LEGAL CONCERNS ARISING FROM THE USE OF CLOUD TECHNOLOGIES by Allan Paul Jackson Submitted in partial fulfilment of the requirements for the degree Doctor of Laws in the Department of Private Law Faculty of Law UNIVERSITY OF PRETORIA Supervisor: Prof SJ Cornelius October 2017 Copyright © 2017 This document may not be copied, cited or distributed without the prior permission of the author Declaration of Originality I, the undersigned, do hereby declare that this thesis, which I submit for the degree of Doctor of Laws in the Faculty of Law at the University of Pretoria, is my own work and has not previously been submitted for a degree at any other university. I have as best possible, correctly cited and acknowledged all my sources. SIGNED: ALLAN PAUL JACKSON DATE: SUPERVISOR: PROFESSOR STEVE CORNELIUS DATE: ii Plagiarism Agreement University of Pretoria Plagiarism policy agreement The University of Pretoria places great emphasis upon integrity and ethical conduct in the preparation of all written work submitted for academic evaluation. While academic staff teaches you about referencing techniques and how to avoid plagiarism, you too have a responsibility in this regard. If you are at any stage uncertain as to what is required, you should speak to your lecturer before any written work is submitted. You are guilty of plagiarism if you copy something from another author’s work (e.g. a book, an article or a website) without acknowledging the source and pass it off as your own. In effect, you are stealing something that belongs to someone else. This is not only the case when you copy work word-for-word (verbatim), but also when you submit someone else’s work in a slightly altered form (paraphrase) or use a line of argument without acknowledging it. You are not allowed to use work previously produced by another student. You are also not allowed to let anybody copy your work with the intention of passing if off as his/her work. Students who commit plagiarism will not be given any credit for plagiarised work. The matter may also be referred to the Disciplinary Committee (Students) for a ruling. Plagiarism is regarded as a serious contravention of the University’s rules and can lead to expulsion from the University. The declaration which follows must accompany all written work submitted while you are a student of the University of Pretoria. No written work will be accepted unless the declaration has been completed and attached. Full names of candidate: ALLAN PAUL JACKSON Student number: U 15365990 Date: 14 NOVEMBER 2017 Declaration 1. I understand what plagiarism is and am aware of the University’s policy in this regard. Signature of candidate: Signature of supervisor: iii Summary THE LEGAL CONCERNS APPLICABLE TO CLOUD TECHNOLOGIES by Allan Paul Jackson Supervisor: Professor S.J. Cornelius Department: Private Law University: Pretoria Degree: Doctorate of Law The thesis is a study of the Legal concerns arising from the use of cloud technologies. During the research a multi-disciplinary and comparative research methodology was used. The study examines the emerging legal questions about the issues and challenges of cloud- based technologies. It attempts to tackle the various issues experienced such as data security, personal data protection, intellectual property protection, as well as understanding where the cloud platforms, storage and database centres are located or hosted and the possible legal implications therof. International sources from disciplines such as the computer sciences, regulators and legal practitioners, who have all presented critical responses to the growing challenges posed by the cloud and how the cloud is regulated, were used. By doing so the legal implications of jurisdiction, information ownership and issues of regulatory control, competition and cross- border data flow regulation were scrutinised. The thesis is targeted to assist legal practitioners, academics and regulators by presenting a wider realistic view of the issues and challenges being faced. The results provide a first step 0 towards addressing the legal concerns arising from the use of cloud technologies and help drive the transformation of the legislation applicable for cloud technologies. Acknowledgements I am indebted to all the authors of the research material used in this thesis and would like to thank them. I gratefully acknowledge their research, work, comments and opinions, which have provided me with the basis for the preparation of this thesis. I gratefully acknowledge the use of material from legal cases, products and companies. To present the best possible information, I felt it was relevant to the problem to use the cases, products, or businesses with which the reader would be most familiar. If there is any similarity of the writing in this thesis to those of others, I do not attempt to take anything away from those works. However, I only wish to provide a broader perspective on the overall subject matter. I also do not intend to represent any of the facts of any case or situation used. Finally, I wish to acknowledge the invaluable guidance, insights and support provided by my supervisor, Professor S.J. Cornelius. 1 Contents Declaration of Originality ........................................................................................................ii Plagiarism Agreement ........................................................................................................... iii Summary .............................................................................................................................. 0 Acknowledgements ............................................................................................................... 1 Abbreviations ........................................................................................................................ 8 1. Introduction ................................................................................................................. 11 Problem Statement ............................................................................................... 11 Legal Questions .................................................................................................... 13 Assumptions ......................................................................................................... 14 Motivation ............................................................................................................. 15 Methodology and Approach .................................................................................. 15 2. Cloud Technical Description ........................................................................................ 17 Introduction ........................................................................................................... 17 How Cloud Computing Works ............................................................................... 19 2.2.1. The view of SaaS ........................................................................................... 20 2.2.2. The view of PaaS ........................................................................................... 21 2.2.3. The view of IaaS ............................................................................................ 23 2.2.1. Cloud Computing, Definitions and Features ................................................... 24 Advantages and Benefits of the Cloud .................................................................. 26 Obstacles in the Confidence of Cloud ................................................................... 26 Conclusion ............................................................................................................ 28 3. General Legal Safeguards ........................................................................................... 30 Introduction ........................................................................................................... 30 National Information Security Directive ................................................................. 32 Cloud Access by Foreign and National Governments ........................................... 32 Data Protection and Data Flows ............................................................................ 33 Intellectual Property and Related Issues ............................................................... 36 Governing Boundaries of Cloud Contracts ............................................................ 37 2 Risk Assessment and Management ...................................................................... 38 Conclusion ............................................................................................................ 39 4. Cloud Safeguards and Legal Framework .................................................................... 40 Introduction ........................................................................................................... 40 Available Regulatory Instruments .......................................................................... 41 Sector-specific Regulation .................................................................................... 43 4.3.1. Interoperability and Data Portability ............................................................... 43 4.3.2. Network Neutrality ......................................................................................... 45 4.3.3. Vertical Integration ......................................................................................... 46 4.3.4. Electronic Commerce ..................................................................................... 47 Conclusion ............................................................................................................ 50 5. Competition Law ......................................................................................................... 51 Introduction ........................................................................................................... 51 Market Definitions ................................................................................................. 51 International Interpretation of Market Definition ..................................................... 52 Interoperability and Data Portability ...................................................................... 53 Vertical Integration ................................................................................................ 55 Restrictive Agreements ......................................................................................... 56 Abusive Market Behaviour .................................................................................... 57 A South African Perspective of Abusive Market Behaviour ................................... 63 Conclusion ............................................................................................................ 66 6. Cloud Data Protection Regulation ............................................................................... 67 Introduction ........................................................................................................... 67 Cloud Service and Deployment Models ................................................................ 67 Cloud Concerns for Data Protection Authorities .................................................... 68 General Data Protection Standards ...................................................................... 70 Cloud Business Model Challenges ........................................................................ 74 6.5.1. Outsourcing ................................................................................................... 74 6.5.2. Cloud Cross-border Data Flows ..................................................................... 76 3 6.5.3. Third-party Contractor Agreements ................................................................ 80 6.5.4. Standard Offering .......................................................................................... 81 Conclusion ............................................................................................................ 83 7. International Law and the Cloud .................................................................................. 84 Introduction ........................................................................................................... 84 Cloud Jurisdiction - Cloud Border-crossing ........................................................... 85 Jurisdiction ............................................................................................................ 86 Private International Law....................................................................................... 88 Court of Jurisdiction .............................................................................................. 89 Forum Selection .................................................................................................... 89 Default Rules and Applicable Law Determination .................................................. 91 Conflict of the Rules of Law .................................................................................. 92 Substantive International Obligations .................................................................... 95 Conclusion ........................................................................................................ 96 8. Cloud Cross-border Data Flow .................................................................................... 98 Introduction ........................................................................................................... 98 Framework for Data Protection in the EU .............................................................. 99 8.2.1. Definition of Personal Data ............................................................................ 99 8.2.2. Anonymisation, What is it? ........................................................................... 100 8.2.3. Pseudonymisation, What is it? ..................................................................... 101 8.2.4. Definition of Processing ............................................................................... 104 EU Personal Data Transfers ............................................................................... 104 EU Personal Data Transfers from the EU to the USA ......................................... 105 EU Law – Requirements for Transferring Personal Data ..................................... 106 8.5.1. Personal Data Transfers to a Representative Processor .............................. 108 8.5.2. Information Policies...................................................................................... 109 8.5.3. Disclosure to Third Parties ........................................................................... 110 Conclusion .......................................................................................................... 112 9. Personal Data in the Cloud and Re-identification ...................................................... 114 4 Introduction ......................................................................................................... 114 The Ever-changing Legal Landscape of Personal Data ...................................... 116 What is Data Anonymisation when all Data is Considered Personal? ................. 120 Anonymous versus Anonymised Data. ................................................................ 121 The Deliberation over Anonymised Data ............................................................. 123 Data Aggregation and Combination for Re-identification ..................................... 128 Conclusion .......................................................................................................... 131 10. Traversing the Cloud .............................................................................................. 133 Introduction ..................................................................................................... 133 Innovative Methods for De-identified Personal Data ........................................ 135 Data Quality and Quantity ............................................................................... 136 Risk Assessment of the Disclosure and Reuse of Data ................................... 137 Accountability .................................................................................................. 138 Conclusion ...................................................................................................... 139 11. Cloud Borders, Territorial Locations, and Private International Law ........................ 141 Introduction ..................................................................................................... 141 Competent Court ............................................................................................. 141 Applicable Law and Territorial Location Determination .................................... 144 Territorial Location Determination – Intent Evidence ....................................... 146 Territorial Location Determination of Users ...................................................... 148 Conclusion ...................................................................................................... 149 12. Cloud Data, Ownership Rights of Information in the Cloud ..................................... 150 Introduction ..................................................................................................... 150 Ownership ....................................................................................................... 150 Uploading Data in the Cloud ............................................................................ 152 Data and Information Produced in the Cloud ................................................... 159 Cloud Information Control ................................................................................ 163 Cloud Accountability ........................................................................................ 165 Cloud Communal Customs .............................................................................. 170 5 13. Copyright in the Cloud ............................................................................................ 173 Introduction ..................................................................................................... 173 Advantages of Cloud ....................................................................................... 173 Cloud Approach and Policy in Key Countries .................................................. 175 Cloud User’s Copyright Liabilities .................................................................... 176 Traditional Copyright Law and Statutory Exemption of Private Reproductions . 179 Exceptions under Digital Copyright Law .......................................................... 180 Conclusion ...................................................................................................... 181 14. Cloud Service Providers Copyright Liability ............................................................ 183 Introduction ..................................................................................................... 183 What Is Safe Harbour Legislation? .................................................................. 183 The United States Free Trade Agreement and Safe Harbour Laws ................. 184 Recent Case Law on Safe Harbour in the USA ............................................... 186 Safe Harbour in South Africa ........................................................................... 187 Conclusion ...................................................................................................... 188 15. Copyright Gap ........................................................................................................ 189 Introduction ..................................................................................................... 189 Industry Concerns and the Gaps in Copyright Law .......................................... 189 The Fair Use Solution ...................................................................................... 190 ‘Fair Use' and Why? ........................................................................................ 191 Conclusion ...................................................................................................... 193 16. License Agreements and Distribution ..................................................................... 194 Introduction ..................................................................................................... 194 The Frequent Challenges of Determining Terms ............................................. 196 Cloud Contract Terms ..................................................................................... 199 Cloud License Utilisation Features .................................................................. 200 Service Commitments ..................................................................................... 203 Quality Protection of Services .......................................................................... 205 Control Rights of the Client .............................................................................. 208 6