Graduate Program in Computer Science

ON THE REGULATION OF CLOUD COMPUTING CONTRACTS

By CLARICE MARINHO MARTINS DE CASTRO

Doctoral Thesis

Federal University of Pernambuco

RECIFE, APRIL 2014
FEDERAL UNIVERSITY OF PERNAMBUCO
CENTRE OF INFORMATICS
GRADUATE PROGRAM IN COMPUTER SCIENCE

CLARICE MARINHO MARTINS DE CASTRO

On the regulation of cloud computing contracts

THIS WORK WAS PRESENTED TO THE GRADUATE PROGRAM IN COMPUTER SCIENCE OF THE CENTRE OF INFORMATICS OF THE FEDERAL UNIVERSITY OF PERNAMBUCO IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR IN COMPUTER SCIENCE.

SUPERVISOR: Ruy José Guerra Barretto de Queiroz

RECIFE, APRIL 2014
Cataloguing at source
Librarian Joana D'Arc L. Salvador, CRB

Castro, Clarice Marinho Martins de. On the regulation of cloud computing contracts / Clarice Marinho Martins de Castro. Recife: The Author, p.: fig., tab.
Supervisor: Ruy José Guerra Barreto de Queiroz.
Thesis (Doctorate) - Federal University of Pernambuco. CIN. Computer Science, Includes references.
1. Cloud computing. 2. Electronic law. 3. Cloud computing contracts. 4. Consumer protection code. I. Queiroz, Ruy José Guerra Barreto de (supervisor). II. Title.
004 (22. ed.) MEI
Doctoral thesis presented by Clarice Marinho Martins de Castro to the Graduate Program in Computer Science of the Centre of Informatics of the Federal University of Pernambuco, under the title On the Regulation of Cloud Computing Contracts, supervised by Prof. Ruy José Guerra Barretto de Queiroz and approved by the Examining Board composed of the following professors:

Prof. Carlos André Guimarães Ferraz, Centre of Informatics / UFPE
Prof. Frederico Luiz Gonçalves Fernandes, Centre of Informatics / UFPE
Prof. Fernanda Maria Ribeiro de Alencar, Department of Electronics and Systems / UFPE
Prof. Gustavo Ferreira Santos, Centre for Legal Sciences / UFPE
Prof. Alexandre Freire Pimentel, Department of Legal Sciences / UNICAP

Seen and approved for printing. Recife, 15 April

Prof. Edna Natividade da Silva Barros, Coordinator of the Graduate Program in Computer Science of the Centre of Informatics of the Federal University of Pernambuco.
Acknowledgements

I wish to thank God for the love and perseverance that He has bestowed upon me throughout my life.

I must thank the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES) for the scholarship awarded (Bex 5946/11-5) in order to conduct part of my doctoral research as a visiting graduate student at Queen Mary University of London (November 2011/January 2013).

I owe a sincere debt of gratitude to my supervisor Professor Ruy José Guerra Barretto de Queiroz for his scientific advice and knowledge, guidance, efficiency and encouragement throughout my PhD. I am also thankful to Professor Chris Reed for sharing with me his extensive knowledge of Computer Law and insightful comments and suggestions for my research.

I would like to thank all the professors that evaluated my thesis and made important contributions to it: Alexandre Freire Pimentel, Carlos André Guimarães Ferraz, Fernanda Alencar, Frederico Freitas, Gustavo Ferreira Santos and João Araújo.

My sincere gratitude goes to Paulo Padovan for his generous support throughout my PhD research, for his stimulating discussions and suggestions that enriched this thesis.

I need to express my gratitude to Jaelson, for motivating me to embark on this PhD at the Centre of Informatics at the Federal University of Pernambuco, and also my daughter Isabela for providing invaluable support in relation to the English academic writing.

I would particularly like to thank Maria Letícia V. Coelho de Araújo, Beatriz Regina de Santana and Kate Hillier for the continuous and precious support that helped me complete this PhD.

Finally, I would like to thank my uncle Paulo Emílio, my aunties Ana Francisca (Mana) and Socorro, Marly (Ia), and Sílvia, Luciana, Leonardo, Daniela, Eduardo, Carlos Eduardo, Paula, Maria Eduarda, Luís Eduardo, Mauro and Francisco, for all of their love and support.

This thesis is dedicated to Clara, Isabela, Armando, Jaelson, my mother and the memory of my father.
"All media of communication begin as links or bridges between people and things and end as substitutes for the things with which they had originally established new contact"
Marshall McLuhan
Summary

Cloud computing is developing rapidly and offering numerous advantages to the Information Technology (IT) industry. It has made possible the old dream of computing becoming a utility. However, this reality presents risks and challenges in different areas, above all in the legal sphere, and in consumer contracts in particular. Thus, considering the complexity of cloud computing, it becomes essential to seek a lower degree of uncertainty in the provider-consumer relationship. This research aims to analyse and characterise cloud computing transactions, both in service contracts and in contracts for the supply of digital content. To that end, this thesis will examine international and national legislation, as well as contracts, that may be used to regulate cloud activities in Brazil. First, a critical appraisal will be made of the possibility of applying the legislation on a "Direito Europeu Comum de Compra", known in English as the Common European Sales Law (CESL), to contracts for the supply of digital content concluded between Brazil and the Member States of the European Union. Next, some general rules of the Brazilian Consumer Protection Code will be examined in order to discuss the applicability of that Code to cloud computing contracts. Finally, three cloud computing contracts offered by Google in Brazil will be studied with the aim of pointing out the serious risks they present to consumers who enter into such agreements, as well as the conformity of these instruments with national legislation.

Keywords: Cloud computing, Digital content, Contract, Common European Sales Law, Consumer Protection Code.
Abstract

The paradigm of cloud computing has been developing quickly and offers many new advantages to the information technology industry. It is turning the long-held dream of computing as a utility into a reality. However, it also poses risks and challenges in different fields, especially in the legal area, that may affect the stakeholders of this market. Given the complexity of cloud computing, it is essential to ensure that there is little uncertainty in the provider-consumer relationship. This research aims to analyse and characterise cloud computing transactions from a legal perspective, both as a service contract and as a contract for the provision of digital content. Thus, in this thesis we examine international and national legislation, as well as contracts, which may govern the relationship between cloud stakeholders. Given the international and cross-border nature of the proposed Common European Sales Law (CESL), which may eventually be applied to contracts between Brazilian and European parties, and because the legal rules on which it is based share some similarities with the civil law system in Brazil, we begin by offering a critical view of the possibility of applying this proposal for a Common European Sales Law to some cloud computing transactions when they supply digital content. Next, we examine whether the Brazilian Consumer Protection Code (CDC), with its existing general rules relating to goods and services, and some other definitions, could be broad enough to cover the needs of cloud consumers in Brazil. Lastly, we examine the issue of regulating cloud computing through contract. In particular, we identify a set of key legal issues to be considered by consumers when entering into a cloud contract. In order to illustrate their importance, we perform a detailed evaluation of some Google cloud-based agreements to check whether they are compatible with existing laws in Brazil.
Keywords: Cloud Computing, Digital Content, Contract, Common European Sales Law, Brazilian Consumer Protection Code.
List of Tables

Table 1 - Nature and type of cloud service offered by Google and target market
Table 2 - Using our Services (Customer's Obligations; Intellectual Property Rights; Google's rights to scrutinize the content and to send communications to the users)
Table 3 - Privacy and Copyright Protection
Table 4 - Your Content in our Services (Rights over content and IPR)
Table 5 - About Software in our Services
Table 6 - Modifying and Terminating our Services
Table 7 - Our Warranties and Disclaimers
Table 8 - Liability of our Services
Table 9 - Business users of our services
Table 10 - About these Terms (Modification of the terms; choice of law and jurisdictions)
Table 11 - Preamble Business Agreement: English version
Table 12 - Clause 1.1 (first part) Both Agreements: Facilities (Data security, confidentiality and integrity)
Table 13 - Clause 1.1 (second part) Both Agreements: Data transfer (Data transfer, store, process and location)
Table 14 - Clause 1.2 Both Agreements: Modifications
Table 15 - Clause 1.4 Business Agreement and Clause 1.4(a) Education Agreement: Ads
Table 16 - Clause 2.1 Business Agreement and Clause 2.2 Education Agreement: Customer Obligations: compliance
Table 17 - Clause 2.3 Both agreements: Customer Obligations: Customer Administration of the Services
Table 18 - Clause 6 Business Agreement Clause 7 Education Agreement: Confidential Information
Table 19 - Clause 7 Business Agreement Clause 8 Education Agreement: Intellectual Property Rights (IPR) and Brand Features
Table 20 - Clause 8 Business Agreement Clause 9 Education Agreement: Publicity related to customer's name or brand feature
List of Acronyms and Abbreviations

Abbreviations
e.g. - exempli gratia - for example
et al. - et alii - and others
i.e. - id est - that is
ibid - ibidem - in the same place (referring to a publication mentioned immediately earlier)

Acronym
AUP - Acceptable Use Policy
BIS UK - Department for Business, Innovation & Skills
B2B - Business to Business
B2SME - Business to Small and Medium Enterprises
B2C - Business to Consumer
CESL - Common European Sales Law
CRD - Consumer Rights Directive
CDC - Consumer Protection Code
CLP - Cloud Legal Project
CPC - Civil Procedure Code
DMCA - Digital Millennium Copyright Act
EU MS - European Union Member States
ICI - Information and Communication Industry
IDC - International Data Corporation
IPR - Intellectual Property Rights
ISS - Tax over Services of Any Nature
IaaS - Information as a Service
IT - Information Technology
NIST - United States National Institute of Standards and Technologies
PaaS - Platform as a Service
SaaS - Software as a Service
RegCESL - Regulation of the Common European Sales Law
SLA - Service Level Agreement
SME - Small and Medium Enterprises
T&C - Terms and Conditions
ToS - Terms of Service
UCC - User created content
UGC - User generated content
WTO - World Trade Organization
Table of Legislation

Brazil
Bill No. 2126 of 24 August
Bill No. 171/2012 of 8 May
Bill No. 4099 of 12 December
Bill No. 5344 of 9 April
Complementary Rule No. 14 (14/IN01/DSIC/GSIP) of 30 January
Decree Law No. of 7 December 1940 (Penal Code)
Decree No. of 16 May
Decree No. of 15 March
Law No. of 11 September
Law No. of 14 May
Law No. of 19 February
Law No. of 19 February
Law No. of 10 January 2002 (Civil Code)
Law No. of 18 November
Law No. of 9 July
Law No. of 30 November
Normative Instruction No. 01 of 13 June

European Commission
Proposal for a Regulation on a Common European Sales Law of 11 October 2011 (CESL)

Council of European Communities
Directive 93/13/EEC of 5 April (Unfair Terms in Consumer Contracts)
Directive 1999/44/EC of 25 May 1999 (Consumer Sales)
Directive 2000/31/EC of 17 July 2000 (E-commerce)
Directive 2011/83/EU of 25 October 2011 (Consumer Rights)
Regulation (EC) No. 593/2008 of 17 June 2008 (Rome I)

UK
Draft Consumer Bill of Rights of 12 June
Table of Contents

Chapter 1 - Introduction
Motivation
Problem formulation
Research objectives
Contributions
Publications
Methodology
Structure of the thesis

Chapter 2 - Key aspects of cloud computing
Introduction
Importance of the cloud computing industry
Short history
Key stakeholders in the cloud transactions
Differences and similarities of cloud computing with other types of information technology services
Definition and characteristics of cloud computing
Main types of cloud computing (service model)
Deployment models
Conclusion

Chapter 3 - Legal background
Introduction
Currently laws and bills directly or indirectly related to cloud computing activities and digital content in Brazil
Is consumer protection an anachronism in the digital world?
Consumer Protection Code (CDC) in Brazil
3.5. Towards a definition and classification of digital content
Defining digital content and understanding its types
Classification of digital content as goods, services or a sui generis category
Contracts for digital content classified by the permanent use of digital content, a limited period of time or as part of a service provided to the consumer
Digital content: tangible or intangible
Cloud computing contracts
Conclusion

Chapter 4 - Regulation of some models of cloud computing transactions through an international legal instrument
Introduction
Why might cloud service providers adopt the CESL?
Which cloud computing transactions are capable of governance by the CESL?
Conclusion

Chapter 5 - Regulation of cloud computing transactions through a national law
Introduction
Definition of consumer and provider under the Brazilian Consumer Protection Code and some peculiarities in relation to it
Characterisation as consumer
The standard consumer
The prosumer
Characterisation as provider
Cloud computing: legal categorisation according to the CDC: goods, services or sui generis category
Could a cloud computing offering be categorised as a good?

7.1. Concluding remarks and contributions of the research
Future research

Bibliography
Appendix 1 - Proposal for a Regulation of the European Parliament and of the Council on a Common European Sales Law
Appendix 2 - Termos de Serviço do Google
Appendix 3 - Contrato (on-line) do Google Apps for Business
Appendix 4 - Contrato do Google Apps for Education
Appendix 5 - Política de Privacidade
Appendix 6 - Contrato de Nível de Serviço do Google Apps
Appendix 7 - Google Apps Acceptable Use Policy
Chapter 1 - Introduction

1.1. Motivation

Digital technological development over recent decades has provoked a paradigm shift, and cloud computing technology has recently gained greater significance as a competitive element of the global Information and Communication Industry (ICI). The paradigm of cloud computing has been developing swiftly and regularly offering new advantages to the information technology market. Cloud computing is said to be easy to consume and manage, to contract, to scale applications on demand and to improve cost efficiencies through any provider's web, at relatively low cost or even paid for in a non-monetary form.

This impact is unquestionably present in many fields. Big or small companies and government institutions across the globe have started to move their data and many transactions into the cloud. Additionally, services such as Gmail and Hotmail, photo-sharing services such as Flickr and social networking sites like Facebook are all cloud-based in nature. [1]

This large market is represented not only by the provision of cloud-based transactions that, from the legal perspective, are considered just services, but also by the mass-market supply of digital content via some aspects of cloud computing, or more specifically, through the use of Digital Content as a Service. For example, Google launched Google Music, which is a music service for the Android platform. Consumers can purchase individual songs or albums, which can be streamed to multiple devices from the cloud. Sony Corporation Music is another cloud-based music streaming service, which enables its subscribers to store music for use in different Internet devices such as smartphones, games consoles or television sets. [2]

[1] European Commission, Unleashing the Potential of Cloud Computing in Europe, (Communication) COM (2012), 529 final.

[2] See Organisation for Economic Co-operation and Development (OECD), Directorate for Science, Technology and Industry Committee on Consumer Policy, Report on Protecting and Empowering Consumers in the Purchase of Digital Content Products DSTI/CP (2011) 25/FINAL 19 March
However, with the evolution of cloud computing services in the years to come, these global transactions will raise more serious structural, commercial and legal concerns. Some of those concerns are related to issues such as data protection, data security, confidentiality of information and privacy, and intellectual property. Undoubtedly, some legal difficulties that affect cloud computing have been controversial in the context of e-commerce for many decades. Although these matters are not only cloud challenges, they have been intensified within the complex cloud context. In addition, as digital content moves to the cloud, and thus ceases to be supplied on physical media, the uncertainty grows.

In any case, a longstanding ambiguity exists in the law regarding what terms should be present in cloud transactions, either when they supply digital content or when they provide only a service, and whether they can be classified as a sale or a service contract or as sui generis. In this new dynamic scenario, we claim that consumer law has to wholly protect digital consumers and providers, giving certainty to their relationship.

It is imperative for the development of this digital economy that both online providers and customers, particularly consumers, have certainty and security of rights acquired through business made via cloud computing platforms. In order to reconcile these challenges or minimise some of the concerns relating to consumer law, governments, international agencies and academic experts, within and outside Europe, Australia, Canada and the United States, have been studying the effects of this digital technological market and its legal consequences.
Their reports and studies [3], draft legislative proposal [4] and new legislation [5] aim to give consumers of electronic transactions the ability to maintain their basic rights as the vulnerable party in the online consumption relationship. They also give the providers the ability to understand their rights and obligations, avoiding ambiguous or complex laws that may lead to expensive and disruptive litigation.

Problem formulation

Cloud computing is increasingly being used in business-to-consumer (B2C) and business-to-business (B2B) cross-border transactions, i.e. those that involve providers and consumers from different jurisdictions and diverse consumer protection legislation. Hence, it is of paramount importance to examine how these transactions can be regulated. This calls for an investigation to identify possible legal instruments that can involve parties located in different countries at the time of the contracting.

[3] At the European level, for initiatives related to cloud computing and consumers, see Policy Department Economic and Scientific Policy, A Fielder et al, Cloud Computing. Study for the European Parliament's Committee on Internal Market and Consumer Protection (2012) IP/A/IMCO/ST/ and the European Commission, Unleashing the Potential of Cloud Computing in Europe, COM (2012) (Communication), 529 final. On international and national agency reports, see Organisation for Economic Co-operation and Development (OECD) Report on Protecting and Empowering Consumers in the Purchase of Digital Content Products (2011) DSTI/CP 25/FINAL; Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America. Retreat on Cloud Computing (2010) available at (accessed 10 April 2012); and Union des Consommateurs, Canadian Perspectives on Cloud Computing and Consumers (2011) available at (accessed 6 Sept 2013). On the studies particularly related to digital content and consumer law, see Analysis of the applicable legal framework and suggestions for the contours of a model system of consumer protection in relation to digital content contract, Final Report Comparative analysis, Law & Economics analysis, assessment and development of recommendations for possible future rules on digital content contracts, M. Loos et al (2011) and Comparative analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content services, Report 1: Country Reports, University of Amsterdam. Also, a study entitled Digital Content Services for Consumers: Assessment of Problems Experienced by Consumers LOT 1, (2011) Europe Economics and commissioned by the European Commission. An overview of the consumer rights in digital products commissioned by the UK Government for Business, Innovation & Skills was produced by Professor Robert Bradgate, Consumer rights in digital products (2010). Some other relevant material in this area includes Hans-W Micklitz, Do Consumers and Business Need a New Architecture of Consumer Law? A Thought-Provoking Impulse, European University Institute, Florence, Department of Law, EUI Working Paper Law 2012/23; M Loos et al, The Regulation of Digital Content Contracts in the Optional Instrument of Contract Law (2011) 6 European Review of Private Law.

[4] See European Commission's proposal for a Regulation on a Common European Sales Law - Proposal of 11 October 2011, COM(2011) 635 final (CESL).

[5] See Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights (Consumer Rights Directive or CRD).
Needless to say, the United States has been the leader in providing cloud computing services, not just domestically, but also abroad. American companies tend to adopt American law in all their online agreements. For this reason, they do not comply with any consumer protection law in any other country. This circumstance is reflected in contracts that ordinarily include clauses written by the cloud providers that are abusive, unfair, illegal or at least unenforceable in many jurisdictions.

In reality, as Kotz reports, in the United States each of the fifty states has its own contract law. [6] The country also favours deregulation and relies heavily on case law developments. Indeed, Brazilian consumer protection laws are much more similar to European than American laws. It is worth clarifying that many fundamental principles and rules of consumer protection are similar across Europe, Brazil and other countries that have adopted civil law systems. On the other hand, contracts in the common law jurisdictions, mostly in the United States, are not so vulnerable to change or to being challenged by contractual and consumer legislation.

This extreme market dominance of a few North American cloud providers that apply their own contractual rules in their online transactions is not enough to deprive consumers/customers of a proper level of guarantee in terms of consumer protection in countries like Brazil. In other words, if cloud providers and users do not enter into valid cloud contracts, the Civil or Consumer Codes will be applied by default. Further, even if valid cloud contracts exist, some national law, such as the Brazilian Consumer Protection Code (hereinafter CDC), due to its obligatory nature, remains applicable to the consumption relation.

Hence, we concentrate on the analysis of the contractual and consumer European Community acquis, [7] where consumers are most adequately protected and the laws share the same goal as in Brazil: protecting the parties that are considered vulnerable or weaker.

[6] See H Kotz, Contract Law in Europe and in the United States: Legal Unification in the Civil Law and the Common Law (2012) 27 The Tulane European and Civil Law Forum 1, 1.

[7] Community acquis or acquis communautaire is the full set of the European Union's legislative, regulatory, judicial, and normative output, in J Pinder & S Usherwood, The European Union Introduction (Oxford University Press 2007).
We note that in October 2011, the Common European Sales Law (CESL) was proposed. It provides a new regime of contract law applicable to all European Union Member States. According to Article 4 of the Regulation, the cross-border contracts that may adopt CESL as their legal instrument can involve parties located in different countries at the time of contracting, whereby just one needs to be located in a European Member State. Therefore, if the CESL Proposal becomes law, it can be adopted in Brazil by either consumers or service providers. Moreover, the CESL was mainly drafted by German scholars and lawmakers, and the legal rules on which it is based have many similarities to the civil law system adopted in Brazil, particularly in the area of contract and consumer law. Thus, it is important to investigate under what circumstances the CESL can be applied to cloud computing transactions. This research may also help to shed some light onto the intricacies of digital content and cloud computing contracts when they are providing digital content.

Another important issue that needs to be addressed is how consumers of cloud transactions could be protected against unfair or unconscionable contract terms and unfair or misleading practices on the part of cloud providers in Brazil. We argue that digital consumers deserve the same level of protection for their transactions as offered in other forms of commerce. Thus, it is important to investigate some legislation and contracts which may govern the relationship between cloud stakeholders.

The 1988 Brazilian Constitution considers consumer protection laws as a tool to promote equality between contractual parties, assuming that this power is always unbalanced. It takes the approach that self-regulatory schemes alone cannot provide adequate protection to the consumer. As such, the CDC is the main instrument to protect the consumption relationship.
Although little has been discussed and established in regard to digital consumer law per se, in relation to cloud-based transactions, we assume that this invasive market offered by multinational corporations will soon need to receive an adequate level of attention from the regulators in Brazil and from the courts when interpreting the Brazilian CDC. For this reason, we need to examine whether the current CDC legal framework, with its general rules relating to the sale of goods and supply of services, can be applied to cloud computing transactions.

Certainly, the most adopted regulation model for cloud computing is the contract. Cloud contracts are frequently accessible on the provider's online platform via a standard form, to be accepted by the user with a single click. Under these agreements, providers will usually try to fully protect themselves. As a consequence, consumers/customers have to face the risks that are inherent in contract terms that are not negotiated and may be unfavourable to them. Nevertheless, the clauses of these contracts may be legally contested on the basis of unfairness, which produces a high level of uncertainty for cloud providers and consumers/customers.

Hence, it is of fundamental importance to evaluate the main clauses of some cloud-based agreements in Brazil to identify the level of safety and fairness of these contractual terms and conditions under Brazilian legislation. Since the principal focus of this research is consumer law and the relationship consumers have with cloud computing transactions, the evaluation of those clauses should be made primarily according to the Brazilian CDC, and to a lesser extent, under the Civil Code (CC) and other specific legislation in Brazil.

In summary, unclear and legally uncertain contracts between providers and consumers/customers justify the concerns of this research, i.e. the investigation of some international and national legislation and contracts which may govern the relationship between the cloud stakeholders, and which may reconcile disputes between them.

Research objectives

This research aims to analyse and characterise cloud computing transactions from a legal perspective, both as a service contract, and also when it involves the supply of digital content. The thesis objectives now follow.