At the risk of raining on the EU's cloud parade, the European Commission's recently unveiled report, “Unleashing the Potential of Cloud Computing in Europe”, also threatens to unleash a legal storm of international regulatory ordeals, multi-jurisdictional issues, privacy and security battles, and commercial liability. Alas, that is the price of technological ambition: one is always waiting for the requisite law to load.
The EU plans to leverage the potential of cloud computing across public and private sectors into a golden “digital single market” economy, including a GDP boost of 957 billion euros and 3.8 million jobs by 2020. The report addresses outstanding concerns, clarifies policy and regulatory aspects of the strategy, and sets key actions to assert Europe's future as a “world cloud computing powerhouse”. Whether one approves or disapproves, those in technology, regulatory, and business law would do well to prepare for likely squalls ahead.
First, the strategy involves “cutting through the jungle of standards”—a 27-nation-jungle with all manner of cloud-inhibiting flora, including differing legal frameworks, inconsistent criteria, uncertain jurisdiction, and lack of clear standards. The EC plans to respond with an overarching regime in which cloud providers may obtain certification to reassure clients that they meet set standards of, e.g., interoperability, data portability, and security, and adhere to all relevant laws. Here, problems may arise where ideal cloud standards like seamless transborder accessibility clash with existing legal standards such as transborder data flow restrictions.
Second, there are jurisdictional landscapes abroad to contend with. Conflict of laws figures large in a cloud computing future. Europe will have to collaborate with other countries on issues such as law enforcement, cybercrime, intellectual property, and competition; and vice versa. Take Canada, for instance. Morguard first established transjurisdictional enforcement: one province's court may enforce and recognize judgement from another province if there is a “real and substantial connection between the wrongdoing and the jurisdiction”. Beals extended this test to foreign jurisdictions, which Disney applied to enforce a New York copyright decision against an Ontario movie-downloading website. Imagine the complications if, for example, a Vancouver start-up using a Melbourne cloud provider with servers in Berlin were found to have violated (famously strict) German privacy laws. (Conversely, Accusearch confirmed that the Privacy Commissioner of Canada has jurisdiction over foreign businesses or websites if there is a real and substantial connection to Canada and the subject matter is within the office's purview.)
Despite PIPEDA having brought Canada's privacy laws up to European snuff, further harmonization with the United States may put Canada's privileged position at risk, with the EC laser-focused on building certainty and trust in cloud computing. The EU zone is well known for its healthy wariness of the Patriot Act, though some have deemed these fears redundant in light of Canadian similarities. This becomes especially significant now that EU data protection laws will no longer arise piecemeal from general directives, but from uniformly enforced regulations.
Third, the EC seems to place much faith in the power of contracts to assuage worries. Emphasizing “safe and fair contract terms and conditions” as a key goal, the report proposes to create a model contract of standard terms and conditions that certification-seeking cloud businesses can emulate, addressing conditions such as data access, stewardship, control, usage, portability, liability, disclosure, preservation, and reversibility; service upgrades, downtime, and continuity; and termination of services. Many of these terms, according to the report, are currently missing from typical “take it or leave it” cloud service contracts (known as service-level agreements), making for one-sided bargains.
Considering the stakes (another key goal is aggressively driving public sector cloud usage in the form of eGovernment services), these contracts are bound to undergo intense scrutiny and sprout new jurisprudence before anything may be considered “standard”. Combined with conflicts of law and potential tort liability (if, for example, cloud computing became such an integral part of civil society that cloud providers were found to owe some form of fiduciary duty), suffice it to say that private law's future in the clouds looks bright.
Of course, there is always the possibility that cloud computing will lead to nothing particularly new in law. In fact, Mark MacCarthy, Vice President Public Policy of the Software & Information Industry Association, believes that “there is no need for special privacy, security, intellectual property or consumer protection rules that apply just to cloud computing. Generalized rules, indeed, globally interoperable rules, are best suited to the global, borderless nature of cloud computing.” Most available legal tools needed to achieve such a state of affairs, however, are currently neither globally interoperable nor borderless. Regardless, one thing is certain: if the EC gets its way, it won't be too long before users across Europe find themselves living on cloud 9.0.
Cynthia Khoo is a JD Candidate at the University of Victoria.