IP Cases & Commentary – Details
3 December 2012
Poor Visibility With a Chance of Pain - The Need to Protect IP in the Cloud
Whilst 'cloud computing' is – appropriately enough – a nebulous term, it can be generally understood to mean 'the use by a customer of remote and centralized computing facilities provided by a third party host'.
The benefits of such facilities to the customer include immediate access to large computing resources with less need for in-house training and investment, and also a flexible scaling of resources in response to rapidly fluctuating demand.
In these difficult economic times it also shifts investment risks onto the host service provider, and means for the customer that computing infrastructure and its management can become an operational expense rather than a capital investment, freeing up hard-to-borrow capital for other purposes.
Unsurprisingly therefore the market for cloud solutions is growing rapidly.
However, some of the legal practices governing these services remain immature, and so in this article we outline several issues relevant to intellectual property (IP) that can consequently arise in this still developing industry.
IP flow into the cloud
The figure below is a simplified diagram of typical IP flow in the cloud. In addition to their own IP (processes, data and know-how), customers using the cloud typically also licence-in third party software and services, and may facilitate the creation and/or importation of IP by their own users. Similarly the host may bring their own processes, data and know-how to the cloud, and may similarly licence in third party tools and services such as analytics software and operating systems.
Most of this IP will already have a well established ownership status. The mere act of placing a process or information in the cloud should not in itself be expected to alter this status, although commonly the host will require a limited licence from the customer, to publish or republish some customer data for the purposes of providing a relevant cloud service.
However, there are several issues to consider with the transfer of IP into the cloud.
Issue 1 - third party licenses
The first issue is the limitations found in third party licences, whether for software or more general patented technology. These licences typically restrict how or where a technology can be used, which can conflict with the distributed and multi-jurisdictional nature of many cloud services.
Depending on how a licence is written, it may simply not extend to the cloud at all. Conversely, many licences do not specifically exclude cloud usage but may have geographical restrictions, such as use exclusively in the UK, which the customer cannot easily comply with once the technology is implemented on the host's cloud. Similarly, limits on concurrent uses of a software licence may in some circumstances be difficult for a customer to monitor or enforce in a cloud system.
Hence the customer needs to consider their ability to comply with existing licences when deploying third party technology in the cloud. In addition, both customers and hosts should consider notifying other parties in the cloud of any restrictions on use of software that they introduce. Clearly it is also advisable to seek indemnification from any party in the cloud supplying licenced information or technology for your use, in case they are acting ultra vires.
Issue 2 - liability for content
The second issue is the extent to which the customer and the host are liable for IP in content uploaded by users. This is a broad issue and the conditions for liability vary from country to country. However the overarching theme is whether the service provider (which may be the cloud host or customer, depending on the circumstance) knows about the content at issue. Hence 17 USC 512(c) (DCMA) for the US, and Section 97A of the Copyright Design and Patents Act 1988 for the UK, provide some protection for service providers unwittingly storing user content that infringes copyright.
Hence in addition to customers having clear terms and conditions for their users relating to the nature of uploaded material, at least the host should have adequate monitoring, access and take-down mechanisms in place in order to respond to infringement notifications. Meanwhile, the customer should ensure that the host's takedown mechanisms are proportionate and limited to the offending content or user, and will not unduly affect their own operations.
Issue 3 - Disclosure
A third issue with transferring IP to the cloud is disclosure. The customer is effectively entrusting valuable information and know-how to a third party. However, a recent survey of cloud service providers suggests that there is considerable variability in how hosts treat customer data, with some only disclosing data in response to a court order, whilst others in essence state that they have no duty of confidentiality at all and that it is up to the user to protect their own data, for example through encryption.
Bearing in mind that several forms of IP protection have novelty and/or diligence requirements, it is therefore clearly important for a customer to ensure that a prospective host has a confidentiality policy that meets their needs.
IP flow from the cloud
Referring back to the figure, new information and possibly new processes may also be generated for both the host and customer as a consequence of operations in the cloud, and hence potentially valuable IP may be generated in the cloud itself that each party will want to retain control of. However, unlike IP flowing into the cloud, the ownership of this data may be more difficult to establish.
For example, whilst a host may reasonably monitor a customer's activities for billing purposes, a host should not be able to mine their customer's own data (or vice-versa) in order to sell that information or its derivatives to competitors or service comparison sites.
For such information (and indeed for information flowing into the cloud), automatic rights that may provide some protection include copyright, database rights, and trade secret rights.
Whilst all major states protect copyright in digital works, different states have different definitions of what a work is. For example, English law has a pragmatic 'sweat of the brow' test that is likely to cover any data records of value in the cloud. Meanwhile in civil law countries like Germany, an emphasis on protection of the author requires a level of creativity to distinguish a copyrightable work from mere information. The US similarly has a creativity threshold, albeit one lower than in Germany.
The EU database right, meanwhile, "prevents extraction and/or re-utilisation of the whole or a substantial part of the contents of that database" and lasts between 10 and 15 years. The qualification for the right is similar to the English 'sweat of the brow' principle but sets a higher threshold, requiring "a substantial investment in either obtaining, verifying or presenting the contents".
Hence where your data is stored in the cloud may have a significant impact on the protection available.
Arguably the UK has some of the best protection, having the lowest bar to copyright protection whist also benefitting from the availability of EU database rights.
Finally, customer's trade secrets are entitled to a minimum level of protection under Art 39(2) of the TRIPS agreement, but only provided that reasonable steps are taken by the person in control of the information to keep it secret. This reinforces the need for a customer to carefully check the confidentiality obligations of the provider in any cloud agreement.
If things go wrong
In addition to checking for a sensible end-of -agreement exit strategy regarding data transfer and retention, it is worth noting that in the same survey of cloud service providers1, only 2 out of 30 agreements offered to be bound by the jurisdiction of the customer's choice. Perhaps unsurprisingly, 15 chose Californian state law, whilst 8 chose UK law – reflecting the UK's lead in cloud services in Europe, and perhaps also the similarity of its common law approach to that found in the US. Clearly this can also have a significant effect on the customer's available rights and prospective litigation costs.
Steps to take
Most of the above issues can be resolved with a well framed IP agreement between the customer and the host – or where the host has fixed terms for cost and service reasons, they can be mitigated by appropriate agreements with third parties and the customer's own users.
D Young & Co's dispute resolution and legal team are ideally positioned to assist with such agreements, and can be contacted directly or through your usual D Young & Co colleague.
It is important to consider your IP needs before signing on the dotted line, in particular in relation to geography, third party rights and disclosure.
For customers, they should choose a cloud host that best fits these needs. For hosts, as the cloud becomes increasingly commoditised, their ability to meet customer IP needs will become a more important factor differentiating them from the competition.