quality and performance, restrictions on excluding
Under the Safeguards Rule, prior to allowing a service provider access and limiting liability, dispute resolution and venue for proceedings in
to customer personal information, the financial institution must: (i) the consumer’s jurisdiction, governing law and other mandatory or
take reasonable steps to ensure that the service provider is capable overriding local laws for the benefit of the consumer). These protec-
of maintaining appropriate safeguards (ie, the entity must undertake tions are typically a matter of state (as opposed to federal) contract
appropriate due diligence with respect to the service provider’s data and consumer protection laws and enforcement actions and initiatives
security practices); and (ii) require the service provider by contract to of state attorneys general (ie, the chief lawyers and law enforcement
implement and maintain such safeguards. officers in each state) and vary from state to state.
At the federal level, consumer protection generally is handled by
Family Educational Rights and Privacy Act (FERPA) the Federal Trade Commission (FTC). The FTC has broad jurisdiction to
FERPA is a federal law that protects student personally identifying regulate unfair or deceptive acts or practices in or affecting commerce.
information collected by educational institutions and associated In the area of cloud computing, the FTC is most concerned with issues
vendors. These institutions must have the student’s consent prior to of privacy and security of consumer data.
disclosure of personal data, including grades, enrolment status or
billing information. FERPA does not prohibit the use of cloud computing Sector-specific legislation
solutions for the purpose of hosting education records; rather, FERPA 13 Describe any sector-specific legislation or regulation that
requires schools to use reasonable methods to ensure the security of applies to cloud computing transactions in your jurisdiction.
their IT solutions, which includes cloud providers.
As discussed in more detail above, relevant federal laws in particular
Also, although not a US law, the EU’s General Data Protection Regulation tend to be sector-specific: the GLBA and PCI DSS are relevant to the
is commonly interpreted to have a significant effect on the operations financial sector, HIPAA and HITECH are relevant to the healthcare
of US entities and interests, which effect often implicates use of cloud sector, and FERPA is relevant to the education sector.
computing resources to collect, process, and store personal infor-
mation (www.businesswire.com/news/home/20180815005111/en/ Insolvency laws
Gartner-Survey-Cloud-Computing-Remains-Top-Emerging). 14 Outline the insolvency laws that apply generally or
In addition to official laws and regulations, there are certain specifically in relation to cloud computing.
industry standards implicated by cloud computing that are so commonly
adopted and implemented that they are treated effectively as official We are not aware of any insolvency laws that apply specially to cloud
regulations would be in a commercial transaction. For example, the computing. In practice, the issues that typically arise in this context
Payment Card Industry Data Security Standard (PCI DSS), which is are whether and to what extent data held on third-party servers are
referenced as a standard by some state laws, was jointly developed ‘assets’ of a debtor subject to the automatic stay that generally halts
by payment card companies to simplify compliance for merchants and actions by creditors to collect debts from the debtor. For example,
payment processors. It has six core areas and 12 requirements that different questions arise when a cloud service provider files for bank-
cover best practices for, for example, perimeter security, data privacy ruptcy (eg, is third-party data held on its servers part of the bankruptcy
and layered security. As a practical matter, any cloud-based applica- estate or how does the third party who owns the data recover it) versus
tion that processes payment card transactions typically must comply when a data owner files for bankruptcy (eg, can a non-debtor cloud
with PCI DSS. service provider delete or alter the debtor’s data unilaterally or does it
need relief from the bankruptcy court to do so?).
Breach of laws
11 What are the consequences for breach of the laws directly DATA PROTECTION/PRIVACY LEGISLATION AND REGULATION
or indirectly prohibiting, restricting or otherwise governing
cloud computing? Principal applicable legislation
15 Identify the principal data protection or privacy legislation
Violation of the laws and regulations identified above are typically applicable to cloud computing in your jurisdiction.
addressed by fines and penalties, which can be significant, particularly
if tallied on a per violation basis across any appreciable volume of busi- As discussed above, at the federal level, data protection and privacy
ness. For example, violations of HIPAA’s data security provisions can legislation is addressed sectorally, by laws such as HIPAA, GLBA
range from US$100 per violation for an unknowing violation to fines and FERPA. Additionally, the Children’s Online Privacy Protection Act

www.lexology.com/gtdt 97
© Law Business Research 2019
 United States Duane Morris

is a federal law enforced by the FTC that governs the online collec- state’s laws under the circumstances, which would subvert the intent
tion of information from children under the age of 13. See www.ftc. of choosing the state’s law to apply. Also, it is common to include an
gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/ express statement that the UN Convention on Contracts does not apply,
childrens-online-privacy-protection-rule. usually because the parties are more familiar and comfortable with
State laws typically address data protection and privacy more US case law. As an alternative to the law of the state where one of
generally, with laws varying from state to state. As noted above, the parties is located, the parties may choose a neutral state’s law to
many states have data breach notification laws. Other relevant state apply. Common choices for a neutral state with significant commercial
laws include contract case law include New York and Delaware.
• the California Online Privacy Protection Act, Delaware Online
Privacy and Protection Act, and the Nevada online policy law, which, Jurisdiction
among other things, require online services to post a privacy policy; It is common practice in the US to choose a specific city or county
• the California Shine the Light law, which, among other things, located within the state that was chosen for the governing law as
addresses the practice of sharing personal information of having exclusive jurisdiction over a dispute relating to the contract.
consumers for marketing purposes;
• the Massachusetts Standards for the Protection of Personal Enforceability/cross-border issues
Information of Residents of the Commonwealth, which, among In cloud computing contracts, there are a number of cross-border
other things, provides security requirements for organisations that issues, particularly relating to data protection laws.
handle private data of payment card residents;
• Illinois and Texas laws governing the collection and use of biom- Dispute resolution
etric data; and Dispute resolution tends to include some mechanism for internal
• the Illinois Geolocation Privacy Protection Act. dispute resolution, which may be pro forma or more meaningful,
followed by either arbitration or litigation. Whether the parties agree
Additionally, the California legislature passed a broad digital privacy on arbitration or litigation depends on the parties’ experiences and
law in 2018 as the first US law approaching generalised data regulation preferences.
similar to that seen in the EU. This law is not set to go into effect until
January 2020 and is expected to be modified before then, but it is likely Typical terms of service
to significantly change the landscape for generalised data regulation in 18 What are the typical terms of a B2B public cloud computing
the US (www.nytimes.com/2018/06/28/technology/california-online- contract in your jurisdiction covering material terms, such
privacy-law.html). as commercial terms of service (price, payment, etc) and
acceptable use (AUP), and variation?
CLOUD COMPUTING CONTRACTS
Price/payment
Types of contract Typically there are subscription fees for the cloud service that are
16 What forms of cloud computing contract are usually adopted invoiced monthly. Certain professional services may be offered and
in your jurisdiction, including cloud provider supply chains (if are typically billed as a fixed fee or on a time and materials basis.
applicable)? Professional services could include implementation, integration,
training, support, enhanced maintenance (beyond that covered by the
Cloud computing contracts typically manifest in different forms and draw subscription fees), customisation or data analysis.
on different legacy contracts and precedents depending on the particular
vendor, offering and customer. For example, cloud computing contracts Audits
can resemble legacy software licence agreements, legacy managed Cloud agreements generally contain audit provisions to ensure compli-
services or hosting agreements, and limited purpose outsourcing agree- ance with billing or payment obligations. However, audits may also be
ments. As cloud services become more and more commoditised, cloud directed to other issues, such as regulatory and compliance, quality,
computing contracts are increasingly being presented by vendors as and security. The audit provision typically specifies parameters and
click-wrap agreements that are little- to non-negotiable agreements or limitations for the audit (eg, during business hours, once per year), use
as otherwise negotiable agreements that have significant portions that of a third-party professional, such as an accountant, confidentiality and
are designated as non-negotiable (eg, links to click-wrap maintenance, limited use of results of an audit.
warranty, service level, acceptable use and privacy terms).
Insurance
Typical terms for governing law Either party (most commonly the vendor) or, in some cases, both
17 What are the typical terms of a B2B public cloud computing parties may be required to obtain and maintain specified levels of
contract in your jurisdiction covering governing law, insurance during the term of the agreement (eg, commercial general
jurisdiction, enforceability and cross-border issues, and liability, errors and omissions) and cyber insurance that specifically
dispute resolution? covers a data breach. These provisions typically require the other
party to be provided with a certificate of insurance or the actual
Governing law policy (to confirm scope of coverage) and to be named as an addi-
It is common practice in the US to choose as the governing law of a tional insured.
B2B public cloud contract the law of the state where one of the parties
is located, typically the vendor (ie, where the party is headquartered Acceptable use
or has a principal place of business). The governing law provision typi- Typical acceptable use restrictions include:
cally also includes a specific statement that the named state’s choice of • personnel limitation can only be used by customer and customer’s
law principles should not apply. This statement is important because employees, and whether or not affiliates or subcontractors are
one state’s choice of law principles may mandate application of another included is negotiated;

98 Cloud Computing 2020

© Law Business Research 2019
Duane Morris United States

• maximum number of users; Data disclosure

• no reverse engineering; Data disclosure is typically limited only to employees or agents who
• internal business purposes only; have a ‘need to know’ for the purpose of the agreement and who have
• no modifying or creating derivative works; signed a confidentiality agreement or are bound by professional obliga-
• no interference with use of the platform by other users; tions of confidentiality.
• no testing the platform for vulnerabilities, regardless of motive; Disclosures may only be made if required by law (subpoena, court
• no use that infringes or violates the rights of third parties (eg, intel- order, etc) so long as the party that received the data provides notice to
lectual property or privacy rights); and cooperates with the party that disclosed the data to the receiving
• no use for an unlawful purpose; party so that the disclosing party can seek to fight the disclosure.
• no use to harass, defame or abuse a third party; and
• no posting of obscene, profane, sexually explicit, violent, threatening Location of servers and data
or discriminatory content. Customers typically want the data to stay in their jurisdiction (ie, stay
inside the US) and commonly vendors will not be able to move the loca-
Often the cloud provider will include as a remedy its ability to suspend or tion of servers or data without prior written approval from the customer.
terminate the service for any breach of the acceptable use restrictions.
Cross-border data transfers
Typical terms covering data protection There are numerous laws and mechanisms governing cross-border
19 What are the typical terms of a B2B public cloud computing data transfers. The most recent is the EU–US Privacy Shield.
contract in your jurisdiction covering data and confidentiality
considerations? Typical terms covering liability
20 What are the typical terms of a B2B public cloud computing
Data and confidentiality (generally) contract in your jurisdiction covering liability, warranties and
Most cloud computing contracts include mutual confidentiality provi- provision of service?
sions. The definition of confidential information is categorical, but
may include specific items each party wants to protect as confidential Representations and warranties
information (eg, the customer’s data). Obligations of confidentiality typi- Typical representations and warranties in a cloud computing contract
cally survive termination or expiration of the agreement, and it is not fall into three categories: ability to enter or perform the agreement
uncommon for this survival to have a sunset (eg, five years after termina- generally, service-related and software-related.
tion or expiration), with or without express carve-outs for trade secrets. The first category of representations and warranties is directed to
In recent practice, the US federal Defend Trade Secrets Act requires the parties stating that they have the ability to enter into the agreement,
certain language to be included in agreements to make clear that indi- they have all the rights necessary to grant the rights granted therein,
viduals may share confidential information with attorneys or with law they aren’t under any pre-existing agreement that would limit their
enforcement in connection with whistle-blowing activities. Because this ability to perform this agreement, they will not enter into any agreement
language must be included to preserve certain remedies in the event of that would limit their ability to perform this agreement, and they will
a trade secret claim later, this language is more and more often being comply with all applicable laws (including data breach notification laws).
added to agreements that include confidentiality provisions. The second category of representations and warranties target the
performance of services under the agreement. Generally, the vendor is
Data integrity required to represent and warrant that it will perform all services in a
Customers typically request an express statement that they own all their good and workmanlike manner, with qualified personnel having the skill
data and are only granting the cloud provider the right to access, use required of the industry, it will replace any unsatisfactory personnel (if
or manipulate the data as required to provide the cloud service. Cloud applicable) and re-perform any unsatisfactory services, and it will use its
providers often want to have rights to aggregate and use customers’ established, industry-standard methodologies to provide services. The
data; this is a point of negotiation in some cases. vendor may also expressly warrant that it will meet its service levels.
The third category of representations and warranties target the
Data preservation software components of the cloud service. Typically the vendor will
Customers typically want their data backed up by the cloud provider, represent and warrant that there is no malicious code or virus within
with visibility into the process and geography implicated by the back- the cloud software, and that the software itself (and use of it) does
up, and commitments (ie, warranties) regarding frequency, recovery not violate any third-party intellectual property right (eg, patents and
point objective, recovery time objective and periodic restoration testing. copyrights). Open source representations and warranties may be appro-
Typically, upon termination of the agreement, cloud providers are obli- priate or not depending on the offering.
gated to promptly return all data to the customer, in an agreed-upon
format (preferably a standard format) or to certify destruction in writing Limitation of liability
after return of the data and confirmation by the customer that the data The limitation of liability provision is closely connected to the indemni-
are accessible. fication provisions and addresses qualitative limits on type of damages
and quantitative limits on amount of damages. The limit on type of
Premises and data security damages typically excludes indirect, consequential, special, incidental
This can vary widely. For data centres, customers look for electrical and punitive damages and may expressly exclude lost revenues or
sources and generator backups, cooling, humidity and temperature profits, loss of use and loss of data. The limit on amount of damages
controls, internet connectivity, physical security (video cameras, locks can be set at a specific number or it can scale (eg, with reference to
and access badges, escorted visitors, security personnel stationed the amount paid or payable under the agreement (or some multiple
there), information security (firewalls, passwords, encryption, etc), main- thereof)) over a certain period of time. Typically, when the quantitative
tenance and redundancy. Usually require third-party security audits limitation of liability references amounts paid or payable over some
such as SOC2 or SOC3. period of time, there is also some reasonable floor to cover a significant

www.lexology.com/gtdt 99
© Law Business Research 2019
 United States Duane Morris

liability in the early part of the contract term when payments have not Typical terms covering IP rights
accrued sufficiently to cover such a liability. 21 What are the typical terms of a B2B public cloud computing
Often there are exceptions to the limitations of liability for specific contract in your jurisdiction covering intellectual property
items, such as breach of an obligation of confidentiality or data security rights (IPR) ownership in content and the consequences of
or privacy, indemnification obligations, misuse of intellectual property, infringement of third-party rights?
bodily injury (including death) and injury to personal or real property
(not unusual to see, but less likely to be relevant in a cloud computing IP ownership
agreement), fraud, gross negligence or wilful misconduct. The parties Typically, the cloud vendor owns the software underlying the cloud
typically will spend a lot of time negotiating the limit on liability excep- computing services and any software the vendor makes available for
tions. An alternative is to set a separate (often higher) limit for these direct use by the customer. The customer typically owns all its data and
items (rather than excepting them from any limitation of liability). provides a licence right to the cloud vendor to access and use the data
as needed to provide the service.
Indemnification If there is any development work or customisation work, the parties
The indemnification provision typically includes an obligation to typically negotiate ownership rights. Typically, the customer will own all
indemnify and hold the other party harmless for certain enumerated right, title, and interest in and to all work product created under the
circumstances. Often the indemnification provision includes an obliga- agreement specifically for the customer, and the vendor will name the
tion to defend, though this depends on the offering and the parties. customer as ‘the person for whom the work is prepared’ and designate
Indemnified parties are typically defined to include the parties to the work product as a ‘work made for hire’. The vendor should also
the agreement, their affiliates and their directors, officers, employees assign all of its right, title, and interest in and to such work product to
and successors. This list can be expanded to include subcontractors, the customer, in case any work product does not meet statutory require-
suppliers, and customers, under certain circumstances. ments to be a ‘work made for hire’, and provide further assurances
The items for which a party (typically the vendor, but in some from itself and its employees as necessary to vest ownership rights
circumstances the customer) has an indemnification obligation in cloud in customer. Typically, the vendor will also give a licence to any of its
computing contracts typically include: background technology that is used in the work product.
• breach of the agreement (or, more specifically, breach of a repre-
sentation or warranty); IP infringement
• IP infringement claims; As discussed above, IP infringement is typically addressed via a
• tort actions (ie, bodily injury, death or damage to personal prop- representation and warranty that there is no infringement or by an
erty) due to acts or omissions of a party; indemnification obligation for third-party IP infringement claims.
• fraud, gross negligence and wilful misconduct;
• breach of confidentiality; Typical terms covering termination
• breach of data security provisions or data breach; and 22 What are the typical terms of a B2B public cloud computing
• violation of law. contract in your jurisdiction covering termination?

Also addressed in the indemnification provision is the procedure for Termination for cause
obtaining indemnification, including terms for notice, cooperation and There is typically a mutual right of termination for cause (ie, for a mate-
the right to participate in the defence. rial breach of the agreement by the other party that has not been cured
for a certain period of time since notice of the material breach, eg, 30
Service-level agreements (SLAs) days). The parties may specifically identify certain breaches that are
SLAs typically address availability (uptime), latency, incident response deemed material breaches in order to forgo any dispute over materiality
times and work levels until resolution, and backup and restoration later. For example, the customer may seek an express termination right
procedures. if the vendor catastrophically fails to meet an availability SLA.
The single most common SLA is availability, and some vendors, if
they offer any SLAs, will offer only an availability SLA. It is common for a Termination for convenience
vendor to qualify an availability SLA with a commitment to use ‘commer- Often the customer will want a termination for convenience clause,
cially reasonable efforts’ to achieve a stated availability (though this which allows the customer to terminate the agreement at any time
is often objected to by the customer). The availability SLA commonly and for any reason, upon written notice to the vendor. A termination
has exclusions for scheduled and emergency maintenance and force for convenience right can greatly help to mitigate a customer’s risk in a
majeure events, and specific notice and reporting to customer in prepa- contract. Vendors very commonly object to a customer’s right to termi-
ration for downtime. Customers will want vendors to self-monitor and nate for convenience. Often, for a vendor to accept a customer’s right to
report compliance with SLAs to the customer, whereas the vendor will terminate for convenience, there is typically a liquidated damages term
want customers to have to monitor (or ‘feel’) and report suspected SLA (ie, an early termination fee). The amount of the fee varies.
failures to the vendor.
Often the remedy for a breach of an SLA will be limited to the Survival of terms
vendor providing a service credit to customers. The parties typically stipulate which provisions survive termination
of the agreement. Often, the parties want terms for confidentiality, IP
ownership, dispute resolution, limitations on liability and indemnifica-
tion to survive termination.

Transition services
The customer typically will seek some level of transition services upon
expiration or termination of the agreement, which typically includes an
extension of cloud services for a set time after termination, such as

100 Cloud Computing 2020

© Law Business Research 2019
Duane Morris United States

30–90 days, so that the customer will still have access to the cloud solu-
tion while it transitions to a replacement provider. Transition services
typically also include a provision that the vendor will cooperate as
necessary with the replacement provider in order to assist with the
transfer of the customer’s data and operations.

Effect of termination
The parties typically include in an ‘effect of termination’ provision terms
that require the return or deletion of all data and confidential informa- Amy Farris
[email protected]
tion of the other party, and transfer of all deliverables, whether complete
or in progress, from the vendor to the customer. Manita Rawat
[email protected]
Employment law considerations
Matthew Mousley
23 Identify any labour and employment law considerations that [email protected]
apply specifically to cloud computing in your jurisdiction.

30 South 17th Street

There is typically a provision that states that the parties are independent
Philadelphia, PA 19103-4196
contractors and not in an employment or joint venture relationship, with
United States
an express statement that neither party has the ability to bind the other
Tel: +1 215 979 1000
party. Less common is a provision that distinguishes between working
hours and non-working hours for non-exempt employees under the Fair 2475 Hanover Street
Labor Standards Act. Palo Alto
California, CA 94304
TAXATION United States
Tel: +1 650 847 4150
Applicable tax rules
24 Outline the taxation rules that apply to the establishment and www.duanemorris.com
operation of cloud computing companies in your jurisdiction.

In general, taxation is divided into income tax issues, gross receipt tax
issues and sales tax issues. As applied to taxation of cloud computing RECENT CASES
offerings, the nexus for each category of issues may be different, and
how to calculate the tax impact of a certain offering varies for the type Notable cases
of tax and the tax authority involved. For example, as a sales tax, a city 26 Identify and give details of any notable cases, or commercial,
such as Chicago might tax cloud usage depending on the type of usage private, administrative or regulatory determinations within
by classifying it as a remote taxable lease, whereas a city such as New the past three years in your jurisdiction that have directly
York might classify certain cloud usage as a non-taxable service, certain involved cloud computing as a business model.
cloud usage as a taxable remote lease and other cloud usage as a
taxable information service. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) (H.R. 4943)
Some of the considerations that affect these issues include the was enacted on 23 March 2018. The CLOUD Act amends the Stored
ownership of intellectual property in the cloud; the locations of the Communications Act of 1986 (SCA) to allow federal law enforcement
vendor and the customer; different tax authority definitions applicable to compel US-based technology companies via warrant or subpoena to
to the cloud offering or the business model under which the offering provide requested data stored on servers regardless of whether the
is made; how much of the offering can be characterised as a service data are stored in the US or foreign jurisdictions.
versus tangible personal property; how much of the offering can be One of the motivating forces behind the CLOUD Act was United
characterised as software versus goods and services; and whether States v Microsoft Corp. In that case, federal law enforcement agents
implicated software is off-the-shelf versus customised. applied for a warrant requiring Microsoft to disclose all emails and
other information associated with the account of one of its customers.
Indirect taxes Microsoft resisted the warrant because the account’s email contents
25 Outline the indirect taxes imposed in your jurisdiction that were stored in its Dublin data centre. The district court held Microsoft
apply to the provision from within, or importing of cloud in civil contempt for refusing to comply with the warrant, but the appel-
computing services from outside, your jurisdiction. late court vacated the civil contempt. The case was on appeal to the
Supreme Court of the United States when the CLOUD Act was passed.
See question 24. With the enactment of the CLOUD Act, the government procured and
served a new warrant pursuant to the new law, which the parties agreed
replaced the original contested warrant. This replacement warrant
rendered the parties’ dispute moot, so the Court vacated the ruling on
review and remanded the case with instructions to dismiss. See United
States v Microsoft Corp, 138 S. Ct. 1186 (2018).
On 6 June 2018, IBM Corp and SAP SE announced plans to launch
an edition of the SAP Cloud Platform running on the IBM Cloud for
private cloud deployments. The companies said the collaboration
would help clients in regulated industries build new applications in the

www.lexology.com/gtdt 101
© Law Business Research 2019
 United States Duane Morris

cloud without jeopardising security and control (www.ibm.com/blogs/

cloud-computing/2018/06/06/ibm-sap-cloud-partnership/).
On 27 August 2018, Amazon and VMware introduced a version
of Amazon’s cloud-based database management software aimed at
companies that use on-premises data centres. Amazon and VMware
started working together on a combination of cloud and on-premises
technology in October 2016.

UPDATE AND TRENDS

Key developments of the past year

27 What are the main challenges facing cloud computing within,
from or to your jurisdiction? Are there any draft laws or
legislative initiatives specific to cloud computing that are
being developed or are contemplated?

None.

* The information in this chapter was correct as at October 2018.

102 Cloud Computing 2020

© Law Business Research 2019
Other titles available in this series
Acquisition Finance Distribution & Agency Investment Treaty Arbitration Real Estate
Advertising & Marketing Domains & Domain Names Islamic Finance & Markets Real Estate M&A
Agribusiness Dominance Joint Ventures Renewable Energy
Air Transport e-Commerce Labour & Employment Restructuring & Insolvency
Anti-Corruption Regulation Electricity Regulation Legal Privilege & Professional Right of Publicity
Anti-Money Laundering Energy Disputes Secrecy Risk & Compliance
Appeals Enforcement of Foreign Licensing Management
Arbitration Judgments Life Sciences Securities Finance
Art Law Environment & Climate Litigation Funding Securities Litigation
Asset Recovery Regulation Loans & Secured Financing Shareholder Activism &
Automotive Equity Derivatives M&A Litigation Engagement
Aviation Finance & Leasing Executive Compensation & Mediation Ship Finance
Aviation Liability Employee Benefits Merger Control Shipbuilding
Banking Regulation Financial Services Compliance Mining Shipping
Cartel Regulation Financial Services Litigation Oil Regulation Sovereign Immunity
Class Actions Fintech Patents Sports Law
Cloud Computing Foreign Investment Review Pensions & Retirement Plans State Aid
Commercial Contracts Franchise Pharmaceutical Antitrust Structured Finance &
Competition Compliance Fund Management Ports & Terminals Securitisation
Complex Commercial Gaming Private Antitrust Litigation Tax Controversy
Litigation Gas Regulation Private Banking & Wealth Tax on Inbound Investment
Construction Government Investigations Management Technology M&A
Copyright Government Relations Private Client Telecoms & Media
Corporate Governance Healthcare Enforcement & Private Equity Trade & Customs
Corporate Immigration Litigation Private M&A Trademarks
Corporate Reorganisations Healthcare M&A Product Liability Transfer Pricing
Cybersecurity High-Yield Debt Product Recall Vertical Agreements
Data Protection & Privacy Initial Public Offerings Project Finance
Debt Capital Markets Insurance & Reinsurance Public M&A
Defence & Security Insurance Litigation Public Procurement
Procurement Intellectual Property & Public-Private Partnerships
Dispute Resolution Antitrust Rail Transport

Also available digitally

lexology.com/gtdt

ISBN 978-1-83862-164-3

© Law Business Research 2019