Queen Mary University of London, School of Law

Legal Studies Research Paper No. 45/2010

Information “Ownership” in the Cloud

Chris Reed

Electronic copy available at: http://ssrn.com/abstract=1562461


Information “Ownership” in the Cloud
Chris Reed *

CCLS Legal Aspects of Cloud Computing Research Project >

Information is the life blood of any modern enterprise, so much so that information is
often one of the enterprise’s most valuable assets. Enterprises think of this
information as belonging to them, or in simple terms that they “own” it. Increasingly,
private individuals are using computing technology to generate information on a scale
which would previously have been unimaginable. They, too, think of this information
as belonging to them.

Of course, this assumption of ownership is not strictly accurate. Information in digital
form is generally not any kind of personal property unless it is recorded on a physical
object, in which case property rights relate to that physical object and not the
information itself. 1 However, information is subject to a combination of the laws of
intellectual property, confidence, privacy 2 and contract, among others, and the
composite effect of these laws gives the enterprise a level of control over its
information which is very similar to owning physical property. For convenience, this
will be referred to in this paper as ownership of the information, while recognising
that the term may not be strictly accurate.

The essence of cloud computing (see part 1 below for more detail) is that a customer
(who might be a business enterprise, or equally a consumer user) entrusts its own
digital information, together with that of third parties, to the cloud computing service
provider. The customer then uses technology and information in the cloud, made
available by the provider, to create further information. All this happens online, using
technology which is outside the control of the customer. Inevitably, ownership rights
are affected.

The research addresses three questions:

1. What are the expectations of those involved in a cloud computing relationship
about information ownership, and how closely does the current legal
framework match those expectations?

2. Does cloud computing generate new types of information, and if so how is that
information owned?

3. How does the allocation of ownership in the terms of service of the major
cloud computing providers deal with these issues?

* Professor of Electronic Commerce Law, Queen Mary University of London School of Law, Centre
for Commercial Law Studies. My thanks are due to my colleague Professor Christopher Millard for his
helpful comments on the draft of this paper.

> We gratefully acknowledge the generous financial support from Microsoft which has made this
project possible.

1 See e.g. Oxford v Moss [1979] 68 Cr App. R 183.

2 This paper does not discuss the privacy issues, which are addressed in other papers from the project.

This paper deals with some initial aspects of the first two of these questions; further
aspects, and the third question, will be examined in later versions of the paper.

The analysis in this paper concentrates on business use of cloud computing services in
order to produce the clearest possible analysis of the state of information ownership
which subsists under the law, prior to any modification of that position by terms of
service and other contracts. For this reason, reference to consumer use is largely
absent. This should not be taken to mean that consumer use of the Cloud is
unimportant – on the contrary, the vast majority of cloud computing is, at the time of
writing, undertaken by consumer users. Consumer use will be examined at a later
stage for two reasons:

• The initial ownership position, in the absence of contract terms modifying
ownership rights, is likely to be broadly similar for both business and
consumer users. However, the potential uses of cloud computing by
businesses are rather simpler than those which consumers undertake, and
thus concentrating on business use permits the analysis to be more easily
understood.

• The actual ownership rights of consumer users depend to a large extent on
the terms of their contracts with cloud computing service providers, and on
their express and implied agreements with other information owners and
users. A detailed exposition of consumer ownership of information must
therefore necessarily be delayed until an analysis of service provider terms
has been undertaken.

Readers should therefore be aware that this paper is very much an exploratory work,
and that the gaps in its coverage are to be filled at a later date.

1. Introducing the Cloud


Cloud computing comes in many forms, and encompasses a wide range of
technologies and services. A useful description of the core elements of cloud
computing is found in a recent research paper from the UC Berkeley Reliable
Adaptive Distributed Systems Laboratory:

Cloud Computing refers to both the applications delivered as services over the
Internet and the hardware and systems software in the datacenters that provide
those services. The services themselves have long been referred to as Software as
a Service (SaaS). The datacenter hardware and software is what we will call a
Cloud. When a Cloud is made available in a pay-as-you-go manner to the general
public, we call it a Public Cloud; the service being sold is Utility Computing. We
use the term Private Cloud to refer to internal datacenters of a business or other
organization, not made available to the general public. Thus, Cloud Computing is
the sum of SaaS and Utility Computing, but does not include Private Clouds.
People can be users or providers of SaaS, or users or providers of Utility
Computing. 3

This definition should be seen as illustrative only. Business models in this area are
constantly evolving, and our Legal Aspects of Cloud Computing Research Project is
working on a definition which more closely models the legal relationships which are
created within cloud computing. As an example, Private Clouds is a broader concept
than suggested here, and the legal aspects of Private Clouds provided by a third party
will certainly receive attention as part of the project.

This paper concentrates on two characteristics which are common to all varieties of
cloud computing:

• The user of the service (the “customer”) stores its information on computer
systems operated by the service provider, accessing those systems via the
internet.

• Customers process data, and thus create new information, using
applications and data made available by providers, again via the internet.

2. A 1930s thought experiment


A useful starting point for our examination of the problems of information ownership
might be to determine the expectations of the parties, and in particular of customers,
as to this matter. However, the wide range of cloud computing services means that
selecting any one of them for analysis is likely to encompass features which are not
shared with other services.

For this reason, we begin with a thought experiment, in which we invent a
conceptually similar service which operates only on hard copy documents. From that
experiment we deduce the probable expectations of the parties as to information
ownership, and then bring our deductions forward in time to apply them to cloud
computing.

2.1 The Efficient Office Corporation


Our experiment is set in the 1930s, to ensure that it remains untainted by any flavour
of digital computing technology. The service provider is the Efficient Office
Corporation (EOC), which has noticed that all the businesses in its city use at least
half of their premises to house staff whose function is to process and store documents,
rather than to carry out the core activities of those businesses. EOC’s aim is to provide
document processing and storage as a service, allowing businesses to reduce their
payroll count and either move to smaller premises or expand their business in existing
premises.

3 Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski,
Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, “Above the Clouds: A
Berkeley View of Cloud Computing” Technical Report No. UCB/EECS-2009-28 (10 February 2009) p
1, available from http://radlab.cs.berkeley.edu/.

The workings of the service are simply described:

• Suppose a letter is received by a customer which requires a reply. The
customer dictates a response onto a modern, high-tech wax recording
cylinder or writes it on paper. Then it is collected, along with the received
letter, by one of EOC’s staff of messenger boys who race around the city
on foot, bicycle and motorbike.

• At EOC’s building, the customer’s letter is typed up and sent out, and the
wax cylinder blanked for re-use or the customer’s handwritten note
discarded. A copy of the sent letter is filed along with the received letter in
EOC’s capacious basement.

• If financial information is involved, perhaps because the received letter
contains an invoice, EOC’s accounts department performs any necessary
calculations via its skilled mechanical computer operators and records the
information in the customer’s accounts ledgers which are also stored in the
basement.

• If the customer needs access to the information stored by EOC then a
telephone call will bring a messenger boy carrying a paper copy of the
information, which can be discarded once the customer has used the
information.

• Regular reports are made to the customer on matters such as payments to
be made, management accounts etc, and corporate documentation is
generated at the appropriate times without the customer needing to request
it.

2.2 Expectations about information ownership


If we asked EOC and its customers who owned the information which is processed,
generated and stored in the course of the service, it is likely that there would be a clear
consensus on most matters even if the service contract was silent on this point:

• Documents received by the customer, and then entrusted to EOC for
processing and safekeeping, would clearly be owned by the customer.
EOC’s role is merely to keep these documents safe, and deal with them as
instructed by the customer.

• Documents sent out by EOC on the customer’s behalf clearly belong to
their addressee as physical property. The intellectual property rights in
their contents will belong to the customer as author, rather than to EOC
whose role has been merely to produce them according to the customer’s
instructions.

• Documents generated by EOC as part of the service, such as copies of sent
letters, accounting records and the like, are more problematic. The parties
might need to ask their legal advisers who owns the documents in their
aspect as physical property. 4 However, they would surely agree that EOC
is obliged to use the documents only for the customer’s purposes, not to
disclose their contents to others, and to hand them over to the customer if
the service relationship ends. For all practical purposes, the customer
would expect to have de facto control over use of the documents, and EOC
would expect this also.

• Information produced by EOC for its own purposes, such as records of
collection and sending via its messenger boys, probably used for billing
and general management purposes, would clearly belong to EOC.
However, the customer would expect, and EOC would acknowledge, that
much of this information is confidential to the customer, and should not be
disclosed if the customer can be identified.

These expectations arise from three areas of law which we believe will also be
fundamental to cloud computing relationships: physical property law, the law of
confidence, and contract law.

It is noteworthy that, in our 1930s experiment, the law of copyright plays almost no
part. No doubt, were EOC to begin copying customer documents and disseminating
copies to outsiders, lawsuits based on copyright would be issued. As between the
customer and EOC, however, copyright would play little part in the question of
information ownership.

Once we fast forward to the 21st century and look at real cloud computing
relationships, it immediately becomes clear that the law’s allocation of ownership
rights (in the broad sense explained above) does not necessarily match the
expectations which the parties would have if physical documents were at issue. This is
because copyright comes to the fore, and alters the balance of ownership. It is,
however, our contention that the expectations, of customers at least, are likely to be
the same as in our thought experiment. The remainder of this paper analyses the
ownership position, and explains the legal mechanisms which can be used to ensure
that the parties’ ownership expectations are met.

3. Information flows in the Cloud


Before a legal analysis can be undertaken it is necessary to identify the information
whose ownership is at issue. This is a difficult matter in the Cloud, because its very
nature means that information is constantly being added and removed or modified,
and new information is being generated.

As a simplifying assumption, this paper will assume that all the information in which
we are interested is placed in the Cloud either by the service provider or by the
customer. This assumption may not always be true, either because the provider has
adopted a corporate structure under which related companies provide parts of the
service 5 or because the provider permits third parties to use its Cloud as a platform to
provide information services direct to the customer. However, all these entities will be
placing information in the provider’s Cloud by virtue of their legal relationship with
the provider, and it is not a gross over-simplification to treat that information (for the
purposes of this paper) as being placed in the Cloud by the provider. As we shall see,
it does not affect the analysis.

4 This question would only be important if EOC ceased trading, for example due to insolvency, or if the
relationship ended as a result of a dispute between the customer and EOC, as part of which EOC
refused to hand over these documents.

A conceptual map of the information flows in the provider/customer relationship
might look something like this:

Although this map is apparently complex, it can be further simplified as follows.

3.1 Information generated outside the Cloud


Much of the information at issue is generated outside the Cloud, and thus already has
an established ownership status before it is placed in the Cloud. 6 It seems reasonable
to assert that the expectation of all parties is that the mere fact of placing the
information in the Cloud should not alter its ownership status.

For the purpose of analysing ownership, this information can be further sub-divided
into two categories:

• Information generated by a party to the Cloud relationship, either the
customer or the provider.

• Information generated by a third party and placed in the Cloud via the
provider or customer.

As we will see in part 4.1 below, it is comparatively easy to determine ownership
rights in this class of information.

5 See e.g. Google Terms of Service para. 4.1, http://www.google.com/accounts/TOS.

6 It is worth noting that this is not necessarily true for consumer users. As examples, many millions of
sound recording files are shared on a daily basis via consumer cloud sites, as are the more than two
billion photographs that are uploaded every month on Facebook. Even if the initial ownership of these
files is theoretically ascertainable, in practice the complex norms of information sharing among
consumers mean that in practice their initial ownership is not ascertainable. We will return to this issue
in future versions of the paper.

3.2 Information generated in the Cloud

The question of who owns the information generated within the Cloud is more complex,
as the diagram below illustrates.

The main purpose of the cloud computing relationship is to enable the customer to use
the cloud technology to process information and thus generate outputs. However, in
doing so the customer may also generate know how or trade secrets, which are not set
out in any particular information output but reside in the data structures or processes
which the customer establishes through its use of the Cloud. 7 Thus in addition to the
discrete information outputs, we are also interested in the information which can be
derived or deduced from how the customer uses the Cloud.

The provider, too, will be generating information of various different types:

• All cloud computing service providers will collect information about the
operation of their systems and service for management purposes. Much of
this information will amount to know how or trade secrets belonging to the
provider.

• Customers will need to be billed for their use of the service, and thus the
provider will collect billing data which will certainly incorporate
information about the customer’s activities.

• Providers will also generate and store metadata 8 about the data
relationships between the customer’s data and applications and any
provider or third party applications or data. The purpose of producing this
information is both to enable or enhance the customer’s use of the service,
and also for the provider’s own management purposes.

• Finally, and most controversially, data mining 9 tools are available which
would allow the provider to trawl through customer information, either
individually or on a collective basis, and thereby generate new and
potentially valuable information. As a hypothetical example, a service
provider with a number of motor insurers as customers could mine their
data to extract information on the accident rates and types for different
makes and models of vehicle.

7 For example the customer might devise an innovative method of doing business, implemented wholly
or partly within the Cloud, and this would certainly be protected as confidential information or a trade
secret and in some jurisdictions might even be patentable.

The main distinction here must be based on the purpose for which the provider
generates information. Ownership and control issues are more pressing in relation to
information which the provider collects in order to exploit that information
commercially, at least where the exploitation involves the disclosure of the
information to others. Information generated for the provider’s own internal purposes
is likely to be less controversial, though it must be recognised that the provider might
subsequently decide that this information could also be exploited. Indeed, data mining
tools are sufficiently sophisticated that a provider might usefully include its internal
data together with customer data, in order to extract even more valuable information
from the mining process.

It should also be noted here that there is a third category of information generated in
the Cloud. This is information produced collaboratively between users, using tools
made available by the service provider and in some circumstances collaborating also
with the service provider or with third party information providers. Because the
majority of such collaborative generation is carried out by consumers, this issue will
be examined in a later version of the paper.

8 Metadata presents known privacy risks, and thus in many countries telecoms service providers are
limited in the metadata they can collect – see e.g. Directive 2002/58/EC of the European Parliament
and of the Council of 12 July 2002 concerning the processing of personal data and the protection of
privacy in the electronic communications sector, OJ L201/37 31 July 2002 Arts. 6 and 9. It is not
suggested in this paper that ownership rights are in need of regulation of this kind, but as part 6 below
demonstrates there are real risks to confidentiality which might not be adequately addressed through
contract, e.g. in the case of consumers. This point will form an element of future work on this topic.

9 See e.g. Jiawei Han & Micheline Kamber, Data Mining: concepts and techniques (2nd ed. Morgan
Kaufmann, San Francisco 2006).

4. Ownership of information generated outside the Cloud

As noted above, information generated outside the Cloud will already have an
established ownership status. Unlike our 1930s thought experiment, this information
is placed in the Cloud in purely digital form, rather than on some physical carrier, and
so in most jurisdictions it is unlikely that any question of personal property rights
arises. 10 Instead, we must look for ownership rights in three areas of law.

The first is intellectual property. IP rights are the main kind of property right which
might subsist in this information. This paper will concentrate on copyright and, in the
EU, database right as the rights most likely to be relevant. 11

National copyright laws across the world recognise that copyright subsists in works in
digital form, but differ in their conceptions of what constitutes a work. English law,
and the law of those countries whose law derives from England, protects all works 12
where sufficient labour, skill or judgment has been used in their creation. 13 There is
no requirement for creativity per se, but information will not be protected if its
creation required minimal effort 14 or if what is created is too minimal to be
recognised as a work. 15

Civil law countries, which protect authors’ rights rather than copyright, tend to
demand a minimum level of creativity to qualify for protection. Germany is perhaps
the clearest example, requiring there to be a creative step (Gestaltungshöhe) to
distinguish a work from mere information. 16 Prior to the EU Software Directive 17 the
German courts had held that some types of software (such as operating systems) were
functional, rather than creative, and were thus not protected by author’s right. 18 This
is still likely to be the position for purely functional information such as data tables.
Although a common law jurisdiction, US Federal law has rejected the “sweat of the
brow” test found in English law, and now requires a minimal level of creativity for
copyright protection. 19 However, the level of creativity required is lower than in, for
example, Germany. 20

10 Whether information can constitute personal property is still, to some extent, an open question.
English law seems clear that it cannot – Oxford v Moss, n 1 above, St Albans City and District Council
v International Computers Ltd [1996] 4 All ER 481. Ken Moon, “The nature of computer programs:
tangible? goods? personal property? intellectual property?” (2009) EIPR 396 suggests that the French
Civil Code has the potential to recognise personal property rights in intangibles whereas German law
does not, and also reviews the diverse US tax law decisions on this question.
For the purposes of this article we assume that national courts are unlikely to recognise personal
property rights in digital information, though it would obviously be sensible for cloud computing terms
of use to recognise the possibility that a court might do so at some future date.

11 Trade mark and patent rights may also subsist, but are less likely to be infringed by use of the
information in a cloud computing environment. The comments below about the role of contract in
relation to copyright apply equally to these rights.

12 With the exception of databases in England – Copyright, Designs and Patents Act 1988 s. 3(1)(a) as
amended by Copyright and Rights in Databases Regulations 1997 SI 1997/3032 reg. 5.

13 Ladbroke (Football) Ltd v William Hill (Football) Ltd. [1964] 1 WLR 273. A similar view is taken in
many other common law jurisdictions – see e.g. Desktop Marketing Systems Pty Ltd v. Telstra
Corporation Limited [2002] FCAFC 112 (Federal Court of Australia).

14 GA Cramp & Sons Ltd. v. Frank Smythson Ltd. [1944] AC 329.

15 See e.g. Exxon Corporation v. Exxon Insurance Consultants International Ltd. [1982] Ch 119 (no
copyright in the word “Exxon”), Hitachi Ltd. v. Zafar Auto & Filter House [1997] FSR 50, 58
(Copyright Board, Karachi, Pakistan; no copyright in the word “Hitachi”).

16 Brombeer Muster, BGH decision of 27 January 1983, 1983 GRUR 377.

17 Directive 91/250/EEC on the legal protection of computer programs, OJ L 122/42, 17 May 1991,
which requires a computer program to be the author’s “own intellectual creation” to qualify for
protection by copyright (art. 1(3)).

If the applicable law is that of an EU Member State then information in the form of a
database receives sui generis protection under the Database Directive. 21 For a
database 22 to qualify for this protection there must have been “qualitatively and/or
quantitatively a substantial investment in either the obtaining, verification or
presentation of the contents”. 23 If so, the maker of the database has the right “to
prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated
qualitatively and/or quantitatively, of the contents of that database”. 24 Protection lasts
for 10 years from first making the database available to the public or 15 years from its
creation, whichever is the shorter. 25

From this we can conclude that much of the information placed in the Cloud will be
protected by copyright or database right, though not necessarily all. The owner of
these IP rights will be the authors, or more likely the employers or assignees of
authors. Customer and provider will continue to own the IP rights in the information
they upload, subject to any contractual terms to the contrary; third party software
houses and database proprietors will similarly retain their pre-existing IP rights; and
so on.

The second field of law which is relevant is that relating to the protection of
confidential information or trade secrets. The international consensus on a minimum
level of protection is set out in Art. 39(2) of the Agreement on Trade-Related Aspects
of Intellectual Property Rights (TRIPS Agreement), which provides that protection
must be given to information which:

(a) is secret in the sense that it is not, as a body or in the precise configuration
and assembly of its components, generally known among or readily accessible
to persons within the circles that normally deal with the kind of information in
question;

(b) has commercial value because it is secret; and

(c) has been subject to reasonable steps under the circumstances, by the person
lawfully in control of the information, to keep it secret.

18 Inkasso-Programm, BGH decision of 9 May 1985, 1986 IIC 681; Betriebssystem, BGH decision of 4
October 1990, 1991 IIC 723.

19 Feist Publications Inc. v. Rural Telephone Service Company, Inc. 499 US 340 (1990).

20 BellSouth Advertising & Publishing Corp v Donnelly Information Publishing Inc. 933 F 2d 952 (11th
Cir. 1991) (holding that copyright subsists in Yellow Pages telephone directories because of the
minimal creativity in devising the business categories under which listings are set out).

21 OJ L77, 27 March 1996 p. 20.

22 ‘“Database” shall mean a collection of independent works, data or other materials arranged in a
systematic or methodical way and capable of being individually accessed by electronic or other means.’
Directive 96/9 on the legal protection of databases OJ L77, 27 March 1996 p. 20 art. 1(2).

23 Art. 7(1).

24 Art. 7(1), subject to the lawful user’s rights (Art. 8(1)).

25 Art. 10.

Many jurisdictions, including England, also protect non-commercial information
which is confidential in nature and has been disclosed subject to an obligation of
confidence, express or implied. 26

Much of the information in the Cloud, whether protected by IP rights or not, will be of
a confidential nature. So long as those involved in the cloud computing relationship
accept that they owe obligations of confidence to the owner of that information, the
owner will have a remedy against actual or anticipated unauthorised disclosure. Such
an obligation can arise because the information is imparted in circumstances where
the recipient would expect to be obliged to maintain confidence 27 , but is most
conveniently created by means of contractual terms. The continued maintenance of
confidence in the information is important because once the information becomes
known outside the confidential relationship it loses its protection 28 except, to some
extent, as against a wrongful discloser in breach of confidence. 29

As with IP rights, an owner’s rights of confidentiality will not be affected by placing
the information in the Cloud so long as the provider, and any others who thereby have
access to the information, are under an obligation to maintain its confidence. The
nature of cloud computing relationships would seem to suggest that the service
provider impliedly undertakes to maintain confidence in the customer’s information,
and this may be stated expressly in the terms of service. 30

26 Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41.

27 See e.g. Saltman Engineering v Campbell (1948) 65 RPC 203.

28 See e.g. Attorney-General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109, Public Systems Inc.
v Towry and Adams (Ala 1991) 587 So.2d 969 (Alabama, US).

29 Seager v Copydex [1967] RPC 349.

30 As ever, consumer use of cloud computing is likely to raise additional complexities because of the
very different norms prevailing in the user community. For business use there is typically a one-to-one
relationship between customer and provider, under which it is usually clear whether the provider has a
duty to maintain confidentiality.
However, in a service used predominately by consumers, such as Facebook, the user often maintains a
one-to-many relationship with “friends”, network members and others. Here the nature of the
provider’s confidentiality obligations is less obvious, because of the more open nature of the relations
between users. This will require further work to elucidate.

Finally, contract law plays a critical role in determining ownership rights through the
terms of service for the cloud computing relationship. For information generated
outside the Cloud, this contract can clarify the copyright and confidentiality
relationships in three ways:

• Acknowledging the IP rights that the various players own, and thus
preventing any question of implied licences 31 or equitable assignments of
IP rights arising.

• Granting to the players the licences of IP rights which are necessary for the
cloud computing relationship to operate. The customer will be using
software and data whose IP rights are owned by the provider or a third
party, and unlicensed use of that technology will infringe. Similarly, the
provider will be processing information in which the customer owns IP
rights, and will also require a licence.

Where third party software or data is made available, the rights owner is
likely to have licensed it to the provider on terms which place restrictions
on its use. The customer needs to be made aware of those restrictions to
avoid the risk of infringement, by both the customer and the provider, and
the terms of service are an obvious place for this to be done.

• Defining the obligations of confidentiality which each player owes to the
others, including any limitations on those obligations 32 and agreeing the
confidentiality position once the relationship terminates.

5. Information generated in the Cloud by the customer


Ownership of the information which the customer generates through use of the Cloud
will depend on both the type of information and, to some extent, on where it was
generated. This is most easily explained by examining three different types of output:
a written report; a database of numerical information about stock prices; and an
automated financial management report produced by accounting software running in
the Cloud.

All this information is likely to be confidential to the customer, and so the analysis of
the law of confidence in part 4 above applies equally here. There is likely to be little
significant difference based on the location where the information was generated.

31
The difficulty with implied licences is that, although the court’s analysis of the implied terms is
derived from the nature of the relationship between the parties, this analysis is carried out after the
event. By definition the court would not be asked to determine the licence terms if the parties had a
common understanding of the permitted uses within that relationship, and so one of them is certain to
be disappointed – see e.g. the Australian decision in Trumpet Software Pty Ltd v OzEmail Pty Ltd
[1996] 34 IPR 481 (Federal Court of Australia).
32
As an example, a provider may receive demands for access to information under law enforcement or
anti-terrorist legislation. Whether the provider intends to co-operate voluntarily or require a court order,
and how far the provider will inform the customer of the demand, are matters which could be explained
in the service terms.

For IP rights, however, the type of information and the place of generation can have a
substantial impact. For the sake of simplicity we assume the customer is resident in
England – the nature of the difficulties faced by a customer located in a different
jurisdiction should become apparent from this analysis.

• The written report will certainly be protected by copyright. The authors,
employees of the customer, are writing in England (a Berne Convention
signatory). Thus the report qualifies for copyright protection as a literary
work in all Berne Convention countries. The authors are employees of the
customer, and thus the customer will normally own copyright in the
report. 33

Copyright comes into existence when the work is created, which under
English law is when it is recorded. 34 However, the use of cloud computing
makes it uncertain where the work was created. The recording may have
taken place on one of the provider’s servers, which might well be located
outside England, or might have been produced and recorded initially on a
mobile device used by one of the customer’s employees outside England.
It seems likely that most jurisdictions will take the position that a work is
created when it is first recorded 35 , and if so the question precisely where
the human author or creator was located will not affect whether copyright
subsists in the report 36 though it might be relevant for other purposes. 37

• At first sight the IP rights in the database seem equally clear. The maker is
an English corporation, and if the database is recorded on a server located
in an EU Member State there is no question that valid database right
subsists. What, though, if the server is located in the US?

33
Copyright, Designs and Patents Act 1988 s. 11(2) for England. It seems universal that employers
own the economic rights in works created in the course of employment, though the position for moral
rights may vary.
34
Copyright, Designs and Patents Act 1988 s. 3(2).
35
For example, this is the position in the US under 17 USC §101 (definition of “created”).
36
The national treatment provisions of the Berne Convention depend on a work having a “country of
origin” in a Convention member state. If a work is unpublished, or first published outside the Berne
Union (this might arise if the work is created on a server in a non-Berne country), the country of origin
is that of which the author is a national and thus the place of recording is immaterial for the question
whether copyright subsists – Berne Convention art. 5(4)(c).
37
For example, the place of creation might be in a jurisdiction which imposes formalities requirements
on works created in the jurisdiction. A similar point arose recently in Moben v 335 LLC (unreported, D
Delaware 6 October 2009). A graphic work had been uploaded to a server in Germany, from which it
immediately became accessible world-wide. The defendant was sued in the US and argued that this
amounted to first publication in the US, which would prevent the action from being brought until the
plaintiff had registered copyright in the work in the US. The court held that first publication had
occurred on the server to which the work was uploaded, i.e. in Germany. If the relevant criterion had
been whether the work was created in the US, it seems likely that the court would have adopted the
same approach and held that its creation occurred in Germany.

The database consists of factual information, and unless there is some
creativity in its structure the effect of the US Supreme Court decision in
Feist 38 is that the database is not protected by copyright under US law. For
database right to subsist 39 , the Database Directive would have to be
interpreted to mean either:

a. That “making” occurs where the maker is physically located,
irrespective of the geographical location where recording of the
database takes place. The wording of Art. 11(3), which refers to
databases “made in third countries”, suggests that “making” has a
geographical location. However, it does not help to decide whether the
location is the place of the maker or the place of recording (and at the
date the Directive was enacted it is unlikely that the legislators
envisaged that these two places might be different).

b. That the place where the “making” occurs is not legally relevant, the
question being whether the maker is a national of or is habitually
resident in an EU Member State as required by Art. 11(1) & (2). This
approach would produce somewhat unexpected consequences – for
example, a UK national who had been resident in China for several
years and created a database there would benefit from database right if
unauthorised extraction or reutilisation occurred in an EU country. The
wording of Art. 11(3) could suggest that this was not the intended
interpretation, but Art. 11(3) applies only to mutual recognition of
equivalent rights granted by third countries and so the geographical
wording could be confined to that subsection only.

Unless and until this point comes before the courts, there must be
uncertainty whether a database recorded on a non-EU server attracts any
database right protection, and thus whether its maker has any IP rights at
all.

• The automated financial management report again raises complex
geographical and jurisdictional issues because there is no international
consensus whether such reports attract IP rights. English law would
certainly protect the report as a literary work. Most likely it would be
treated as a work of authorship, on the basis that the English customer was
using the accounting software as a tool to create the report. This reasoning
was adopted in Express Newspapers plc v Liverpool Daily Post & Echo
plc, 40 where the court decided that grids of letters for use in prize draws
were authored by the programmer who wrote the software to produce the
grids. However, in that case the author actually wrote the software – in our

38
See note 19 above.
39
It is worth noting that if database right subsisted, this would give the customer a remedy in respect of
any acts of unauthorised extraction or reutilisation which took place in an EU Member State, but would
not of course give any remedy against these acts occurring in the US where there is no database right.
40
[1985] FSR 306.

example the customer will merely have adjusted the software settings to
determine the dates on which reports should be produced and what
information they should contain, and thereafter the software will keep
producing reports until the settings are changed. This input to the process
is so minimal that a court might find it hard to identify the element of
labour, skill or effort which English law requires for authorship.

If so, English law would still protect the report as a “computer-generated
work” under s. 9(3) of the Copyright, Designs and Patents Act 1988. The
author would be “the person by whom the arrangements necessary for the
creation of the work are undertaken.” Although the provider has made
many of the necessary arrangements, by providing access to the Cloud and
making the software available, it seems to us that an English court would
identify the customer’s actions in configuring the software as the final, and
thus the necessary step, though this point has not yet come before the
courts.

Most jurisdictions have no concept of computer-generated work, and thus
the question whether copyright subsists in the report will depend on the
local courts’ view as to whether the customer is the author, merely using
the software as a tool. Even if this constitutes authorship in a particular
jurisdiction, the report might still not attract copyright because it is
insufficiently creative to constitute a work (see the discussion in part 4
above).

Contract law is, unfortunately, of little use in resolving these uncertainties. The terms
of service could state that certain categories of information produced by the customer
are protected by copyright or database right, but this would not actually confer these
IP rights if, as a matter of law, they did not subsist in the information. Such a contract
term would, of course, be binding as between provider and customer, but its legal
effect would be uncertain. The applicable law might treat this term as a promise to
treat the customer’s information as if the stated IP rights subsisted, in which case a
provider who did not do so would be in breach of contract. Alternatively the term
might merely act as an estoppel, preventing the provider from denying that the IP
rights subsisted, and this might not be enough to give the customer a right of action
against the provider. 41

Contract could clarify matters, though only as between customer and provider, if the
terms of service were drafted so as to replicate the desired IP rights as contractual
obligations. 42 Such a contract would be complex to draft and would probably need to
be individually negotiated for each customer/provider relationship.

41
For example, even if the contract stated that the provider acknowledged that database right subsisted
in the customer’s databases, this would not give the customer any claim if the provider’s unauthorised
extraction and reutilisation took place on a non-EU server.
42
The jurisdictional problems when considering infringement of IP rights are complex and uncertain –
see Paul Edward Geller, “Rethinking the Berne-plus framework: from conflicts of laws to copyright
reform” (2009) EIPR 391.

6. Information generated in the Cloud by the provider

6.1 Generation for the provider’s internal purposes

Information generated by the provider for its own internal purposes, such as billing or
management of its Cloud, will belong to the provider in the same manner that
information generated by the customer belongs to the customer. The analysis in part 5
above thus applies equally here. If the provider’s Cloud spans multiple jurisdictions,
the same uncertainties about subsistence of IP rights are likely to arise.

An additional complication arises because much of this provider information relates
to the customer’s information and activities, and as we have already seen that
information is likely to be subject to an obligation of confidence. If the provider-
generated information is used only for the provider’s internal purposes there is no
question of breach of this obligation. The primary obligation is against disclosure, and
to the extent that the applicable law imposes restrictions on the provider using that
information for its own purposes, a licence to do so would surely be implied because
the use of this information is necessary for the effective operation of the cloud
computing relationship with the customer.

In any event it is likely that the service provider will use the service terms to obtain all
the licences from the customer which are necessary for the operation of the service,
and so the primary concern of both parties in respect of this information is likely to be
preventing unauthorised disclosure.

6.2 Exploitation of derived information


As we have seen above, the service provider will generate information for its internal
purposes which is derived from the customer’s information and activities. We have
also noted that the provider has the ability to use data mining and other tools to extract
further information from its collection of customer data. This raises two questions:
will the production of such information infringe the customer’s ownership rights, and
does the customer have any control over the use of this information, in particular any
commercial exploitation?

6.2.1 The customer’s rights

In order to produce this derived information the provider will need to process
customer information, and information it has collected based on customer activities.
Clearly, if there are any contractual restrictions on doing so the provider will need to
comply with those obligations. If the provider is acting within the terms of its
contracts with customers, the laws of confidence and copyright come into play.

The law of confidence imposes on the provider a duty not to disclose that information
in breach of confidence. Potentially it also goes further, requiring the provider to
observe:

…the broad principle of equity that he who has received information in
confidence shall not take unfair advantage of it. 43

Clearly the provider intends to benefit from the derived information, but does this
amount to unfair use of customers’ confidential information? The case law on this
point is unhelpful because the alleged breaches in those cases have all fallen into three
classes: disclosure to a third party; use of the information to compete with the
confider; or use to make a profit which could have been made by the confider. 44 The
cloud computing service provider’s activities in creating and exploiting derived
information fall into none of these.

It seems to us that there are two arguments which might be advanced in favour of the
proposition that this conduct takes unfair advantage. The first is based on
concealment; if the provider does not inform the customer that its information will be
used in this way, that failure amounts to unfair conduct in the context of the
confidential relationship. The weakness of this argument is that in a commercial
relationship confidential information is regularly shared, but without commensurate
disclosure by the parties about their business plans and how they intend to use that
information. Confidentiality clauses in commercial contracts concentrate on the
preservation of confidentiality against third parties, and do not normally restrain the
recipient’s use of that information to conduct its own business activities. The
argument might perhaps be more persuasive in the case of a consumer customer,
whose expectations are likely to be different from a commercial customer and will be
formed by the disclosures of the provider as to what uses will be made of the
customer’s confidential information. The second argument is based on the quasi-
proprietary nature of confidential information. A bailee of personal property who uses
it for his own purposes, particularly to make a profit, might reasonably expect to
require the bailor’s consent to do so, and the same should be true for confidential
information. This argument suggests that the profits derived from exploiting derived
information are somehow separate from the business of providing services to
customers. It is far more likely that the cost of the cloud computing service is
calculated on the basis that profits will be made from derived information, and thus
the customer already receives a benefit from that activity in that the provider’s service
charges are lower than they would otherwise have been.

All that can be concluded from this discussion is that there is real uncertainty as to
whether a customer can use the law of confidence to prevent the provider creating
derived information. The most obvious way to resolve this uncertainty is via the
service terms – if the customer consents to this activity, there can be no suggestion
that the provider is in breach of its obligations of confidentiality.

The position in respect of the customer’s IP rights (analysed in part 5 above) is much
simpler. The provider will need to copy data at least temporarily in the course of
processing for its data mining and related activities, and thus to the extent that the

43
Seager v Copydex Ltd [1967] 2 All E.R. 415, 417 per Lord Denning.
44
For a useful review of the cases see Robert Flannigan, “The (fiduciary) duty of fidelity” [2008] LQR
274.

customer owns copyright in that information the provider needs a licence to copy it.
The provider will certainly have an implied licence to copy for the purposes of
providing the service, but reliance on such an implied licence to copy for other
purposes will be dangerous as the scope of the implied licence cannot be determined
until a court addresses the matter. We anticipate that a provider who wishes to create
derived data will take an appropriate licence in the terms of service.

If the provider has no licence, the jurisdiction in which the copying takes place
becomes important. As we have seen in part 5, some types of information will attract
copyright in one jurisdiction but not others. The applicable law for the purposes of
infringement is the law of the jurisdiction where copying occurs and not of the
jurisdiction in which the information was created, based on the national treatment
provisions of the Berne Convention and WIPO Copyright Treaty.

If derived information is created without a licence to do so for the purpose of
exploitation, exploiting the derived information will be an infringement if the
information contains a substantial part of the customer’s copyright information. This
is so even if that customer information forms only a very small part of the derived
information as a whole – the test is the substantiality of what is copied, not of its
relation to the new work which incorporates that information. 45

So far as database right is concerned, a licence will similarly be required for
extraction or reutilisation of a substantial part 46 of the database if this occurs in a
jurisdiction where database right subsists. However, it has been held by the European
Court of Justice that the mere consultation of a database does not infringe database
right. 47 The provider will thus only infringe if a copy of the whole or a substantial part
is made for use by the data mining tools, or if a substantial part of the contents of the
database is reutilised in the derived information.

6.2.2 Limits on use and exploitation

If the generation of derived data by the provider for the purpose of exploitation does
not infringe the customer’s ownership rights, then the only further limitation on its use
and exploitation is the obligation to preserve the customer’s confidentiality and trade
secrets. It is assumed in this paper that no cloud computing service provider would
deliberately exploit information which identified its customers, as this would be
commercial suicide once the fact became known. This section therefore addresses the
exploitation of anonymised derived information.

45
This principle is established in a long line of cases running from Scott v Stanford (1866-67) LR 3 Eq
718 to Independent Television Publications Limited & The British Broadcasting Corporation v Time
Out Limited [1984] FSR 64.
46
The test for substantiality differs from the copyright test. If the part is not quantitatively substantial
as a proportion of the whole, the qualitative test is not how important or commercially valuable the part
is, but whether it represents a substantial proportion of the investment in making the database - British
Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th November
2004 paras 71-2.
47
British Horseracing Board Ltd and Others v William Hill Organization Ltd, Case C-203/02 9th
November 2004 para 74.

If it is not possible to discover from the derived information the identity of the
customer or any other person to whom a confidentiality obligation is owed 48 , then
there is little risk of a breach of confidentiality. The only danger might be that the
derived information enabled a third party to discover confidential business or
technical processes and re-use them. This danger is likely to be obviated if, as seems
likely, providers derive information from their customer information as a collective
entity, rather than on the basis of each individual customer.

However, anonymisation of data is not a complete safeguard against confidentiality
breaches. In a recent paper Paul Ohm has alerted lawyers to advances in
reidentification science, which uses the recombination of separate databases to build
connections between items of data and thereby identify the person to whom they
relate. 49 A service provider’s obligation is probably only to take reasonable care to
preserve confidentiality 50 and not absolute, and so the provider will have fulfilled this
obligation if the derived information cannot, in the light of the state of technology at
the time, foreseeably identify the customer via the use of reidentification technology.
However, a wise provider will need to keep alert to new developments in
reidentification, as a failure to adapt to new technologies can also amount to a failure
to take reasonable care. 51

7. Conclusions and next steps


We have seen in this paper that the cloud computing relationship results in a
patchwork of ownership rights, shared between the customer and the provider. Those
rights derive from three areas of law – copyright, confidentiality and contract – which
interact in complex ways to grant, modify or remove various aspects of ownership. It
should by now be apparent that the patchwork is to some extent at odds with the likely
expectations of both customers and service providers, and is at many points unclear as
to the precise nature of ownership rights and who can exercise them. At least as far as
business customers are concerned, appropriately drafted contracts appear to be the
most effective mechanism to establish an appropriate scheme of ownership rights.

This paper has attempted to analyse the ownership position where there is no contract
between the provider and customer, or where the contract does not deal with the
particular ownership issue. As noted at several points, however, it is likely that the
terms of service of cloud computing providers deal with some of these issues already.
The next stage of this research will therefore be to analyse those terms to identify how
far the issues raised in this paper are resolved through contract.

48
This might include the customer’s employees, clients or trading partners, as examples.
49
Paul Ohm, “Broken Promises of Privacy: responding to the surprising failure of anonymization”
(forthcoming 57 UCLA Review), available via
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006.
50
Weld-Blundell v Stephens [1919] 1 KB 520.
51
The T.J. Hooper (1932) 60 F 2d 737 (ship-to-shore radio).

A second, and fundamentally important, issue to be investigated is the position of
consumer users of cloud computing. 52 The information ownership rights of
consumers will be affected by any contractual terms which reduce the ownership
rights which they would otherwise have enjoyed by virtue of law. Cloud computing
contracts with consumers will inevitably be contracts of adhesion, rather than
individually negotiated, and consumer protection laws will affect the ability of service
providers to modify the consumer’s rights through contract. Consumer ownership
rights will also be greatly affected by the very different ways in which consumers use
cloud computing services, and the complex norms of the user community as to what
use may be made of the information accessible via the Cloud.

Chris Reed, November 2009

52
The expanded version of this paper will discuss the position of consumers’ information rights in
detail. Further papers are planned as part of the Project, in which the wider consumer issues will be
discussed and service provider terms will be analysed in depth.
