UNFAIR TERMS IN STANDARD CLOUD COMPUTING CONTRACTS
Master Thesis
by
Dimitar Dzhutev
Student at UvA,
European Private Law Master Programme e-mail: dimitar_dzhutev@abv.bg
Thesis supervisor: Prof. M. Hesselink
Date of submission: 03.07.2016
Amsterdam, The Netherlands 2016
Table of contents: 1. Introduction
2. What is cloud computing and what do contracts have to do with it?
2.1. Definition
2.2. Five unique characteristics
2.3. Service models
2.4. Delivery models
2.5. Pros & Cons
2.6. Legal classification of cloud computing contracts
3. Could some specific clauses in standard cloud computing contracts be assessed as “unfair” under the current European Union consumer law?
3.1. Setting the scene: Consumer protection in the EU
3.2. The “unfairness” test
3.3. Five examples
3.3.1. Jurisdiction and Applicable Law 3.3.2. Unilateral change of ToS
3.3.3. Warranty
3.3.4. Limitation of liability 3.3.5. Indemnification
4. Conclusion 5. Bibliography 6. Legislation 7. Case law 8. Annexes
9.1. Table 1 - Terms on Jurisdiction and applicable law 9.2. Table 2 – Terms on Change of ToS
9.3. Table 3 – Terms on Warranty
9.4. Table 4 – Terms on limitation of liability 9.5. Table 5 – Terms on Indemnification
LIST OT ABBREVIATIONS
AUP Acceptable use policy
B2B Business-to-Business
B2C Business to Consumer
Brussels I Brussels I Regulation Recast
CaaS Communication as a Service
CCCA Convention of the Choice of Court Agreements
CRD Consumer Rights Directive
CJEU The Court of Justice of the European Union
DaaS Data as a Service
EC European Commission
EU European Union
IaaS Infrastructure as a Service
MaaS Monitoring as a Service
MS Member State
NaaS Network as a Service
NIST National Institute of Standards and Technology, US Dep. of Commerce
OCA Obligations and Contracts Act, Bulgaria
PaaS Platform as a Service
Rome I Rome I Regulation
SaaS Software as a Service
SME Small and Medium Enterprises
ToS Terms of Services
UCTD Unfair Contract Terms Directive
UK United Kingdom
USA The Unites States of America
Abstract
The present paper aims to bring clarity in the notion of cloud computing and the legal classification of cloud computing contracts. It also has as an objective to address and elaborate the question whether there are unfair terms in standard cloud computing contracts from the perspective of users within the European Union.
For the purposes of the paper, the doctrinal method of legal research has been used. An empirical research has been carried out as well.
The results show that cloud computing contracts may generally fall within the scope of already existing categories of contracts, but they also may be regarded as sui generis. It is demonstrated that there is a number of contractual terms in standard cloud computing contracts that could be assessed as “unfair” under the current EU consumer protection law.
1. Introduction
If you use e-mail, virtual banking or make a search on Google, then you use cloud computing services. The latter is all around us. It concerns many aspects of our everyday life and we count on it more and more.
Cloud computing services are incredibly flexible, efficient and always on-demand. They help customers reduce the expenses for maintaining technical staff at companies and investing in expensive hardware and software, instead of focusing equity to business activities or private preferences12. Therefore, cloud computing makes life easier. It saves time and money, both in our professional and private life. Although cloud computing is not an entirely new phenomenon34, the growth of its size and importance have been overwhelming for the last decade.
1 Foster, N., “Navigating through the fog of cloud computing contracts”, The John Marshall Journal of
Information Technology and Privacy Law, vol. 30, issue 1, 2013, p. 14 [online]
2 Rohrmann, C., Cunha, J., “Some legal aspects of cloud computing contracts”, Journal of International
Commercial Law and Technology, vol. 10, no. 1, 2015, p. 38
3 Faber, D., “Oracle’s Ellison Nails Cloud Computing”, CNET (2008), [online]
4 European Commission, “Comparative study on cloud computing contracts”, Final Report, March
When one is willing to use any cloud computing service a contract is involved.5 It specifies a service, or a set of services, and regulates the entire
relationship between the service provider and the user, starting from the identification of the parties, going through the main features of the service, possible warranties, liabilities, to reach the dispute-solving clauses.
Global cloud computing companies usually offer users standard contracts. For them it is a way to reduce the expenses for legal aid. Another reason is that standard contracts would apply to anyone who wants to use those services. Therefore, negotiations are practically absent and providers save time out of it.6 They also save money by maintaining a minimal marketing staff, just because they do not need one to negotiate with every client. It is a bright example of the “Take it or leave it!” business model.
Cloud computing contracts come in different forms and shapes. One could find one general agreement or many smaller agreements, which concern only different specifics of the service, such as Terms of Service (ToS), Acceptable use policy (AUP), Privacy policy (PP) and Service level agreements (SLA). These different parts regulate specific relations and might be present when particular services and/or contracting parties are involved. However, those contracts consist of more or less the same provisions. They are drafted according to the law and the legal system of the state where the provider has its registered office or main administration7, which in the cases of global providers is usually the law of some states in the USA, such as California or New York.
In addition to the better knowledge of local laws, those providers apply the freedom to contract to its full extent and limit, or even exclude, any possible contractual liability they could bear.8 At the same time, cloud computing services are so attractive with their efficiency and effectiveness that customers are simply not interested in what the contract says.9 Therefore, nobody reads the terms10, which in
5 Gilbert, F. “Cloud service contracts may be fluffy”, Journal of Internet Law, vol. 14, no. 6, December
2010, p. 20
6 Kafeza, I., Kafeza, E. & Panas, E. “Contracts in cloud computing”, IEEE International Conference on
Cloud Computing for Emerging Markets, October 2014
7 see n.2 above, p. 43
8 Hon, W., Millard, C. & Walden, I., “Negotiating cloud contracts”, Stanford Technology Law Review,
vol. 16, no. 1, Fall 2012, p. 83, 94
9 see n.2 above, p. 41 10 Ibid
addition are often too long, full of technical and legal terms for most of the users to understand.11
That could cause problems when different legal systems and jurisdictions with high level of consumer protection are concerned. For example, within the European Union (EU) one could observe a collision between contracts, and some of their typical clauses, drafted in the light of the Anglo-American legal tradition, and their application in civil law systems, under which (the same) particular clauses would be regarded as unfair or invalid. In practice, that could lead to the unenforceability of the latter and legal uncertainty about users’ behaviour in cases of contractual breach from on side of the service provider. Therefore, a user could be uncertain where to bring a case or what would be the limit of liability pursued. Even more, that uncertainty could lead to undermining the user’s decision whether to start legal proceedings at all. Another problem that could arise from the uncertainty is related to further development of the cloud technologies within the EU and the impact on the business, which the European Commission considers as a priority with the ability to foster the EU economy. 12
Cloud providers offer their services within the European market mainly under standard contracts, which include some unfair (concerning consumers) terms. They come to the detriment of the European users who are forced to accept the proposed terms and conditions, as well as the service, “as it is”, applying the “take it or leave it” principle of negotiating.13 14 15 Those detrimental clauses would make it more difficult, or even impossible, for users to seek compensation from the service provider for breaching the contract. This would probably lead to losing trust in such technology and the economic effect it could bear would not be achieved.
The present work aims to bring clarity in the legal classification of cloud computing contract. It also has as an objective to address and elaborate the question whether there are unfair terms in standard cloud computing contracts from the perspective of consumers and law within the European Union.
11 Ibid
12 European Commission, “Unleashing the potential of Cloud Computing in Europe”, 27.09.2012, p. 2
[online] - the overall cumulative impact on GDP in Europe is estimated to EUR 957 Billion, and 3.8 million jobs by 2020
13 see n.4 above, p. 19 14 see n.8 above, p. 91 15 see n.2 above, p. 40-41
In the first part of this paper, it will be described what “cloud computing” is in general and what contracts have to do with it. The second part will examine whether some typical clauses in cloud computing contracts could be regarded as “unfair” under the current EU law. In the last section the main outcomes and findings will be summarised and the answer of the research question will be given.
For the purposes of the present thesis a doctrinal method of legal research will be used. It is chosen because it shows what the law is on the relevant issues. It concerns the analysis of the legal doctrine and how it has been developed and applied. It also brings systematic explanation of the rules governing the particular legal categories and the relationships between them.
For the purposes of the present work, an empirical research was conducted as well. The terms of services of nine companies16, as representatives of the biggest one hundred global cloud service providers17, have been examined and compared (see section 8). Additional empirical data was used as generated during surveys in 2010 and 201318.
Questions of jurisdiction, applicable law and possible development of EU law in the area of cloud computing services will not be discussed profoundly. However, some consideration of those aspects will be given, as far as it is required for the purpose of the present research.
2. What is cloud computing and what do contracts have to do with it?
2.1. Definition
Till today, there is no common legal definition of cloud computing within the EU. 19 Its relatively new computing model, characterised by fast development and multiple changing features, simply does not allow putting a fixed legal label on it. Therefore, its definitions may vary significantly among jurisdiction. Perhaps the shortest one is, as Gilbert describes it, a “Network of networks”. 2021 Others are
16 Microsoft Cloud, Adrive, IBM Cloud, iCloud by Apple, Google Drive, Dropbox, Amazon Web
Services, Oracle Web Services, Facebook, as they were all available online on 16.04.2016
17 [online via http://cloudtimes.org/top100/]
18 “The Queen Mary University London Cloud Legal Project”, Centre for Commercial Law Studies,
Queen Mary, University of London, [available online via http://www.cloudlegal.ccls.qmul.ac.uk/]
19 see n.4 above, p. 18 20 see n.5 above, p. 18
longer and much more precise. The National Institute of Standards and Technology with the US Department of Commerce (NIST), for example, describes the cloud computing as “a model for enabling convenient, ubiquitous, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. 22 The European institutions have undertaken a similar descriptive approach in defining cloud computing. 2324
In essence, cloud computing is an information technology, which mainly focuses on the separation of, on the one hand, the underlying and decentralised infrastructure and, on the other, centralised virtual resources available and accessible over the Internet. This comes to say that conventional personal computers and computing devices in general (such as smartphones, tablets, netbooks, laptops, storage, etc.) could lose their value as programmable machines that carry out arithmetic or logical operations automatically, because their primary function has been transferred onto the services available online. 25
2.2. Five unique characteristics
Following the NIST definition of cloud computing, there are five unique characteristics that could be observed. 26
First, cloud computing is a web model and comes with a ubiquitous network access. One could access the resources through a wide range of platforms connected to the Internet. Access is granted from anywhere and from any device.
Second, cloud computing provides an on-demand self-service. A user could subscribe for or purchase a service, with specified parameters, only in a few minutes, entirely online, without any human intervention. If a user’s need changes over time, any subscription can be adapted accordingly in a couple of clicks.
21 See also Tasneem, F., “Electronic Contracts and Cloud Computing”, Journal of International
Commercial Law and Technology, vol. 9, No.2, 2014, p. 105
22 [online via http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf] 23 see n.19 above
24 European Commission, “Cloud Service Level Agreement Standartisation Guideline”, 24.06.2014, p.
10
25 Witte, D., “Privacy deleted: Is it too late to protect our privacy online?”, Journal of Internet Law,
vol. 17, no.7, January 2014, p. 20
Third, cloud computing services involve minimum or almost zero human resources. As mentioned above, a user can subscribe entirely online and without any human intervention.
Forth, that technology represents a pool of resources. Whatever one may need – storage, processing, software or virtual machines, it is available in the cloud. The different types of resources are dynamically assigned according to users’ demands. A user can purchase services and resources in any necessary quantity, whose availability is practically limitless.
Last but not least, all provided services are highly flexible. They can be controlled, monitored and reported on-line, often even without human intervention.
2.3. Service models
Cloud computing has three primary service models. In particular the Service models are as follows: Infrastructure as a Service (IaaS), Software as a service (SaaS) and Platform as a service (PaaS).
The first one (IaaS) provides users with basic computing resources such as storage, processing or network. The customers practically rent an existing physical resource according to their needs and can run their software on it. The providers still control the infrastructure and can adapt it. The customers have control only over limited components such as the network firewalls. A practical example is a case where a research institute in climate changes wants to apply a new weather forecast model, but needs an extremely powerful computer (a supercomputer) to make the calculations. As regular computers would need decades to complete the task, the institute could hire working hours from a cloud company that possesses such a device and let it calculate the necessary data only within a week.
Software as a service (SaaS) provides users with the possibility to use the functionality of specific programme software, which is controlled entirely by the service provider. There are, of course, some administrative functions that the customer can carry out. For example, companies that provide such services are Gmail, Apple, Google Apps, etc. It is also common companies to provide two types services simultaneously. For example Dropbox offers software and storage. The same goes for iCloud provided by Apple.
Platform as a service (PaaS) is targeted mainly towards users dealing in software development who need a particular and sustainable instrument for carrying out their projects. Therefore, customers use a bundle of infrastructure and software on the ground of which they create their inventions. Here the provider controls the platform entirely, whereas the customer has total control over the applications, the middleware27 and the operating system28. Amazon Web Services and IBM offer such services, for example.
Technology develops on leaps and bounds and some new categories of service models emerge as well. 29 Data as a service (DaaS) delivers data on demand over the Internet. Network as a service (NaaS) refers to hiring particular network and its capability to transfer (transport) data from one physical location to another. An example of this service is utilising satellite telecommunication time. Communication as a service (CaaS) deals with providing users with specific channels of communication, such as messaging or conferencing technologies. Monitoring as a service (MaaS) aims at facilitating the process of monitoring other services – on applications whether static within a particular system or available online. Due to the fact that almost every software component can be accessed over the Internet and used as a commodity, the idea of the “Everything” or “Anything” as a service (XaaS), meaning that there is huge variety of services that can be delivered over the Interenet, has also been widely accepted.
2.4. Delivery models
In a nutshell, cloud computing comes in four delivery models – Private, Public, Community and Hybrid. The Private cloud, as its name indicates, is a privately owned, operated and controlled data centre. 30 The Public cloud infrastructure is usually owned by one entity and is open to the public or large industries. 31 The services available vary but commonly serve the needs of the public and often have social functions. The Community cloud is usually possessed by a group of SMEs that shares common interests, preferences, ideas and necessities.
27 [online via https://en.wikipedia.org/wiki/Middleware ] 28 see n.5, above, p. 19
29 see n.4, above, p. 27 30 see n.1 above, p. 14 31 see n.5 above, p. 19
Under the umbrella of the community infrastructure each of its members has access to a shared pool of available online services with centralised management and maintenance. With hybrid clouds, there is a convergence between Public and Private clouds. The spine of the system is a centralised and standard infrastructure within which unique entities remain independent, and still bound by the joint system. This type of cloud architecture allows the system to balance between the particular needs of each entity and to relocate resources when and where needed.
2.5. Pros & Cons
There are many advantages of cloud computing, and the biggest one is its efficiency. Companies and consumers (hereinafter referred as “users” or “customers”) opt for cloud computing because it is a way of reducing cost. They do not need to invest in hardware and software or pay for technical staff maintenance. Instead, they can focus on core business activities, further development or in personal preferences. Cloud computing helps users to stay flexible and adapt more easily within a dynamically changing environment (business and social). Data can be accessed anywhere anytime, over the Internet and on a variety of platforms.
Cloud services are on-demand, as well. Therefore, even seasonal or cyclical businesses can hire precisely as many services and as much processing power as they need for a given period. 32 Issues, such as hardware maintenance and software update, are outsourced to the cloud service providers. Consequently, time and money can be much more effectively distributed.
Last but not least, cloud computing saves energy, as large data centres use technologies with lower power consumption than traditional data processing centres.33
On the downside, there are two main drawbacks of cloud computing. The first one is its high dependence on the Internet, which is crucial for the accessibility to a given service and its performance. Connection problems or interruptions can generate severe damages for cloud users because they will deprive them of the possibility to access and use a particular service. The second disadvantage is data security or the possibility of information leakage. 34 Although cloud computing companies make
32 see n.2 above, p. 38 33 Ibid
efforts to keep their servers safe, by sustaining complicated firewalls software and encrypted connections, security breaches are not uncommon. Such problems can have an adverse effect on users when their personal, confidential and/or private information is at stake. That, reflects poorly on the “prestige” of cloud companies and may even cause them significant damages due to “noisy” and multi-million litigations. 35
2.6. Legal classification of cloud computing contracts
From a legal point of view, cloud computing contracts can be determined as bilateral agreements between a cloud service provider and a user. In this regard, the intentions of the two contractual parties, on the one hand, to provide a service and, on the other, to use it, coincide. The whole relationship is then specified and regulated in one document, which consists of the specifications of the service, the rights and duties of the parties, the terms on contractual breach and liabilities that could follow out of it. As a result, cloud computing contracts do not seem to be a new phenomenon. Therefore, general rules of contract law, regardless the subject matter of the contract, do apply to them. 36 Despite this, cloud computing contracts are a relatively recent event37 compared to classical contractual relationships, such as sales and lease, and they bear some specific features, which differentiate them, at least to a certain point, from these classical examples.
Born in a digital era, cloud computing contracts usually come in a form of electronic agreement. The traditional form of a paper document has been abandoned almost in full because of efficiency and environmental reasons. Cloud computing contracts are in written form and consist of several different parts (as described below) or documents that the contractual parties agree upon, which in their entirety form a complete contract.
Therefore, one can find a “General Agreement” or “Terms of Service”, which regulate the fundamental features of the relationship between the service provider and the user, such as the indication of contracting parties, the counter-performance or consideration (if any), choice of forum and applicable law, contractual warranties and
35 see n.1 above, p. 19 36 see n.4 above, p. 27
liabilities. Also, it contains provisions focusing on potential future conflicts between the contractual parties. 38
“Privacy policy” is the part that deals with privacy issues and considers the provider’s policy of data control and personal information. 39
In the “Acceptable use policy,” the provider states its general policy towards its services. It also regulates what is considered as an appropriate usage on the side of the users, anything beyond which is prohibited by the provider.
Very often cloud providers offer a wide variety of services, which differ significantly from one another. Therefore the “Service level agreement” specifies the service at hand, its quality, how it will be delivered and its availability. 40
Cloud computing contracts are negotiable or non-negotiable (i.e. standard). The first type requires at least some degree of bargaining to have taken place between the contractual parties41, followed by an adaptation of terms and a bilateral agreement on that. However, global cloud computing providers offer their services by imposing their own standard contracts. This practice is advantageous for them and it helps to reduce the final price of the services.
One of the main reasons for this practice is the lack of bargaining power of the individual users or SME that are forced to accept the terms of the provider. 42 Except for large companies and public agencies, who can at least to a certain extent oppose the providers with their economic and social power, the average individuals cannot do so and their contracts do not become subject of any adaptation.43
Standard contracts might come in two different sub-categories. The first one is the “browsewrap” contract44, which applies to the provider-user’s relationship only
browsing through a website offering a cloud service. Google.com web search engine is the best example. The second sub-category is for the “clickwrap” contract.45 It comes to the user’s attention before using the service and provides for two possible choices: either “I agree” or “Cancel” (or “I don’t agree”). If choosing the latter the user will not be allowed to use the service and will probably be navigated out of the
38 Kesan, J., Hayes, C. & Bashir, M., “Cloud services, contract terms and legal rights”, Journal or
Internet Law, December 2013, p. 8
39 Ibid
40 see n.1 above, p. 19-20 41 see n.5 above, p. 20 42 see n.2 above, p. 40 43 see n.8 above, p. 83 44 see n.6 above, page 2 45 Ibid
website. Choosing the “I agree” button will grant access to the resources sought, by applying to the relationship given already drafted terms and conditions.
Cloud computing contract also differ with regards to whether a monetary consideration has been given in return of the service provided or not. There are two types – free of charge and paid contracts. In the case of the latter, the customer agrees to pay a service price and usually under a simple subscription the amount is due over a fixed period – weekly, monthly or yearly. There also might be free-trial periods, which are excluded from the subscription period. Interestingly enough, the cloud computing industry has no problem in collecting its fees because customers are granted access to the service only after having their consideration been verified and the payment received by the provider.
As far as the “free or charge” contracts are concerned, it is questionable how and whether they are really “free”. In the case of “free” services, it is very common that users “allow” their information to be used by the providers, which constitutes a “hidden charges”46. In that manner consumer do not pay in money but with their personal data.47 For example, Google states in its terms of use that when users upload,
submit, store or receive content to or through the services, they give Google and its affiliates and partners a worldwide licence to use, host, store, reproduce, modify, communicate, publish, publicly perform, publicly display and distribute such content. The user gives that right for the purpose of operating, promoting and improving Google’s services and the licence continues even if and after the user stops using the service.48 So, it is hard to deny that there is a significant consideration against the use
of the provided service, because the consumer’s information adds value not only to the provider company but also to its platform, social network or product in general.49
5051
46 Hoofnagle, J., & Whittington, J., “Free: Accounting for the costs of the Internet’s most popular
price”, UCLA Law Review, 2014, 61, p. 608-612
47 Loos, M. & Luzak, J., “Wanted: a bigger stick. On unfair terms in consumer contracts with online
service providers.”, Journal of Consumer Policy, 2016, vol. 39(1), p. 67
48 available online, at www.google.com/policies/terms/ (accessed 12.04.2016).
49 Cunningham, A., Reed, C., “Consumer protection in cloud environments ”, in Millard, C. (ed.),
“Cloud Computing Law”, Oxford University Press, 2015, p. 6
50 “Consumer Protection in Cloud Computing Services”, Recommendations for Best Practices from a
Consumer Federation of America, Retreat on Cloud Computing, 30.11.2010 [online]
51 Bradshaw, S., Millard, C. & Walden, I., “Contracts for clouds”, International Journal of Law and
The rules on some “nominate contracts”, which are regulated with regard to the subject matter of the contract, can be applicable to cloud contracts. 52 For example,
contracts on storage capacity and the infrastructure of software applications can explicitly be considered as service contracts. In cases when the service provider has agreed to carry out certain work for the customer, for example to customise the service additionally, the regulations on work contract might be applicable. When dealing with a PaaS model, the rules on lease contracts may be applicable because the service provider might be obliged to lease computer space or, in a case or IaaS, an entire infrastructure.
German scholars consider gratuitous cloud contracts (where users do not need to pay for the service) as loan agreements.53 In any case though, the rules on sale of goods should not be applicable to cloud computing as goods generally are defined as tangible movable items54 and in the case of cloud computing only services are at stake.
It appears that the legal classification of cloud computing contracts strongly depends on specific facts, mostly related to the different types of services being delivered. Therefore, it is reasonable to see this type of contracts as “sui generis” contracts, not regulated by the existing principles relating to named contracts, but which follow general principles of law” 55. Hence, for cloud computing contracts, the main source of right and obligations between the parties will be the contract itself, supported by the rules of general contract law.
European consumers enter into cloud contracts usually by means of distance communication.56 Therefore, those contracts can be classified as “distance contracts”,
as it has been done in art 2(7) of the Consumer Rights Directive.57 Consequently, consumer protection rules on the European level are also applicable to cloud computing B2C relationship, especially regarding services. Having in mind the mandatory nature of consumer protection rules, it is safe to say that it is very likely
52 see n.4 above, p. 27 53 Ibid, p. 28
54 Directive 1999/44/EC of the European Parliament and of the Council of 25 May 1999 on certain
aspects of the sale of consumer goods and associated guaranteed of 25 May 1999, OJ L 171, 7.7.1999, p. 12–16, art. 2b
55 see n.4 above, p. 29 56 Ibid
57 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on
the cloud agreements to be under severe scrutiny, if consumer protection rules are enforced.58
3. Could some typical clauses in cloud computing contracts be regarded as unfair under the current EU law?
3.1. Setting the scene: Consumer protection in the EU
The European Union has been built around the idea of establishing an internal market, which “shall comprise an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured”.59 Attention is given to the rights and interests of the consumers, who are provided with a high level of protection.60 Therefore, private individuals, who wish to purchase goods or services from the market and use them privately, can rely on a sound body of laws that aim to align the difference in bargaining powers between the seller or provider and the consumer.61
Two particular elements are paramount for the cloud computing services available in the EU market. The first one refers to the fact that consumer protection laws aim to ensure that standard contacts provide consumers with all the necessary information, before purchase or subscription of a service, which should be given in a clear and understandable manner, so that consumers are able to make a well-informed decision.62 The purpose is to counter the provider-consumer relationship and achieve
certain equilibrium. The second element provides for redressing any imbalance that may occur after the conclusion of the contract by imposing statutory implied terms or rendering unenforceability to unfair contractual terms.63
It can be concluded that there are two main concepts of consumer protection – ex-ante and ex-post. The first one is well observed in the Consumer Rights Directive (CRD), where the EU legislator imposes an obligation to the trader to provide the
58 see n. 47 above, p. 88
59 Treaty on the Functioning of the European Union, art.26, par 1 and 2 60 Ibid, art. 169, par. 1, in conjunction with art. 114, par. 1 and 3, and art. 26
61 see ECJ 03.09.2015, C-110/14 (Horațiu Ovidiu Costea v SC Volksbank România SA), par. 18 62 see n.49 above, p. 4
consumer with certain minimum information in a clear and comprehensive manner, prior the conclusion of the contract.64
An example for ex-post consumer protection legislation is the Unfair Contract Terms Directive (UCTD)65 that protects consumers from certain clauses and conditions implied in standard contracts. The directive introduces an unfairness test aiming to counter the equilibrium between the contractual parties. The test is a mechanism for reviewing non-individually negotiated contractual terms so that it could be determined whether they are unfair66 and therefore non-binding upon consumers.
Before considering the consumer protection legislation in the EU on some specific terms in standard cloud computing contracts, it is essential to define who is a “consumer”.
The typical definition of a consumer under EU law is contained in the UCTD, where the term refers to “any natural person who…is acting for purposes which are outside his trade, business or profession”.67 Interestingly enough, the CRD uses the same definition but goes slightly beyond its scope by adding “craft” as in the part of the professional activities that are excluded from the area of protection.68
Provided the above, there are two common core elements of those definitions. First, the consumer is a natural person. Second, he is acting outside his trade, business, craft or profession. As a result, any non-private-use activity carried out by a natural person puts him outside the scope of the protection provided by those directives.
However, people use the Internet in many different ways and it is not easy to make a distinction as to what constitutes a private use and what a business or professional one. For example, it is common to use free (and even paid) cloud services for activities that could be considered as two-fold. In those cases, it would be extremely unclear whether the natural person is using the services as a consumer or in the course of his business activities, or both simultaneously.69
64 Ibid, p. 5-8
65 Council Directive 93/13 of 5 April 1993 on unfair terms in consumer contracts, OJ L 095,
21.04.1993, p. 29-34
66 Tenreiro, M., “The Community Directive on Unfair Terms and National Legal Systems The Principle
of Good Faith and Remedies for Unfair Terms”, European Review of Private Law, 1995, vol. 3, p.
275-276
67 see n. 65 above, art. 2(b) 68 see n. 57 above, art. 2(1) 69 see n.49 above, p. 5
Some of the services provided by cloud giants like Google or Facebook can be used in both directions – private and professional, for publicity and advertising. It gets even more complicated with respect to start-ups. Their use of free cloud services is crucial from an economic perspective and usually, start-ups’ founders use personal (consumer) accounts for clearly business activities.70 This is a problem since law presumes that it is always clear who is acting as a consumer and ultimately benefits from the protective legislation, whereas in practice this is strongly questionable and often uncertain.71
The UCTD is not explicit on how that problem could be solved. However, the Directive is certain about the fact that there should be a contractual relationship between a seller or supplier and a consumer. At the same time, some clauses might have been drafted before the contract was concluded or, the contract could not even have been individually negotiated. It can be concluded that the only factor that has real significance, as to the capacity of the natural person entering into the contract, is the moment of its conclusion. As a result, when testing the capacity of the consumer, it is only necessary to investigate whether he has been acting as such at the moment of conclusion.
That approach brings some certainty in the business-to-consumer (B2C) relationship. In the area of procedural consumer law the Court of Justice of the European Union (CJEU) has adjudicated that in situations in which a consumer enters into a contract with a two-fold purpose, he could be protected only if the professional use of the goods or services has been negligible72.7374
Recent amendments to consumer legislation have changed that concept. Preamble 17 of the CRD states that “in the case of dual purpose contracts, where the contract is concluded for purposes partly within and partly outside the person’s trade and the trade purpose is so limited as not to be predominant in the overall context of the contract, that person should also be considered as a consumer”. This is a useful clarification, as often the cloud user will contract with a service provider in a dual
70 Ibid 71 Ibid, p. 6
72 see n. 47 above, p. 66
73 see ECJ 20.01.2005, C-464/01 (Johann Gruber v Bay Wa AG), par. 41 and 42 [online] 74 see n.61 above, par 17-22, 26
capacity, although it would still be difficult to ascertain when the trade purpose is so limited as not to be predominant.75
One more element of consumer protection on cloud services should be mentioned. It relates to the notion of “service contract”. As discussed, cloud contracts should be understood as service contracts because any transfer of ownership of goods (having been defined as tangible movable items) to the consumer (against a paid price) is not a part of the subject matter of that type of contracts.76 From the perspective of the CRD “service contract” is any contract under which the trader “supplies or undertakes to supply a service to the consumer and the consumer pays or undertakes to pay the price thereof’”.77 Therefore, the answer of the question whether the “free” cloud service contracts (as discussed above) are to be considered by a court of a MS as ones under which the consumer gives consideration (pay the price) will be crucial for applying the provisions of the CRD to that type of contracts.
On the other hand, the UCTD refers to all types of consumer contracts, regardless whether any consideration has been provided in exchange. Therefore, any consumer contract would fall within the scrutiny of the unfairness test set out in that directive. As this is a special legal instrument, with respect to the matter of unfairness in contractual clauses, its broader scope should be applied.78
3.2. The unfairness test
When discussing the unfairness of terms being part of standard cloud contracts, it is important to consider the special test introduced by the UCTD.79 It can
be said to consist of five steps.
First, the contract at stake must fall within the personal scope of the protection granted by the Directive, i.e. be a consumer contract80.
Second, the test does apply only to terms that have not been individually negotiated between the parties. As the Directive provides for, a term shall always be regarded as such where it has been drafted in advance and the consumer has not been
75 see n.49 above, p. 15
76 see n.56 above, art 2(5), in conjunction with art. 2(3). 77 Ibid, art 2(6).
78 European Commission’s Expert Group on Cloud Computing Contracts, “Unfair Contract terms in
Cloud Computing Service Contracts”, Discussion paper, 5 -6.03.2014, p. 1.
79 see n.65 above, art 3 80 see the discussion above
able to influence the substance of the term, particularly in the context of a pre-formulated standard contract.81 In line with cloud services, this would usually be the
case as providers predominantly offer their services through standard contracts82.83
Third, the term at stake must not cause a significant imbalance in the parties’ rights and obligations arising under the contract, meaning that the contract places the consumer in a less favourable legal situation than provided by the national law in force which would have been applied in the absence of any agreement between the parties84. There is also a presumption in the UCTD that the consumer is in a weaker position vis-à-vis the seller or supplier, with regard to his bargaining power and his level of knowledge.85 The Directive also makes a reference to the requirement of good faith by adding that the term at stake must not be used against it. Generally, “good faith” is a well-known concept in the civil law legal systems and the field of international trade. It requires from the contractual parties, in the course of negotiation and during the performance of the contract, to act in such a way so that the interest of the other party to be safeguarded and not harmed. However, in some legal systems, such as the English one, the concept of “good faith” is generally not recognised 86 87, or where it is, the matter concerns only specific contractual relationships88.
In a recent judgement the CJEU had the chance to give interpretation to the requirement of good faith and held that “in order to assess whether the imbalance contrary to the requirement of good faith, it must be determined whether the seller or supplier, dealing fairly and equitably with the consumer, could reasonably assume that the consumer would have agreed to the term concerned in individual contract negotiations.”89
81 see n.65 above, art 3(2) 82 see chapter one 83 see n.51 above, p.196
84 ECJ 14.03.2013, Case C-415/11 (Mohamed Aziz v Caixa d’Estalvis de Catalunya, Tarragona i
Manresa (Catalunyacaixa)), [online], par. 76
85 see n.61 above
86 See Lord Ackner in Walford v Miles [1992] 2 AC 128
87 See also, Bengham LJ in Interfoto Picture Library v Stiletto Visual Programmes Ltd [1989] QB 433 88 See Mr Justice Leggat in Yam Seng Pte Limited v International Trade Corporation Limited [2013]
EWHC 111, par. 124, 153 and 154
Fourth, the term at stake must not be detrimental to the consumer by causing him harm or damage, which could not have been reasonably foreseen at the moment of concluding the contract.90
Fifth, the test must be applied with regard to the moment of the contract’s conclusion, whereas any circumstances during the performance are irrelevant.91
It must be noted that core terms as to the subject matter of the contract and the adequacy of the price and remuneration, for the supplied services in exchange, are excluded from the scrutiny of the test, as long as they are drafted in plain intelligible language.92 Such clauses are those that lay down the essential obligations of the contract and as such characterise it.93
From a procedural point of view, there are several specifics related to the application of the unfairness test.
First, the real effect of European Directives can be achieved only when and as far as they have been transposed in the legislation of each and every MS. Thus the provisions of the Directives would become a part of the legislation of each MS. Consequently the only judicial body that will be able to apply the unfairness test will be a national court of a MS. It follows that it will be the national court that will have to decide whether a contractual term satisfies the requirement for being regarded as unfair under art. 3(1) of the UCTD. 949596
Second, the test has to be carried out ex officio.97 This comes to say two things. One, the national court is able to determine on its own motion whether a term of a contract before it is unfair when making its preliminary assessment on proceeding allowance to proceeding before national courts, regardless the procedural behaviour of the consumer, ie whether the consumer has raised the question of unfairness of certain contractual term. And two, the national court has the obligation to interpret the national law provisions in the light and purpose of the UCTD.98
90 see n.65 above, art 3 91 Ibid, art 4(1)
92 see n.65 above, art 4(2)
93 see ECJ 23.04.2015, C-96-14 (Jean Claude Van Hove v CNP Assurances SA) [online], par. 33 94 see ECJ 27.06.2000, Joint cases C240/98 to C-244/98, (Oceano Grupo Editorial SA), [online], par.
25
95 See ECJ 01.04.2004, C-237/02 (Freiburger Kommunalbauten GmbH Baugesellschaft & Co. KG v
Ludger and Ulrike Hofstetter), [online], par. 25
96 see ECJ 26.10.2005, C-168/05 (Elisa Maria Mostaza Claro v Centro Movil Milenium SL), [online],
par. 23
97 see n. 47 above, p. 88
Third, when conducting the test, the national court must consider all the circumstances of the case in question, attending the conclusion of the contract.99100
Last but not least, if a term were considered “unfair” after having applied the test then it would not be binding on the consumer.101102103104 This refers to the fact the court will be able to evaluate unfair terms of its own motion, ie to announce them invalid or simply treat them as not being part of the contract and therefore not grant them any effect.
For the sake of ease and clarity, the UCTD contains an indicative, non-exhaustive list of terms that may be regarded as unfair.105 However, the list differs from “black” or “grey” lists of unfair clauses. Those were introduced in art. 84 and 85 of CESL proposal106 and concern only the B2C relationships. Article 84 introduces the “black” list of contractual terms, which are always unfair and the opposite cannot be proved. Article 85 introduces the “grey” list of contractual terms, which are only presumed to be unfair therefore the opposite can be proved. In such cases the burden of proof is revised as the trader has the burden to prove the terms is not unfair. The CESL proposal was also designed as an uniform set of substantive contract law rules that had to be considered as a second contract law regime within the national law of each MS. As such, its provisions would have had direct horizontal effect, one that the UCTD has not. Moreover, with respect to the UCTD the unfairness of any contractual clause must be carried out by a national court of a MS applying the test explicitly as described in the Directive for each case and not by simply referring to the “black” or “grey” lists.
3.3. Five examples
In this part of the paper, five illustrative types of standard cloud computing contract terms will be investigated with regard to their potential unfairness in B2C
99 see n.65 above, art. 3
100 see n.106 above, par. 22; see 105, par. 22 101 see n.65 above, art. 6(1)
102 see n.61 above, par. 19 103 see n.104 above, par 26
104 see ECJ 26.04.2012, C-472/10 (Nemzeti Fogyasztovedelmi Hatosag v Invitel Tavkozlesi Zrt), par 40,
42
105 see 65 above, art. 3(3)
106 European Commission, Proposal for a “Regulation of the European Parliament and of the Council
contracts, i.e. terms dealing with jurisdiction and applicable law, allowing the unilateral change of the terms of service, warranties, exclusion and limitation of liability, and indemnification.
Before proceeding further, it is necessary to make some clarifications. For the purpose of the present paper, a survey has been conducted. The standard general agreements of nine of the biggest one hundred cloud computing companies in the world have been investigated. The main focus has been the provisions listed in the previous paragraph. The researched cloud service providers offer the same set of standard agreements worldwide, and in particular within the area of the EU. Additional data has been used as provided in the Queen Mary University London Cloud Legal Project.107
3.3.1. Jurisdiction and Applicable Law
It is common for global cloud service providers to include in their standard contracts terms the laws of a specific jurisdiction, typically the one of the place where providers have their centre of main activity or business.108 109 In many cases, providers point out a specific applicable law. Most commonly, it is again the law of the principal place of business of the provider. Of course, some providers specify different legal systems with regard to the customer’s location.110
In the present research, two-thirds of the investigated companies subject any possible dispute, arising out of the contracts, to a specific jurisdiction or court. For example, five of the investigated companies referred to the courts of Washington (MS Cloud), San Francisco (ADrive, Dropbox), San Mateo Country Court, California (Facebook) and Santa Clara California (Google Drive, Oracle Web Services).
More than half (five out of nine) specify the law of the State of California as the one to govern the entire contractual relationship. Only one third of the companies (IBM Cloud, Apple iCloud and Amazon Web Services) have no reference to any specific jurisdiction or applicable law.
107 see n.18 above 108 see n.49 above, p. 27 109 see n.51 above, p. 198 110 Ibid
It could also be seen that those jurisdiction clauses are indicated as exclusive on claims of customers against the provider, but some also include terms that give the provider choice of venue for claims against the customer.111
With respect to EU consumers, it is highly unlikely that those contractual provisions could be enforceable. From that perspective, there are three comments to be made.
First, with respect to the choice of court, there is one relevant private international law instrument – the Convention on the choice of court agreements (CCCA)112. However, it is inapplicable to matters related to consumer contracts, as they are explicitly excluded from its scope.113 Additionally, at the present moment, there are only two contracting parties of this convention – the EU and Mexico.
Second, with respect to the conflict of laws in matters related to jurisdiction in civil and commercial matters, there are two legal instruments relevant to EU consumers - the Lugano Convention114 and the Brussels I Regulation recast (Brussels I)115. The first one would apply to the cloud provider and a EU consumer only if the provider has its registered office in one of the contracting states of the convention116.
If the cloud provider has its registered office within the EU, then Brussels I would apply. Only the second will be discussed, since it is the European instrument on conflict of laws.
Generally, in cases arising from a consumer contract, the Brussels I will be applicable when the defendant is domiciled in a MS117, or where another provision gives jurisdiction to a court of a MS118. So contractual clauses for choice of
jurisdiction will be binding upon a EU consumer only when the conditions of art 17 or the Brussels I are fulfilled.119120
111 Ibid, p. 199
112 The Hague Convention on choice of court agreements, 2005, [online via www.hcch.net] 113 Ibid, art. 2, (1)a
114 Lugano Convention 2007, OJ EU 209, L 147/5
115 Regulation 1215/2012 of the European Parliament and the Council of 12.12.2012 on jurisdiction
and the recognition and enforcement of judgments in civil and commercial matters, OJ L 351, p 1-32
116 namely Iceland, Norway or Switzerland 117 see n.130 above, art 2
118 Ibid, art. 4, 16 and 17 119 Ibid
120 Moiny, J. “Cloud and jurisdiction: mind the borders” in Weber, R., Cheung, A. (ed.), “Privacy and
Legal Issues in Cloud Computing”, Elgar Law, Technology and Society, Edward Elgar Publishing,
If article 17 of Brussels I applies legal proceedings may be initiated against the consumer only in the courts of the MS in which the consumer is domiciled.121
Conversely, a consumer may bring a case against the service provider either in the MS where the latter is domiciled or where the consumer is domiciled.122 Therefore, a contractual term which derogates from the rules of Brussels I is contrary to the law. At the same time, such term would undoubtedly be unfair since the CJEU has ruled in Oceano123 that even domestic jurisdiction clauses were found unfair. 124125
From a European customer’s perspective and with respect to the applicable law to civil and commercial matters there is one relevant EU instrument – Rome I Regulation (Rome I)126. Article three thereof provides for freedom of parties to choose the law under which the contract shall be governed127. However, the provision of article 6128 limits its application, stipulating that such a choice could be made if it would not deprive the consumer of the “protection afforded to him by provisions that cannot be derogated from by agreement by virtue of the law, which, in the absence of choice, would have been applicable”, namely the law of the country where the consumer has his habitual residence.129
It is clear that such terms, implying particular applicable law, convenient for the cloud providers, could still be considered unfair under the UCTD, even if the term in itself has been validly incorporated in the contract by explicit consent by the consumer.130 Such a term would cause a significant imbalance in the parties’ rights and obligations arising under the contract generating an improper impression to the consumer that the law of his MS is irrelevant for the dispute. Therefore a EU consumer would be deprived of the possibility to defend himself in the MS where he is domiciled131 or from the opportunity to choose where to bring legal proceedings
121 see art 18, par 2 Brussels I Regulation recast 122 see art 18, par 1 Brussels I Regulation recast
123 see ECJ 27.06.2000, Joint cases C240/98 to C-244/98, (Oceano Grupo Editorial SA), [online] 124 see n. 47, p. 83
125 see also Rustad, M. & Onufrio M.V., “Reconceptualizing consumer terms of use for a globalized
knowledge economy”, University of Pennsylvania Journal of Business Law, 2012, vol. 14, p.
1126-1127
126 Regulation 593/2008 of the European Parliament and of the Council, 17.06.2008 on the law
applicable to contractual obligations, OJ 04.07.2008 L 6-16
127 see n.130 above, art 3 128 Ibid
129 Ibid, art 6.1 and art. 6.2 130 see n. 47 above, p. 85 131 Ibid, art 16.2
against the provider132. It would also be impossible for the consumer to rely on the law of the MS he is most familiar with and its legal protection. The consumer would be forced to travel long distances and bear the burden of legal fees in a presumably unknown judicial system. Additionally, since the UCTD applies, regardless the choice of law of a country outside the EU, if the contract has a close connection to the territory of the MS133, the indicative list in the Annex explicitly points out that such type of terms could be unfair. 134
3.3.2. Unilateral change of ToS
Only one company (DropBox), among the investigated ones, makes no indication of unilaterally changing the terms of service of its standard contracts. Eight of the nine companies studied reserve the right to do so. Among them, the procedure for doing that differs considerably. For example, IBM and Oracle, both reserve the right to revise their ToS at any time, without any notice to users. Google Drive warns its customers that they should regularly check the terms themselves as modifications may take place from time to time. Five of the companies (MS Cloud, ADrive, iCloud, Amazon Web Services and Facebook) will inform the users in case of changes in their general agreements and only Facebook provides preliminary “opportunity to review and comment” the changes before continuing to use the services.
However, in case the customer continues to use the service, his action will be considered as an acceptance of the new terms and they will bind him. If the user does not agree with the amendments, he should discontinue his use of the service (for example Google Drive) or the use of future developments and modifications of the service would be barred entirely (iCloud).
It is also true that the technical nature of cloud services requires permanent changing, especially considering the fast evolution of cloud computing as a whole.135 Changes in standard terms of service, therefore, come as a natural consequence of the technology and its features. However, when cloud providers extend that flexibility too much by imposing unilaterally new terms to consumers without giving a chance to negotiate, comment, discuss or cancel the contract, it would be unfair. Such act could
132 Ibid, art 16.1 133 see n.65 above, art 6
134 see n.65 above, art 3 and Annex 1(q) 135 see n.49 above, p. 30
be classified as causing a significant imbalance between the rights of the parties under the contract, because the provider would always be in a better legal position, having the possibility to change the terms of the contract unilaterally, often even without any notification.136 Without any doubt, this would be detrimental to the consumers being put in a situation of constant uncertainty about their rights.
Having in mind the provisions in the Annex of the UCTD, such terms would most probably be considered unfair.137 On the other side, when the provider reserves the right to alter the terms of the contract unilaterally but informs the consumer with reasonable notice and the latter is free to dissolve the contract, that type of contractual term would successfully pass the unfairness test and therefore would avoid any consequence of the unfairness sanctions138.
3.3.3. Warranty
The terms referring to the warranty, given by the cloud provider to the users on the performance of the service, are an area of significant commonality between all providers. 139 Although they sometimes significantly differ in length140 , all investigated standard agreements include such clauses. They aim to exclude any express or implied warranties that the service will be fit for purpose or merchantable. Generally, a cloud service is provided “as is”, or “as available” (For example, ADrive, IBM Cloud, Dropbox) and usually at the risk of the user (Microsoft cloud).
However, all nine providers make a reference to the applicable law to the contract, and the limitations that could impose on the total exclusion.141 It should also
be borne in mind that some providers do not make such a reference and continue to apply a full disclaimer, not considering any consumer protection law, which provides for statutorily imposed warranties. 142
The exclusion of any warranty on the service performance could result negatively in the consumer’s ability to require stable and reliable service. It could also be detrimental to the user, as it would make it impossible to seek compensation in
136 see n.51 above, p. 202 137 see n.65 above, Annex 1(j,k) 138 see n.65 above, Annex, 2(b), par 2 139 see n.51 above, p. 210
140 see n.49 above, p. 35 141 Ibid
case of in non-conformity or low quality. This considered together with pre-drafted character of warranty disclaimers and the weaker bargaining position of the consumer could be regarded as a significant imbalance in the contractual relationship. It is not surprising that under art. 1(b) of the Annex 1 with the UCTD terms which have the object of effect of “inappropriately excluding or limiting the rights of the consumer vis-à-vis the seller of supplier…in the event of total or partial non-performance or inadequate performance of the seller of supplier of any of the contractual obligations” are explicitly indicated as possibly unfair.143
3.3.4. Limitation of liability
All of the investigated companies seek to exclude in their standard contracts any liability for damages caused to customers, arising from the use of the provided service. Other researchers have also observed that trend.144145 The contractual clauses may differ in length and size but certainly have a common core. It consists of basically three different parts – exclusion of direct damages, indirect damages and limitation of damages, where it is not possible to achieve a full disclaimer of liability.
As observed by Bradshaw, direct liability is mainly understood as losses of hosted data.146 Many providers also exclude liability for damages caused by security breaches, data breach or loss, performance breach or inaccuracy of the service.147 However, some cloud providers make a reference to the fact that in different cases the applicable law often may not allow such exclusions, and therefore they foster the latter up to the greatest possible extent permitted by the applicable law (ADrive, Dropbox, IBM Cloud, Facebook). It is also noteworthy that providers within the EU are more inclined not to exclude any direct liability, and where it takes place in standard agreements, it is based on the concept of force majeure.148
However, with respect to consumers, in some EU jurisdictions there is a statutory duty to exercise reasonable care and skill (UK)149, whereas in others there is a legal obligation to act in the capacity of the good merchant (for example Bulgaria),
143 see n.65 above, Annex 1 (b), (m)(q) 144 see n.49 above, p. 35 145 see n.51 above, p 211 146 Ibid 147 Ibid 148 see n.49 above, p. 36 149 Ibid
where the service provider has the duty to provide a service of such a high quality that does not cause damages to the user150.
In the light of the above, some authors consider that such limitation of liability in circumstances beyond the remit of reasonable care and skill should not be regarded as unfair, especially when consumers are advised and assisted in taking precautions against such losses and undertaking backup arrangements.151 It is dubious though that such an approach would be accepted in civil law jurisdictions, because of the simultaneous application of the concept of good faith.
Disclaimers of indirect liability find a place in all the general agreements of all investigated providers.152 Any liability arising out of indirect, consequential or economic losses, including loss of profits, goodwill use or duty, is rejected. That comes to deny the compensation of any damage that could not have been reasonably foreseeable prior the conclusion of the contract. In addition, some providers (MS Cloud, iCloud, AWS and Facebook) deny indirect liability even in situations where they have been explicitly warned or advised of the possibility that some damage could occur.
Where liability cannot be excluded entirely, providers seek to limit it to the extent permitted by the applicable law. Some cloud companies set an aggregate liability, which is either in an absolute value or related to what has been paid for the use of the service for a specified period prior the damage has occurred. An example is Dropbox where any aggregate liability for all possible claims from one user in value above $20 shall be excluded.153 ADrive, Facebook, AWS also limit their liability up
to the amount that has been paid for the use of the service within twelve months prior the claims.
It appears that standard terms that aim at limiting any damage the consumer might suffer, including the damage arising from direct or indirect losses would be detrimental to the consumer. Such terms would also cause a significant imbalance in the contractual relationship between the provider and the consumer of the service, since his rights to take legal action or exercise any other legal remedy would be excluded or severely limited and hindered.154155
150 see Obligations and Contracts Act, Bulgaria, art. 82. 151 see n.49 above, p. 37
152 Ibid, p. 36
153 Facebook goes further and accepts total liability up to $100 154 see n.65 above, Annex, 1 (b, q)
However, there might be a case where cloud service providers may have good reasons for limiting their liability. Some relatively small for the sector providers may not afford to bear the burden of covering extensive consumer’s losses, especially when the service at stake has been provided without monetary payment. In that line of thinking, circumstances that could justify potential limitation of exclusion of contractual liability do exist. 156
3.3.5. Indemnification
Five of the nine companies investigated require from their service users to indemnify the provider and hold the latter “harmless… from and against any and all claims” resulting from the use of the service (only Google Drive refers to that in cases of business use). That comes to say that the user will have to indemnify the service provider for any damage the provider might suffer as a result of a claim that has been brought on the side of a third party against the provider. This has also been described in previous academic research.157 Four of the companies (MS Cloud, Dropbox, IBM
Cloud and iCloud) make no reference to such method of indemnification.
Interestingly, all the companies that require indemnification on the side of the users include in that hypothesis a wide variety of possible occasions leading to compensation, i.e. any and all claims, liabilities, damages, losses, expenses, including reasonable attorneys’ fees and costs.
From the perspective of the consumer, such terms are extremely burdensome, as he, despite having no influence on any possible third-party claimant, would be responsible for any claim and damage arising thereof, regardless hypothetical winning chances of the possible legal proceedings. However, it would be much more reasonable to accept specific indemnification terms where they are requested against intellectual property infringement or defamatory statements on the side of the consumer 158
The European legislator has undertaken precautionary measures to defend the interest of the consumers by explicitly including that type of standard terms in the
155 Wauters, E., Donoso, N. & Lievens, E., “Optimizing transparency for users in social networking
sites”, Journal of Policy, Regulation and Strategy for Telecommunications, Information and Media, 2014, vol. 16, issue 6, p. 16
156 see n.47 above, p. 79 157 see n.49 above, p.37 158 Ibid
