At the risk of raining on the EU's cloud parade, the European Commission's recently unveiled report, “”, also threatens to unleash a legal storm of international regulatory ordeals,multi-jurisdictionalissues, privacy and security battles, and commercial liability. Alas, that is the price of technological ambition: one is always waiting for the requisite law to load.
The EU plans to leverage theDzinto a golden “digital single market” economy, including a GDP boost of 957 billion euros and 3.8 million jobs by 2020. The report addresses outstanding concerns, clarifies policy and regulatory aspects of the strategy, and sets key actions to assert Europe's future as a “world cloud computing powerhouse”. Whether oneǰ, those in technology, regulatory, and business law would do well to prepare for likely squalls ahead.
First, the strategy involves “cutting through the jungle of standards”—a 27-nation-jungle with all manner of cloud-inhibiting flora, including differing legal frameworks, inconsistent criteria, uncertain jurisdiction, and lack of clear standards. The EC plans to respond with an overarching regime in which cloud providers may obtain certification to reassure clients that they meet set standards of, e.g., interoperability, data portability, and security, and adhere to all relevant laws. Here, problems may arise where ideal cloud standards like seamless transborder accessibility clash with existing legal standards such as transborder data flow restrictions.
Second, there are jurisdictional landscapes abroad to contend with. Conflict of laws figures large in a cloud computing future. Europe will have to collaborate with other countries on issues such as law enforcement, cybercrime,, and competition; and vice versa.Take Canada, for instance.first established transjurisdictional enforcement: one province's court may enforce and recognize judgement from another province if there is a “real and substantial connection between the wrongdoing and the jurisdiction”.extended this test to foreign jurisdictions, whichapplied to enforce a New 91ɫ copyright decision against an Ontario movie-downloading website. Imagine the complications if, for example, a Vancouver start-up using a Melbourne cloud provider with servers in Berlin were found to have violated () German privacy laws. (Conversely,confirmed that the Privacy Commissioner of Canada has jurisdiction over foreign businesses or websites if there is a real and substantial connection to Canada and the subject matter is within the office's purview.)
Despitehaving brought Canada's privacy laws, furtherwith the United States may put Canada's privileged position at risk, with the EC laser-focused on building certainty and trust in cloud computing. The EU zone is well known for itsof the,though some have deemed these fearsin light of.This becomes especially significant now that EUwill no longer arise piecemeal from general, but from uniformly enforced.
Third, the EC seems to place much faith in the power of contracts to assuage worries. Emphasizing “safe and fair contract terms and conditions” as a key goal, the report proposes to create a model contract of standard terms and conditions that certification-seeking cloud businesses can emulate, addressing conditions such as data access, stewardship, control, usage, portability, liability, disclosure, preservation, and reversibility; service upgrades,, and continuity; and termination of services.Many of these terms, according to the report, are currently missing from typical “take it or leave it” cloud service contracts (known as), making for one-sided bargains.
Considering the stakes (another key goal is aggressively drivingin the form ofservices), these contracts are bound to undergo intense scrutiny and sprout new jurisprudence before anything may be considered “standard”. Combined with conflicts of law and potential tort liability (if, for example, cloud computing became such an integral part of civil society that cloud providers were found to owe some form of fiduciary duty), suffice it to say that private law's future in the clouds looks bright.
Of course, there is always the possibility that cloud computing will lead to nothing particularly new in law. In fact,, Vice President Public Policy of the Software & Information Industry Association, believes that “there is no need for special privacy, security, intellectual property or consumer protection rules that apply just to cloud computing. Generalized rules, indeed, globally interoperable rules, are best suited to the global, borderless nature of cloud computing.” Most available legal tools needed to achieve such a state of affairs, however, are currently neither globally interoperable nor borderless. Regardless, one thing iscertain: if the EC gets its way, it won't be too long before users across Europe find themselves living on cloud 9.0.
Cynthia Khoo is a JD Candidate at the University of Victoria.
