Sie sind auf Seite 1von 22
Queen Mary University of London, School of Law Legal Studies Research Paper No. 45/2010 Information

Queen Mary University of London, School of Law Legal Studies Research Paper No. 45/2010

Information “Ownership” in the Cloud

Chris Reed

Electronic copy available at: http://ssrn.com/abstract=1562461

Information “Ownership” in the Cloud

Chris Reed *

CCLS Legal Aspects of Cloud Computing Research Project

Information is the life blood of any modern enterprise, so much so that information is often one of the enterprise’s most valuable assets. Enterprises think of this information as belonging to them, or in simple terms that they “own” it. Increasingly, private individuals are using computing technology to generate information on a scale which would previously have been unimaginable. They, too, think of this information as belonging to them.

Of course, this assumption of ownership is not strictly accurate. Information in digital form is generally not any kind of personal property unless it is recorded on a physical object, in which case property rights relate to that physical object and not the information itself. 1 However, information is subject to a combination of the laws of intellectual property, confidence, privacy 2 and contract, among others, and the composite effect of these laws gives the enterprise a level of control over its information which is very similar to owning physical property. For convenience, this will be referred to in this paper as ownership of the information, while recognising that the term may not be strictly accurate.

The essence of cloud computing (see part 1 below for more detail) is that a customer (who might be a business enterprise, or equally a consumer user) entrusts its own digital information, together with that of third parties, to the cloud computing service provider. The customer then uses technology and information in the cloud, made available by the provider, to create further information. All this happens online, using technology which is outside the control of the customer. Inevitably, ownership rights are affected.

The research addresses three questions:

1. What are the expectations of those involved in a cloud computing relationship about information ownership, and how closely does the current legal framework match those expectations?

* Professor of Electronic Commerce Law, Queen Mary University of London School of Law, Centre for Commercial Law Studies.

My thanks are due to my colleague Professor Christopher Millard for his helpful comments on the draft of this paper.

We gratefully acknowledge the generous financial support from Microsoft which has made this project possible

1 See e.g. Oxford v Moss [1979] 68 Cr App. R 183.

2 This paper does not discuss the privacy issues, which are addressed in other papers from the project.

1

Electronic copy available at: http://ssrn.com/abstract=1562461

2.

Does cloud computing generate new types of information, and if so how is that information owned?

3. How does the allocation of ownership in the terms of service of the major cloud computing providers deal with these issues?

This paper deals with some initial aspects of the first two of these questions; further aspects, and the third question, will be examined in later versions of the paper.

The analysis in this paper concentrates on business use of cloud computing services in order to produce the clearest possible analysis of the state of information ownership which subsists under the law, prior to any modification of that position by terms of service and other contracts. For this reason, reference to consumer use is largely absent. This should not be taken to mean that consumer use of the Cloud is unimportant – on the contrary, the vast majority of cloud computing is, at the time of writing, undertaken by consumer users. Consumer use will be examined at a later stage for two reasons:

The initial ownership position, in the absence of contract terms modifying ownership rights, is likely to be broadly similar for both business and consumer users. However, the potential uses of cloud computing by businesses are rather simpler than those which consumers undertake, and thus concentrating on business use permits the analysis to be more easily understood.

The actual ownership rights of consumer users depend to a large extent on the terms of their contracts with cloud computing service providers, and on their express and implied agreements with other information owners and users. A detailed exposition of consumer ownership of information must therefore necessarily be delayed until an analysis of service provider terms has been undertaken.

Readers should therefore be aware that this paper is very much an exploratory work, and that the gaps in its coverage are to be filled at a later date.

1. Introducing the Cloud

Cloud computing comes in many forms, and encompasses a wide range of technologies and services. A useful description of the core elements of cloud computing is found in a recent research paper from the UC Berkeley Reliable Adaptive Distributed Systems Laboratory:

Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus, Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds.

2

Electronic copy available at: http://ssrn.com/abstract=1562461

People can be users or providers of SaaS, or users or providers of Utility Computing. 3

This definition should be seen as illustrative only. Business models in this area are constantly evolving, and our Legal Aspects of Cloud Computing Research Project is working on a definition which more closely models the legal relationships which are created within cloud computing. As an example, Private Clouds is a broader concept than suggested here, and the legal aspects of Private Clouds provided by a third party will certainly receive attention as part of the project.

This paper concentrates on two characteristics which are common to all varieties of cloud computing:

The user of the service (the “customer”) stores its information on computer systems operated by the service provider, accessing those systems via the internet.

Customers process data, and thus create new information, using applications and data made available by providers, again via the internet.

2. A 1930s thought experiment

A useful starting point for our examination of the problems of information ownership might be to determine the expectations of the parties, and in particular of customers, as to this matter. However, the wide range of cloud computing services means that selecting any one of them for analysis is likely to encompass features which are not shared with other services.

For this reason, we begin with a thought experiment, in which we invent a conceptually similar service which operates only on hard copy documents. From that experiment we deduce the probable expectations of the parties as to information ownership, and then bring our deductions forward in time to apply them to cloud computing.

2.1 The Efficient Office Corporation

Our experiment is set in the 1930s, to ensure that it remains untainted by any flavour of digital computing technology. The service provider is the Efficient Office Corporation (EOC), which has noticed that all the businesses in its city use at least half of their premises to house staff whose function is to process and store documents, rather than to carry out the core activities of those businesses. EOC’s aim is to provide document processing and storage as a service, allowing businesses to reduce their payroll count and either move to smaller premises or expand their business in existing premises.

3 Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, “Above the Clouds: A Berkeley View of Cloud Computing” Technical Report No. UCB/EECS-2009-28 (10 February 2009) p 1, available from http://radlab.cs.berkeley.edu/.

3

The workings of the service are simply described:

Suppose a letter is received by a customer which requires a reply. The customer dictates a response onto a modern, high-tech wax recording cylinder or writes it on paper. Then it is collected, along with the received letter, by one of EOC’s staff of messenger boys who race around the city on foot, bicycle and motorbike.

At EOC’s building, the customer’s letter is typed up and sent out, and the wax cylinder blanked for re-use or the customer’s handwritten note discarded. A copy of the sent letter is filed along with the received letter in EOC’s capacious basement.

If financial information is involved, perhaps because the received letter contains an invoice, EOC’s accounts department performs any necessary calculations via its skilled mechanical computer operators and records the information in the customer’s accounts ledgers which are also stored in the basement.

If the customer needs access to the information stored by EOC then a telephone call will bring a messenger boy carrying a paper copy of the information, which can be discarded once the customer has used the information.

Regular reports are made to the customer on matters such as payments to be made, management accounts etc, and corporate documentation is generated at the appropriate times without the customer needing to request it.

2.2 Expectations about information ownership

If we asked EOC and its customers who owned the information which is processed, generated and stored in the course of the service, it is likely that there would be a clear consensus on most matters even if the service contract was silent on this point:

Documents received by the customer, and then entrusted to EOC for processing and safekeeping, would clearly be owned by the customer. EOC’s role is merely to keep these documents safe, and deal with them as instructed by the customer.

Documents sent out by EOC on the customer’s behalf clearly belong to their addressee as physical property. The intellectual property rights in their contents will belong to the customer as author, rather than to EOC whose role has been merely to produce them according to the customer’s instructions.

Documents generated by EOC as part of the service, such as copies of sent letters, accounting records and the like, are more problematic. The parties might need to ask their legal advisers who owns the documents in their

4

aspect as physical property. 4 However, they would surely agree that EOC is obliged to use the documents only for the customer’s purposes, not to disclose their contents to others, and to hand them over to the customer if the service relationship ends. For all practical purposes, the customer would expect to have de facto control over use of the documents, and EOC would expect this also.

Information produced by EOC for its own purposes, such as records of collection and sending via its messenger boys, probably used for billing and general management purposes, would clearly belong to EOC. However, the customer would expect, and EOC would acknowledge, that much of this information is confidential to the customer, and should not be disclosed if the customer can be identified.

These expectations arise from three areas of law which we believe will also be fundamental to cloud computing relationships: physical property law, the law of confidence, and contract law.

It is noteworthy that, in our 1930s experiment, the law of copyright plays almost no part. No doubt, were EOC to begin copying customer documents and disseminating copies to outsiders, lawsuits based on copyright would be issued. As between the customer and EOC, however, copyright would play little part in the question of information ownership.

Once we fast forward to the 21 st century and look at real cloud computing relationships, it immediately becomes clear that the law’s allocation of ownership rights (in the broad sense explained above) does not necessarily match the expectations which the parties would have if physical documents were at issue. This is because copyright comes to the fore, and alters the balance of ownership. It is, however, our contention that the expectations, of customers at least, are likely to be the same as in our thought experiment. The remainder of this paper analyses the ownership position, and explains the legal mechanisms which can be used to ensure that the parties’ ownership expectations are met.

3. Information flows in the Cloud

Before a legal analysis can be undertaken it is necessary to identify the information whose ownership is at issue. This is a difficult matter in the Cloud, because its very nature means that information is constantly being added and removed or modified, and new information is being generated.

As a simplifying assumption, this paper will assume that all the information in which we are interested is placed in the Cloud either by the service provider or by the customer. This assumption may not always be true, either because the provider has adopted a corporate structure under which related companies provide parts of the

4 This question would only be important if EOC ceased trading, for example due to insolvency, or if the relationship ended as a result of a dispute between the customer and EOC, as part of which EOC refused to hand over these documents.

5

service 5 or because the provider permits third parties to use its Cloud as a platform to provide information services direct to the customer. However, all these entities will be placing information in the provider’s Cloud by virtue of their legal relationship with the provider, and it is not a gross over-simplification to treat that information (for the purposes of this paper) as being placed in the Cloud by the provider. As we shall see, it does not affect the analysis.

A conceptual map of the information flows in the provider/customer relationship

might look something like this:

relationship might look something like this: Although this map is apparently complex, it can be further

Although this map is apparently complex, it can be further simplified as follows.

3.1 Information generated outside the Cloud

Much of the information at issue is generated outside the Cloud, and thus already has

an established ownership status before it is placed in the Cloud. 6 It seems reasonable

5 See e.g. Google Terms of Service para. 4.1, http://www.google.com/accounts/TOS.

6 It is worth noting that this is not necessarily true for consumer users. As examples, many millions of sound recording files are shared on a daily basis via consumer cloud sites, as are the more than two billion photographs that are uploaded every month on Facebook. Even if the initial ownership of these files is theoretically ascertainable, in practice the complex norms of information sharing among

6

to assert that the expectation of all parties is that the mere fact of placing the information in the Cloud should not alter its ownership status.

in the Cloud should not alter its ownership status. For the purpose of analysing ownership, this

For the purpose of analysing ownership, this information can be further sub-divided into two categories:

Information generated by a party to the Cloud relationship, either the customer or the provider.

Information generated by a third party and placed in the Cloud via the provider or customer.

As we will see in part 4.1 below, it is comparatively easy to determine ownership rights in this class of information.

3.2

Information generated in the Cloud

The question who owns the information generated within the Cloud is more complex, as the diagram below illustrates.

Cloud is more complex, as the diagram below illustrates. The main purpose of the cloud computing

The main purpose of the cloud computing relationship is to enable the customer to use the cloud technology to process information and thus generate outputs. However, in doing so the customer may also generate know how or trade secrets, which are not set out in any particular information output but reside in the data structures or processes which the customer establishes through its use of the Cloud. 7 Thus in addition to the discrete information outputs, we are also interested in the information which can be derived or deduced from how the customer uses the Cloud.

The provider, too, will be generating information of various different types:

All cloud computing service providers will collect information about the operation of their systems and service for management purposes. Much of this information will amount to know how or trade secrets belonging to the provider.

Customers will need to be billed for their use of the service, and thus the provider will collect billing data which will certainly incorporate information about the customer’s activities.

7 For example the customer might devise an innovative method of doing business, implemented wholly or partly within the Cloud, and this would certainly be protected as confidential information or a trade secret and in some jurisdictions might even be patentable.

8

Providers will also generate and store metadata 8 about the data relationships between the customer’s data and applications and any provider or third party applications or data. The purpose of producing this information is both to enable or enhance the customer’s use of the service, and also for the provider’s own management purposes.

Finally, and most controversially, data mining 9 tools are available which would allow the provider to trawl through customer information, either individually or on a collective basis, and thereby generate new and potentially valuable information. As a hypothetical example, a service provider with a number of motor insurers as customers could mine their data to extract information on the accident rates and types for different makes and models of vehicle.

The main distinction here must be based on the purpose for which the provider generates information. Ownership and control issues are more pressing in relation to information which the provider collects in order to exploit that information commercially, at least where the exploitation involves the disclosure of the information to others. Information generated for the provider’s own internal purposes is likely to be less controversial, though it must be recognised the provider might subsequently decide that this information could also be exploited. Indeed, data mining tools are sufficiently sophisticated that a provider might usefully include its internal data together with customer data, in order to extract even more valuable information from the mining process.

It should also be noted here that there is a third category of information generated in the Cloud. This is information produced collaboratively between users, using tools made available by the service provider and in some circumstances collaborating also with the service provider or with third party information providers. Because the majority of such collaborative generation is carried out by consumers, this issue will be examined in a later version of the paper.

4. Ownership of information generated outside the Cloud

As noted above, information generated outside the Cloud will already have an established ownership status. Unlike our 1930s thought experiment, this information is placed in the Cloud in purely digital form, rather than on some physical carrier, and

8 Metadata presents known privacy risks, and thus in many countries telecoms service providers are limited in the metadata they can collect – see e.g. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L201/37 31 July 2002 Arts. 6 and 9. It is not suggested in this paper that ownership rights are in need to regulation of this kind, but as part 6 below demonstrates there are real risks to confidentiality which might not be adequately addressed through contract, e.g. in the case of consumers. This point will form an element of future work on this topic.

9 See e.g. Jiawei Han & Micheline Kamber, Data Mining: concepts and techniques (2 nd ed. Morgan Kaufmann, San Francisco 2006).

9

so in most jurisdictions it is unlikely that any question of personal property rights arises. 10 Instead, we must look for ownership rights in three areas of law.

The first is intellectual property. IP rights are the main kind of property right which might subsist in this information. This paper will concentrate on copyright and, in the EU, database right as the rights most likely to be relevant. 11

National copyright laws across the world recognise that copyright subsists in works in digital form, but differ in their conceptions of what constitutes a work. English law, and the law of those countries whose law derives from England, protects all works 12 where sufficient labour, skill or judgment has been used in their creation. 13 There is no requirement for creativity per se, but information will not be protected if its creation required minimal effort 14 or if what is created is too minimal to be recognised as a work. 15

Civil law countries, which protect authors’ rights rather than copyright, tend to demand a minimum level of creativity to qualify for protection. Germany is perhaps the clearest example, requiring there to be a creative step (Gestaltungshöhe) to distinguish a work from mere information. 16 Prior to the EU Software Directive 17 the German courts had held that some types of software (such as operating systems) were

10 Whether information can constitute personal property is still, to some extent, an open question. English law seems clear that it can not – Oxford v Moss, n 1 above, St Albans City and District Council v International Computers Ltd [1996] 4 All ER 481. Ken Moon, “The nature of computer programs:

tangible? goods? personal property? intellectual property?” (2009) EIPR 396 suggests that the French Civil Code has the potential to recognise personal property rights in intangibles whereas German law does not, and also reviews the diverse US tax law decisions on this question.

For the purposes of this article we assume that national courts are unlikely to recognise personal property rights in digital information, though it would obviously be sensible for cloud computing terms of use to recognise the possibility that a court might do so at some future date.

11 Trade mark and patent rights may also subsist, but are less likely to be infringed by use of the information in a cloud computing environment. The comments below about the role of contract in relation to copyright apply equally to these rights.

12 With the exception of databases in England – Copyright, Designs and Patents Act 1988 s. 3(1)(a) as amended by Copyright and Rights in Databases Regulations 1997 SI 1997/3032 reg. 5.

13 Ladbroke (Football) Ltd v William Hill (Football) Ltd. [1964] 1 WLR 273. A similar view is taken in many other common law jurisdictions – see e.g. Desktop Marketing Systems Pty Ltd v. Telstra Corporation Limited [2002] FCAFC 112 (Federal Court of Australia).

14 GA Cramp & Sons Ltd. V. Frank Smythson Ltd. [1944] AC 329.

15 See e.g. Exxon Corporation v. Exxon Insurance Consultants International Ltd. [1982] Ch 119 (no copyright in the word “Exxon”), Hitachi Ltd. v. Zafar Auto & Filter House [1997] FSR 50, 58 (Copyright Board, Karachi, Pakistan; no copyright in the word “Hitachi”).

16 Brombeer Muster, BGH decision of 27 January 1983, 1983 GRUR 377.

17 Directive 91/250/EEC on the legal protection of computer programs, OJ L 122/42, 17 May 1991, which requires a computer program to be the author’s “own intellectual creation” to qualify for protection by copyright (art. 1(3)).

10

functional, rather than creative, and were thus not protected by author’s right. 18 This is still likely to be the position for purely functional information such as data tables. Although a common law jurisdiction, US Federal law has rejected the “sweat of the brow” test found in English law, and now requires a minimal level of creativity for copyright protection. 19 However, the level of creativity required is lower than, for example, Germany. 20

If the applicable law is that of an EU Member State then information in the form of a database receives sui generic protection under the Database Directive. 21 For a database 22 to qualify for this protection there must have been “qualitatively and/or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents”. 23 If so, the maker of the database has the right “to prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database”. 24 Protection lasts for 10 years from first making the database available to the public or 15 years from its creation, whichever is the shorter. 25

From this we can conclude that much of the information placed in the Cloud will be protected by copyright or database right, though not necessarily all. The owner of these IP rights will be the authors, or more likely the employers or assignees of authors. Customer and provider will continue to own the IP rights in the information they upload, subject to any contractual terms to the contrary; third party software houses and database proprietors will similarly retain their pre-existing IP rights; and so-on.

The second field of law which is relevant is that relating to the protection of confidential information or trade secrets. The international consensus on a minimum level of protection is set out in Art. 39(2) of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement), which provides that protection must be given to information which:

18 Inkasso-Programm, BGH decision of 9 May 1985, 1986 IIC 681; Betriebssystem, BGH decision of 4 October 1990, 1991 IIC 723.

19 Feist Publications Inc. v. Rural Telephone Service Company, Inc. 499 US 340 (1990).

20 BellSouth Advertising & Publishing Corp v Donnelly Information Publishing Inc. 933 F 2d 952 (11th Cir. 1991) (holding that copyright subsists in Yellow Pages telephone directories because of the minimal creativity in devising the business categories under which listings are set out).

21 OJ L77, 27 March 1996 p. 20.

22 ‘“Database” shall mean a collection of independent works, data or other materials arranged in a systematic or methodical way and capable of being individually accessed by electronic or other means.’ Directive 96/9 on the legal protection of databases OJ L77, 27 March 1996 p. 20 art. 1(2).

23 Art. 7(1).

24 Art. 7(1), subject to the lawful user’s rights (Art. 8(1)).

25 Art. 10.

11

(a) is secret in the sense that it is not, as a body or in the precise configuration

and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in

question;

(b)

has commercial value because it is secret; and

(c)

has been subject to reasonable steps under the circumstances, by the person

lawfully in control of the information, to keep it secret.

Many jurisdictions, including England, also protect non-commercial information which is confidential in nature and has been disclosed subject to an obligation of confidence, express or implied. 26

Much of the information in the Cloud, whether protected by IP rights or not, will be of a confidential nature. So long as those involved in the cloud computing relationship accept that they owe obligations of confidence to the owner of that information, the owner will have a remedy against actual or anticipated unauthorised disclosure. Such an obligation can arise because the information is imparted in circumstances where the recipient would expect to be obliged to maintain confidence 27 , but is most conveniently created by means of contractual terms. The continued maintenance of confidence in the information is important because once the information becomes known outside the confidential relationship it loses its protection 28 except, to some extent, as against a wrongful discloser in breach of confidence. 29

As with IP rights, an owner’s rights of confidentiality will not be affected by placing the information in the Cloud so long as the provider, and any others who thereby have access to the information, are under an obligation to maintain its confidence. The nature of cloud computing relationships would seem to suggest that the service provider impliedly undertakes to maintain confidence in the customer’s information, and this may be stated expressly in the terms of service. 30

26 Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41.

27 See e.g. Saltman Engineering v Campbell (1948) 65 RPC 203.

28 See e.g. Attorney-General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109, Public Systems Inc. v Towry and Adams (Ala 1991) 587 So.2d 969 (Alabama, US).

29 Seager v Copydex [1967] RPC 349.

30 As ever, consumer use of cloud computing is likely to raise additional complexities because of the very different norms prevailing in the user community. For business use there is typically a one-to-one relationship between customer and provider, under which it is usually clear whether the provider has a duty to maintain confidentiality.

However, in a service used predominately by consumers, such as Facebook, the user often maintains a one-to-many relationship with “friends”, network members and others. Here the nature of the provider’s confidentiality obligations is less obvious, because of the more open nature of the relations between users. This will require further work to elucidate.

12

Finally, contract law plays a critical role in determining ownership rights through the terms of service for the cloud computing relationship. For information generated outside the Cloud, this contract can clarify the copyright and confidentiality relationships in three ways:

Acknowledging the IP rights that the various players own, and thus preventing any question of implied licences 31 or equitable assignments of IP rights arising.

Granting to the players the licences of IP rights which are necessary for the cloud computing relationship to operate. The customer will be using software and data whose IP rights are owned by the provider or a third party, and unlicensed use of that technology will infringe. Similarly, the provider will be processing information in which the customer owns IP rights, and will also require a licence.

Where third party software or data is made available, the rights owner is likely to have licensed it to the provider on terms which place restrictions on its use. The customer needs to be made aware of those restrictions to avoid the risk of infringement, by both the customer and the provider, and the terms of service are an obvious place for this to be done.

Defining the obligations of confidentiality which each player owes to the others, including any limitations on those obligations 32 and agreeing the confidentiality position once the relationship terminates.

5. Information generated in the Cloud by the customer

Ownership of the information which the customer generates through use of the Cloud will depend on both the type of information and, to some extent, on where it was generated. This is most easily explained by examining three different types of output:

a written report; a database of numerical information about stock prices; and an automated financial management report produced by accounting software running in the Cloud.

All this information is likely to be confidential to the customer, and so the analysis of the law of confidence in part 4 above applies equally here. There is likely to be little significant difference based on the location where the information was generated.

31 The difficulty with implied licences is that, although the court’s analysis of the implied terms is derived from the nature of the relationship between the parties, this analysis is carried out after the event. By definition the court would not be asked to determine the licence terms if the parties had a common understanding of the permitted uses within that relationship, and so one of them is certain to be disappointed – see e.g. the Australian decision in Trumpet Software Pty Ltd v OzEmail Pty Ltd [1996] 34 IPR 481 (Federal Court of Australia).

32 As an example, a provider may receive demands for access to information under law enforcement or anti-terrorist legislation. Whether the provider intends to co-operate voluntarily or require a court order, and how far the provider will inform the customer of the demand, are matters which could be explained in the service terms.

13

For IP rights, however, the type of information and the place of generation can have a substantial impact. For the sake of simplicity we assume the customer is resident in England – the nature of the difficulties faced by a customer located in a different jurisdiction should become apparent from this analysis.

The written report will certainly be protected by copyright. The authors, employees of the customer, are writing in England (a Berne Convention signatory). Thus the report qualifies for copyright protection as a literary work in all Berne Convention countries. The authors are employees of the customer, and thus the customer will normally own copyright in the report. 33

Copyright comes into existence when the work is created, which under English law is when it is recorded. 34 However, the use of cloud computing makes it uncertain where the work was created. The recording may have taken place on one of the provider’s servers, which might well be located outside England, or might have been produced and recorded initially on a mobile device used by one of the customer’s employees outside England. It seems likely that most jurisdictions will take the position that a work is created when it is first recorded 35 , and if so the question precisely where the human author or creator was located will not affect whether copyright subsists in the report 36 though it might be relevant for other purposes. 37

At first sight the IP rights in the database seem equally clear. The maker is an English corporation, and if the database is recorded on a server located in an EU Member State there is no question that valid database right subsists. What, though, if the server is located in the US?

33 Copyright, Designs and Patents Act 1988 s. 11(2) for England. It seems universal that employers own the economics rights in works created in the course of employment, though the position for moral rights may vary.

34 Copyright, Designs and Patents Act 1988 s. 3(2).

35 For example, this is the position in the US under 17 USC §101 (definition of “created”).

36 The national treatment provisions of the Berne Convention depend on a work having a “country of origin” in a Convention member state. If a work is unpublished, or first published outside the Berne Union (this might arise if the work is created on a server in a non-Berne country), the country of origin is that of which the author is a national and thus the place of recording is immaterial for the question whether copyright subsists – Berne Convention art. 5(4)(c).

37 For example, the place of creation might be in a jurisdiction which imposes formalities requirements on works created in the jurisdiction. A similar point arose recently in Moben v 335 LLC (unreported, D Delaware 6 October 2009). A graphic work had been uploaded to a server in Germany, from which it immediately became accessible world-wide. The defendant was sued in the US and argued that this amounted to first publication in the US, which would prevent the action from being brought until the plaintiff had registered copyright in the work in the US. The court held that first publication had occurred on the server to which the work was uploaded, i.e. in Germany. If the relevant criterion had been whether the work was created in the US, it seems likely that the court would have adopted the same approach and held that its creation occurred in Germany.

14

The database consists of factual information, and unless there is some creativity in its structure the effect of the US Supreme Court decision in Feist 38 is that the database is not protected by copyright under US law. For database right to subsist 39 , the Database Directive would have to be interpreted to mean either:

a. That “making” occurs where the maker is physically located, irrespective of the geographical location where recording of the database takes place. The wording of Art. 11(3), which refers to databases “made in third countries”, suggests that “making” has a geographical location. However, it does not help to decide whether the location is the place of the maker or the place of recording (and at the date the Directive was enacted it is unlikely that the legislators envisaged that these two places might be different).

b. That the place where the “making” occurs is not legally relevant, the question being whether the maker is a national of or is habitually resident in an EU Member State as required by Art. 11(1) & (2). This approach would produce somewhat unexpected consequences – for example, a UK national who had been resident in China for several years and created a database there would benefit from database right if unauthorised extraction or reutilisation occurred in an EU country. The wording of Art. 11(3) could suggest that this was not the intended interpretation, but Art. 11(3) applies only to mutual recognition of equivalent rights granted by third countries and so the geographical wording could be confined to that subsection only.

Unless and until this point comes before the courts, there must be

uncertainty whether a database recorded on a non-EU server attracts any database right protection, and thus whether its maker has any IP rights at

all.

The automated financial management report again raises complex geographical and jurisdictional issues because there is no international consensus whether such reports attract IP rights. English law would certainly protect the report as a literary work. Most likely it would be treated as a work of authorship, on the basis that the English customer was using the accounting software as a tool to create the report. This reasoning was adopted in Express Newspapers plc v Liverpool Daily Post & Echo plc, 40 where the court decided that grids of letters for use in prize draws were authored by the programmer who wrote the software to produce the grids. However, in that case the author actually wrote the software – in our

38 See note 19 above.

39 It is worth noting that if database right subsisted, this would give the customer a remedy in respect of any acts of unauthorised extraction or reutilisation which took place in an EU Member State, but would not of course give any remedy against these acts occurring in the US where there is no database right.

40 [1985] FSR 306.

15

example the customer will merely have adjusted the software settings to determine the dates on which reports should be produced and what information they should contain, and thereafter the software will keep producing reports until the settings are changed. This input to the process is so minimal that a court might find it hard to identify the element of labour, skill or effort which English law requires for authorship

If so, English law would still protect the report as a “computer-generated work” under s. 9(3) of the Copyright, Designs and Patents Act 1988. The author would be “the person by whom the arrangements necessary for the creation of the work are undertaken.” Although the provider has made many of the necessary arrangements, by providing access to the Cloud and making the software available, it seems to us that an English court would identify the customer’s actions in configuring the software as the final, and thus the necessary step, though this point has not yet come before the courts.

Most jurisdictions have no concept of computer-generated work, and thus the question whether copyright subsists in the report will depend on the local courts’ view as to whether the customer is the author, merely using the software as a tool. Even if this constitutes authorship in a particular jurisdiction, the report might still not attract copyright because it is insufficiently creative to constitute a work (see the discussion in part 4 above).

Contract law is, unfortunately, of little use in resolving these uncertainties. The terms of service could state that certain categories of information produced by the customer are protected by copyright or database right, but this would not actually confer these IP rights if, as a matter of law, they did not subsist in the information. Such a contract term would, of course, be binding as between provider and customer, but its legal effect would be uncertain. The applicable law might treat this term as a promise to treat the customer’s information as if the stated IP rights subsisted, in which case a provider who did not do so would be in breach of contract. Alternatively the term might merely act as an estoppel, preventing the provider from denying that the IP rights subsisted, and this might not be enough to give the customer a right of action against the provider. 41

Contract could clarify matters, though only as between customer and provider, if the terms of service were drafted so as to replicate the desired IP rights as contractual obligations. 42 Such a contract would be complex to draft and would probably need to be individually negotiated for each customer/provider relationship.

41 For example, even if the contract stated that the provider acknowledged that database right subsisted in the customer’s databases, this would not give the customer any claim if the provider’s unauthorised extraction and reutilisation took place on a non-EU server.

42 The jurisdictional problems when considering infringement of IP rights are complex and uncertain – see Paul Edward Geller, “Rethinking the Berne-plus framework: from conflicts of laws to copyright reform” (2009) EIPR 391.

16

6.

Information generated in the Cloud by the provider

6.1 Generation for the provider’s internal purposes

Information generated by the provider for its own internal purposes, such as billing or management of its Cloud, will belong to the provider in the same manner that information generated by the customer belongs to the customer. The analysis in part 5 above thus applies equally here. If the provider’s Cloud spans multiple jurisdictions, the same uncertainties about subsistence of IP rights are likely to arise.

An additional complication arises because much of this provider information relates to the customer’s information and activities, and as we have already seen that information is likely to be subject to an obligation of confidence. If the provider- generated information is used only for the provider’s internal purposes there is no question of breach of this obligation. The primary obligation is against disclosure, and to the extent that the applicable law imposes restrictions on the provider using that information for its own purposes, a licence to do so would surely be implied because the use of this information is necessary for the effective operation of the cloud computing relationship with the customer.

In any event it is likely that the service provider will use the service terms to obtain all the licences from the customer which are necessary for the operation of the service, and so the primary concern of both parties in respect of this information is likely to be preventing unauthorised disclosure.

6.2 Exploitation of derived information

As we have seen above, the service provider will generate information for its internal purposes which is derived from the customer’s information and activities. We have also noted that the provider has the ability to use data mining and other tools to extract further information from its collection of customer data. This raises two questions:

will the production of such information infringe the customer’s ownership rights, and does the customer have any control over the use of this information, in particular any commercial exploitation?

6.2.1 The customer’s rights

In order to produce this derived information the provider will need to process customer information, and information it has collected based on customer activities. Clearly, if there are any contractual restrictions on doing so the provider will need to comply with those obligations. If the provider is acting within the terms of its contracts with customers, the laws of confidence and copyright come into play.

The law of confidence imposes on the provider a duty not to disclose that information in breach of confidence. Potentially it also goes further, requiring the provider to observe:

17

…the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it. 43

Clearly the provider intends to benefit from the derived information, but does this amount to unfair use of customers’ confidential information? The case law on this point is unhelpful because the alleged breaches in those cases have all fallen into three classes: disclosure to a third party; use of the information to compete with the confider; or use to make a profit which could have been made by the confider. 44 The cloud computing service provider’s activities in creating and exploiting derived information fall into none of these.

It seems to us that there are two arguments which might be advanced in favour of the proposition that this conduct takes unfair advantage. The first is based on concealment; if the provider does not inform the customer that its information will be used in this way, that failure amounts to unfair conduct in the context of the confidential relationship. The weakness of this argument is that in a commercial relationship confidential information is regularly shared, but without commensurate disclosure by the parties about their business plans and how they intend to use that information. Confidentiality clauses in commercial contracts concentrate on the preservation of confidentiality against third parties, and do not normally restrain the recipient’s use of that information to conduct its own business activities. The argument might perhaps be more persuasive in the case of a consumer customer, whose expectations are likely to be different from a commercial customer and will be formed by the disclosures of the provider as to what uses will be made of the customer’s confidential information. The second argument is based on the quasi- proprietary nature of confidential information. A bailee of personal property who uses it for his own purposes, particularly to make a profit, might reasonably expect to require the bailor’s consent to do so, and the same should be true for confidential information. This argument suggests that the profits derived from exploiting derived information are somehow separate from the business of providing services to customers. It is far more likely that the cost of the cloud computing service is calculated on the basis that profits will be made from derived information, and thus the customer already receives a benefit from that activity in that the provider’s service charges are lower than they would otherwise have been.

All that can be concluded from this discussion is that there is real uncertainty as to whether a customer can use the law of confidence to prevent the provider creating derived information. The most obvious way to resolve this uncertainty is via the service terms – if the customer consents to this activity, there can be no suggestion that the provider is in breach of its obligations of confidentiality.

The position in respect of the customer’s IP rights (analysed in part 5 above) is much simpler. The provider will need to copy data at least temporarily in the course of processing for its data mining and related activities, and thus to the extent that the

43 Seager v Copydex Ltd [1967] 2 All E.R. 415, 417 per Lord Denning.

44 For a useful review of the cases see Robert Flannigan, “The (fiduciary) duty of fidelity” [2008] LQR

274.

18

customer owns copyright in that information the provider needs a licence to copy it. The provider will certainly have an implied licence to copy for the purposes of providing the service, but reliance on such an implied licence to copy for other purposes will be dangerous as the scope of the implied licence cannot be determined until a court addresses the matter. We anticipate that a provider who wishes to create derived data will take an appropriate licence in the terms of service.

If the provider has no licence, the jurisdiction in which the copying takes place becomes important. As we have seen in part 5, some types of information will attract copyright in one jurisdiction but not others. The applicable law for the purposes of infringement is the law of the jurisdiction where copying occurs and not of the jurisdiction in which the information was created, based on the national treatment provisions of the Berne Convention and WIPO Copyright Treaty.

If derived information is created without a licence to do so for the purpose of exploitation, exploiting the derived information will be an infringement if the information contains a substantial part of the customer’s copyright information. This is so even if that customer information forms only a very small part of the derived information as a whole – the test is the substantiality of what is copied, not of its relation to the new work which incorporates that information. 45 .

So far as database right is concerned, a licence will similarly be required for extraction or reutilisation of a substantial part 46 of the database if this occurs in a jurisdiction where database right subsists. However, it has been held by the European Court of Justice that the mere consultation of a database does not infringe database right. 47 The provider will thus only infringe if a copy of the whole or a substantial part is made for use by the data mining tools, or if a substantial part of the contents of the database is reutilised in the derived information.

6.2.2 Limits on use and exploitation

If the generation of derived data by the provider for the purpose of exploitation does not infringe the customer’s ownership rights, then the only further limitation on its use and exploitation is the obligation to preserve the customer’s confidentiality and trade secrets. It is assumed in this paper that no cloud computing service provider would deliberately exploit information which identified its customers, as this would be commercial suicide once the fact became known. This section therefore addresses the exploitation of anonymised derived information.

45 This principle is established in a long line of cases running from Scott v Stanford (1866-67) LR 3 Eq 718 to Independent Television Publications Limited & The British Broadcasting Corporation v Time Out Limited [1984] FSR 64.

46 The test for substantiality differs from the copyright test. If the part is not quantitatively substantial as a proportion of the whole, the qualitative test is not how important or commercially valuable the part is, but whether it represents a substantial proportion of the investment in making the database - British Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th November 2004 paras 71-2.

47 British Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th November 2004 para 74.

19

If it is not possible to discover from the derived information the identity of the customer or any other person to whom a confidentiality obligation is owed 48 , then there is little risk of a breach of confidentiality. The only danger might be that the derived information enabled a third party to discover confidential business or technical processes and re-use them. This danger is likely to be obviated if, as seems likely, providers derive information from their customer information as a collective entity, rather than on the basis of each individual customer.

However, anonymisation of data is not a complete safeguard against confidentiality breaches. In a recent paper Paul Ohm has alerted lawyers to advances in reidentification science, which uses the recombination of separate databases to build connections between items of data and thereby identify the person to whom they relate. 49 A service provider’s obligation is probably only to take reasonable care to preserve confidentiality 50 and not absolute, and so the provider will have fulfilled this obligation if the derived information can not, in the light of the state of technology at the time, foreseeably identify the customer via the use of reidentification technology. However, a wise provider will need to keep alert to new developments in reidentification, as a failure to adapt to new technologies can also amount to a failure to take reasonable care. 51

7. Conclusions and next steps

We have seen in this paper that the cloud computing relationship results in a patchwork of ownership rights, shared between the customer and the provider. Those rights derive from three areas of law – copyright, confidentiality and contract – which interact in complex ways to grant, modify or remove various aspects of ownership. It should by now be apparent that the patchwork is to some extent at odds with the likely expectations of both customers and service providers, and is at many points unclear as to the precise nature of ownership rights and who can exercise them. At least as far as business customers are concerned, appropriately drafted contracts appear to be the most effective mechanism to establish an appropriate scheme of ownership rights.

This paper has attempted to analyse the ownership position where there is no contract between the provider and customer, or where the contract does not deal with the particular ownership issue. As noted at several points, however, it is likely that the terms of service of cloud computing providers deal with some of these issues already. The next stage of this research will therefore be to analyse those terms to identify how far the issues raised in this paper are resolved through contract.

48 This might include the customer’s employees, clients or trading partners, as examples.

49 Paul Ohm, “Broken Promises of Privacy: responding to the surprising failure of anonymization” (forthcoming 57 UCLA Review), available via

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006.

50 Weld-Blundell v Stephens [1919] 1 KB 520.

51 The T.J. Hooper (1932) 60 F 2d 737 (ship-to-shore radio).

20

A second, and fundamentally important, issue to be investigated is the position of consumer users of cloud computing. 52 The information ownership rights of consumers will be affected by any contractual terms which reduce the ownership rights which they would otherwise have enjoyed by virtue of law. Cloud computing contracts with consumers will inevitably be contracts of adhesion, rather than individually negotiated, and consumer protection laws will affect the ability of service providers to modify the consumer’s rights through contract. Consumer ownership rights will also be greatly affected by the very different ways in which consumers use cloud computing services, and the complex norms of the user community as to what use may be made of the information accessible via the Cloud.

Chris Reed, November 2009

52 The expanded version of this paper will discuss the position of consumers’ information rights in detail. Further papers are planned as part of the Project, in which the wider consumer issues will be discussed and service provider terms will be analysed in depth.

21