Beruflich Dokumente
Kultur Dokumente
Chris Reed
Information is the life blood of any modern enterprise, so much so that information is
often one of the enterprise’s most valuable assets. Enterprises think of this
information as belonging to them, or in simple terms that they “own” it. Increasingly,
private individuals are using computing technology to generate information on a scale
which would previously have been unimaginable. They, too, think of this information
as belonging to them.
The essence of cloud computing (see part 1 below for more detail) is that a customer
(who might be a business enterprise, or equally a consumer user) entrusts its own
digital information, together with that of third parties, to the cloud computing service
provider. The customer then uses technology and information in the cloud, made
available by the provider, to create further information. All this happens online, using
technology which is outside the control of the customer. Inevitably, ownership rights
are affected.
*
Professor of Electronic Commerce Law, Queen Mary University of London School of Law, Centre
for Commercial Law Studies.
My thanks are due to my colleague Professor Christopher Millard for his helpful comments on the draft
of this paper.
>
We gratefully acknowledge the generous financial support from Microsoft which has made this
project possible..
1
See e.g. Oxford v Moss [1979] 68 Cr App. R 183.
2
This paper does not discuss the privacy issues, which are addressed in other papers from the project.
3. How does the allocation of ownership in the terms of service of the major
cloud computing providers deal with these issues?
This paper deals with some initial aspects of the first two of these questions; further
aspects, and the third question, will be examined in later versions of the paper.
The analysis in this paper concentrates on business use of cloud computing services in
order to produce the clearest possible analysis of the state of information ownership
which subsists under the law, prior to any modification of that position by terms of
service and other contracts. For this reason, reference to consumer use is largely
absent. This should not be taken to mean that consumer use of the Cloud is
unimportant – on the contrary, the vast majority of cloud computing is, at the time of
writing, undertaken by consumer users. Consumer use will be examined at a later
stage for two reasons:
Readers should therefore be aware that this paper is very much an exploratory work,
and that the gaps in its coverage are to be filled at a later date.
Cloud Computing refers to both the applications delivered as services over the
Internet and the hardware and systems software in the datacenters that provide
those services. The services themselves have long been referred to as Software as
a Service (SaaS). The datacenter hardware and software is what we will call a
Cloud. When a Cloud is made available in a pay-as-you-go manner to the general
public, we call it a Public Cloud; the service being sold is Utility Computing. We
use the term Private Cloud to refer to internal datacenters of a business or other
organization, not made available to the general public. Thus, Cloud Computing is
the sum of SaaS and Utility Computing, but does not include Private Clouds.
This definition should be seen as illustrative only. Business models in this area are
constantly evolving, and our Legal Aspects of Cloud Computing Research Project is
working on a definition which more closely models the legal relationships which are
created within cloud computing. As an example, Private Clouds is a broader concept
than suggested here, and the legal aspects of Private Clouds provided by a third party
will certainly receive attention as part of the project.
This paper concentrates on two characteristics which are common to all varieties of
cloud computing:
• The user of the service (the “customer”) stores its information on computer
systems operated by the service provider, accessing those systems via the
internet.
3
Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski,
Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, “Above the Clouds: A
Berkeley View of Cloud Computing” Technical Report No. UCB/EECS-2009-28 (10 February 2009) p
1, available from http://radlab.cs.berkeley.edu/.
3
The workings of the service are simply described:
• At EOC’s building, the customer’s letter is typed up and sent out, and the
wax cylinder blanked for re-use or the customer’s handwritten note
discarded. A copy of the sent letter is filed along with the received letter in
EOC’s capacious basement.
4
aspect as physical property. 4 However, they would surely agree that EOC
is obliged to use the documents only for the customer’s purposes, not to
disclose their contents to others, and to hand them over to the customer if
the service relationship ends. For all practical purposes, the customer
would expect to have de facto control over use of the documents, and EOC
would expect this also.
These expectations arise from three areas of law which we believe will also be
fundamental to cloud computing relationships: physical property law, the law of
confidence, and contract law.
It is noteworthy that, in our 1930s experiment, the law of copyright plays almost no
part. No doubt, were EOC to begin copying customer documents and disseminating
copies to outsiders, lawsuits based on copyright would be issued. As between the
customer and EOC, however, copyright would play little part in the question of
information ownership.
Once we fast forward to the 21st century and look at real cloud computing
relationships, it immediately becomes clear that the law’s allocation of ownership
rights (in the broad sense explained above) does not necessarily match the
expectations which the parties would have if physical documents were at issue. This is
because copyright comes to the fore, and alters the balance of ownership. It is,
however, our contention that the expectations, of customers at least, are likely to be
the same as in our thought experiment. The remainder of this paper analyses the
ownership position, and explains the legal mechanisms which can be used to ensure
that the parties’ ownership expectations are met.
As a simplifying assumption, this paper will assume that all the information in which
we are interested is placed in the Cloud either by the service provider or by the
customer. This assumption may not always be true, either because the provider has
adopted a corporate structure under which related companies provide parts of the
4
This question would only be important if EOC ceased trading, for example due to insolvency, or if the
relationship ended as a result of a dispute between the customer and EOC, as part of which EOC
refused to hand over these documents.
5
service 5 or because the provider permits third parties to use its Cloud as a platform to
provide information services direct to the customer. However, all these entities will be
placing information in the provider’s Cloud by virtue of their legal relationship with
the provider, and it is not a gross over-simplification to treat that information (for the
purposes of this paper) as being placed in the Cloud by the provider. As we shall see,
it does not affect the analysis.
5
See e.g. Google Terms of Service para. 4.1, http://www.google.com/accounts/TOS.
6
It is worth noting that this is not necessarily true for consumer users. As examples, many millions of
sound recording files are shared on a daily basis via consumer cloud sites, as are the more than two
billion photographs that are uploaded every month on Facebook. Even if the initial ownership of these
files is theoretically ascertainable, in practice the complex norms of information sharing among
6
to assert that the expectation of all parties is that the mere fact of placing the
information in the Cloud should not alter its ownership status.
For the purpose of analysing ownership, this information can be further sub-divided
into two categories:
• Information generated by a third party and placed in the Cloud via the
provider or customer.
consumers mean that in practice their initial ownership is not ascertainable. We will return to this issue
in future versions of the paper.
7
3.2 Information generated in the Cloud
The question who owns the information generated within the Cloud is more complex,
as the diagram below illustrates.
The main purpose of the cloud computing relationship is to enable the customer to use
the cloud technology to process information and thus generate outputs. However, in
doing so the customer may also generate know how or trade secrets, which are not set
out in any particular information output but reside in the data structures or processes
which the customer establishes through its use of the Cloud. 7 Thus in addition to the
discrete information outputs, we are also interested in the information which can be
derived or deduced from how the customer uses the Cloud.
• All cloud computing service providers will collect information about the
operation of their systems and service for management purposes. Much of
this information will amount to know how or trade secrets belonging to the
provider.
• Customers will need to be billed for their use of the service, and thus the
provider will collect billing data which will certainly incorporate
information about the customer’s activities.
7
For example the customer might devise an innovative method of doing business, implemented wholly
or partly within the Cloud, and this would certainly be protected as confidential information or a trade
secret and in some jurisdictions might even be patentable.
8
• Providers will also generate and store metadata 8 about the data
relationships between the customer’s data and applications and any
provider or third party applications or data. The purpose of producing this
information is both to enable or enhance the customer’s use of the service,
and also for the provider’s own management purposes.
• Finally, and most controversially, data mining 9 tools are available which
would allow the provider to trawl through customer information, either
individually or on a collective basis, and thereby generate new and
potentially valuable information. As a hypothetical example, a service
provider with a number of motor insurers as customers could mine their
data to extract information on the accident rates and types for different
makes and models of vehicle.
The main distinction here must be based on the purpose for which the provider
generates information. Ownership and control issues are more pressing in relation to
information which the provider collects in order to exploit that information
commercially, at least where the exploitation involves the disclosure of the
information to others. Information generated for the provider’s own internal purposes
is likely to be less controversial, though it must be recognised the provider might
subsequently decide that this information could also be exploited. Indeed, data mining
tools are sufficiently sophisticated that a provider might usefully include its internal
data together with customer data, in order to extract even more valuable information
from the mining process.
It should also be noted here that there is a third category of information generated in
the Cloud. This is information produced collaboratively between users, using tools
made available by the service provider and in some circumstances collaborating also
with the service provider or with third party information providers. Because the
majority of such collaborative generation is carried out by consumers, this issue will
be examined in a later version of the paper.
8
Metadata presents known privacy risks, and thus in many countries telecoms service providers are
limited in the metadata they can collect – see e.g. Directive 2002/58/EC of the European Parliament
and of the Council of 12 July 2002 concerning the processing of personal data and the protection of
privacy in the electronic communications sector, OJ L201/37 31 July 2002 Arts. 6 and 9. It is not
suggested in this paper that ownership rights are in need to regulation of this kind, but as part 6 below
demonstrates there are real risks to confidentiality which might not be adequately addressed through
contract, e.g. in the case of consumers. This point will form an element of future work on this topic.
9
See e.g. Jiawei Han & Micheline Kamber, Data Mining: concepts and techniques (2nd ed. Morgan
Kaufmann, San Francisco 2006).
9
so in most jurisdictions it is unlikely that any question of personal property rights
arises. 10 Instead, we must look for ownership rights in three areas of law.
The first is intellectual property. IP rights are the main kind of property right which
might subsist in this information. This paper will concentrate on copyright and, in the
EU, database right as the rights most likely to be relevant. 11
National copyright laws across the world recognise that copyright subsists in works in
digital form, but differ in their conceptions of what constitutes a work. English law,
and the law of those countries whose law derives from England, protects all works 12
where sufficient labour, skill or judgment has been used in their creation. 13 There is
no requirement for creativity per se, but information will not be protected if its
creation required minimal effort 14 or if what is created is too minimal to be
recognised as a work. 15
Civil law countries, which protect authors’ rights rather than copyright, tend to
demand a minimum level of creativity to qualify for protection. Germany is perhaps
the clearest example, requiring there to be a creative step (Gestaltungshöhe) to
distinguish a work from mere information. 16 Prior to the EU Software Directive 17 the
German courts had held that some types of software (such as operating systems) were
10
Whether information can constitute personal property is still, to some extent, an open question.
English law seems clear that it can not – Oxford v Moss, n 1 above, St Albans City and District Council
v International Computers Ltd [1996] 4 All ER 481. Ken Moon, “The nature of computer programs:
tangible? goods? personal property? intellectual property?” (2009) EIPR 396 suggests that the French
Civil Code has the potential to recognise personal property rights in intangibles whereas German law
does not, and also reviews the diverse US tax law decisions on this question.
For the purposes of this article we assume that national courts are unlikely to recognise personal
property rights in digital information, though it would obviously be sensible for cloud computing terms
of use to recognise the possibility that a court might do so at some future date.
11
Trade mark and patent rights may also subsist, but are less likely to be infringed by use of the
information in a cloud computing environment. The comments below about the role of contract in
relation to copyright apply equally to these rights.
12
With the exception of databases in England – Copyright, Designs and Patents Act 1988 s. 3(1)(a) as
amended by Copyright and Rights in Databases Regulations 1997 SI 1997/3032 reg. 5.
13
Ladbroke (Football) Ltd v William Hill (Football) Ltd. [1964] 1 WLR 273. A similar view is taken in
many other common law jurisdictions – see e.g. Desktop Marketing Systems Pty Ltd v. Telstra
Corporation Limited [2002] FCAFC 112 (Federal Court of Australia).
14
GA Cramp & Sons Ltd. V. Frank Smythson Ltd. [1944] AC 329.
15
See e.g. Exxon Corporation v. Exxon Insurance Consultants International Ltd. [1982] Ch 119 (no
copyright in the word “Exxon”), Hitachi Ltd. v. Zafar Auto & Filter House [1997] FSR 50, 58
(Copyright Board, Karachi, Pakistan; no copyright in the word “Hitachi”).
16
Brombeer Muster, BGH decision of 27 January 1983, 1983 GRUR 377.
17
Directive 91/250/EEC on the legal protection of computer programs, OJ L 122/42, 17 May 1991,
which requires a computer program to be the author’s “own intellectual creation” to qualify for
protection by copyright (art. 1(3)).
10
functional, rather than creative, and were thus not protected by author’s right. 18 This
is still likely to be the position for purely functional information such as data tables.
Although a common law jurisdiction, US Federal law has rejected the “sweat of the
brow” test found in English law, and now requires a minimal level of creativity for
copyright protection. 19 However, the level of creativity required is lower than, for
example, Germany. 20
If the applicable law is that of an EU Member State then information in the form of a
database receives sui generic protection under the Database Directive. 21 For a
database 22 to qualify for this protection there must have been “qualitatively and/or
quantitatively a substantial investment in either the obtaining, verification or
presentation of the contents”. 23 If so, the maker of the database has the right “to
prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated
qualitatively and/or quantitatively, of the contents of that database”. 24 Protection lasts
for 10 years from first making the database available to the public or 15 years from its
creation, whichever is the shorter. 25
From this we can conclude that much of the information placed in the Cloud will be
protected by copyright or database right, though not necessarily all. The owner of
these IP rights will be the authors, or more likely the employers or assignees of
authors. Customer and provider will continue to own the IP rights in the information
they upload, subject to any contractual terms to the contrary; third party software
houses and database proprietors will similarly retain their pre-existing IP rights; and
so-on.
The second field of law which is relevant is that relating to the protection of
confidential information or trade secrets. The international consensus on a minimum
level of protection is set out in Art. 39(2) of the Agreement on Trade-Related Aspects
of Intellectual Property Rights (TRIPS Agreement), which provides that protection
must be given to information which:
18
Inkasso-Programm, BGH decision of 9 May 1985, 1986 IIC 681; Betriebssystem, BGH decision of 4
October 1990, 1991 IIC 723.
19
Feist Publications Inc. v. Rural Telephone Service Company, Inc. 499 US 340 (1990).
20
BellSouth Advertising & Publishing Corp v Donnelly Information Publishing Inc. 933 F 2d 952 (11th
Cir. 1991) (holding that copyright subsists in Yellow Pages telephone directories because of the
minimal creativity in devising the business categories under which listings are set out).
21
OJ L77, 27 March 1996 p. 20.
22
‘“Database” shall mean a collection of independent works, data or other materials arranged in a
systematic or methodical way and capable of being individually accessed by electronic or other means.’
Directive 96/9 on the legal protection of databases OJ L77, 27 March 1996 p. 20 art. 1(2).
23
Art. 7(1).
24
Art. 7(1), subject to the lawful user’s rights (Art. 8(1)).
25
Art. 10.
11
(a) is secret in the sense that it is not, as a body or in the precise configuration
and assembly of its components, generally known among or readily accessible
to persons within the circles that normally deal with the kind of information in
question;
(c) has been subject to reasonable steps under the circumstances, by the person
lawfully in control of the information, to keep it secret.
Much of the information in the Cloud, whether protected by IP rights or not, will be of
a confidential nature. So long as those involved in the cloud computing relationship
accept that they owe obligations of confidence to the owner of that information, the
owner will have a remedy against actual or anticipated unauthorised disclosure. Such
an obligation can arise because the information is imparted in circumstances where
the recipient would expect to be obliged to maintain confidence 27 , but is most
conveniently created by means of contractual terms. The continued maintenance of
confidence in the information is important because once the information becomes
known outside the confidential relationship it loses its protection 28 except, to some
extent, as against a wrongful discloser in breach of confidence. 29
26
Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41.
27
See e.g. Saltman Engineering v Campbell (1948) 65 RPC 203.
28
See e.g. Attorney-General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109, Public Systems Inc.
v Towry and Adams (Ala 1991) 587 So.2d 969 (Alabama, US).
29
Seager v Copydex [1967] RPC 349.
30
As ever, consumer use of cloud computing is likely to raise additional complexities because of the
very different norms prevailing in the user community. For business use there is typically a one-to-one
relationship between customer and provider, under which it is usually clear whether the provider has a
duty to maintain confidentiality.
However, in a service used predominately by consumers, such as Facebook, the user often maintains a
one-to-many relationship with “friends”, network members and others. Here the nature of the
provider’s confidentiality obligations is less obvious, because of the more open nature of the relations
between users. This will require further work to elucidate.
12
Finally, contract law plays a critical role in determining ownership rights through the
terms of service for the cloud computing relationship. For information generated
outside the Cloud, this contract can clarify the copyright and confidentiality
relationships in three ways:
• Acknowledging the IP rights that the various players own, and thus
preventing any question of implied licences 31 or equitable assignments of
IP rights arising.
• Granting to the players the licences of IP rights which are necessary for the
cloud computing relationship to operate. The customer will be using
software and data whose IP rights are owned by the provider or a third
party, and unlicensed use of that technology will infringe. Similarly, the
provider will be processing information in which the customer owns IP
rights, and will also require a licence.
Where third party software or data is made available, the rights owner is
likely to have licensed it to the provider on terms which place restrictions
on its use. The customer needs to be made aware of those restrictions to
avoid the risk of infringement, by both the customer and the provider, and
the terms of service are an obvious place for this to be done.
All this information is likely to be confidential to the customer, and so the analysis of
the law of confidence in part 4 above applies equally here. There is likely to be little
significant difference based on the location where the information was generated.
31
The difficulty with implied licences is that, although the court’s analysis of the implied terms is
derived from the nature of the relationship between the parties, this analysis is carried out after the
event. By definition the court would not be asked to determine the licence terms if the parties had a
common understanding of the permitted uses within that relationship, and so one of them is certain to
be disappointed – see e.g. the Australian decision in Trumpet Software Pty Ltd v OzEmail Pty Ltd
[1996] 34 IPR 481 (Federal Court of Australia).
32
As an example, a provider may receive demands for access to information under law enforcement or
anti-terrorist legislation. Whether the provider intends to co-operate voluntarily or require a court order,
and how far the provider will inform the customer of the demand, are matters which could be explained
in the service terms.
13
For IP rights, however, the type of information and the place of generation can have a
substantial impact. For the sake of simplicity we assume the customer is resident in
England – the nature of the difficulties faced by a customer located in a different
jurisdiction should become apparent from this analysis.
Copyright comes into existence when the work is created, which under
English law is when it is recorded. 34 However, the use of cloud computing
makes it uncertain where the work was created. The recording may have
taken place on one of the provider’s servers, which might well be located
outside England, or might have been produced and recorded initially on a
mobile device used by one of the customer’s employees outside England.
It seems likely that most jurisdictions will take the position that a work is
created when it is first recorded 35 , and if so the question precisely where
the human author or creator was located will not affect whether copyright
subsists in the report 36 though it might be relevant for other purposes. 37
• At first sight the IP rights in the database seem equally clear. The maker is
an English corporation, and if the database is recorded on a server located
in an EU Member State there is no question that valid database right
subsists. What, though, if the server is located in the US?
33
Copyright, Designs and Patents Act 1988 s. 11(2) for England. It seems universal that employers
own the economics rights in works created in the course of employment, though the position for moral
rights may vary.
34
Copyright, Designs and Patents Act 1988 s. 3(2).
35
For example, this is the position in the US under 17 USC §101 (definition of “created”).
36
The national treatment provisions of the Berne Convention depend on a work having a “country of
origin” in a Convention member state. If a work is unpublished, or first published outside the Berne
Union (this might arise if the work is created on a server in a non-Berne country), the country of origin
is that of which the author is a national and thus the place of recording is immaterial for the question
whether copyright subsists – Berne Convention art. 5(4)(c).
37
For example, the place of creation might be in a jurisdiction which imposes formalities requirements
on works created in the jurisdiction. A similar point arose recently in Moben v 335 LLC (unreported, D
Delaware 6 October 2009). A graphic work had been uploaded to a server in Germany, from which it
immediately became accessible world-wide. The defendant was sued in the US and argued that this
amounted to first publication in the US, which would prevent the action from being brought until the
plaintiff had registered copyright in the work in the US. The court held that first publication had
occurred on the server to which the work was uploaded, i.e. in Germany. If the relevant criterion had
been whether the work was created in the US, it seems likely that the court would have adopted the
same approach and held that its creation occurred in Germany.
14
The database consists of factual information, and unless there is some
creativity in its structure the effect of the US Supreme Court decision in
Feist 38 is that the database is not protected by copyright under US law. For
database right to subsist 39 , the Database Directive would have to be
interpreted to mean either:
b. That the place where the “making” occurs is not legally relevant, the
question being whether the maker is a national of or is habitually
resident in an EU Member State as required by Art. 11(1) & (2). This
approach would produce somewhat unexpected consequences – for
example, a UK national who had been resident in China for several
years and created a database there would benefit from database right if
unauthorised extraction or reutilisation occurred in an EU country. The
wording of Art. 11(3) could suggest that this was not the intended
interpretation, but Art. 11(3) applies only to mutual recognition of
equivalent rights granted by third countries and so the geographical
wording could be confined to that subsection only.
Unless and until this point comes before the courts, there must be
uncertainty whether a database recorded on a non-EU server attracts any
database right protection, and thus whether its maker has any IP rights at
all.
38
See note 19 above.
39
It is worth noting that if database right subsisted, this would give the customer a remedy in respect of
any acts of unauthorised extraction or reutilisation which took place in an EU Member State, but would
not of course give any remedy against these acts occurring in the US where there is no database right.
40
[1985] FSR 306.
15
example the customer will merely have adjusted the software settings to
determine the dates on which reports should be produced and what
information they should contain, and thereafter the software will keep
producing reports until the settings are changed. This input to the process
is so minimal that a court might find it hard to identify the element of
labour, skill or effort which English law requires for authorship
Contract law is, unfortunately, of little use in resolving these uncertainties. The terms
of service could state that certain categories of information produced by the customer
are protected by copyright or database right, but this would not actually confer these
IP rights if, as a matter of law, they did not subsist in the information. Such a contract
term would, of course, be binding as between provider and customer, but its legal
effect would be uncertain. The applicable law might treat this term as a promise to
treat the customer’s information as if the stated IP rights subsisted, in which case a
provider who did not do so would be in breach of contract. Alternatively the term
might merely act as an estoppel, preventing the provider from denying that the IP
rights subsisted, and this might not be enough to give the customer a right of action
against the provider.41
Contract could clarify matters, though only as between customer and provider, if the
terms of service were drafted so as to replicate the desired IP rights as contractual
obligations. 42 Such a contract would be complex to draft and would probably need to
be individually negotiated for each customer/provider relationship.
41
For example, even if the contract stated that the provider acknowledged that database right subsisted
in the customer’s databases, this would not give the customer any claim if the provider’s unauthorised
extraction and reutilisation took place on a non-EU server.
42
The jurisdictional problems when considering infringement of IP rights are complex and uncertain –
see Paul Edward Geller, “Rethinking the Berne-plus framework: from conflicts of laws to copyright
reform” (2009) EIPR 391.
16
6. Information generated in the Cloud by the provider
6.1 Generation for the provider’s internal purposes
Information generated by the provider for its own internal purposes, such as billing or
management of its Cloud, will belong to the provider in the same manner that
information generated by the customer belongs to the customer. The analysis in part 5
above thus applies equally here. If the provider’s Cloud spans multiple jurisdictions,
the same uncertainties about subsistence of IP rights are likely to arise.
In any event it is likely that the service provider will use the service terms to obtain all
the licences from the customer which are necessary for the operation of the service,
and so the primary concern of both parties in respect of this information is likely to be
preventing unauthorised disclosure.
In order to produce this derived information the provider will need to process
customer information, and information it has collected based on customer activities.
Clearly, if there are any contractual restrictions on doing so the provider will need to
comply with those obligations. If the provider is acting within the terms of its
contracts with customers, the laws of confidence and copyright come into play.
The law of confidence imposes on the provider a duty not to disclose that information
in breach of confidence. Potentially it also goes further, requiring the provider to
observe:
17
…the broad principle of equity that he who has received information in
confidence shall not take unfair advantage of it.43
Clearly the provider intends to benefit from the derived information, but does this
amount to unfair use of customers’ confidential information? The case law on this
point is unhelpful because the alleged breaches in those cases have all fallen into three
classes: disclosure to a third party; use of the information to compete with the
confider; or use to make a profit which could have been made by the confider. 44 The
cloud computing service provider’s activities in creating and exploiting derived
information fall into none of these.
It seems to us that there are two arguments which might be advanced in favour of the
proposition that this conduct takes unfair advantage. The first is based on
concealment; if the provider does not inform the customer that its information will be
used in this way, that failure amounts to unfair conduct in the context of the
confidential relationship. The weakness of this argument is that in a commercial
relationship confidential information is regularly shared, but without commensurate
disclosure by the parties about their business plans and how they intend to use that
information. Confidentiality clauses in commercial contracts concentrate on the
preservation of confidentiality against third parties, and do not normally restrain the
recipient’s use of that information to conduct its own business activities. The
argument might perhaps be more persuasive in the case of a consumer customer,
whose expectations are likely to be different from a commercial customer and will be
formed by the disclosures of the provider as to what uses will be made of the
customer’s confidential information. The second argument is based on the quasi-
proprietary nature of confidential information. A bailee of personal property who uses
it for his own purposes, particularly to make a profit, might reasonably expect to
require the bailor’s consent to do so, and the same should be true for confidential
information. This argument suggests that the profits derived from exploiting derived
information are somehow separate from the business of providing services to
customers. It is far more likely that the cost of the cloud computing service is
calculated on the basis that profits will be made from derived information, and thus
the customer already receives a benefit from that activity in that the provider’s service
charges are lower than they would otherwise have been.
All that can be concluded from this discussion is that there is real uncertainty as to
whether a customer can use the law of confidence to prevent the provider creating
derived information. The most obvious way to resolve this uncertainty is via the
service terms – if the customer consents to this activity, there can be no suggestion
that the provider is in breach of its obligations of confidentiality.
The position in respect of the customer’s IP rights (analysed in part 5 above) is much
simpler. The provider will need to copy data at least temporarily in the course of
processing for its data mining and related activities, and thus to the extent that the
43
Seager v Copydex Ltd [1967] 2 All E.R. 415, 417 per Lord Denning.
44
For a useful review of the cases see Robert Flannigan, “The (fiduciary) duty of fidelity” [2008] LQR
274.
18
customer owns copyright in that information the provider needs a licence to copy it.
The provider will certainly have an implied licence to copy for the purposes of
providing the service, but reliance on such an implied licence to copy for other
purposes will be dangerous as the scope of the implied licence cannot be determined
until a court addresses the matter. We anticipate that a provider who wishes to create
derived data will take an appropriate licence in the terms of service.
If the provider has no licence, the jurisdiction in which the copying takes place
becomes important. As we have seen in part 5, some types of information will attract
copyright in one jurisdiction but not others. The applicable law for the purposes of
infringement is the law of the jurisdiction where copying occurs and not of the
jurisdiction in which the information was created, based on the national treatment
provisions of the Berne Convention and WIPO Copyright Treaty.
If the generation of derived data by the provider for the purpose of exploitation does
not infringe the customer’s ownership rights, then the only further limitation on its use
and exploitation is the obligation to preserve the customer’s confidentiality and trade
secrets. It is assumed in this paper that no cloud computing service provider would
deliberately exploit information which identified its customers, as this would be
commercial suicide once the fact became known. This section therefore addresses the
exploitation of anonymised derived information.
45
This principle is established in a long line of cases running from Scott v Stanford (1866-67) LR 3 Eq
718 to Independent Television Publications Limited & The British Broadcasting Corporation v Time
Out Limited [1984] FSR 64.
46
The test for substantiality differs from the copyright test. If the part is not quantitatively substantial
as a proportion of the whole, the qualitative test is not how important or commercially valuable the part
is, but whether it represents a substantial proportion of the investment in making the database - British
Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th November
2004 paras 71-2.
47
British Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th
November 2004 para 74.
19
If it is not possible to discover from the derived information the identity of the
customer or any other person to whom a confidentiality obligation is owed 48 , then
there is little risk of a breach of confidentiality. The only danger might be that the
derived information enabled a third party to discover confidential business or
technical processes and re-use them. This danger is likely to be obviated if, as seems
likely, providers derive information from their customer information as a collective
entity, rather than on the basis of each individual customer.
This paper has attempted to analyse the ownership position where there is no contract
between the provider and customer, or where the contract does not deal with the
particular ownership issue. As noted at several points, however, it is likely that the
terms of service of cloud computing providers deal with some of these issues already.
The next stage of this research will therefore be to analyse those terms to identify how
far the issues raised in this paper are resolved through contract.
48
This might include the customer’s employees, clients or trading partners, as examples.
49
Paul Ohm, “Broken Promises of Privacy: responding to the surprising failure of anonymization”
(forthcoming 57 UCLA Review), available via
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006.
50
Weld-Blundell v Stephens [1919] 1 KB 520.
51
The T.J. Hooper (1932) 60 F 2d 737 (ship-to-shore radio).
20
A second, and fundamentally important, issue to be investigated is the position of
consumer users of cloud computing. 52 The information ownership rights of
consumers will be affected by any contractual terms which reduce the ownership
rights which they would otherwise have enjoyed by virtue of law. Cloud computing
contracts with consumers will inevitably be contracts of adhesion, rather than
individually negotiated, and consumer protection laws will affect the ability of service
providers to modify the consumer’s rights through contract. Consumer ownership
rights will also be greatly affected by the very different ways in which consumers use
cloud computing services, and the complex norms of the user community as to what
use may be made of the information accessible via the Cloud.
52
The expanded version of this paper will discuss the position of consumers’ information rights in
detail. Further papers are planned as part of the Project, in which the wider consumer issues will be
discussed and service provider terms will be analysed in depth.
21