A global, cross-border service such as cloud computing (CC), with customers from all around the world, faces a significant challenge in identifying the applicable consumer protection laws and regulations. There are no globally applicable and binding rules for CC services. Therefore, as CC services gradually became more sophisticated, the CC industry introduced the CIF1 Code of Practice, which standardised the information that has to be revealed to customers before the service contract is concluded. However, this still did not resolve several other consumer protection issues, because it is only soft law intended to provide guidelines for business best practice, inter alia, towards potential users of CC services.
The definition of the ‘consumer’ is the first major issue. Who is entitled to the special protection afforded to consumers? This question can be answered differently in different jurisdictions; generally, however, consumers are defined as natural persons who act outside of their business capacity. It is worth pointing out that most of the contracts concluded between the CSPs and their customers still do not distinguish between consumers and commercial users, even though many end users of cloud services are consumers who are entitled to a higher level of legal protection when entering into such contracts.
Most of the CSPs tend to select the law and jurisdiction of their principal place of business as the applicable law for service contracts with their users2, so the consumers’ rights are calibrated accordingly in the Terms of Service (ToS). Yet such a compulsory choice of law within non-negotiable agreements (typical for CC services) may easily be void under the domestic law of the user, where the user qualifies as a consumer under that law. Nevertheless, most providers recognise the necessity of adjusting their ToS to regional legislation (EU versus US) and therefore acknowledge in the ToS the consumer’s domestic forum for dispute resolution.
CSPs try to exclude or limit liability as much as possible. Although there is an understandable reason for limiting liability in certain cases, a general exclusion of liability (without reasonable cause) makes these provisions of the ToS void under, for example, the European Union’s jurisdiction. As a result, CSPs expose themselves to a major risk of becoming liable without limit for damages caused to European consumers, especially in those cases where the CSP denies any warranty regarding the quality of the service and expressly excludes any implied warranties that the service is fit for purpose. In the European Union there are warranty minimums, based on the expectations of the average consumer, that have to be granted to consumers with respect to any marketed service or product. Therefore, at the current stage, where the CC market is still evolving and does not have fixed standards well known to non-tech-savvy consumers, communication towards potential users is crucial to bring their expectations in line with the possibilities and business models of CC services. In this way CSPs can shape the expectations of consumers and competent authorities as to what constitutes reasonable and fair contractual terms.
2 QMUL Cloud Project
Source: Cloud Computing Law – Edited by Christopher Millard (2013)