This paper was presented at the Institute for Global Law and Policy 5th Conference (Harvard University, June 3 – 4, 2013)
What happens in the Cloud stays in the Cloud, or why the Cloud’s architecture should be transformed in ‘virtual territorial scope’
Gabriela Zanfir*
Abstract
The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” - what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”1? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.
Key words: cloud computing, data protection, global governance, territorial scope
* PhD candidate, Assistant Researcher, Faculty of Law, University of Craiova. This work was supported by the strategic grant POSDRU/CPP107/DMI1.5/S/78421, Project ID 78421 (2010), cofinanced by the European Social Fund—Investing in People, within the Sectoral Operational Programme Human Resources Development 2007–2013. The author would like to thank the participants to the Institute for Global Law and Policy 5th Conference (Harvard University, June 3 – 4, 2013) for their comments on a first draft of this paper.
1 Chris Witt, HIPPA v. the Cloud, Managed Care Outlook, August 15, 2011, p. 10.
1 Electronic copy available at: http://ssrn.com/abstract=2409006
1. Introduction
2. Global governance and technology
2.1 The place of cyberspace and its metaphors in the globalizing legal order
The pluralist view of regulating cyberspace
The cyberspace as place metaphor in judicial review
2.2 The new paradigms of regulation
3. What happens in the Cloud
3.1 Actors, roles and the scene of cloud computing
3.2 Some legal implications of providing cloud services
Cloud services contracts in and about the cloud: main challenges
4. Global solutions for regulating cloud computing
4.1 Premises: clouds and extraterritorial jurisdiction
4.2 International cooperation: A treaty establishing fair practices in cloud computing
4.3 Global soft law for cloud computing – creating a Lex Nubia
5. Conclusion
1. Introduction
A surprising metaphor2 (for an observer not familiarized with the alphabet of information technology) which best describes cloud computing is “electric power utility”. It has been explained that the trend currently faced in the IT world “is similar to what occurred about a century ago when factories, which used to generate their own electric power, realized that it was cheaper just plugging their machines into the newly formed electric power grid”3. The same phenomenon occurs with the emergence of cloud computing: “we are experiencing a switch […] from in-house generated computing power into utility-supplied computing resources delivered
2 See generally on the concept of cognitive metaphors used in understanding cyberspace Dan Hunter, Cyberspace as Space, in Lorrie Faith Cranor, Steven S. Wildman (eds.) Rethinking Rights and Regulations. Institutional Responses to New Communications Technologies, MIT Press, 2003, p. 5 - 6.
3 Nicholas Carr, The Big Switch: Rewiring the World, from Edison to Google, W.W. Norton & Co., New York, 2008, apud William Voorsluys, James Broberg, Rajkumar Buyya, Introduction to Cloud Computing, in Rajkumar Buyya, James Broberg, Andrzej M. Goscinski (eds.), Cloud Computing. Principles and Paradigms, John Wiley & Sons, 2011, p. 5.
over the Internet as Web Services”4. Hence, computing services ranging from data storage and processing to software, such as email handling, are now available instantly, commitment-free and on-demand5, characterized by “pay as you go” payment models6. The most commonly used adjective to describe cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals in order to be able to protect the interests of both legal and natural persons engaging in legal relationships related to cloud services. Before engaging in further analysis, it is important to highlight three characteristics of the context in which such a revision would operate. First, there are the general phenomena characterizing the contemporary world: the horizontal and apparent process of globalization of the legal sphere – which can take several forms, from judicial globalization7, to the globalization of jurisdiction8, and the vertical and subtle ongoing process of the creation of global governance, or pluralism9. At this stage, “while neither the figure of the state, nor the normative authority of formal sources of law have disappeared under the pressure of globalization, fundamental shifts have occurred in the international landscape, favoring the emergence of concurrent actors and law-makers, unsettling the territorial jurisdiction of states”10. On the vertical integrative level, it was noted that
4 William Voorsluys, James Broberg, Rajkumar Buyya, Introduction to Cloud Computing, in Rajkumar Buyya, James Broberg, Andrzej M. Goscinski (eds.), Cloud Computing. Principles and Paradigms, John Wiley & Sons, 2011, p. 5.
5 European Network and Information Society Agency (ENISA), Cloud Computing. Benefits, Risks and Recommendations for Information Security Report, November 2009, p. 4.
6 International Data Corporation (IDC), Quantitative Estimates of the Demand for Cloud Computing in Europe and the Likely Barriers to Up-take, SMART 2011/0045, D4 Final Report, July 13th, 2012, p. 9.
7 See Anne-Marie Slaughter, Judicial Globalization, Virginia Journal of International Law, Vol. 40, 2000, pp. 1103-1124; Yuval Shany, No Longer a Weak Department of Power? Reflections on the Emergence of a New International Judiciary, European Journal of International Law, Vol. 20, No. 1, 2009, pp. 73-91.
8 See Paul Schiff Berman, The Globalization of Jurisdiction, University of Pennsylvania Law Review, Vol. 151, No. 2, 2002, pp. 311 – 529.
9 See Daniel Halberstam, Systems Pluralism and Institutional Pluralism in Constitutional Law: National, Supranational and Global Governance, in Matej Avbelj, Jan Komarek, Constitutional Pluralism in the European Union and Beyond, Hart Publishing, 2012, pp. 85-126; Daniel Halberstam, Local, Global and Plural Constitutionalism: Europe Meets the World, in Grainne de Burca, Joseph H. H. Weiler, The Worlds of European Constitutionalism, Cambridge University Press, 2011, pp. 150-202; Dieter Grimm, The Achievement of Constitutionalism and Its Prospects in a Changed World, in Petra Dobner, Martin Loughlin (eds.), The Twilight of Constitutionalism, Oxford University Press, 2010; Jurgen Habermas, Does the Constitutionalization of International Law Still Have a Chance?, in Jurgen Habermas, The Divided West, Polity, 2006, pp. 115-194.
10 Horatia Muir Watt, Globalization and comparative law, in Mathias Reimann, Reinhard Zimmermann (eds.), The Oxford Handbook of Comparative Law, Oxford University Press, 2008, p. 582.
“[h]owever ambiguous the term ‘globalisation’ may be, among the few certainties is an acknowledgement of a growing incongruity between the political (i.e. the world of things that need to be ordered collectively in order to sustain society) and the state (i.e. the major institution for political decision making during modern times). And it is this incongruity that presents a serious challenge to the practices of constitutionalism”11. Second, there is the need of comprehending which is the most effective form of regulation and law enforcement on a global scale specifically with regard to technological developments, cyberspace and the Internet. It was underlined in the previous literature that “the regulation of technology faces a fundamental dilemma hitherto uncommon in the law. This is that, of its character, technology is normally global. Law, being the command of an organised community is traditionally tied to a particular geographical jurisdiction”12. The theoretical solutions proposed in the literature vary from the famous idea of Johnson and Post to create a sui generis jurisdiction for the cyberspace, as it cannot be governed by territorially based sovereigns13, to the equally famous theory of Lessig that code must regulate by itself the virtual world, while also being the sovereign of that world14. These debates are deepened by the fact that “each new technology has its own distinctive identity, […] [h]ence, even if we do not need to reinvent the regulatory wheel, we do need to refine our regulatory intelligence to bring it into alignment with the characteristics of each particular technology”15. Third, there is the widespread adoption of cloud computing services all over the world and in the widest possible range of fields16, and also the impact they have on macro-economies. In this respect, two International Data Corporation (IDC) reports show, for instance, that cloud
11 Petra Dobner, Martin Loughlin, supra (n 9), p. xi.
12 Michael Kirby, Regulating Technology by Law and Code, in Richard Brownsword, Karen Yeung (eds.), Regulating Technologies. Legal Futures, Regulatory Frames, and Technological Fixes, Hart Publishing, Oxford and Portland, Oregon, 2008, p. 382.
13 David R. Johnson, David G. Post, Law and Borders – The Rise of Law in Cyberspace, Stanford Law Review, Vol. 48, No. 5, May 1996, pp. 1367-1402.
14 Lawrence Lessig, Code. Version 2.0, Basic Books, New York, 2006.
15 Richard Brownsword, So What Does the World Need Now? Reflections on Regulating Technologies, in Richard Brownsword, Karen Yeung (eds.), supra (n 12), p. 30.
16 Recent examples of the widespread adoption of cloud services are depicted in Louis Columbus, 10 Ways Cloud Computing is Revolutionizing Manufacturing, Forbes.com, May 6, 2013, available online at http://onforb.es/10kEO5y, last accessed on June 24, 2013; and Michael Goodenough, Cloud Computing: Effectively Changing The Business Operation Model, Forbes.com, May 16, 2013, available online at http://onforb.es/11Hn5M0, last accessed on June 24, 2013.
computing could contribute up to 250 billion euro to EU GDP in 202017 and that US public IT cloud services revenue will grow from 18.5 billion dollar in 2011 to 43.2 billion in 201618. Hence, cloud computing already plays an important role in the economic functioning of societies, as well as in the development of private interactions. This is the general context in which the further analysis will be made. Its catalysts are two of the features of cloud infrastructure management: “storage virtualization” and “virtual networks”19, which define the “ubiquitousness” of cloud computing. The paper continues with describing in more detail the phenomenon of jurisdictional globalization, also in the context of Internet and new technologies, proposing the concept of pluralist regulation of cyberspace (2). It will further answer the question of “what happens in the cloud”, characterizing the main features of cloud computing services with a view towards identifying their legal implications (3). Solutions for regulating cloud computing with a global impact will be sought (4), followed by conclusions (5).
2. Global governance and technology
The phenomenon of globalization facilitated “the explosion of governance beyond the state”20, or global governance. The world has witnessed in recent years “the proliferation of global governance regimes as well as the expansion (and expanded assertion) of powers of both old and new actors in the international arena”21, which “have to varying degrees taken on governance functions previously performed by states”22. Auby showed that, in its legal dimension, globalization is characterized by an evolution towards an increasing interdependence of systems, the increasing presence of transnational situations (and situations of extraterritoriality), the growing importance of non-state actors – among which there are also regulators, the development of networks as a contemporary characteristic of international governance, and the fact that all these phenomena have both a
17 IDC Report, 2012, supra (n 6).
18 IDC, US Public IT Cloud Service by Industry Sector Report, November 2012.
19 William Voorsluys, James Broberg, Rajkumar Buyya, 2011, supra (n 4), p. 18-19.
20 Daniel Halberstam, supra, 2011 (n 9), p. 150.
21 Idem, p. 153.
22 Ibidem.
vertical and a horizontal dimension23. Auby concludes that “juridical” globalization is a challenge to the legal centrality of the state, to the territoriality of law, to the differentiation of national legal systems, and also to the classic structure of the international and national legal orders24. He also identifies three fundamental domains which “require great efforts of research” so that the legal system will function within the new globalized context: norms, competences and institutions25. When thinking of the “norms” dimension, one could look to Habermas and how he describes the new dynamic of the global scene referring to the inevitable need of the states for both regulation and coordination: “Nation-states can no longer secure the boundaries of their own territories, the vital necessities of their populations, and the material preconditions for the reproduction of their societies by their own efforts. In spatial, social, and material respects, nation-states encumber each other with the external effects of decisions that impinge on third parties who had no say in the decision-making process. Hence, states cannot escape the need for regulation and coordination in the expanding horizon of a world society that is increasingly self-programming, even at the cultural level”26.
With regard to the distribution of competences and the functioning of institutions, legal theory is preoccupied with settling the place of constitutionalism in the globalized context. Theories of local constitutionalism27, global constitutionalism28 and a middle ground between these two – pluralism29, have been developed to explain how a system of global governance can function, and how it can gain legitimacy and efficiency. Pluralism has the allure of a compromise-solution,
23 Jean-Bernard Auby, La globalisation, le droit et l’État, 2e édition, LGDJ, 2010, p. 251.
24 Idem, p. 252.
25 Ibidem.
26 Jurgen Habermas, supra, 2006 (n 9), p. 176.
27 See David S. Law, Mila Versteeg, The Evolution and Ideology of Global Constitutionalism, California Law Review, Vol. 99, 2011, p. 1163; Jack L. Goldsmith, Eric A. Posner, The Limits of International Law, Oxford University Press, 2005; Curtis A. Bradley, International Delegations, the Structural Constitution, and Non-Self Execution, Stanford Law Review, Vol. 55, 2003 (available online at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=369020, last accessed on June 24, 2013); Edward T. Swaine, The Constitutionality of International Delegations, Columbia Law Review, Vol. 104, No. 6, 2004, pp. 1492-1614.
28 See Larry Backer, From Constitution to Constitutionalism: A Global Framework for Legitimate Public Power Systems, Penn State Law Review, Vol. 113, No. 3, 2009, pp. 101-177; Samantha Besson, Human Rights, Institutional Duties and Cosmopolitan Responsibilities, Oxford Journal of Legal Studies, Vol. 23, No. 3, 2003, pp. 507-523; Thomas W. Pogge, Cosmopolitanism and Sovereignity, Ethics, Vol. 103, No. 1, 1992, pp. 48-75.
29 See Julio Baquero Cruz, The Legacy of the Maastricht-Urteil and the Pluralist Movement, European Law Journal, No. 14, 2008, pp. 389-420; Daniel Halberstam, supra, (n 9);
hence it is the most likely to be accepted. Halberstam explains that in his view pluralism rejects hierarchy and foundation and it presupposes two conditions: “first, a plurality of partially autonomous sites or institutions of public governance with mutually conflicting claims of authority; and second, mutually embedded openness within these sites or institutions with regard to each other’s claims of authority”30. Such a design of competences in a multilevel structure is similar to the one underlying the legal system of the European Union.
2.1 The place of cyberspace and its metaphors in the globalizing legal order
While the locus of constitutionalism in the globalized world remains unsettled, there is a field which is demanding rapid and efficient solutions since the mid 90’s: cyberspace and the technology which enables it. As it was bluntly put by Johnson and Post, “global computer-based communications cut across territorial borders, creating a new realm of human activity and undermining the feasibility – and legitimacy – of laws based on geographic boundaries”31. This fact significantly complicates the reality of legal globalization.
The pluralist view of regulating cyberspace
Johnson and Post argued in 1995 that “a more legally significant, and satisfying, border for the law space of the Net consists of the screen and passwords that separate the tangible from the virtual world”32. In other words, they propose that Cyberspace be considered as a distinct place, a distinct “newly defined” and “intangible” territory, where “fundamental activities of lawmaking – accommodating conflicting claims, defining property rights, establishing rules to guide conduct, enforcing those rules and resolving disputes – remain very much alive”33. They acknowledge, nevertheless, that “questions remain about who sets the rules and how they are enforced”, forwarding as a solution their belief that “the Net can develop its own effective legal institutions”34.
30 Daniel Halberstam, supra, 2011 (n 9) p. 163.
31 David R. Johnson, David G. Post, supra (n 13), p. 1367.
32 Idem, p. 1378.
33 Idem, p. 1402.
34 Idem, p. 1387.
This view was later criticized, as it was considered that the two scholars “have severely underestimated the ability of territoriality based sovereigns to regulate cyberspace”35 and that their conception of sovereignty as necessarily tied to physical power and territorial boundaries may be “overly simplistic”36. However, the fact remains that global computer-based communications cut across territorial borders. And the fact also remains that, as Zittrain explains, each of the major problems of jurisdiction, from personal jurisdiction, to choice of law and enforcement, is “grounded in dilemmas arising from a global Internet cabined only by local laws”37. Still, the idea Johnson and Post advocated for was not put into practice (until now), for reasons which were already outlined. To these, another reason could be added – the quasi-infinite material scope of the regulation within the cyber-territory. As the authors themselves observe, almost everything involving the transfer of information can be done online: education, healthcare, banking, the provision of intangible services, all forms of publishing, and even practice of law38. Conceiving cyberspace as a distinct territory for the purpose of global regulation must not entail the unidirectional regulation of “everything that happens online”, as the online world is as complex as the offline one, which cannot possibly be regulated by one single law, or even by one limited set of laws. A concept of pluralism in regulating the new territory of cyberspace would aid the purpose of effectiveness of regulatory endeavors. The pluralist regulation of cyberspace must be characterized by two main features: first, a substantive and procedural division of the material scope of regulating cyberspace and, second, the effective acknowledgement that, while it can be viewed as a distinct territory, cyberspace is interconnected with the real world.
The libertarian premises of creating a body of law applicable to a generic concept of “Internet activities” were based on a digital divide between offline and online that exists less and less39, the Internet being less a conceptually separate space with few direct links to non-Internet life and institutions, and more a ubiquitous tool40.
35 Paul Schiff Berman, supra (n 8), p. 371.
36 Ibidem.
37 Jonathan Zittrain, Be Careful What You Ask For: Reconciling a Global Internet and Local Law, in Adam Thierer, Wayne Crews (eds.), Who Rules the Net?, Cato Institute, 2003, p. 8.
38 David Johnson, David Post, supra, (n 13), p. 1377.
39 Jonathan Zittrain, supra, (n 37), p. 8.
40 Ibidem.
The cyberspace as place metaphor in judicial review
The need for cyberspace to be treated as a distinct realm and for regulatory endeavors of the cyberspace to be articulated with a view to its sui generis form of existence remains evident. Proceeding differently would most probably cost the classic ideas of human rights, property or even justice itself. For instance, Hunter pointed out that “courts (in the US - n) have rushed to resurrect the late, largely unlamented, tort of trespass to chattels, and apply it to the new cyberspace arena”41, which led to surprising results, such as the one in the Intel v Hamidi42 case. In this case, the California courts have extended the principle to prohibit regular email sent to a corporation that has requested that the email not be sent, and applied the approach of the earlier trespass to chattels cases to this new scenario43, arguing that “Hamidi was enjoined from trespassing onto Intel’s private property”44. This approach of courts to consider a literal equivalence between space and cyberspace transcends borders and significantly different legal systems. For instance, a Romanian Court of Appeal, in a case concerning as well freedom of speech45, considered that Facebook is a “public space” and upheld a sanction issued by the National Council of Fight against Discrimination against a member of the public administration who wrote on his Facebook wall “Arbeit macht frei” addressing protesters during widespread protests in 2012 against the government and its austerity measures, his message being published by mass-media. The Court held that “Facebook cannot be equivalent, with regard to the control of the content of broadcasted messages, with electronic mail. The claimant’s personal profile on Facebook, even if it is accessible only to his friends – and thus to a small number of persons, is still public, any of his friends being able to share the information posted there. 
[…] Using the Arbeit macht frei expression in a public environment […] undoubtedly provokes its association with feelings of contempt, repudiation,
41 Dan Hunter, supra, (n 2), p. 13.
42 114 Cal. Rptr. 2d 244, 250 (C.A.1. 2001).
43 See the commentary of Dan Hunter on the merits of Intel v Hamidi case, in Dan Hunter, supra, (n 2), p. 15-16.
44 114 Cal. Rptr. 2d 244, 250 (C.A.1. 2001), apud Dan Hunter, supra, (n 2), p. 16.
45 Curtea de Apel Târgu Mureş, Secţia a II-a Civilă de Contencios Administrativ şi Fiscal, Sentence No. 21 from January, 17, 2013.
and intolerance”46. Hence, this behavior, as interpreted by the Court, amounts to stating out loud that expression in a public plaza, where anyone could hear it. The idea that cyberspace is “space” for the purposes of applying the law is controversial. For instance, the cases in the US courts relying on the tort of trespass to chattels “struggle with the question of what exactly is the chattel in issue. At times, the courts suggest that the chattel is simply the computer, but more often it is a nonspecific combination of computer, bandwidth, capacity, processing power or network”47. Hence, the “chattel” can also be incorporeal. For instance, in the Romanian case, the “space” was represented by a webpage with user generated content. It was argued in the literature that courts “have shown a remarkable lack of sensitivity”48 to the differences between the physical space and cyberspace. These differences stem from the fact that web sites are not “visited” per se by persons, who, in fact, “request for information to the provider of the Web site, and the provider sends back data: the Web page itself”49. Among the underlined differences between the two spaces which might have legal consequences are the fact that, while in the physical world, one can occupy one place at a time, on the Internet one (or her data) can be everywhere at once, the fact that physical stores have spatial constraints that limit the number of customers who can enter the store or that physical places exist in proximity to one another by contrast to cyber-places50. As such, blind application by the courts of the cyberspace as space metaphor to reach a particular result “obscures more than illumines”51: “The metaphor will serve its purpose only if we understand its limitations – the ways in which the Internet is not like the physical world”52.
2.2 The new paradigms of regulation
One of the consequences of the axiom that “Internet is something else than the physical world” is that cyberspace manifests an original form of regulation: code. As Brownsword
46 Ibidem.
47 Dan Hunter, supra, (n 2), p. 15.
48 Mark A. Lemley, Place and Cyberspace, in Lorrie Faith Cranor, Steven S. Wildman (eds.), supra, (n 2), p. 33.
49 Ibidem.
50 Idem, p. 32.
51 Idem, p. 42.
52 Ibidem.
explained, “regulators, in their efforts to regulate new technologies, would learn a great deal about the strengths and weaknesses of traditional regulatory instruments, but also would spot the potential of these emerging technologies as regulatory tools, supplementing and even supplanting traditional modes of regulation”53. The topos of “code as law” refers to the notion that increasingly, technology is intentionally being used in a normative way, thus influencing people’s behavior to an ever larger extent54. Reidenberg observed in 1998 that “[f]or the information infrastructure, default ground rules are just as essential for participants in the Information Society as Lex Mercatoria was to merchants hundreds of years ago”55, proposing the recognition of Lex Informatica. He saw this new body of rules as “a useful extra-legal instrument that may be used to achieve objectives that otherwise challenge conventional laws and attempts by governments to regulate across jurisdictional lines”56. The term Lex Informatica was coined on the premise that “technical solutions begin to illustrate that network technology itself imposes rules for the access to and use of information”57. According to Lessig, the invisible hand of cyberspace is building an architecture that will perfect control and make highly efficient regulation possible58. To illustrate instances of this new architecture, good examples are privacy by design, along with privacy enhancing technologies59 and digital rights management60. Lessig argues that “we can build, or architect, or code
53 Richard Brownsword, supra, (n 15), p. 25.
54 Bert Jaap Koops, Criteria for Normative Technology. The Acceptability of ‘Code as Law’ in Light of Democratic and Constitutional Values, in Richard Brownsword, Karen Yeung (eds.), supra (n 12), p. 158.
55 Joel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules Through Technology, Texas Law Review, Vol. 76, No. 3, 1998, p. 553.
56 Idem, p. 555.
57 Idem, p. 565.
58 Lawrence Lessig, supra, (n 14), p. 4.
59 See, for instance, Mark Langheinrich, Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems, in Proceedings of the 3rd International Conference on Ubiquitous Computing, GA., Springer, London, 2001, pp. 273 – 291; Ann Cavoukian, Privacy by Design: Leadership, Methods and Results, in Serge Gutwirth, Ronald Leenes et al (eds.), European Data Protection: Coming of Age, Springer, 2013; “Privacy by design evolved from early efforts to express Fair Information Practice principles directly in the design and operation of information and communications technologies, resulting in Privacy Enhancing Technologies” (Cavoukian, p. 177).
60 See, for instance, Eberhard Becker, Willms Buhse, Dirk Günnewig, Nils Rump (eds), Digital Rights Management. Technological, Economic, Legal and Political Aspects, Springer, 2003; Timothy K. Armstrong, Digital Rights Management and the Process of Fair Use, Harvard Journal of Law and Technology, Vol. 20, 2006, pp. 49 – 121; Digital Rights Management systems were developed to protect IP rights and represent “technological protection measures, including rudimentary encryption systems, to control access to authorized media” (Armstrong, p. 60).
cyberspace to protect values that we believe are fundamental. Or we can build, or architect, or code cyberspace to allow those values to disappear. There is no middle ground. There is no choice that does not include some kind of building”61. With regard to the new paradigm of “programmed regulation”, the greatest challenge will be “to assure that essential liberties are preserved in this environment of perfect control”62. As Koops explains, a key difference between code and law is that “normative technology, both in its norm-enforcing and in its norm-establishing form, influences how people can behave, while law influences how people should behave”63. Therefore, normative technology must be approached with caution so that it does not create democratic and constitutional imbalances. The new forms of embedded regulation are not the only regulatory shifts produced by technology which need to be accommodated by the legal system/s. While the malleability of cyberspace and its contradictory nature – in that a virtual, borderless, incorporeal and un-seeable entity hosts real life complex effects, have been creating jurisdictional and legal difficulties in the past decades, the fact remains that the focus of most national law is the territory of the nation64. In this respect, Kirby drew the conclusions of a valuable collection of essays regarding technology regulations, stating that “[b]y way of contrast, the focus of regulating technology must be the technology itself”65. In a conclusive remark, applying all the above considerations to cloud computing, a few hypotheses inevitably emerge. First, as a response to the challenge of the infinite material scope of a global regulation of cyberspace, in a cloud scenario it is easy to foresee that the ratione materiae purpose of such a regulation would be considerably limited. Cloud structures, even if complex, are organized structures of the cyberspace, whose architecture can be delimited in the infinite “ocean” of cyberspace.
Moreover, unlike the endless possibility to exploit cyberspace, the kind of interactions that might have legal implications with regard to cloud computing can also presumably be anticipated so that establishing effective rules can prove to be possible – be it embedded rules or genuine norms. Second, as the most sensible conclusion regarding technology regulation is to forget about the borders of the nation states and focus on the technology itself, in
61 Lawrence Lessig, supra, (n 14), p. 6.
62 Idem, p. 4.
63 Bert Jaap Koops, supra, (n 54), p. 159.
64 Michael Kirby, supra (n 12), p. 382.
65 Ibidem.
a cloud scenario such a focus would translate into converting the territorial scope of laws from the tangible world to a virtual territorial scope, following the lines of the “technology” itself – or simply the architecture of the cloud. The next part of the paper will test these hypotheses with what is an abstract exegesis, having as premises the characteristics of cloud computing revealed by both technical and legal literature. The exegesis is made from a legal perspective, hence the technical characterizations will be held to the minimum necessary to draw legal conclusions.
3. What happens in the Cloud
The cloud computing paradigm is based on the idea of delegating to the network the provision of almost all functionalities of present-day computer systems, from a high-availability and fast hardware infrastructure to complex applications tailored to user needs66. According to its most accepted definition, cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”67. Elsewhere, cloud computing was defined as “software offerings where the application is executed in a web browser, via software code that is downloaded (as needed) from a remote server that also stores users’ files”68. According to another definition, cloud computing means “‘outsourcing’ computing functions traditionally controlled directly by a consumer – operating and maintaining hardware, installing and running software, storing data – to a third-party service via the Internet”69. Another relevant descriptive definition of cloud computing develops three guidelines: “Cloud computing provides flexible, location-independent access to computing
66 Valentina Casola, Raffaele Lettiero, Massimiliano Rak, Umberto Villano, Access Control in Cloud-on-Grid systems: The Perf – Cloud case study, in Serge Gutwirth, Yves Poullet, Paul de Hert, Ronald Leenes, Computers, Privacy and Data Protection: An Element of Choice, Springer, 2011, p. 427.
67 Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing. National Institute of Standards and Technology (2011) available online at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, last accessed on June 24, 2013.
68 Christian Soghoian, Caught in the Cloud: Privacy, encryption and government back doors in the web 2.0 era, Journal on Telecomm. & High Tech. Law, Vol. 8, 2010, p. 364.
69 Nicole A. Ozer, Chris Conley, Cloud computing: storm warning for privacy, ACLU of Northern California 1, 2010.
resources that are quickly and seamlessly allocated or released in response to demand; services (especially infrastructure) are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers; charging, where present, is commonly on an access basis, often in proportion to the resources used”70. In fact, 22 different definitions of cloud computing given in the literature were only compiled by Vaquero et al in a 2009 paper, their conclusion being that “Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized SLAs (Service Level Agreements – n)”71. Nevertheless, they acknowledged that “the Cloud concept is still changing and these definitions show how the Cloud is conceived today”72. While there are countless other definitions or mere descriptions of the cloud, there are a few common characteristics which emerge from the most notable ones: (i) pay-per-use (no ongoing commitment, utility prices); (ii) elastic capacity and the illusion of infinite resources; (iii) self-service interface; and (iv) resources that are abstracted or virtualised73. A question might arise about why there are so many different definitions of cloud computing in the academic literature. According to Schiappa’s theory of defining reality, definitions constitute a form of rhetorically induced social knowledge74. “That is, definitions are the result of a shared understanding of the world and are both the product of past persuasion and a resource for future persuasion”75. Schiappa explains that defining a thing for what it is, which
70 Simon Bradshaw, Christopher Millard, Ian Walden, Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services, Queen Mary School of Law Legal Studies Research Paper No 63, 2010, p. 6.
71 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, A break in the clouds: towards a cloud definition, SIGCOMM Computer Communication Review, Vol. 39, No. 1, p. 51; See a critique of their definition in Katarina Stanoevska-Slabeva, Thomas Wozniak, Cloud Basics – An Introduction to Cloud Computing, in Katarina Stanoevska-Slabeva, Thomas Wozniak, Santi Ristol (eds.), Grid and Cloud Computing. A Business Perspective on Technology and Applications, Springer, 2010, p. 49.
72 Luis M. Vaquero et al, supra, (n 71), p. 51.
73 William Voorsluys, James Broberg, Rajkumar Buyya, supra (n 4), p. 4.
74 E. Schiappa, Defining Reality. Definitions and the Politics of Meaning, Southern Illinois University Press, 2003, p. 167.
75 Ibidem.
means identifying the unchanging essence or nature of things, encounters two overwhelming difficulties: “first, all we have access to are things-as-experienced (phenomena); things-in-themselves (noumena) are inaccessible; second, definitions are linguistic, and there is no way to escape the historical contingency of any particular definitional proposition”76. Schiappa concludes that instead of presuming to be able to identify metaphysical “essences” in definitions, we should acknowledge that definitions emphasize aspects of social realities that serve particular interests77. Therefore, the numerous definitions of cloud computing in the literature do not indicate that this new paradigm of providing computing services is more difficult to grasp than other products of technology are; rather, they most likely show that society has not yet fully configured the interest or interests it has for cloud computing to fulfill. Nevertheless, Schiappa also observes that when definitions become part of law or public policy, they can have rather significant consequences78. So it is indeed desirable that the features of cloud computing are profoundly debated in both technical and legal literature before they are regulated. An important step forward towards a universal understanding of what a cloud is and how cloud computing services function is being taken by the International Organization for Standardization (ISO), which established a sub-committee to the IT committee in 2009 (JTC 1/SC 38), dedicated to the standardization of cloud computing. However, from a legal perspective, the interest lies not in what a cloud is per se, but in what kind of interactions a cloud environment presupposes, interactions which are capable of producing legal effects. Which are the actors of cloud interactions? Which are the kinds of relationships they engage in? What happens in the cloud?
3.1 Actors, roles and the scene of cloud computing
Described in simple terms, without the ambition of defining it, “cloud computing concerns the delivery of IT capabilities to external customers, or, from the perspective of a user, obtaining IT capabilities from an external provider, as a service in a pay-per-use manner and
76 Idem, p. 168.
77 Idem, p. 169.
78 Idem, p. 167.
over the Internet”79. Its functioning model has two key characteristics: virtualization and scalability. Scalability refers to a dynamic adjustment of provisioned IT resources to variable load, e.g. increasing or decreasing number of users, required storage capacity or processing power80. Cloud computing abstracts from the underlying hardware and system software through virtualization – which is also considered to be the cornerstone technology for all cloud architectures. Besides abstraction, virtualization is also used for encapsulation81. The virtualized resources are provided through a defined abstracting interface82. On one hand, virtualization can take the form of “storage virtualization”, which presupposes abstracting logical storage from physical storage83. “By consolidating all available storage devices in a data center, it allows creating virtual disks independent from device and location”84. On the other hand, virtual networks allow creating an isolated network on top of a physical infrastructure independently from physical topology and locations85. Hence, the resources provided through cloud computing can include “servers, storage, and networking resources running in virtualized environments […], and the virtualized environment itself resides in a datacenter, which can be privately or publicly owned”86. In a few words, cloud computing can be summarized as IT as a service87, which means that the main legal paradigm that can frame cloud computing consists of the several legal fields incident to providing services, such as consumer protection and contract law. In addition to raw computing and storage, cloud computing providers usually offer a broad range of software
79 Katarina Stanoevska-Slabeva, Thomas Wozniak, Cloud Basics – An Introduction to Cloud Computing, in Katarina Stanoevska-Slabeva, Thomas Wozniak, Santi Ristol (eds.), Grid and Cloud Computing. A Business Perspective on Technology and Applications, Springer, 2010, p. 49.
80 Ibidem.
81 Ibidem. See also Ian Foster, Yong Zhao, Ioan Raicu, Shiyong Lu, Cloud Computing and Grid Computing 360-Degree Compared, Grid Computing Environments Workshop (GCE’08), 2008, doi:10.1109/GCE.2008.4738445.
82 Ibidem.
83 William Voorsluys, James Broberg, Rajkumar Buyya, supra (n 4), p. 18-19.
84 Ibidem.
85 Idem, p. 19.
86 Mitch Tulloch with Microsoft Virtualization Teams, Understanding Microsoft Virtualization Solutions. From the desktop to the datacenter, 2nd edition, Microsoft Press, 2010.
87 Idem, p. 431.
services. They also include Application Programming Interfaces and development tools that allow developers to build seamlessly scalable applications upon their services88. According to the “Compendium of Cloud Computing Usage Scenarios and Use Cases” drafted by working group 3 of the ISO IT sub-committee89, the framework scenario of “cloud computing provision” has five stakeholders: consumer (cloud subscriber) – a person or organization that maintains a business relationship with, and uses the service from a cloud provider; user (cloud user) – uses one or more cloud services; provider (cloud provider) – delivers cloud services to its consumers; cloud administrator – performs the administer service activity, which includes the tasks to create a relationship with a service consumer and enable the consumer to use the service, to configure the infrastructure, tools, policies and processes needed to offer a service, to monitor the service to ensure that it meets the SLA offered to the consumer and to send notifications, usage data and billing information to the consumer; and cloud developer – responsible for the creation and functional maintenance of cloud services90. In a simpler manner, in the legal literature the actors of cloud scenarios were identified as Service Providers (SPs), Service Users (SUs or users), and Infrastructure Providers (IPs)91. With regard to their “roles” – SPs make services accessible to the users through Internet-based interfaces, while the IPs move computing resources from the SPs to themselves so the SPs can gain in flexibility and reduce costs, with the purpose of outsourcing the provision of the computing infrastructure92. Unlike in the typical outsourcing services scenarios, in the cloud “the quantity of IT resources procured by the customer may fluctuate over time, often rapidly and dynamically in response to demand. 
The customer will not normally, other than perhaps in broad geographical terms, be aware of where the service infrastructure is. For all but the largest government and enterprise agreements, the contract will probably be to a standard form and entered into via a routine online process”93.
88 William Voorsluys, James Broberg, Rajkumar Buyya, supra (n 4), p. 4.
89 ISO/IEC JTC 1/SC 38/WG 3, Compendium of Cloud Computing Usage Scenarios and Use Cases, Standing Document 2, March 7, 2013 (the references in this paper to the Compendium are made to its content as it were on May 25, 2013).
90 Idem, p. 5.
91 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, supra, (n 71), p. 50.
92 Ibidem.
93 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 3.
The “scene” in which the actors engage in their roles can be characterized from two points of view. First, there are the scalability and virtualization features already mentioned. Second, there are the three delivery models of cloud services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). IaaS offerings are computing resources such as processing or storage which can be obtained as a service94. Through virtualization, they are able to split, assign and dynamically resize these resources to build ad-hoc systems as demanded by customers, the SPs95. Platforms are an abstraction layer between the software applications (SaaS) and the virtualized infrastructure (IaaS); PaaS offerings are targeted at software developers96. SaaS is software that is owned, delivered and managed remotely by one or more providers and that is offered in a pay-per-use manner97. These are services of potential interest to a wide variety of users hosted in Cloud systems. SaaS is the most visible layer of cloud computing for end-users, because it is about the actual software applications that are accessed and used98. Thus, it was argued that by providing interfaces on all three levels, clouds address different types of customers: (i) end consumers, who mainly use the services of the SaaS layer over a Web browser and basic offerings of the IaaS layer as for example storage for data resulting from the usage of the SaaS layer; (ii) business customers that might access all three layers; (iii) developers and independent software vendors that develop applications that are supposed to be offered over the SaaS layer of a cloud, but in order to do that they directly use the PaaS layer and indirectly the IaaS layer99. Regardless of its service class, a cloud can be classified as public, private, community or hybrid100.
In the private cloud, “the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)”101. In most cases, establishing a private cloud means restructuring an existing infrastructure by adding
94 Katarina Stanoevska-Slabeva, Thomas Wozniak, supra, (n 79), p. 52; “Examples are Amazon Web Services with its Elastic Computer Cloud (EC2) for processing and Simple Storage Service (S3) for storage and Joyent who provide a highly scalable on-demand infrastructure for running Web sites and rich Web applications” (p. 52).
95 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, supra, (n 71), p. 51.
96 Katarina Stanoevska-Slabeva, Thomas Wozniak, supra, (n 79), p. 53. Example: Google App Engine.
97 Idem, p. 53.
98 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, supra, (n 71), p. 51.
99 Katarina Stanoevska-Slabeva, Thomas Wozniak, supra, (n 79), p. 55.
100 William Voorsluys, James Broberg, Rajkumar Buyya, supra, (n 4), p. 15.
101 NIST, supra, (n 67).
virtualization and cloud-like interfaces. This allows users to interact with the local data center while experiencing the same advantages of public clouds, most notably self-service interface, privileged access to virtual servers, and per-usage metering and billing102. In the community cloud, the infrastructure “is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations)”103. The infrastructure for the public cloud “is provisioned for open use by the general public” and “it exists on the premises of the cloud provider”104. Finally, the hybrid cloud “is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability”105.
3.2 Some legal implications of providing cloud services
From the cloud service providers’ point of view, “in a cloud-computing scenario, the user isn’t concerned about where the virtual servers, storage or networking resource are actually located; all he cares about is that he can quickly access a resource when he needs it. For example, when he needs a new virtual server for his department, he doesn’t care whether the virtual server is running in a Hyper-V server (a Microsoft virtual server product - n) down the hall, in a nearby building, or in a datacenter halfway across the continent. He also doesn’t care whether the Hyper-V server is owned and maintained by the company he works for, a partner organization, or a public hosting provider”106. In reality, the user will care where the server hosting virtual servers is located, he will care where the cloud service provider is located, and he will also most definitely care whether the server and the datacenter are owned by his employer or whether they belong to a public cloud, because all of these represent connecting elements with the jurisdictional territory of a legal system. And the user will need a legal system to protect his private information, his copyright, the security of his data and so forth. But on which legal system can he rely, assuming
102 William Voorsluys, James Broberg, Rajkumar Buyya, supra, (n 4), p. 16.
103 NIST, supra, (n 67).
104 Ibidem.
105 Ibidem.
106 Mitch Tulloch with Microsoft Virtualization Teams, supra, (n 86), p. 431-432.
he will know all the location details of the cloud scenario? What happens if the spatial connecting elements, to which the user’s nationality can be added, point to several states and the laws of those states are conflicting? In fact, several risks of a legal nature have been identified in relation to cloud computing services, such as: how data provided to a cloud computing service provider will be used by that SP; how such data will be disclosed by the cloud computing operator, and subsequently used by third parties; the security of the data provided; the legality (under the consumer’s local law) of using cloud computing products; disruptions of the cloud computing service; getting locked into a contractual arrangement that does not cater for the consumer’s future needs; and violating privacy laws by the use of cloud computing products107. In addition, there are also risks relating to the IP rights over the data stored in the cloud, to the identification of the liable party when damages occur (taking into account that there are several actors providing different service layers in a cloud structure and that locating the place where the damage occurred is virtually impossible) and so forth. Hence, the fields of law that have been identified to be incumbent on cloud computing services are consumer protection law108, privacy law109, competition law110, IP law111, and contract law112. There are also arguments brought towards the relevance of environmental law upon providing cloud services113.
107 Dan Svantesson, Roger Clarke, Privacy and Consumer Risks in Cloud Computing, Computer Law & Security Review 26, 2010, p. 391.
108 Dan Svantesson, Roger Clarke, Privacy and Consumer Risks in Cloud Computing, Computer Law & Security Review 26, 2010.
109 Joep Ruiter, Martijn Warnier, Privacy Regulations for Cloud Computing: Compliance and Implementation in Theory and Practice, in Serge Gutwirth, Yves Poullet, Paul de Hert, Ronald Leenes, supra, (n 66), pp. 361 – 376; Yves Poullet, Jean-Marc Van Gyseghem, Jean-Philippe Moiny, Jacques Gérard, Claire Gayrel, Data Protection in the Clouds, in Serge Gutwirth, Yves Poullet, Paul de Hert, Ronald Leenes, supra, (n 66), pp. 377 – 411; W. K. Hon, Christopher Millard, Ian Walden, The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, part 1, Queen Mary University of London, School of Law, Legal Research Paper 29, 2011; Samson Yoseph Esayas, A walk in the cloud and cloudy it remains: The challenges and prospects of “processing” and “transferring” personal data, Computer Law and Security Review No. 28, 2012.
110 Randal C. Picker, Competition and Privacy in Web 2.0 and the Cloud, U of Chicago Law & Economics Olin Working Paper no. 414 (2nd series), June 2008, available online at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1151985 (last accessed on June 24, 2013); Jasper P. Slujis, Pierre Larouche, Wolf Sauter, Cloud Computing in the EU Policy sphere, TILEC Discussion Paper, DP 2011-036.
111 Szilvia Varadi, Atilla Kertesz, Michael Parkin, The necessity of legally compliant data management in European cloud architectures, Computer Law and Security Review No. 28, 2012.
112 Simon Bradshaw, Christopher Millard, Ian Walden, Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services, Queen Mary School of Law Legal Studies Research Paper No 63, 2010; Dan J. B. Svantesson, Data protection in cloud computing - The Swedish perspective, Computer Law and Security Review No. 28, 2012.
Cloud services contracts: main challenges
Irrespective of the substantive legal rules susceptible to be applied to legal relationships emerging from cloud computing scenarios, the provision of cloud services always relies on a contractual relationship between the service provider and the user. A contract between a cloud provider and a customer is likely to be different from an agreement between a provider of a different technology (not based on dispersed resources) and a client114. There are several significant reasons for this. First, cloud computing contracts essentially create a framework in which the user has access to infinitely scalable and flexible IT capabilities according to his needs115, the quantity of IT resources procured by the customer fluctuating over time, often rapidly and dynamically in response to demand116. Moreover, the customer will not normally, other than perhaps in broad geographical terms, be aware of where the service infrastructure is117. The greatest challenge remains, however, the fact that for all but the largest government and enterprise agreements, the contracts will probably be a standard form and entered into via a routine online process118. The provision of cloud services could be regulated not only by a contract, but also by a group of contracts119. These agreements will govern the specific ‘position’ of each party in the relationship – duties, liabilities, remedies of each contractor will be stated in the agreement and each party will be bound to respect the obligations contained there120. According to Parrilli, the
113 Benno Barnitzke, Marcello Corrales, Andrew Donoghue, Nikolaus Forgo, Andy Lawrence, Cloud Legal Guidelines (Part I), WP 7.2, OPTIMIS project, public deliverable submitted on November 30, 2010 (available through the Digital Commons Network).
114 Davide M. Parrilli, Legal Issues in Grid and Cloud Computing, in Katarina Stanoevska-Slabeva, Thomas Wozniak, Santi Ristol (eds.), supra, (n 71), p. 97.
115 European Commission, COM(2012) 529 final, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Unleashing the Potential of Cloud Computing in Europe, Brussels, September 27, 2012, p. 11.
116 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 3.
117 Ibidem.
118 Ibidem.
119 Davide M. Parrilli, supra, (n 112), p. 99.
120 Ibidem.
agreement that plays a pivotal role in cloud scenarios is the SLA – Service Level Agreement121. SLAs are a common way to formally specify the exact conditions (both functional and non-functional) under which services are or should be delivered122 and they are relevant from a legal perspective because they also provide for the process for compensating customers if the actual service falls short of the specified conditions123. All other clauses regarding liability, warranties, confidentiality, etc. may be included in another contract (that can be called, for instance, the Customer Agreement), and this is often the case in point with big international cloud computing and storage capacity providers124. In practice, the cloud provider and the customer can concentrate all the provisions that will govern their relationship in the SLA or enter into more than one agreement125. It is a general rule that the customer should read very carefully the clauses on liability and above all those regarding limitation of liability, for the fact that in practice the supplier can be in the position to decide if and to what extent it is convenient for him not to respect his contractual obligations without the risk of having to pay damages126. This rule is all the more important for users of public cloud services, who usually are in the position to accept the imposed Terms and Conditions (T&Cs) of the service provider or simply deny themselves the use of the service. After analyzing several T&C agreements for cloud services, Bradshaw et al reached the conclusion that T&C documents came in a number of forms, from relatively short and simple, to lengthy, complex and split over several documents127. Besides the SLAs, they also identified Terms of Service agreements (ToS), Acceptable Use Policy (AUP) and Privacy Policies. ToS entails the overall relationship between the customer and provider. It usually includes legal clauses such as choice of law and disclaimers128.
An example of ToS clauses which are likely to raise disputes are some of the stipulations within the Google ToS. For instance:
121 Ibidem.
122 Jens Happe, Wolfgang Theilmann, Andrew Edmonds, Keven T. Kearney, A Reference Architecture for Multi-Level SLA Management, in Philipp Wieder, Joe M. Butler, Wolfgang Theilmann, Ramin Yahyapour, Service Level Agreements for Cloud Computing, Springer, 2011, p. 14.
123 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 14.
124 Davide M. Parrilli, supra, (n 112), p. 99.
125 Ibidem.
126 Idem, p. 109.
127 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 14.
128 Ibidem.
“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps)”.
This fragment of the Google ToS also applies, for instance, to Google Docs (now called Google Drive), which is a type of cloud service – SaaS, provided for free to users all over the world. As put by Svantesson and Clarke, “this far-reaching provision may perhaps surprise some users”129. It is indeed surprising, as it conflicts with the prerogatives of a copyright owner over her work, taking into account that the ToS is provided in a “take-it-or-leave-it” form and is not subject to negotiation. Moreover, contrary, for instance, to the EU approach to the choice of law and the choice of forum in consumer contracts, users of Google Drive are informed that their contract with Google “is governed by the laws of the State of California”, and that the courts within the county of Santa Clara, California, will have exclusive jurisdiction130. Other types of agreements identified to be a part of cloud contracts are the AUP – which entails the permitted, or forbidden, uses of the service131 and the Privacy Policy – which describes the provider’s approach to using and protecting the customer’s personal information132. Privacy is, in fact, one of the biggest challenges that cloud services presuppose, as it could bring the cloud computing scenario under the regime of protecting fundamental human rights. For instance, the right to private life and the right to the protection of personal data are recognized fundamental rights in the European Union, being distinctively enshrined in the Charter of Fundamental Rights of the European Union133. In fact, the strict European regime of protecting personal data, at least theoretically, has a great impact on providing cloud services.
129 Dan Svantesson, Roger Clarke, supra, (n 105), p. 396.
130 Ibidem.
131 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 14.
132 Ibidem.
133 Art. 7 of the Charter enshrines the right to respect for private and family life and art. 8 of the Charter enshrines the right to the protection of personal data.
This happens because art. 25 of the Directive 95/46134 states that Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after the transfer may take place only if the third country in question ensures “an adequate level of protection”. This requirement already had a global impact by facilitating the creation of rules of personal data processing sharing similar values as the ones enshrined in the European data protection Directive135. On the other hand, it was argued that this type of provision severely limits the circumstances and manner in which transborder cloud computing can be used, as it necessitates that the users of cloud computing products are able to ascertain the cloud’s geographical location136, and in cloud scenarios pinning the data to one geographical location seems highly improbable. Combining the jurisdictional provisions of Directive 95/46137 with the provisions on data exports may mean that a cloud provider with no establishment in the European Economic Area (EEA) may nevertheless be subject to the EU data export regime when attempting to transfer data back from the EEA to its place of establishment or some other location outside the EEA, even if the data were originally collected outside the EEA and relate to non-EEA individuals138. The European data protection regime entails severe conditions for the processing of personal data to be legal. For instance, it permits profiling only in limited situations139, it allows the data subject to object to the processing140 and it requires the data controller to process data only if it is justified by one of the six lawful bases for processing141. Such protective rules of the personal data of the EU citizens will not be able to follow the data in the cloud as long as “[g]lobal cloud providers wish to be able to seamlessly move and replicate data between their
134 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
135 See in this respect Michael D. Birnhack, The EU Data Protection Directive: An engine of a global regime, Computer Law and Security Report, No. 24, 2008.
136 Dan Svantesson, Roger Clarke, supra, (n 105), p. 393.
137 See art. 4(1)(c) of the directive, which establishes that its provisions apply not only to processing in the context of an EU establishment but also where a data controller based outside the EU is using ‘equipment’ or ‘means’ such as a cookie on the user’s computer, or is using an EEA data centre or EEA provider. (W. Kuan Hon, Christopher Millard, Data Export in Cloud Computing – How can Personal Data be Transferred outside the EEA? The Cloud of Unknowing, Part 4, Queen Mary University of London, School of Law Legal Studies Research Paper, No. 85, 2011, p. 6).
138 W. Kuan Hon, Christopher Millard, supra, (n 135), p. 6.
139 See art. 15 of Directive 95/46.
140 See art. 14 of Directive 95/46.
141 See art. 6 of Directive 95/46.
servers, in order to take advantage of lightly-loaded servers in different time zones, the availability of cheap power (especially fluctuating renewable resources), and to improve performance and resilience”142. However, before measuring the impact of the European personal data protection law upon cloud services, it must be taken into account that individual users are only one category of possible cloud customers and that European data protection law only applies to the processing of personal information of natural persons and not to the private information of legal persons143. It is considered in the legal literature that cloud services customers belong to three broad classes: consumers, small/medium enterprises and Corporate/Public Administration144. Admittedly, SMEs, corporations and public administration institutions as well could use the cloud to store or process personal data of their own consumers, employees or citizens. These complex relationships might raise problems with regard to establishing liability and responsibility in case of a data breach, as in such situations the data controller is the cloud customer, and the cloud service provider is a data processor, according to the EU data protection regime. And it will often happen that the data controller has no control over the means of processing of the data processor, nor over its security measures. This is one of the reasons why liability clauses are very important in cloud contracts. In addition, personal information is protected as long as it is not anonymized145. Insofar as clouds sometimes operate with encrypted data, such data could be considered as being anonymized in relation to all the parties that do not have access to the encryption key. Hence, the scope of European data protection law is limited by the rules of exclusively protecting natural persons and non-anonymized data.
However, loss of data and its exposure to unauthorized third parties can cause significant harm to legal persons. One of the solutions to protect them in the case of a breach, at least under the jurisdiction of the EU, is to extend the data protection regime to legal persons as well146. Another view is to focus on security requirements
142 European Parliament, Directorate General for Internal Policies, Policy Department A: Economic and Scientific Policy, Cloud Computing, study, IP/A/IMCO/ST/2011-18, May 2012. 143 See art. 1 (1) of Directive 95/46. 144 Simon Bradshaw, Christopher Millard, Ian Walden, supra, (n 70), p. 8. 145 In order for the personal information to be protected, it must refer to an identified or identifiable person (see art. 2 a) of Directive 95/46). 146 See, in this respect, Joep Ruiter, Martijn Warnier, supra, (n 107), p. 388.
for the cloud, which protects all the data stored or transferred through the cloud, irrespective of its owner. A distinct challenge of the cloud computing environment, related, nevertheless, to a certain private sphere of the customer, is the question of protecting trade secrets in the cloud. This issue must be analyzed under IP law. And it is one of the challenges that already enjoy a global regime under art. 39(2) of the TRIPS agreement147. According to this provision, “Natural and legal persons shall have the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without their consent in a manner contrary to honest commercial practice so long as such information: (a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of in-formation in question; (b) has commercial value because it is secret; and (c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret”. Unauthorized access to both personal data and trade secrets could be resolved under security measures in cloud infrastructures. SLAs usually include a security clause, “which is of fundamental importance as it will commit the provider to a certain level of security in order to protect the information and data supplied by the customer and to prevent harmful components from being delivered to the customers’ computers”148. 
Other clauses from SLAs for providing cloud services are related to availability – which indicates the percentage of time, usually a monthly basis, in which the cloud service supplied by the provider will be available; performance – its objective is to assure the achievement of commonly accepted computing, storage, and network element performance capabilities according to the class of hardware and bandwidths installed; fees – which regulates the prices the customer will pay to the provider of cloud services; support services – they are particularly important for the client in order to minimize damages, and intellectual property rights - the clause will state that every party keeps its intellectual property rights over the service provided, any technology or software supplied and any content or data sent or shared149. However, it was 147
The World Trade Organisation Agreement on Trade-Related Aspects of Intellectual Property Rights, negotiated at the end of the Uruguay Round in 1994. 148 Davide M. Parilli, supra, (n 112), p. 100. 149 Idem, p. 100-103.
previously shown in this paper that, especially when the cloud services are provided for free to users and under “take-it-or-leave-it” general terms and conditions, some prerogatives specific to the IP rights of the user are exercised by the cloud service provider (see the Google ToS). Last, “it is extremely advisable that the contract states expressly which law is applicable to it, in order to avoid potential problems linked to the interpretation of the applicable legal sources (that may be, in some circumstances, rather obscure)”150. After this general introduction into the environment of cloud services, one can conclude that it generates rather unstable legal relationships. According to an official report of the European Commission, the reason why cloud service providers use complex contracts or service level agreements with extensive disclaimers is the complexity and uncertainty of the legal framework for cloud services providers151. The next section of the paper will look into a few possible solutions for the creation of a legal regime for cloud services suited to its ubiquitous nature.
4. Global solutions for regulating cloud computing
4.1 Premises: clouds and extraterritorial jurisdiction
Jurisdiction is the term that describes the limits of legal competence of a State or other regulatory authority (such as the European Community) to make, apply and enforce rules of conduct upon persons152. As it is often the case in the globalized world, states claim to prescribe rules for persons in other states due to the ever present trans-border nature of legal relationships and incidents. However, such claims encroach upon the rights of the state where those persons are based to exercise jurisdiction over those within its territory153. In the event of such conflicts, the best view is that it is necessary for there to be some clear connecting factor, of a kind whose use is approved by international law, between the legislating state and the conduct that it seeks to
150 Idem, p. 104. 151 European Commission, COM(2012) 529 final, supra, (n 113), p. 11. 152 Vaughan Lowe, Jurisdiction, in Malcolm D. Evans (ed.), International Law, Oxford University Press, New York, 2003, p. 329. 153 Idem, p. 336.
regulate154. The two main linking points recognized by international law are governed by the principle of territoriality and the principle of nationality. The territorial principle is a corollary of the sovereignty of a state over its territory. That sovereignty entails the right of the state to prescribe the laws that set the boundaries of the public order of the state155. Territorial jurisdiction can be subjective - the exercise of prescriptive jurisdiction by a state in circumstances where it applies its law to an incident which is initiated within its territory but completed outside its territory, or objective - the exercise of prescriptive jurisdiction by a state in circumstances where it applies its law to an incident that is completed within its territory, even though it was initiated outside its territory156. Another instance of the territorial principle is the effects doctrine. According to it, for instance, in the event of a violation of a state’s data protection or privacy laws, the state seeking to extend jurisdiction would argue that the harm suffered was an “effect” of the violation, even if that act was committed wholly outside of the state’s territory157. The effects doctrine is controversial158. However, if it were to be applied in cloud scenarios, it could lead to insurmountable legal uncertainty for the cloud service providers, which would equally be exposed to all legal systems, considering that the breakdown of their main servers’ infrastructure could have effects simultaneously everywhere. Going back to the virtualization feature of cloud computing and the possibility of the infrastructure layers of the same cloud to have their roots in classic servers placed in several locations throughout the world and also in virtual servers hosted by the classic servers, the idea of considering territoriality a connecting link in order to apply national laws to certain incidents in the cloud, such as data breaches, seems irrelevant.
According to the nationality principle, states have an undisputed right to extend the application of their laws to their citizens wherever they may be159. If this principle were to be effective in cloud scenarios, then again the risks of legal uncertainty of the CSPs would be extraordinary, as they will be exposed to the legal systems of all their individual customers
154 Ibidem. 155 Ibidem. 156 Idem, p. 338. 157 Vineeth Narayanan, Harnessing the Cloud: International Law Implications of Cloud-Computing, Chicago Journal of International Law, winter 2012; 12, 2, p. 794-795. 158 See Vaughan Lowe, supra, (n 150), p. 339; “on a closer inspection it is clear that such laws are usually applied only in circumstances where there is some element of intraterritorial conduct”. 159 Vaughan Lowe, supra, (n 150), p. 342.
which will likely have significantly different rules. The example of protection of personal data is again useful, as it is differently regulated throughout the world. Another principle which justifies extraterritorial jurisdiction is the protective principle, according to which when essential interests of the state are at stake, states need to, and will, act in order to preserve themselves160. As such, states that use the protective principle to extend jurisdiction to CSPs must argue that those extraterritorial activities threaten vital economic or security interests of the state161. Threats of this kind are of an extraordinary nature and do not apply to the usual course of providing cloud services. Moreover, the protective principle envisages the protection of the state, not of customers, consumers, users, parties to contracts etc. Last, according to the universal jurisdiction principle, some crimes are so heinous that every state has a legitimate interest in their repression162. In practice, there are two strands running together to make up the universal principle: either heinous crimes, such as genocide, crimes against humanity, war crimes; or crimes that are serious and which might otherwise go unpunished, such as piracy163. Such exceptional situations are virtually impossible to happen with regard to the provision of cloud services. In conclusion, all the extraterritorial jurisdiction scenarios presuppose serious barriers against legal certainty and, ultimately, efficiency of protecting the interests and rights of the “actors” of cloud computing.
4.2 International cooperation: A treaty establishing fair practices in cloud computing
The first and most desirable solution to meet the legal challenges posed by cloud computing is the negotiation and signing of an international Treaty establishing fair practices in cloud computing (TFPCC). A similar idea was already proposed by Narayanan in 2012. He argued that “international cooperation for cloud-computing regulation may come in the form of an agreement to harmonize data protection laws”164. The analysis of what happens in the cloud, detailed in Part 3 of this paper, shows that personal data protection is only one of several legal
160 Idem, p. 342. 161 Vineeth Narayanan, supra, (n 155), p. 801. 162 Vaughan Lowe, supra, (n 150), p. 343. 163 Ibidem. 164 Vineeth Narayanan, supra, (n 155), p. 804.
issues incumbent on cloud services agreements. A TFPCC-type of international convention must entail, at least,
- besides issues relating to the protection of personal data and privacy,
- rules regarding applicable law,
- express provisions for the protection of consumers in order to establish a balance of power,
- accountability rules of the CSPs,
- security rules,
- interoperability rules (such as setting conditions for data portability in order to avoid user lock-in),
- quality of service rules,
- types of protection of the content processed inside the cloud, including IP rights,
- customizable SLAs,
- and also a transparency principle (with regard to the physical location of the classic servers, the methods employed to provide cloud services, third parties access to data etc.)
The list remains open. Minimum standards can be taken into account so that the ratification of such a treaty would not be rejected by some states which perhaps would like a more liberal, non-regulatory approach for the provision of cloud services. But even these countries must recognize that a phenomenon with such an important global impact must be made subject to at least a minimum set of rules so that order, legal certainty and also the rights of the parties of cloud computing contracts will not become an illusion. The World Trade Organization could be the “host” international organization to mediate the adoption of a TFPCC. If the WTO proves to be too traditional for such an approach, then a whole new world organization could indeed be the answer, as Narayanan suggested: “International cooperation over cloud-computing could be achieved through an international organization specifically dedicated to regulating this type of activity”. However, he was still referring only to the data protection regulation, stating that “there are very few analogies to this kind of arrangement and there are none of the scale that might be necessary to regulate data protection effectively across many different countries”. In fact, especially with regard to data protection, this is not the case, as an international convention which is open for accession to all the countries in the world already exists, and it
provides for a high level of protection of the person whose data are processed: Convention 108 of the Council of Europe165, adopted in 1981. Art. 23 of the Convention allows “accession by non-member States”, referring to non-member States of the Council of Europe. Uruguay became the first non-European country to accede to the Convention, on April 12, 2013, becoming the 45th Party to the Convention. The date for the entering into force of the Convention for Uruguay is August 1, 2013166. Moreover, Morocco has officially received the invitation to accede to the Convention on January 30, 2013, following a letter expressing the interest of the Kingdom of Morocco to be invited to become a Party to several Council of Europe conventions, including Convention 108. The 1981 personal data protection convention of the Council of Europe is currently undergoing a process of modernization, and it is already argued that modernizing its provisions will facilitate a globalization of the European data protection regime in its own right, not only due to its influence167. As negotiations for the new clauses under the Convention develop, some parties actually invoke the cloud to influence the drafting of the new provisions. For instance, Spain has raised the problem that “the current wording draft seems to provide a specific rule regarding the scope of the Convention considering applicable the law of the place where the data are or where they have been originated from”168. Spain considers the two criteria irrelevant to determine the applicability of a Party’s law, arguing that “if a data controller chooses a cloud services provider and therefore decides that the data should be transferred from one provider to a new one, both 165
Convention for the Protection of Individuals with regard to automatic processing of personal data. The Convention was opened for signature on 28 January 1981 and was the first legally binding international instrument in the data protection field. Under this Convention, the parties are required to take the necessary steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data (See the available information on http://www.coe.int/t/dghl/standardsetting/dataprotection/convention_en.asp, last accessed on May 25, 2013). 166 See the Council of Europe press release “Uruguay becomes the first non-European state to accede to personal data protection Convention 108”, available online at http://www.coe.int/t/dghl/standardsetting/dataprotection/News/Press-release-FINAL-Uruguay-revised_EN.pdf (last accessed on May 25, 2013). 167 See Graham Greenleaf, Modernizing Data Protection Convention 108: A safe basis for a global privacy treaty?, Computer Law and Security Review, Vol. 29, Issue 4, forthcoming July/August 2013. 168 The Consultative Committee Of The Convention For The Protection Of Individuals With Regard To Automatic Processing Of Personal Data [ETS No. 108], Modernisation of Convention 108: compilation of comments received, T-PD(2012)11 Mos, Strasbourg, November 20, 2012, p. 18.
outside the controller’s territory the data “are not” necessarily in the jurisdiction of the controller, but that jurisdiction will actually be applied to the new transfer of data”169. As a preliminary conclusion, the question of personal data protection in the cloud on a global scene could be solved by the modernization of Convention 108 and the accession to it of countries all over the world. However, data protection is only one of the legal issues incumbent on cloud computing. As a lesson emerging from the global story of Convention 108, a solution for the cloud computing global regulation would be for the Council of Europe to take upon itself the task of drafting a cloud Convention in an open-accession regime. Modernizing current international agreements, so as to answer the global challenges of cloud computing, could be another viable solution in the absence of the will of states to enter a TFPCC-type convention. For instance the GATS treaty170 of the WTO has as general scope “measures by Members affecting trade in services”. As it was previously shown in this paper, cloud computing represents a new paradigm for providing computing services, and according to art. 3 (b) of GATS, the notion of “services” includes “any service in any sector except services supplied in the exercise of governmental authority”. However, GATS rules have as main objective to erase trade barriers between signatory members. In 1998, delegations at the WTO recognized that the Internet offers unseen possibilities for digital trade and that offline trade barriers should not be replicated online171, and they issued a declaration on global ecommerce172. The issue about trade in cloud services in the WTO is primarily discussed within the framework of this work programme for e-commerce under the Council for Trade in Services173. For instance, the USA presented a proposal for widening the framework of ecommerce and having a dialogue about cloud services in this context in autumn 2011174. 
However, it appears that there is as yet no consensus as to whether a general purpose GATS
169 Ibidem; Cloud related comments have also been submitted by the Czech Republic (p. 7). 170 The General Agreement on Trade in Services, which entered into force in January 1995. 171 Sacha Wunsch-Vincent, Arno Hold, Towards coherent rules for digital trade: Building on efforts in multilateral versus preferential trade negotiations, in Mirra Burri, Thomas Cottier, Trade Governance in the Digital Age, Cambridge University Press, 2012, p. 180. 172 WTO, Ministerial Declaration on Global e-commerce, WT/MIN(98)/DEC/2, May 20, 1998. 173 Swedish National Board of Trade, How Borderless is the Cloud? An introduction to cloud computing and international trade, September 2012, p. 18, available online at http://www.wto.org/english/tratop_e/serv_e/wkshop_june13_e/how_borderless_cloud_e.pdf, last accessed on June 24, 2013. 174 Idem, p. 19.
regulatory discipline would adequately address e-commerce considerations or whether there is a need for an e-commerce specific discipline under GATS175. In a valuable endeavor, the Swedish National Board of Trade (NBT) created a report on the borderless nature of the cloud and the barriers in world trade that can emerge in cloud scenarios, identifying several such barriers: uncertainty regarding the applicable legal system, security in cloud computing, data protection and confidentiality legislation, Internet censorship, intellectual property rights issues, besides the traditional trade barriers176. The NBT also observed that, as cloud services encompass a number of different types of services, these may be located in different sectors in GATS, but can especially envision central sectors such as computer and related services, distribution, telecommunication and audio visual services177. Another contribution of the WTO to clear rules and liberalized trade in cloud computing can be developed under the TRIPS regime. An increased harmonization of intellectual property rules and licensing systems would undoubtedly be favorable for the majority of suppliers and customers of cloud services178. International harmonization through one binding instrument is the better solution for cloud computing because, on one hand, the cloud’s borderless nature makes it difficult to create an effective legal regime under several legal systems, and, on the other hand, cloud computing provisioning is tangent to several regulatory fields which need to be coordinated to create an effective and ordered regime. Nevertheless, in the absence of the will of states to engage in such a process on the international scene, the modernization and harmonization of rules regarding cloud computing under the several existing international instruments could also be a solution for the short to medium future. A third alternative, under the guise of soft-law, will be put forward for analysis in the next part.
175 See in this respect Sacha Wunsch-Vincent, Trade rules for the digital age, in GATS and the Regulation of International Trade in Services, Marion Panizzon, Nicole Pohl and Pierre Sauvé (eds.), Cambridge University Press, 2008, p. 504. 176 See Swedish National Board of Trade, How Borderless is the Cloud? An introduction to cloud computing and international trade, September 2012. 177 Idem, p. 19. 178 Ibidem.
4.3 Global soft law for cloud computing – creating a Lex Nubia
The return to Lex Mercatoria has already been present in the academic discourse both in relation to the modern day globalization of jurisdiction in general179 and to the need of a global legal regime for cyberspace in particular180. Lex Mercatoria was developed during the Middle Ages, when itinerant merchants traveled across Europe to trade at fairs, markets, and sea ports; they needed some common ground rules to create a stable trading environment and to overcome the cultural, social, legal and political differences between them181. These rules were not artificially or instantly created but evolved from custom and usage or practices into a distinct body of law, which came to be known as Lex Mercatoria182. While customary practices may often be difficult to discern, their potential as a source of rules and regulations in a global medium such as cyberspace cannot be discounted, as commentators, legislators and jurists have already begun to identify certain implicit rules in the online world that have emerged as a result of customary practice and attendant social norms183. The global customary law approach already proved efficient in the sensitive area of private law, where global, or even regional harmonization is hampered by the national identity print that private law rules exhibit. For instance, it is generally acknowledged that the General Principles of European Contract Law, established as a non-binding set of rules in 1999, are now, together with the UNIDROIT principles of international contracts 184 an important part of a new lex mercatoria, both having exercised considerable influence on recent national codes and statutes185.
179 Paul Schiff Berman, supra, (n 8), p. 395-396. 180 Joel R. Reidenberg, supra, 1998, (n 55), proposing a Lex Informatica; See also Warren B. Chick, ‘Customary internet-ional law’: Creating a body of customary law for cyberspace. Part 1: Developing rules transitioning custom into law, Computer Law & Security Review, No. 26, 2010, pp. 3-22. 181 Warren B. Chick, supra, (n 180), p. 16. 182 Ibidem. 183 Stuart Biegel, Beyond our control? Confronting the Limits of Our Legal System in the Age of Cyberspace, The MIT Press, 2001, p. 161. 184 At its 90th session the Governing Council of UNIDROIT adopted the third edition of the UNIDROIT Principles of International Commercial Contracts (“UNIDROIT Principles 2010”). For more information, see http://www.unidroit.org/english/principles/contracts/main.htm (last accessed on June 24, 2013). 185 Bas de Gaay Fortman, Human Rights as Regulae Iuris: An Inquiry into the Dialectics of Legality versus Legitimacy, European Review of Private Law, No. 2, 2012, p. 417.
One of the reasons why the choice to use customary international law to tackle sensitive areas is sensible is that it permits states to cooperate in the absence of formal written agreements by minimizing transactional costs associated with negotiating treaties186. A set of international “soft-law” principles for providing cloud computing services could be adopted by non-governmental fora, with mixed participation of specialists from both technical and legal backgrounds. Such a solution can be intertwined with consistent practices of cloud services providers, as long as such practices do not hamper human rights (e.g. the right to privacy, the general right to non-discrimination), and are generally acceptable by the majority of the legal systems. The mixture of practices and established “soft-law” principles is desirable as the nature of cloud computing does not have patience for customary rules to grow old. For instance, the law of the sea evolved through over five hundred years of customary practice, during which time states in general were not interested in reaching broad agreement on issues relating to international waters”187. Rules that emerge from customary practice remain controversial in any sense, and with regard to the online world, there has simply not been enough time for customary practice and social norms to “harden” into settled international doctrine188. This logic is most likely to also be applied to cloud computing. Practices and soft-law rules which could be developed into a Lex Nubia should enshrine both classical norms, such as the ones enumerated in Part 4.1 of this paper, and code, which could provide for privacy by design, interoperability, portability, security measures. A significant part of a Lex Nubia could be model contractual terms for providing cloud computing services. The principles of transparency and trust189 should also play an important part in this Lex Nubia. 
Such an approach is more than a punctual solution for regulating the emergence of IT as a service. It is also one representation of a solution to bring order into the globalized world. The choice to exercise “soft power” is one of the general solutions Habermas saw for the globalized world and its global governance. Referring to nation-states, he underlined that “the quicker they learn to direct their interests into the new channels of ‘governance without government’, the
186 Warren B. Chick, supra, (n 180), p. 17. 187 Stuart Biegel, supra, (n 183), p. 185. 188 Ibidem. 189 For an introduction to the meaning of trust in providing cloud computing services, see P. Ryan, S. Falvey, Trust in the clouds, Computer Law and Security Review, No. 28, 2012, pp. 513-521.
sooner they will be able to replace the traditional forms of diplomatic pressure and military force with the exercise of ‘soft’ power”190.
5. Conclusion
Providing IT capabilities as a service represents a regulatory challenge. There are several reasons for this reality. First, there is the need for legal certainty in the cloud, for protecting the weaker part in cloud services transactions, but also for eliminating barriers to electronic trade. Second, the regulatory solutions which can meet these needs must be applied in a virtualized architecture. Virtualization stands at the essence of providing cloud computing services and virtualization has the capacity to fully disregard “geography”. Cloud computing is the perfect representation of technology being global. As Kirby pointed out, “of its character, technology is normally global” and “law, being the command of an organized community, is traditionally tied to a particular geographical jurisdiction”191. These two facts translate into a fundamental dilemma, which in practice will mean that this feature of technology “will make effective regulation by national law difficult, or even impossible”192. Hence, global regulatory solutions are bound to be effective. This paper argued that for cloud computing such solutions will have to consider the architecture of the cloud to represent the “borders of the territory” in which the norms should apply: the regulation of cloud computing should have a virtual territorial scope. The main purpose of this paper was to show that a national, or even regional approach to regulate cloud computing will prove to be ineffective. Subsequently, it also identified two possible forms in which a global law for the cloud could be put into practice: either a multipurpose international convention – like a treaty establishing fair practices in cloud computing, which will tackle the main legal issues incumbent in cloud scenarios, or the acknowledgment and further creation of a set of practices and soft-law rules, under the name of Lex Nubia, which is to be willingly accepted and applied by cloud service providers. 
In both contexts, several rules which could be enshrined in these regulatory instruments were pointed out, in an “open list” endeavor.
190 Jurgen Habermas, supra, 2006 (n 9), p. 176. 191 Michael Kirby, supra (n 12), p. 382. 192 Ibidem.
Further research must be conducted in order to identify the exact type of rules needed to be applied to cloud scenarios. Both of the solutions have shortcomings, especially with regard to enforcement. The Lex Nubia also faces the challenge of complete lack of coercive force. As a general remark, both of the solutions must be conceptualized in the broader context of global governance. It is a generally acknowledged fact that, regardless of the object of regulation and its enforcement, “although states still stand generally as intermediaries between the global and the local, governance beyond the state increasingly takes on a life of its own, shaping – if not coercively determining, local choices”193. Therefore, in terms of legitimacy and enforceability, a global law for the cloud should follow the general lines established in the context of global governance. This contextualization of a global regulatory endeavor for cloud computing is necessary. It shows that it is possible for a global law for the cloud to be put into practice, as an instance of the general phenomenon of global governance.
193 Daniel Halberstam, Local, Global and Plural Constitutionalism: Europe Meets the World, in Grainne de Burca, Joseph H. H. Weiler, The Worlds of European Constitutionalism, Cambridge University Press, 2011, p. 200.