Cloud Service Providers (CSPs) can be liable for copyright infringements either directly or indirectly. The focus of this post will be on indirect or contributory liability arising out of copyright infringements done by users particularly in the context of using IaaS (Infrastructure as a Service) and SaaS (Software as a Service), and how safe harbour principles that generally applies to ISPs can be extended as a form of exception to CSPs.
It is evident from the words of Steve Jobs that cloud computing has significantly altered the ways in which information is collected, stored and exchanged over in a computer system or network environment. Akin to most disruptive technologies of this nature, cloud computing (hereinafter referred to as CC) delivers risks and opportunities to all stakeholders who are part of the internet infrastructure. The disruptive nature of cloud infrastructure is due to its decentralised character where storage or processing facilities no longer need to be owned by a user, as a distributed network of servers can be leased to perform the same functions without additional cost or expertise.
The reformatory computing solutions introduced in cloud platforms includes SaaS (Software as a Service), IaaS (Infrastructure as a Service) and PaaS (Platform as a Service), which raises different questions of content liability. In comparison to PaaS, IaaS and SaaS which delivers computing solutions to the end-user, is frequently confronted with the issue of infringing content that is uploaded by the said user often without the knowledge of the cloud service provider (hereinafter referred to as CSP).
Thus, the regulatory framework has been shaped to accommodate these risks arising out of disrupting technologies particularly in the context of content industry. From the rise of video recording equipment to MP3 file formats to web services that offer free streaming, there has been a constant historic struggle to strike a balance between the interest of copyright holders and the right of the public to receive and impart information. Cloud computing has been the recent addition into this age-old tussle which has become a prominent issue given the de-territorial nature of cloud infrastructure. While efforts have been made to ascertain which rules apply to a cloud platform, the judicial interpretations remains meagre and open-ended as can be noted in the case of Football Dataco Ltd. V Sportsradar GmbH & Anor. This case dealt with the European Union’s sui generis database right and what is interesting to observe was how processing of copyrighted content on a server based outside the jurisdiction of the UK was interpreted to be subject to the UK Copyrights Act. Although the issue of jurisdiction and judicial competence is beyond the scope of this paper, what is interesting to note is that the Court’s observation on the question of reutilisation provides intriguing insight as to how CSPs can no longer be exempted based on territorial limitations.
Accordingly, CSPs can be held liable either directly or indirectly for infringement of copyrights. They can be held primarily liable for actively engaging in infringement of copyrights on their own volitional conduct or bear secondary liability by facilitating infringing conduct of the end user. Therefore, this paper seek to analyse the secondary liability of CSPs specifically in the context of SaaS and IaaS deployment models in the US and EU framework based on selected case law. The paper will explore the provisions of safe harbour principles stipulated by the US Digital Millennium Copyrights Act (DMCA) of 1998 and EU Directive 2000/31/EC on Electronic Commerce and ascertain how the said provisions can be applied in the case of CSPs. Finally, the paper will conclude with a a general analysis of applying the said principles for CSPs and what other measures are necessary to ensure innovative technologies like cloud services are not inhibited due to too rigid copyright rules.
The National Institute of Standards and Technology (NIST) provides a list of elements that characterises cloud computing, which includes, on-demand self-service, resource pooling, extensive network access, elasticity and measured service. For the purpose of this discussion on secondary liability for copyright infringement by CPSs, what is most relevant are the elements of on-demand self-service and network access. On-demand services are defined as the capability for end-user to store and summon information to and from the cloud server without the need of any human interaction within the CSP. Network access facilitate this self-service by allowing users to access the content stored on a cloud platform based virtually anywhere in the world. The cumulative effect of the above elements therefore relates to the very root of the question of liability for infringing content. From the network access point of view, it facilitates the end-user’s capacity to access the content whether it is legal or otherwise. On the other hand, absence of human interaction in on-demand self-service questions the degree of liability on the part of the CSP for automated processing. However, the secondary liability can be further analysed in terms of the relationship between CSP and the end-user and the technical make-up of the cloud service in question.
The relationship between CSP and the end-user is governed mainly by the Terms of Service agreed between the said parties. Generally, the end-user is vested with the responsibility to ensure adherence to copyright laws during the course of its usage of the cloud service. Accordingly, the user has primary responsibility to ensure that the content shared on the cloud servers does not breach copyrighted works. Therefore, any violation of the said terms could lead to cessation of the cloud service. The basis for the above provisions is that works that are copyrighted outside the cloud, does not lose its protected status despite being uploaded to serves even based outside its original jurisdiction. Therefore, the test here is whether the CSP engaged in ‘volitional conduct’ and not merely facilitated but actively engaged in the act of infringement. Therefore, in the absence of actual knowledge on the part of the CSP it would be difficult to assume liability for the illegal conduct of the user.
Therefore, in the absence of verifying the legality of the content by default, processing of copyrighted content may raise liability for infringing reproduction rights and to some extent communication rights. Although, this issue has not yet fallen under judicial scrutiny, it can be reasonably construed that depending on the extent of the extraction and nature processing of the copyrighted content in question, it can be perceived as a form of derivative based on the original work thus imputing primary liability on the CSP. On the contrary it can also be argued that meta-data generated on the cloud assumes a sui-generis protection independent of the copyrighted content placed by the end-user. However, it would be difficult to reconcile the interest of CSP in this context given the imminent commercial value of the meta-data as they facilitate the CSP to customise its services to the customer and promote advertisements that fits the profile of the user. Therefore, liability can be assumed in this regard, as courts have consistently held that no exception can be claimed when a derivative or copy of an original work has an evident economic value.
Another method of disclaiming liability is through the architecture of the cloud platform in question. Generally in SaaS and Iaas models, the end-user has limited discretion to control the platform of his choosing as the interaction is governed by the CSP-controlled user-interface. Therefore, it has been opined that “the user interface is law” as it controls and decides the ways the end-user is entitled to interact with the content, regardless of their legal status. The hash-tagging mechanism in Dropbox for example prevents sharing documents that contain the same hashtag although the CSP does not engage in proactive monitoring of all content stored. Therefore, a sound copyright-friendly architecture would elevate any looming primary liability for the CSP.
However, there can be instances where the very technical makeup of the cloud infrastructure could impute liability for infringements. As recently observed by the US Supreme Court in the case concerning Aereo, a cloud-based application that allows recording of live TV-streams, “if there is ‘substantial similarity’ between the services offered by the CSP and cable companies, the ‘behind the scenes’ technical differences did not differentiate Aereo from the latter.” Accordingly, even if the very code of the cloud service is meant to be copyright-friendly that imputes primary liability towards the end-user, it is submitted that courts may opt to view these platforms analogous to traditional communication/broadcasting entities thereby imputing direct liability to the CSPs. This in fact amounts to mere ‘guilt by resemblance’. The repercussions of such approach from business point of view will be discussed below.
Accordingly, it is important for any jurisdiction to iron out rigidities in the law in order to accommodate innovative technologies as cloud computing. Therefore, in the face of looming liability suits, it will enable CSPs to formulate their business models around any available exemptions provided under the copyright framework. The WIPO Treaty of 1996 requires signatories to provide immunity for ISP liability for infringements by their subscribers. In line with this directive, the DCMA of 1998 stipulates safe harbour provisions for Online Service Providers, a term which invites broad interpretation.
In the context of IaaS and SaaS solutions, the CSP can claim protection based on having actual knowledge of the infringement, response to that knowledge, absence of direct financial benefit and compliance with notice and take down provisions. The DMCA does not mandates CSPs to actively monitor its services to ensure compliance. It is to be noted that the safe harbour provisions act in addition to any defence the CSPs may have against primary infringement of its users. For example Veoh was a service akin to YouTube which employed a SaaS model. End-users were able to interact through a browser and processing of data taking place on the Veoh cloud servers and Veoh was sued for infringements by its users. However, provisions of section 512 of DMCA was interpreted to qualify Veoh under the safe-harbour provisions for both storage and processing of infringing content placed by its subscribers. A similar finding had been made in the Viacom-YouTube litigation where safe-harbour for secondary liability was granted due to lack of actual knowledge on the part of YouTube.
However, the US Supreme Court in the recent case of Aereo observed a different approach which creates ambiguity in the application of the aforesaid provision. Although the case revolved on the issue of public performance as opposed to storage and processing that were addressed in the previous cases, Court observed a substantial similarity between the cloud service and traditional broadcaster. Therefore, future of cloud storage, even it is essentially private use, would come under scrutiny if courts proceed to make analogies with traditional means of copying or broadcasting which will adversely affect innovative start-ups in the making.
The EU E-Commerce Directive on the other hand also recognises certain safe-harbour provisions akin to the US model which includes an actual-knowledge component, compliance to notice-and-takedown procedure and having no general obligation to monitor. In the Google AdWords case the CJEU held that it is essential for a service provider to perform a neutral role that is only technical and passive indicating a lack of knowledge as to the content it holds in order to qualify under the given exemption. Whilst Court reiterated that Article 15 precludes any requirement for active monitoring in this case and further in the case of Netlog, there is insufficient clarity as to what connotes the said ‘neutral role’.
For example, in the case of L’Oreal v EBay, although it primarily dealt with operator of an online marketplace, CJEU imputed the concept of ‘diligent economic operator responsibility’ in addition to the requirement of having actual knowledge or active control of the data thus stored by the end-user to qualify for safe-harbour provision.
As observed before, a CSP specifically under IaaS and Saas models permits CSP-controlled interface that essentially assumes control over how the information is processed through its platform. Furthermore, it was further discussed above the question of meta-data that is generated based on the content placed by the end-user regardless of its legal status. Therefore, it is submitted based on the line of thinking of the L’Oreal case, processing content by IaaS and SaaS infrastructure and further processing of meta-data would invariably fall under the definition of having active control of the data and implicit knowledge. Further, if the notion of diligent economic operator is to become a deciding factor in the application of the exemption under Article 14 would essentially mean that CSPs will have to place active monitoring operations in place regardless of the provisions under Article 15.
Accordingly, the landscape for liability for CSPs remains unsettled on both sides of the Atlantic despite the explicit exemptions stipulated under the respective legislations. However, it is submitted that the cases analysed above refer to specific questions of law and none has directly dealt with the issue of CSPs operating IaaS and SaaS models that generate meta-data, and where technical makeup would differ from that of Aereo. Whilst this maybe perceived a positive side note, it cannot be overlooked that the legal clarity is essential in view of the proliferating cloud industry and tech start-ups based on these cloud deployment models.
In light of the uncertainties that prevail, a legislative reform that addresses these ambiguities in a manner that balances rights and interests of authors, end users and CSPs is essential. While reiterating the importance of staying technology neutral in copyright legal reforms, a reasonable balance must be struck between the said neutrality and certainty of the law. It is relevant to recall that historically, disruptive technologies has been eventually dealt with legislative measures, for example the exemptions granted to ISPs. As certainty of the legal landscape is an intrinsic component for development of businesses, there is a need for recognition of the transformative nature of CSPs.
However, as technology progresses, it must be borne that online service providers no longer remain neutral. They employ sophisticated methods to optimise the services they offer to the end-user which ranges from data-mining techniques to profiling to artificial intelligence modules. While most these techniques contain a commercial component, it is becoming increasing difficult to characterise CSPs to be neutral in their dealings with the content placed by the end-user nor to argue they lack knowledge as knowledge can be implied based on the control they exercise on the content of the end-user. However, on the other hand, sophistication of technology should not hinder innovation either. It is time to revisit the exemptions introduced a decade ago in order to take cognisance of the growth in the tech-industry’s capacities that did not exist when the above provisions were drafted.
 J. McKendrick, 10 Quotes on Cloud Computing that Really Say It All, Forbes, Mar. 24, 2013, http://www.forbes.com/sites/joemckendrick/2013/03/24/10-quotes-on-cloud-computing-that-really-say-it-all/#6ba9e2212102. (Accessed 20.05.2016)
 D.I. Brainbridge, Intellectual Property, 890, 8th ed. (2010)
 Case C-173/11 Football Dataco Ltd. V Sportsradar GmbH & Anor ECR 2012
 J.C. Ginsburg, E. Treppoz, International copyright law US and EU perspectives 557 (Edward Elgar, 2015)
 G. Tian, Cloud computing and copyright, A. Cheung, R.H. Weber (Ed.), Privacy and legal issues in cloud computing 169 (2015)
 P. Mell and T. Grance, The NIST definition of cloud computing recommendations of the national institute of standards and technology special publication 800-145 (2012), http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf. (Accessed 18.05.2016)
 M. Melzer, Copyright Enforcement in the Cloud, 21 Fordham Intell. Prop. Media & Ent. LJ 403 (2011) 407
 “You’re responsible for your conduct, Your Stuff and you must comply with our Acceptable Use Policy. Content in the Services may be protected by others’ intellectual property rights. Please don’t copy, upload, download or share content unless you have the right to do so.” – Terms (Dropbox Mar. 4, 2016), https://www.dropbox.com/privacy#terms. (Accessed 18.05.2016)
 C. Reed, Information in the cloud: ownership, control and accountability, A. Cheung, R.H. Weber (Ed.), Privacy and legal issues in cloud computing 139 (Edward Elgar, 2015)
 Paris Tribunal de Grande Instance, November 10 2008, NT1 Wizzgo (Case 08/58864); J. McNamee, The response of European digital rights to: The European commission’s green paper on the online distribution of audiovisual works November 2011 (2012), http://ec.europa.eu/internal_market/consultations/2011/audiovisual/registered-organisation/edri_en.pdf. pp3.7 (Accessed 17.05.2016)
 P. De Filippi, M.S. Vieira, The commodification of information commons: the case of cloud computing, 16 Columbia Sci. & Tech. L. Rev. 102 (2014) 133
 P. De Filippi, Law of the cloud: on the supremacy of the user interface over copyright law, 2(3) Internet Policy Review (2013), http://policyreview.info/articles/analysis/law-cloud-supremacy-user-interface-over-copyright-law. (Accessed 16.05.2016)
 ABC et al v Aereo Inc. 573 U.S. (2014)
 M. Horten, The Aereo dilemma and copyright in the cloud, 3(4) Internet Policy Review (2013), http://policyreview.info/articles/analysis/aereo-dilemma-and-copyright-cloud. (Accessed 16.05.2016)
 Section 512(c)
 UMG Recordings Inc. v Veoh Networks Inc., 620 F. Supp. 2d 1081, 1092 (C.D. Cal 2008)
 Viacom International Inc., v Youtube Inc., 718 F. Supp. 2d 514, 529 (S.D.N.Y. 2010)
 Article 15
 Joined cases of Google France SARL v Centre national de recherché en relations humaines (CNRRH) SARL and Others (C-238/08), Google France SARL v Viaticum SA and Luteciel SARL (C-237/08) and Google France SARL and Google Inc. v Louis Vuitton Malletier SA (C-236/08)
 Allen & Overy LLP, Intellectual property in the cloud (2013), http://www.allenovery.com/SiteCollectionDocuments/Intellectual_property_in_the_cloud_May_2013.PDF. (Accessed 15.04.2016)