On the Applicability of the Common European Sales Law to some Models of Cloud Computing Services

On the Applicability of the Common European Sales Law to some Models of Cloud Computing Services

Clarice Castro [1], Chris Reed [2] and Ruy de Queiroz [3]

Cite as: Castro, C., Reed, C. & de Queiroz R., "On the Applicability of the Common European Sales Law to some Models of Cloud Computing Services", European Journal of Law and Technology, Vol. 4, No. 3, 2013.

Abstract

The draft Regulation on a Common European Sales Law (CESL) proposes the introduction of a sui generis regime for the implied terms in contracts for the supply of digital content. The question which this article explores is how far that regime might extend to cloud computing contracts with an EU element.

Because CESL is an opt-in law, those who draft the terms for cloud contracts (almost always cloud service providers) will only choose to adopt the CESL regime if it has advantages over choosing a single national law. There are many potential advantages, in particular the reduction of uncertainty whether a choice of law is valid, and what the implied terms might be under that national law. Additionally, there would be no need to localise contracts for those countries where a different choice of national law risks being invalid. But these advantages will only be achieved in reality if CESL makes adequate provision for cloud transactions.

Unfortunately the CESL's definition of digital content is simultaneously both too vague, and too specific. It is vague because it relies on concepts like "supply" and "access" whose definitions are themselves not clear, and excludes "mixed purpose" contracts. Thus there is real uncertainty how far cloud services which make available streamed content can fall within the definition, and whether a bundle of services which, for example, includes both digital content together with the tools to generate new content therefrom, might be excluded as being mixed purpose. The definition is too specific because it concentrates on the method of delivery, rather than the nature of the content and the purpose for which it is made available. If the content made available falls outside the definition, then the choice of CESL is invalid and there is no choice of law at all - the worst possible result!

Our proposed solution is to recognise that technical certainty is unachievable in a field of activity which is changing so rapidly. Mixed purpose contracts should not be excluded, and instead the test should be whether the primary purpose of the contract is to supply digital content. "Supply" should be left undefined in technical terms, but instead defined in terms of the ability of the customer to use the content in a similar way to which the customer could use goods. The vagueness thus deliberately introduced could be clarified by means of regularly updated guidelines as to the meaning of "digital content". This might reduce the uncertainties to a level which would persuade cloud service providers to adopt CESL for their EU-related cloud contracts.

1. Introduction

Despite the importance of the growing digital economy market, where distribution and access of digital content has become an essential aspect of business and consumer life, until recently the regulation of digital content did not attract the attention of many countries. Although during the last few years an increasing amount of literature has become available on this matter [4] it is still evident that in the majority of European Union (EU) Member States there has been little or no revision of existing legislative measures to adapt them to the supply of digital content.

For this reason, there is a long-standing uncertainty in domestic law in EU Member States over the terms in contracts for the supply of digital content. Should these be treated like services, like goods, or something sui generis? Additionally, in more recent times the means of access to digital content involves, not only the tangible medium, but also download, stream or cloud computing. As digital content increasingly moves to the cloud, and thus ceases to be supplied on physical media, the uncertainty gets worse.

In October 2011, the European Commission published a proposal for a Regulation on a 'Common European Sales Law' (CESL). [5] The CESL aims to provide a new regime of contract law applicable in all 27 Member States, harmonising European sales law in the European Union (EU). The material scope of the proposed CESL includes three different kinds of contract; sale of goods, supply of digital content and provision of related services (or a combination of them). The explicit inclusion of provisions for the supply of digital content contracts arguably represents one of the major advances and the most innovative aspects of this new proposal.

This draft Regulation has implicitly paid attention to some of the issues that are important to the continuous development of cloud services and digital consumer protection. The proposed CESL follows the approach that a sui generis regime is necessary for digital content contracts. It abandons the good versus service categorisation, and tangible versus intangible dichotomy that have been presented in digital content contracts thus far. Therefore, without adopting these narrow classifications, it was able to extend the vast majority of rights and remedies applied for the sale of goods contract to the contract of supply of digital content.

However, CESL was met with strong opposition from various professional bodies in the United Kingdom, and also in Europe. [6] One objection that is indeed pertinent to the present study was raised, among others, by the Law Society of England and Wales, [7] which has challenged the applicability of CESL to some cloud services.

In this paper we argue that CESL can be applicable to some types of cloud service which involve the supply of digital content. We question, though, whether the cloud service providers will be persuaded to adopt this optional instrument in their cross-border cloud transactions. We contend that it will be chosen by the providers only if it reduces uncertainty to their cloud contracts.

We begin by reviewing some key concepts related to cloud computing services to determine the different types of services available. Given the optional nature of the CESL we then analyse the motivations for a cloud computing provider to adopt this legal framework. Next, we examine the problem of vagueness of some of the concepts such as 'goods', 'digital content', 'supply of digital content' and 'related services' in Article 2 of the Regulation. Subsequently, the article offers a critical view of the possibility of applying the CESL to some cloud computing services, when a supply of digital content takes place. Later, it points out some of the difficulties related to the uncertainties present in the CESL which, if not fixed, will not attract the adoption of the CESL to cloud services providers. Finally, it briefly suggests some ways to fix these problems.

2. Key aspects of cloud computing

Currently there are many definitions of cloud computing. One which is commonly cited is provided by the United States Government's National Institute of Standards and Technologies (NIST), as follows:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [8]

Some cloud computing definitions concentrate on the delivery and the provision of services. For instance, Goundar states that it refers to both the applications delivered as services over the Internet and the hardware and software systems that provide services in the datacentres. [9]

Jeremy Newton describes cloud computing as a service, essentially highlighting its function as a utility model of computing:

Cloud computing involves the delivery of computing facilities as a service over the internet, with access to shared resources (like computer and data centres) located in different locations, and perhaps ultimately controlled by different entities. It is intended to be a kind of 'utility' model of computing, where the user can buy computing capacity as he needs it, without infrastructure costs of purchasing and implementing a system specifically for himself. At the heart of the model is the idea that hardware and software will be provided remotely as a service. [10]

In general, there are three types of services for users: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). When cloud computing takes the form of SaaS, it refers to applications that are designed for end-users, delivered over the web, which provide functionality akin to an end-user application. [11] Some examples include Facebook, [12] MySpace [13] and GoogleDocs. [14] However, a set of tools and services is required to code and deploy those applications in an efficient way. Hence, PaaS is the environment for developing, maintaining and evolving scalable applications. PaaS describes a computing platform that is rented or delivered as an integrated solution or service through an Internet connection. These services offer remote access to development platforms for software. Google App Engine [15] and Force.com [16] are typical examples.

IaaS delivers computer infrastructure on an outsourced basis to support enterprise operations. Typically, it provides hardware, storage, servers and data centre space or network components, although it may also include software. Therefore, the consumer uses fundamental computing resources, such as processing power, data storage, networking components or middleware that is available through an IaaS. These services offer remote computing and storage services. Some examples include: Amazon Web Service (AWS), [17] and SQL Azure. [18]

Further, the cloud applications may use a PaaS or an IaaS as the base, making it dependent on other cloud providers. For example, FinancialForce is a full SaaS application delivered on a subscription basis and developed on salesforce.com's cloud computing platform (PaaS), Force.com. [19]

Given the importance of the cloud computing economy, it is worth investigating the motivation for cloud service providers to adopt the optional CESL legal framework for the cloud computing transactions when it involves the supply of digital content.

3. Why might cloud service providers adopt the CESL?

According to the Preamble of the CESL, among the major obstacles in business-to-consumer (B2C) and in business-to-business (B2B) transactions in Europe is dealing with the increased legal complexity in cross-border trade and with multiple national contract laws having different characteristics. Therefore, the Proposal, in principle, does not intend to interfere with national contract law as it is only applied to cross-border agreements. It may be used for B2C or for B2B contracts. However, if all the parties are traders, one must be a small or medium-sized enterprise (SME). [20] These cross-border agreements involve parties located in different countries at the time of the contracting, in which at least one is a Member State. It is worth mentioning that the Preamble of the CESL states that the proposal 'does not discriminate against parties from third countries who could also choose to apply the CESL as long as one party to the contract is established in a Member State'.

For the purpose of this paper, the most relevant aspect of the Regulation to be discussed is its optional nature and the possibility of its adoption by the service providers. According to Article 3 it only applies when the parties agree that this new instrument will rule their contracts. If the parties on a voluntary basis agree on CESL, it will replace the parties' national law.

Some critique has been expressed regarding this opt-in solution chosen by the Commission. [21] Ole Lando draws some attention to the fact that opt-in models have not been used much in B2B transactions. He suggests that the CESL may suffer the same fate. Among other reasons for that, the traders will only adopt the CESL if they can induce their contract parties abroad to opt into this instrument. However, it will be difficult as their trader parties may be hesitant to use a new legal regime which has not been tested over some period of time. [22]

As far as cloud computing transactions are concerned, some scepticism has to be expressed in relation to the optional nature of B2C or B2SME agreements. The CESL proposes default terms for the supply of digital content. These terms are voluntary, and for B2C/B2SME transactions, the decision on what terms to use will always be made by the cloud service provider because these are necessarily standard form contracts. No business can successfully manage a set of low value contracts whose terms are all different, and in any event the low fees charged for these types of cloud computing service cannot support the costs of negotiating terms.

So why should a cloud service provider adopt the CESL for its standard terms? This question is particularly relevant for cloud service providers located outside the EU but dealing with EU customers, and indeed the majority of the major cloud service providers are US corporations or divisions of US corporations.

So far as dealings with business customers is concerned, there are no real advantages to choosing CESL. Choice of law and jurisdiction clauses are normally valid and enforceable in B2B contracts, and as the service provider's standard terms will normally be written on the basis of its home country law, a choice of that law is appropriate and sensible.

However, this is not true for B2C dealings with EU residents. In such dealings a choice of law other than that of the customer's state of residence is likely to be unenforceable, or at best only partially effective. [23] In these circumstances, choosing CESL as the applicable law has two potential advantages.

The first is a reduction of uncertainty to the provider about its non-excludable obligations under the applicable law. Few national laws contain a definitive statement of the obligations of a provider of online services and content, and thus there is a real risk that the courts will invent standard terms for digital content supplied via the cloud. This has already happened for software in the UK case of International Computers Ltd. (ICL) v St Albans City, [24] and there is no way to predict what the courts might invent.

Secondly, considerable simplification may be obtained with the adoption of the CESL in the cross-border transaction since the cloud service providers will only need to produce one set of standard terms for B2C dealings throughout the EU. The alternative is for the provider to adapt its standard contracts to the different consumer mandatory rules in every country, a costly and time-consuming exercise.

However, although the CESL is certainly capable of applying to some cloud offerings, it does not apply to all cloud commercial activities. Hence, a comprehensive analysis is necessary to define the scenarios where the cloud transactions can be governable by the CESL. In the next section this investigation will be provided.

4. Which cloud computing transactions are capable of governance by the CESL?

The critical questions to be answered in the present section relate to whether some cloud computing transactions are capable of governance by the CESL and which models of cloud services could be framed as a contract for the supply of digital content under it. In order to clarify these challenges, it is necessary to begin reviewing some of the key definitions listed in Article 2 of the Regulation, namely, 'goods', 'sales contracts', 'digital content', 'supply of digital content' and 'related services'. Concomitantly, an investigation on which models of cloud services are capable of governance by the CESL will be made according to this new Proposal. Lastly, it shows some difficulties for the application of CESL to some kinds of SaaS, PaaS and IaaS.

Article 2(h) of the Regulation identifies 'goods' with 'tangible movable items'. It is commonplace that 'tangibility' means something that can be touched and has a physical presence. Any cloud transaction is predominantly intangible. Therefore, it falls outside the definition of 'goods' established by CESL. In consequence, considering that a 'sales contract' as defined in the first part of Article 2 (k) of the CESL also involves the transfer of the ownership of the goods from the trader to the buyer, the rules relating to 'sales contracts' are not applicable to cloud transactions. Even if digital content were classified as goods, the transference of ownership of digital content usually does not occur in cloud transactions. [25]

Furthermore, 'sales contracts' also require that '… the buyer pays or undertakes to pay the price thereof…' It is worth noting that some cloud services are complimentary, i.e. they are advertised as being free of charge, such as gmail, googledocs and so on. Although service providers benefit in new ways from these contracts, such as the access to personal data of the customer that can be used for trader advertisements or for later purchase of other services, these supposedly gratuitous cloud services would not be acceptable under the definition of 'sales contract' under the CESL.

For these reasons, cloud computing services fall outside the definitions of 'goods' and of 'sales contract' accepted by CESL.

CESL defines digital content in Article 2 (j) as:

data which are produced and supplied in digital form, whether or not according to the buyer's specifications, including video, audio, picture or written digital content, digital games, software and digital content which makes it possible to personalise existing hardware or software.

Within the definition of the 'contract for the supply of digital content' in Article 5 we find some further description of digital content:

The Common European Sales Law may be used for:

(b) contracts for the supply of digital content whether or not supplied on a tangible medium which can be stored, processed or accessed, and re-used by the user, irrespective of whether the digital content is supplied in exchange for the payment of a price.

These definitions are finally complemented by the explanatory text in Recital 17:

In order to reflect the increasing importance of the digital economy, the scope of the Common European Sales Law should also cover contracts for the supply of digital content. The transfer of digital content for storage, processing or access, and repeated use, such as a music download, has been growing rapidly and holds a great potential for further growth but is still surrounded by a considerable degree of legal diversity and uncertainty. The Common European Sales Law should therefore cover the supply of digital content irrespective of whether or not that content is supplied on a tangible medium.

Firstly, it is worth underlining that the proposed CESL solves the problematic issue related to digital content being classified strictly either as a product or as a service. Indeed, Article 2 (j) concedes digital content as any 'data which are produced and supplied in digital form, whether or not according to the buyer's specifications'. Hence it acknowledges that digital content can be produced and supplied either as a standard item, which is similar to a good, or according to the buyer's specification, thus a custom made item, which would normally be classified by the law as a service.

Secondly, the problem of tangibility, which makes existing legal distinctions between goods and services so problematic in the digital world, is clearly eliminated in Article 5 (b). This is supplemented by Recital 17, when it says that CESL, 'should therefore cover the supply of digital content irrespective of whether or not that content is supplied on a tangible medium'. As a result, CESL may be used for contracts for the supply of digital content whether or not supplied on a tangible medium in the same way.

In spite of these innovations, the CESL definition of digital content is unnecessarily vague, and therefore somewhat confusing. This has critical effects for the applicability of CESL in those cloud transactions which involve the supply of digital content in particular. And, as noted earlier, if these uncertainties in the CESL definitions are maintained, as far as cloud services are concerned, this new instrument is doomed to fail.

One of the tricky questions concerns the lack of a definition for the term 'access' when Article 2 (j) is defining digital content. Digital content is 'data which are produced and supplied in digital form', and some commentators interpret the word 'supply' to mean that the customer must actually receive a copy of the content in its entirety, rather than simply being permitted to use it remotely. It is for this reason that Ortiz and Viscasillas suggest that the definition, if read literally, would immediately exclude SaaS and other cloud computing services. For them, the first part of Article 2 (j) should include 'data which are produced, supplied or made available in digital form', or '… list cloud computing expressly in the definition or implicitly by stating that digital content includes applications that are hosted by the business and that are made available to the consumer over the network' [26] (bold letters added).

Nevertheless, as far as this criticism is concerned, we have a different opinion. The definitions offered in Article 2 (j) and Article 5 (b), complemented by Recital 17, need to be read together and systematically as it gives a solution to the lack of defined terms in Article 2 (j). Note that in Article 5 (b), the legislator explicitly complements the definition of Article 2 (j), applying the law to 'contracts for the supply of digital content whether or not supplied on a tangible medium which can be stored, processed or accessed...'. In addition, Recital 17 refers to: 'The transfer of digital content for storage, processing or access…' (bold letters added). In other words, the term 'access' included in Article 5 (b) is enough to admit some SaaS services that are made available to users through their access over the Internet, or even, for example, transactions where music files are stored on a remote server and users access them.

However, it seems pertinent to highlight that the problem of ambiguity in the digital content definition remains in relation to streaming. According to Article 5 (b), the supply of digital content involves the obligation of being '…stored, processed or accessed, and re-used by the user…' (bold letters added). Apparently, one of the requirements is that the digital content can be re-used and in the core of the notion of a stream it is clear that it is 'written to temporary storage and disappears after viewing.' [27] From a literal interpretation, where all the digital content is provided, transferred or accessed through a stream, CESL could not be applicable. Nevertheless, we would argue that Article 5 (b) needs to be interpreted as making a distinction between two types of digital content:

  1. Content made available in streaming form on a one-off basis e.g. a live webcast of a concert or sporting event.
  2. Content made available via streaming in such a way that the customer can access and use it multiple times, such as music service Spotify which allows its users to listen to the same track time and again.

For ease of reference we will refer to all these activities as 'consumption' of the content.

It is clear that according to Article 5 (b), the first category falls outside the scope of the Regulation. Streamed content like a live webcast can only be consumed immediately and in real time, and is not available for re-consumption on further occasions. However, our second category would include content which is only accessible via streaming, but which can be streamed as many times as the customer wants. We argue that content of this kind was intended to fall within the scope of the CESL, and that the wording of Articles 2 and 5 and Recital 17 suggests that it does so.

It seems to us that the CESL aims to apply sale of goods principles to digital content transactions which are 'like' the sale of goods. The test for similarity is the ability to use and reuse at will. [28] Article 2 (j) excludes a number of services, all of which are clearly not 'like' goods. These services are: (i) financial, including online banking; (ii) legal or financial advice provided in electronic form; (iii) electronic healthcare; (iv) electronic communications and networks, and associated facilities and services; (v) gambling; (vi) the creation of new digital content and the amendment of existing digital content by consumers or any other interaction with the creations of other users. Note that there is no blanket exclusion of cloud computing services. For this reason, we believe that at least those cloud computing services which offer re-consumption of digital content which is 'like' goods can, and should, fall within CESL. But of course, the fact that we need to make an argument to support this view indicates that there is uncertainty here.

A further source of uncertainty relates to the 'gratuitous' aspect of the supply of digital content indicated in Recital 18 of the proposed Regulation. Recital 18 provides that:

Digital content is often supplied not in exchange for a price but in combination with separate paid goods or services, involving a non-monetary consideration such as giving access to personal data or free of charge in the context of a marketing strategy based on the expectation that the consumer will purchase additional or more sophisticated digital content products at a later stage. In view of this specific market structure and of the fact that defects of the digital content provided may harm the economic interests of consumers irrespective of the conditions under which it has been provided, the availability of the Common European Sales Law should not depend on whether a price is paid for the specific digital content in question.

Article 5 (b) makes it clear that mere supply is enough to trigger the application of the CESL (if chosen by the parties) by specifying that it is irrelevant whether the content is paid for. This avoids the problem noted in the Recital that payment is often indirect. But the wording of Recital 18 creates doubt whether Article 5 (b) means what its apparently clear wording says. Does Recital 18 mean that contracts for the supply of digital content fall outside the definition if the supply is clearly non-commercial, in that there is no indirect payment?

The resolution of this doubt is found not in the definition but in Article 7 (1). This provides that

the CESL is only applicable to commercial supplies of digital content where the supplier is a trader. Hence, non-commercial supplies such as academic research papers hosted on a university website fall outside the scope of CESL. This would continue to be the case even if the university required users to sign a contract which benefited the university, e.g. by imposing copyright licensing obligations on users. This is because a university is not a trader in these circumstances, even though it is supplying digital content.

We now turn to the question of which cloud computing transactions can admit the supply of digital content according to the CESL provisions and are capable of governance by it. Thus, it is worth recalling the three types of cloud services: SaaS, PaaS and IaaS.

SaaSs are applications designed for end-users, delivered over the web, that run on the cloud. [29] Hence, the user or consumer should be granted, through an Internet connection, rights of storing, processing or access to software running on a supplier's website/third party server without downloading it, and as a result, receive digital information back. The question is whether that information amounts to digital content. This answer depends on what the software as a service does. If a SaaS takes content which is already on the cloud server and sends it to the user, this falls within the definition in the proposed Regulation, unless it is included in the exceptions (i)-(v) of Article 2 (j).

The recent Consultation on the supply of goods, services and digital content conducted by the UK Department for Business Innovation & Skills (BIS) [30] provides a number of helpful examples:

  1. When a consumer buys an e-book and can access it from the cloud server, the provider supplies digital content to the user and as such it can be considered a contract for the supply of digital content. Therefore, this SaaS may fall under CESL governance.
  2. However, if a consumer uploads and stores their own digital content on the cloud and shares this digital content with others e.g. Photobox or Facebook, this service is for the storage of the consumer's digital content, being characterised as a service contract. [31] Hence, it is outside the CESL governance as it does not involve the supply of digital content.
  3. Moreover, when the consumer uses the software to create new information, or modify some already existing, this 'user-created content (UCC)' falls within the last exception of Article 2 (j)(vi). Thus, this is not digital content according to CESL.

More difficult is the question whether the software element of the SaaS is itself digital content. Again, we argue that this depends on whether it is like 'goods'. If the user is granted unconstrained use of a named software package, this is very like the hiring of goods such as a car. Here the CESL should apply. If, though, all the user obtains is particular functionality, delivered by whatever means the service provider determines (so that the service provider could use entirely different software on consecutive days), this type of SaaS is clearly not goods-like. Writing a definition which captures the dividing line is difficult, perhaps even impossible. Fortunately the lack of a clear line is likely to be unimportant in practice, as service providers rarely explain what software they use for their B2C or B2SME offerings, concentrating instead on the functionality of the service.

At this point, we have to consider PaaS and IaaS. PaaS is the set of tools and services designed to make coding and deploying those applications quick and efficient while IaaS is the hardware and software that powers it all - servers, storage, networks and operating systems. Hence, pure PaaS or IaaS supplies will fall outside the provision of CESL, because no sale of goods or supply of digital content occurs. Admittedly both PaaS and IaaS are, from the user's perspective, 'data which are produced and supplied in digital form' (art 2(j), and so might consist of digital content. But these data are supplied for the purpose of the processing which the user is performing at that moment and not for re-use. Re-use is required by art 5 in order for the CESL to be applicable.

However, it is possible that a SaaS contract may include some linked use of a PaaS or IaaS. So, we need to analyse if this use might be 'related services' as defined in Article 2 (m) of CESL.

At first sight this issue appears unimportant, because the obligations imposed on a supplier of related services are no different in substance from those imposed by English law or most other national laws. But the problem is that the proposed Regulation excludes 'mixed-purpose' contracts from the scope of CESL in Art 6(1):

The Common European Sales Law may not be used for mixed-purpose contracts including any elements other than the sale of goods, the supply of digital content and the provision of related services within the meaning of Article 5.

This means that if the services included in a contract for the supply of digital content are not related services then the choice of CESL as the governing law is invalid. As a consequence the law of the contract would fall to be determined by the Rome I Regulation [32], and in the case of B2C contracts would almost certainly include large parts of the law of the consumer's country of habitual residence. [33] As the whole point of choosing CESL, so far as a cloud provider is concerned, is to avoid the problem of multiple applicable laws, any risk that the contract might be a mixed-purpose contract is a clear disincentive to choosing CESL.

Article 2(m) defines related services as:

any service related to goods or digital content, such as installation, maintenance, repair or any other processing, provided by the seller of the goods or the supplier of the digital content under the sales contract, the contract for the supply of digital content or a separate related service contract which was concluded at the same time as the sales contract or the contract for the supply of digital content …

and specifically excludes transport services, training services, telecommunications support services and financial services.

Recital 19 helps clarify the meaning of this definition by providing that the services must be 'directly and closely related' to the supply of digital content.

The effect of these provisions is drastically to reduce the range of SaaS provision to which CESL might apply. If the contract includes any services which eg allow the user to create content or share content he or she has created, this will be a mixed-purpose contract. Two examples might illustrate this.

Let us suppose that the service consists of a library of digital music, which the user can download or stream at will. This will be a supply of digital content. If the service provider allows the user to tag the music with labels which reflect the user's interests, and to create playlists of favourite tunes, these additional services will be related services because they are designed to help the user find and access the music he or she wants, and are thus directly and closely related to the supply of the content.

However, suppose the provider goes further and offers tools which the user can use to create a database of his or her listening and share that database with other users. This additional service is not so closely related to the actual supply of the digital content to the user, and thus creates the risk that it becomes a mixed-purpose contract. If so, the choice of CESL is invalid, and the default rules of Rome I apply.

In summary, for the sake of answering how the use of CESL would reduce uncertainty to the cloud service providers, some important conclusions must be borne in mind:

  1. The CESL is certainly capable of applying to some, but not all, cloud services. Pure IaaS and PaaS supplies will fall outside the CESL. However, it is capable of governing those SaaS supplies which provide the customer with repeatable access to content or specified software packages, in which case linked use of PaaS and IaaS will also be covered as 'related services'.
  2. Those SaaS supplies which are obviously services, in that they allow the user to store, generate, modify or communicate their own content, fall outside the scope of CESL. Conversely, SaaS supplies which give the user access to content produced by others, and which can be consumed at will, clearly fall within the CESL. This is helpful in reducing uncertainty.
  3. However, there is real debate over how far an SaaS which does no more than stream content will fall within CESL. We believe that streaming of a live activity cannot qualify as digital content, whereas content which can be accessed by streaming repeatedly should fall within the definition. We are unsure whether recorded content which can be accessed by streaming once only does, or should, meet the definition. And we cannot be certain that our view on this matter would be accepted by the courts. This uncertainty is definitively troubling.
  4. The exclusion of mixed-purpose contracts from the scope of CESL is particularly problematic because it creates the risk that an invalid choice of law has been made, thus leading to the unwanted situation that each consumer's national law applies.

5. Conclusions

Overall the effect of CESL is potentially positive. However, the above conclusions show that in relation to the applicability of the CESL to some cloud services, there is too high a degree of uncertainty. Therefore, CESL will not be adopted for the standard terms of cloud providers until these uncertainties are fixed.

Undoubtedly, many other difficulties which already exist in CESL, such as the mandatory rules that are in favour of consumers and the imposition of more liability to the traders than they want to accept, need to be overcome in order to attract the cloud service providers to choose to have their contract governed by the CESL. Thus, if the providers recognise that some of the concepts proposed in CESL are vague, and this will not benefit the applicability of CESL in their cloud contracts, under no circumstances they will be persuaded to adopt it. Not even the possibility to avoid the risk that the courts can create standard terms for digital content supplied via the cloud can help.

The standard approach to this problem is to attempt to redraft the law to remove as many uncertainties as possible. But we do not think this will work. The drafters of the CESL have attempted to define the scope of CESL very precisely, and as we have demonstrated above this attempt does not succeed in capturing the subtleties of digital content supplied via cloud computing. Even if CESL were redrafted by cloud computing experts, the nature and scope of services provided by cloud computing is changing so rapidly that any redraft would itself soon cease to match reality.

The alternative, and somewhat radical, approach would be to accept that there is an inevitable vagueness in any law which regulates the supply of digital content, and to embrace that vagueness by removing those attempts at creating certainty which in fact reduce it. In our view there are two changes to CESL which would vastly improve its ability to be used for digital content contracts.

The first is to remove the provision about mixed-purpose contracts. 'Pure' supplies of digital content are likely to become increasingly rare, as online suppliers (particularly via the cloud) try to enhance and differentiate their offerings by bundling in attractive services. The test for the application of CESL should not be whether the contract is one 'for' the supply of digital content, but whether the main or primary purpose of the contract is such a supply.

Secondly, the attempt to define what amounts to a 'supply' of digital content should be abandoned, except in the most general terms. Many of the problems we have noted above come from that definition. If the purpose of CESL is to introduce supplier's obligations which are analogous to those which would subsist if goods were supplied, then why not make the drafting reflect this aim? The transaction would then be a supply of digital content if the customer received similar abilities to use the content as he or she would have received if what had been supplied had been goods. Of course, such a vague definition would leave many difficult cases to the court's discretion, but we have shown that the current attempt to be precise leaves equally as much to be decided by litigation.

Deliberately introducing vagueness in this way can be successful if the law is supplemented by appropriate, and regularly updated, guidelines as to how it should be applied to specific examples. Courts have shown themselves increasingly willing to take account of non-binding guidelines, particularly if they are produced by experts in the field and reflect or influence the mutual understanding of the parties to a transaction.

A revision of the CESL along these lines might be just enough to persuade cloud providers to adopt it for their standard terms. For US suppliers CESL is less favourable than US State law, but these suppliers are now aware that a choice of their home state law is almost certainly ineffective to exclude the protections which the national law of EU states confers on consumers. A single governing law for all cloud transactions with EU consumers might prove an attractive alternative, so long as it is clear when that choice is valid and providers can understand, at least in broad terms, the obligations that the law imposes on them.



[1] Visiting PhD Student, 2011/2012, CCLS, School of Law, Queen Mary University of London and PhD candidate, Federal University of Pernambuco.

[2] Professor of Electronic Commerce Law, CCLS, School of Law, Queen Mary University of London. His work on this paper was undertaken as part of the Queen Mary Cloud Legal Project, whose generous sponsorship by Microsoft is gratefully acknowledged.

[3] Associate Professor, Federal University of Pernambuco.

[4] See the 'Analysis of the applicable legal framework and suggestions for the contours of a model system of consumer protection in relation to digital content contract', Final Report - Comparative analysis, Law & Economics analysis, assessment and development of recommendations for possible future rules on digital content contracts', by Marco Loos et al (2011) and 'Comparative analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content services', Report 1: Country Reports, University of Amsterdam. Also, an study entitled 'Digital Content Services for Consumers: Assessment of Problems Experienced by Consumers - LOT 1', by Europe Economics was commissioned by the European Commission in 2011. An overview of the consumer rights in 'digital products' commissioned by the UK Government for Business, Innovation & Skills was produced by Professor Robert Bradgate 'Consumer rights in digital products' (2010). In July, 2012, the Department for Business Innovation & Skills (BIS), in the UK seeking to protect consumers from faulty digital content, among other objectives, open a Consultation that was entitled 'Enhancing Consumer Confidence By Clarifying Consumer Law, Consultation on the supply of goods, services and digital content'.

[5] European Commission's proposal for a Regulation on a Common European Sales Law - Proposal of 11 October 2011, COM(2011) 635 final (CESL).

[6] In the United Kingdom, see the Law Society of England and Wales, the Law Society of Scotland, the Office of Fair Trading (OFT) and the Consumer Focus. In Europe, see the Bureau Européen des Unions des Consommateurs (BEUC).

[7] Law Society of England and Wales Response to UK Government Call for Evidence, Common European Sales Law, May 2012

< international.lawsociety.org.uk/.../The%20Law%20Society_> accessed 8 May 2012 . As far as software is concerned, Guy Wilmot and David Webster analysing the Instrument claim that as currently drafted the scope of the CESL will not apply even to 'software' which is supplied as an Internet or web-based service', in G Wilmot and D Webster, 'Common European Sales Law - Issues for IT Lawyers' (Society for Computers & Law - SCL, 06 January 2012) < http://www.scl.org/site.aspx?i=ar26502> accessed 28 May 2012.

[8] P Mell and T Grance, 'The NIST Definition of Cloud Computing' (Computing Security Resource Center 2009) < http://csrc.nist.gov/groups/SNS/cloud-computing/> accessed 2 December 2011. The final version definition of Cloud Computing by NIST (SP 800-145), published in 2011, is available at http://csrc.nist.gov/publications/PubsSPs.html#800-145.

[10] J Newton, 'System Supply Contract' in C Reed (ed), Computer Law (7th edn, Oxford University Press 2011).

[11] S Bradshaw, C Millard and I Walden, 'Contracts for clouds: comparison and analysis of the Terms and Conditions of cloud computing services', (2011) 19(3) Int J Law Info Tech, 187.

[12] < http://www.facebook.com/ > accessed 14 February 2012.

[13] < http://www.myspace.com/> accessed 14 February 2012.

[15] <http://code.google.com/appengine/> accessed 14 February 2012.

[16] < http://www.salesforce.com/platform/> accessed 14 February 2012.

[17] < http://aws.amazon.com/> accessed 14 February 2012.

[19] See Misra, 'Product Cloud Or Service Cloud? Know The Difference' (InformationWeek, 29 April 2010), < http://www.informationweek.com/news/cloud-computing/229202857> accessed 12 March 2012.

[20] However, Article 13 of the Regulation establishes that the EU Member States can decide whether it will also be applied to domestic contract and to contract where all the parties are traders, none of which is necessarily an SME.

[21] See the discussion in H Macqueen et al, 'Legislative Comment: The proposed common European sales law' (2012) 12 Scots Law Times 65 and in R Ortiz and P Viscasillas, 'The scope of the Common European Sales Law: B2B, goods, digital content and services' (2012) Vol 11 [ Iss 3] Journal of International Trade Law & Policy 241.

[22] O Lando, 'Comments and Questions Relating to the European Commission's Proposal for a Regulation on a Common European Sales Law' (2011) Vol 6 European Review of Private Law 717.

[23] See Chris Reed, Computer Law (7th ed, Oxford University Press, Oxford 2011) 91-99.

[24] [1996] 4 All ER 481, CA.

[25] In this respect, it is worth quoting Marco Loos et al: 'In the case of digital content contracts, ownership of the tangible medium on which the digital content is stored may be transferred, but the trader is typically not required to transfer the ownership of the digital content itself or, more specifically, of the intellectual property rights associated with the digital content. In contrast, the consumer is provided with a license to use the digital content.' in M Loos and others 'The Regulation of Digital Content Contracts in the Optional Instrument of Contract Law' [6-2011] European Review of Private Law 729.

[27] Digital Content Services for Consumers: Assessment of Problems Experienced by Consumers (Lot 1) Report 4: Final Report, London, 15 June 2011 < www.europe-economics.com/.../eahc_final_report_+_appendices.pdf > accessed 4 June 2012.

[28] It might be helpful to consider cars: a sale entitles me to unrestricted use for ever, a hiring entitles me to unrestricted use for the hire period, whereas if I take a taxi I get only a single use for the agreed journey (I cannot insist that the taxi driver waits and then drives me to a second destination, though I could of course negotiate this). We apply sales principles to the first two, but treat the taxi as a service.

[29] S Bradshaw, C Millard and I Walden, 'The Terms They Are A-Changin'... Watching Cloud Contracts Take Shape' (2011) number 7 Brookings Institution Issues in Technology Innovation.

[30] 'Enhancing Consumer Confidence By Clarifying Consumer Law, Consultation on the supply of goods, services and digital content, Department for Business Innovation & Skills (BIS) (July 2012) < http://www.bis.gov.uk> accessed 20 September 2012.

[31] ibid.

[32] Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), OJ L177/6, 4 July 2008.

[33] Art 6.