Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

With regard to public, hybrid and private cloud models: the public cloud usage in Belgian companies has grown in the period from 2012 to 2016, from 6 per cent to 12 per cent. (source: Cloudmakelaar, http://

cloudmakelaar.be/2016/12/meer-dan-de-helft-van-belgische-bedrijfsvestigingen-gebruikt-cloud-applicaties). Hybrid clouds are also used, although no exact numbers are available for this specific category.

In the public sector, a notable community cloud project is the development of the ‘G-cloud’. This is a voluntary cloud service for all public sectors and services to centralise public governance in a single cloud. The G-cloud is a hybrid cloud, with the possibility of offering infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS). For the development and functioning of the G-cloud, the government uses private cloud providers, such as IBM, Microsoft and Oracle.

Of the companies that use cloud services (see question 4), the following percentages apply. Storage cloud services are the most used cloud service employed by Belgian companies (66.2 per cent). Next to storage services, e-mail services through the cloud are also strongly represented in the Belgian economy (57.2 per cent). With regard to SaaS, software tools for managing finance and accounting (44.1 per cent in 2015), standard office software (29.7 per cent in 2015), and customer relationship management (CRM) (32.8 per cent in 2015) are commonly used in Belgium. Regarding IaaS the most used applications are hosting services for company databases (48.6 per cent), processing power for proprietary company software (31.8 per cent).

Cloud computing services are mostly used in the human resources (HR) and banking sectors. In HR, cloud solutions are often offered by social secretariats such as Partena, Attentia, SD Worx, Xerius and Securex.

Regarding notable cloud transactions, the Belgian bank Belfius relies on the company Genesys to provide workforce management tools, which stem from cloud-based solutions.

Another notable cloud transaction was announced in 2013. IBM signed an agreement with Belgian bank Dexia and several major financial institutions in Europe to build and manage their IT infrastructure (source: IBM and Dexia, www.dexia.com/EN/journalist/press_releases/Documents/20131206_PR_IBM_DEXIA_agreement.EN.pdf). An IBM company called Innovative Solutions for Finance (ISFF). An IBM company called Innovative Solutions for Finance (ISFF) was designated for this, and sourcing contracts for a total value of US$1.3 billion over seven years were signed. IBM agreed to implement a cloud infrastructure to expand ISFF services into new markets and optimise its existing information technology management.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

  • Amazon;
  • Google (Gmail, Google Drive, Google Docs, Google+, search engine);
  • HP;
  • IBM;
  • LaCie;
  • Microsoft;
  • NetApp;
  • Oracle; and
  • Zenith.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

  • Acerta (SaaS for payroll and other HR services);
  • Adc Antwerp (tier 3 data centre);
  • ADMB (SaaS for payroll and other HR services);
  • Amplidata (storage facilities);
  • Arxus (hosting services);
  • Attentia (SaaS for payroll and other HR services);
  • Calligo (IaaS, SaaS, PaaS);
  • Combell (hosting services);
  • CRM-Warehouse (cloud integrators);
  • First Served (hosting services);
  • Groep S (SaaS, PaaS for payroll and other HR services);
  • Impro Biz (implementation of salesforce CRM);
  • Informat (SaaS for school administration);
  • Isabel (SaaS for e-banking);
  • LCL (tier 3 data centre);
  • Nucleus (cloud hosting services);
  • Partena (SaaS for payroll and other HR services);
  • Protime (SaaS for workforce management);
  • Proximus (XaaS private, public or hybrid cloud services);
  • SAAS45 Channel (SaaS);
  • SaaSForce (cloud services distributor - SaaS);
  • SAP (PaaS for app development);
  • SD Worx (SaaS for payroll and other HR services);
  • Securex (SaaS for payroll and other HR services);
  • Systemat (local cloud integrator);
  • Telenet (PaaS);
  • UnifiedPost (Saas);
  • Xaop (system integration in the cloud); and
  • ZapFi (OTT Wi-Fi cloud platform).

(Cloudmakelaar, http://cloudmakelaar.be/wp-content/uploads/2017/12/CSP-catalog-2017_v2.pdf).

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

In Belgium, 28.5 per cent of the enterprises use cloud computing services. This figure has risen by 7.2 per cent over the past two years. The use of cloud computing services varies strongly in Belgium depending on the size of the enterprise: 64 per cent of larger companies (ie, 250 employees or more) use cloud computing services in Belgium, while only 25.1 per cent of smaller companies (ie, 10 to 249 employees) use cloud computing services (source: Christiaens, www.christiaens.net/

nl/nieuws/cloud-computing-in-belgie-cijfers).

However, the growth of cloud computing has largely stagnated, as shown by reports from 2017. Without differentiating between large or small enterprises, about 56 per cent of corporate establishments in Belgium use cloud applications (source: Belgium Cloud, http://belgiumcloud.com/2016/09/16/de-belgium-cloud-barometer). This is a slight increase compared with 2016 (52 per cent). Meanwhile, one out of seven applications (in other words, 14 per cent of the applications used by enterprises) is an application that runs in the cloud, which is again a slight increase compared to 2016 (one out of eight, or 12.5 per cent of the applications used) (source: Belgium Cloud, http://belgiumcloud.com/2016/09/16/de-belgium-cloud-barometer).

Furthermore, the use of cloud computing differs greatly from region to region in Belgium. A 2017 study conducted by Computer Profile shows that cloud penetration in the Flanders region totalled 64 per cent, followed by the Brussels region with 54 per cent. Lastly, the Wallonia region only counts a penetration rate of 30 per cent (source: Belgium Cloud, http://belgiumcloud.com/2017/12/23/belgium-cloud-barometer-editie-2017/). A 2015 report by cloud service provider Aspex shows that the familiarity rate of SMEs with the cloud is high in Brussels (with 53 per cent of respondents claiming familiarity with cloud computing) while Flanders and Wallonia have low familiarity rates of 20 per cent and 26 per cent, respectively (source: Aspex, http://blog.aspex.be/nl/zijn-er-nog-belgen-in-de-cloud).

These regional differences continue in the types of cloud-based solutions, as can be noticed in the same Aspex report. Concerning the use of SaaS, Brussels sports an impressive number of 52 per cent, closely followed by Flanders with 43 per cent. Wallonia limps behind with 27 per cent of respondents claiming the use of SaaS. The same reasoning continues for IaaS, although the numbers greatly differ. Brussels leads the pack with 51 per cent. Flanders, however, sees a huge drop in percentage with only 31 per cent. Wallonia is hot on its heels with 28 per cent of respondents claiming to use IaaS solutions.

With regard to individual cloud computing use, a study of the information society in Belgium has been conducted. This research shows that, of all Belgian individuals that have used the internet over the past three months, 36.9 per cent have used cloud storage facilities (in 2016) (source: FPS Economy, http://economie.fgov.be/nl/binaries/Barometer_van_de_informatiemaatschappij_2017_tcm325-284038.pdf).

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

The Belgian FPS Economy has published several studies on the impact of cloud computing in Belgium - for example, the ‘Barometer van de informatiemaatschappij 2017’ (source: http://economie.fgov.be/nl/binaries/Barometer_van_de_informatiemaatschappij_2017_tcm325-284038.pdf) and ‘Cloudcomputing - een kans voor de Belgische Economie’ (source: https://economie.fgov.be/sites/default/files/Files/Publications/files/20130730-Cloud-computing-NL.pdf). There are other studies or barometers conducted by non-governmental actors such as Computer Profile or IT companies such as Christiaens. It should also be noted that cloud computing communities such as Belgium Cloud bring out reports about the state of cloud computing in Belgium from time to time.

At present, there are no studies on the impact of cloud computing on more traditional forms of IT outsourcing and other IT transactions conducted in Belgium. Only a 2016 study conducted by Computer Profile stated that the growth of cloud services and hosted services is at the expense of on-premises solutions, without further data or statistics. More research is necessary to establish the exact impact of cloud services on the traditional IT sector in Belgium.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

Yes, through the creation of, among others, Digital Belgium. This action plan establishes a long-term vision for the digital economy in Belgium and aims to place Belgium in the top three of the European Digital Economy and Society Index by 2020. Additional goals are the creation of 1,000 new enterprises and 50,000 new jobs across all sectors, also by 2020 (source: Digital Belgium, http://digitalbelgium.be/en).

Wallonia attempts to attract big players such as Microsoft and Google through attractive research grants and further investigation into subsidising (done by AWEX). As a consequence, Google has built its first data centre outside of the US in Mons (Wallonia) in 2015 (source: Wallonia, www.wallonia.be/en/news/google-inaugurates-second-data-center-mons).

In the public sector, a notable government initiative is the community cloud project ‘G-cloud’. This is a voluntary cloud service for all public sectors and services to centralize public governance in a single cloud. The G-cloud is a hybrid cloud, with the possibility of offering IaaS, PaaS and SaaS. For the development and functioning of the G-cloud, the government uses private cloud providers, such as IBM, Microsoft and Oracle (source: G-Cloud, www.gcloud.belgium.be/nl/index.html).

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

The Microsoft Innovation Centre (MIC) Flanders aims to stimulate the development of Information and Communication Technology in the Flanders region. One of their programs is a Microsoft Azure Developer Camp. Here, companies can discover the possibilities of developing an app in the cloud through Microsoft Azure with the goal of improving, strengthening or changing their corporate projects and methods (source: Microsoft, https://mva.microsoft.com/en-US/training-courses/transforming-it-infrastructure-services-with-azure-at-microsoft-18474?l=PqWWJPMVF_1612263987).

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

A study on cloud computing by the FPS Finances (available at https://economie.fgov.be/sites/default/files/Files/Publications/files/20130730-Cloud-computing-NL.pdf) found that, at present, Belgian law does not contain specific regulations on cloud computing. Thus, there is currently no specific recognition of cloud computing as a commercial, technological or operational concept in the Belgian legal system. However, this might change in the near future with the transposition of the NIS Directive (see below). For the moment, reference should be made to contract law, to specific rules on data protection (see question 15) and to the system of liability of data storage service providers (see question 10).

It is also worth mentioning that in the financial sector, the National Bank of Belgium (NBB) has described cloud computing in its communication of 9 October 2012 as an on-demand service model for provision of IT services, mostly based upon virtualisation and internet techniques. The NBB also refers in the same communication to a special publication of the US National Institute of Standards and Technology on the NIST definition of cloud computing (available at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf).

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

There is currently no legislation or regulation applicable to cloud computing in Belgium which directly and specifically prohibits, restricts, or otherwise governs cloud computing.

However, it should be noted that the European Directive (EU) 2016/1148 on security of network and information systems (NIS Directive) defines the notion of ‘cloud computing service’ for the first time. Pursuant to article 4(19) of the NIS Directive, a cloud computing service is a digital service that enables access to a scalable and elastic pool of shareable computing resources.

The NIS Directive was adopted by the European Parliament on 6 July 2016, but has not yet been transposed into Belgian legislation. However, on 13 July 2018, the Cabinet, acting on a proposal from Prime Minister Charles Michel and Minister of Security and Home Affairs Jan Jambon, approved a preliminary draft law establishing a framework for the security of network and information systems of general interest for public security. (source: Presscenter, http://www.presscenter.org/nl/pressrelease/20180713/kader-voor-de-beveiliging-van-netwerk-en-informatiesystemen-voor-de-openbare-v). Currently, the Belgian Law of 1 July 2011 on the security and protection of critical infrastructures does not mention cloud computing services.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

In contrast to the previous question, there is Belgian legislation applicable to cloud computing services that may indirectly prohibit, restrict or otherwise govern cloud computing services.

This kind of legislation includes, first of all, legislation on data protection, such as the European General Data Protection Regulation (GDPR) which is directly applicable since 25 May 2018. A cloud provider will typically act as a processor of personal data, which means that a data protection agreement has to be concluded.

Also, legislation on outsourcing in the financial sector in the Law of 11 March 2018 (replacing the Law of 21 December 2009) on the statute and supervision of payment institutions and the institutions for electronic currencies, the access to the company of the payment services provider and the activity of issuance of electronic money and the access to payment systems, may affect cloud computing services. In this regard, cloud computing services are subject to the same principles as traditional outsourcing in the financial sector. However, cloud computing is not directly addressed by the Law of 11 March 2018, but the NBB stated in its communication of 9 October 2012 that cloud computing is considered as a type of outsourcing.

The same communication of the NBB states that the circulars dealing with outsourcing, which establish rules on good practices, will remain applicable. Subsequently, the communication states that, in principle, there is no prior authorisation by the NBB required for outsourcing (in contrast to De Nederlandsche Bank (DNB) in the Netherlands: see www.dnb.nl/nieuws/dnb-nieuwsbrieven/nieuwsbrief-banken/nieuwsbrief-banken-februari-2015/dnb319119.jsp). Nevertheless, the NBB emphasises that it should be informed in advance on how these rules on good practices will be applied in practice (see circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies, issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004, available at www.nbb.be/doc/cp/nl/ki/circ/pdf/ppb_2004_5_circular.pdf, and circular PPB 2006/1 CPA on healthy management practices in outsourcing by insurance companies, issued by the Belgian Banking, Finance and Insurance Commission on 6 February 2006, available at www.nbb.be/doc/cp/nl/vo/circ/pdf/ppb_2006_1_cpa_circular.pdf).

The Belgian Civil Code contains provisions on service contracts (article 1779 ff). These provisions may be relevant for cloud computing services. Other relevant legislation is to be found in the Belgian Code of Economic Law, which contains provisions on distance contracts (Book VI and Book XIV) and information society services, which also contains provisions on the liability of data storage service providers (Book XII).

Article XII.19 of the Code of Economic Law states that where an information society service is provided that consists of the storage of information provided by a recipient of the service, the service provider is not liable for the information stored at the request of a recipient of the service, on the condition that the provider does not have actual knowledge of illegal activity or information and, as regards damage claims, is not aware of facts or circumstances from which the illegal activity or information is apparent; or the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, provided that he or she immediately communicates this to the Public Prosecutor.

Additionally, criminal law provisions in the Belgian Criminal Code and the Code of Criminal Proceedings may also indirectly prohibit, restrict or otherwise govern cloud computing services in Belgium. This includes, for example, a provision on the search in computer systems which can be extended to a computer system or a part thereof that is located in another place other than the place where the search takes place (article 39-bis, article 88-ter and 88-quater).

It should also be noted that other Belgian legislation may, whether or not implicitly, require that certain data remains within the jurisdiction of Belgium, such as article 14 of the Law of 8 August 1983 establishing a National Register of natural persons. However, with regard to the free flow of data across member states within the European Union, the legality or applicability of this kind of data localisation legislation may be uncertain in the future.

Other legislation worth mentioning is the Belgian Income Tax Code (article 315) and the Law of 13 June 2005 on electronic communications, which contains provisions i.a. on the principles applicable to the confidentiality of communications.

In the health sector, the Coordinated law of 10 July 2008 on hospitals and other care facilities was amended in such a way that it does not anymore indirectly prohibit the use of cloud computing services by hospitals. Article 20 section 1 of the Coordinated law of 10 July 2008 now states that the patient file must be kept ‘by’ the hospital, and no longer ‘in’ the hospital. After that, the FPS Public Health has drafted guidelines on this matter which were approved by the Belgian Privacy Commission (the Belgian Data Protection Authority) in Opinion 04/2015 of 25 February 2015 (available at www.privacycommission.be/sites/privacycommission/files/documents/advies_04_2015.pdf).

The Belgian eIDAS law, implementing the eIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, may also have indirect consequences for cloud computing in Belgium. It governs, in particular, electronic archiving, which can be very relevant for cloud computing, but it contains also rules on electronic registered mail, electronic seals, electronic signatures, websites authentication, trust service providers and electronic identification schemes.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

The consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing depend on the law that was infringed upon.

The GDPR contains some penal provisions in articles 83-84 meaning that member states should give data protection authorities, such as the Belgian Data Protection Authority (replacing the Belgian Privacy Commission), the competence to impose administrative fines on non-compliant companies.

In the financial sector, payment institutions are subject to supervision by the NBB, and the NBB may, in certain cases, withdraw the licence of a payment institution. That could be the case with the violation of circulars about outsourcing.

Regarding distance contracts and information society services, it is worth mentioning that the Belgian Code of Economic Law contains a Book XV on legal enforcement.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

As regards consumer protection measures applicable to B2C cloud computing services in Belgium, it should be noted that cloud computing contracts are generally concluded over the internet, which means that those contracts are distance contracts.

The European Directive 2011/83/EU on consumer rights (the Consumer Rights Directive) establishes rules on distance selling, which is transposed into Belgian legislation. The transposition of the provisions of the Capital Requirements Directive can be found in Book VI of the Belgian Code of Economic Law. These provisions may also be applicable to cloud contracts. Consequently, in some cases, the right of withdrawal for 14 days may have to be taken into account for the conclusion of certain cloud computing contracts. However, in some cases, the right of withdrawal related to service contracts may be excluded (article VI.53 Code of Economic Law).

The European Regulation (EU) 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels I-bis) states that a consumer may bring proceedings against the Cloud Service Provider (CSP) to a contract either in the courts of the member state in which the CSP is domiciled or, regardless of the domicile of the CSP, in the courts for the place where the consumer is domiciled. The Belgian Code of International Private Law of 16 July 2004 is in accordance with this Brussels I-bis Regulation.

Pursuant to the European Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I), a B2C cloud computing contract will be governed by the law of the country where the consumer has his or her habitual residence, provided that the CSP pursues his or her commercial or professional activities in the country where the consumer has his or her habitual residence, or by any means, directs such activities to that country or to several countries including that country, and the cloud computing contract falls within the scope of such activities.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

In the public sector, the Law of 21 August 2008 established the eHealth platform in Belgium. One of the tasks assigned to the eHealth platform is to check whether software packages for managing electronic patient files comply with the established ICT-related functional and technical standards, specifications, and to identify these software packages. Cloud service providers have to comply with certain requirements, such as security and privacy standards.

In Opinion 04/2015 of 25 February 2015, the Belgian Privacy Commission also stated that the choice for a community or private cloud does not necessarily provide more safeguards than a public cloud in terms of a better protection of personal data. Regardless of the type of cloud, the focus should be on effective data protection safeguards, according to the Privacy Commission.

In the financial sector, the implementation of the European Directive 2014/65/EU on markets in financial instruments (the MiFiD Directive) has led to some operational requirements with respect to investment firms and regulated markets, which also affect their ability to employ subcontracting or outsourcing services, including for ICT services such as cloud computing (see above).

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

On 1 May 2018, new insolvency legislation entered into force in Belgium. A new Book XX was added to the Belgian Code of Economic Law. A CSP can be declared bankrupt by the commercial court if three conditions are met, namely: the CSP is engaged in commercial activities, the CSP has suspended payments to its creditors, and is no longer creditworthy, and so the CSP will continue not to meet its obligations to creditors. If those three conditions are met, the CSP will formally be declared bankrupt by a bankruptcy judgment of the commercial court.

With regard to the fate of contracts concluded before the date of the bankruptcy (which are not terminated by the judgment declaring the bankruptcy), Book XX article 139 provides that the insolvency administrator may terminate those contracts unilaterally when the management of the estate necessarily requires this and that such a decision may not affect the rights in rem of third parties against the estate. The contracts are not automatically terminated unless a termination clause explicitly states so.

The bankruptcy judgment is published in the Belgian State Gazette, as well as in two regional papers. The judgment appoints the insolvency administrator (the receiver), who will perform his or her duties under the general supervision of a supervisory judge, and the judgment also provides the term for creditors to declare their claims to the insolvency administrator and the court (with a maximum period of 30 days). This declaration is necessary for all creditors who wish to assert claims against the CSP.

Subsequently, the insolvency administrator has to decide in due time whether to continue performing the valid cloud computing contracts. The customer can demand the insolvency administrator to decide on whether to perform the contract, and if the insolvency administrator does not decide within 15 days from the date of that demand, the cloud computing contract is considered terminated.

It is also worth mentioning that there is a ranking of the claims that are duly declared. All estate debts and creditors having the benefit of security interest and privileges will be satisfied first. Then the remaining assets of the CSP will be distributed by the insolvency administrator among the unsecured creditors, who rank pari passu.

The termination of the bankruptcy procedure can only be ordered by the court at the request of the insolvency administrator.

Traditionally, source code escrow agreements are used to protect software licensees against the bankruptcy of licensors. It is generally considered, however, that this practice is less interesting in the framework of SaaS contracts. In some circumstances, it can still be helpful to obtain the source code, if it is possible to deploy the software on a different system than the system provided by the SaaS CSP. In such a case, it is possible that stored data must be migrated as well.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

The Belgian Privacy Act of 8 December 1992 (as subsequently amended and further implemented by the Royal Decree of 13 February 2001), which was the transposition into national law of the European Data Protection Directive 95/46/EC, will be replaced by a new Privacy Act. At the time of writing, the text of the new Privacy Act has been adopted in the second reading (source: www.dekamer.be/FLWB/PDF/54/3126/54K3126007.pdf). The main source of privacy legislation applicable to cloud computing services in Belgium is the GDPR supplemented by the Belgian Privacy Act. Other EU instruments may also have an impact, such as the European Directive 2002/21/EC (Framework Directive) and Directive 2002/58/EC (ePrivacy Directive).

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts can be focused on the processing of data residing in the cloud, or can be regarded as contracts of the SaaS category, involving the online operation of applications of all kind, including more and more business-critical applications such as enterprise resource planning programmes and supply chain and logistics management, asset management and asset maintenance, workflow management, human resources, among others.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

B2B public cloud computing contracts are often made by international service providers, who include governing law and jurisdiction of their home state, or may include international arbitration. Belgian service providers often include an arbitration clause indicating specialized Belgian arbitration forums as competent for claims. Some contracts contain dispute resolution clauses that set forth an escalation of disputes up to the level of the executive board of the parties, and if this does not result in a positive outcome, then arbitration, court procedures, or mediation by an external third person are possibilities. With respect to enforceability, salvation clauses normally foresee that clauses that would be invalid or unenforceable, will be automatically adapted in a way that remains as close as possible to the intended meaning of the relevant clause.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

If implementation services are involved, a separate price is foreseen for the implementation service, and this will be paid according to milestones, where the acceptance of the delivered service will oblige the customer to pay the relevant price. The operational cloud service is typically paid as a subscription, with annual, trimestral or monthly payments, typically paid up front. The price can be based on the allowed number of users or the used volume or number of transactions. The cloud contracts normally include an acceptable use policy, providing suspension and possibly even termination of the contract if the use policy is not respected.

Because the cloud service is often a one-to-many relationship, the service provider is practically obliged to include a variation clause in the contract, enabling him or her to modify the service unilaterally when this is needed in order to provide an acceptable service. In order to balance the rights of the customer, such clause will provide a termination right of the customer with an acceptable notice period if he or she does not agree, especially when the cost of the service is increased or certain functionalities are lost.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Cloud contracts will contain a description of the data centre, the communication lines and the security provisions protecting the communication and safety of the data. Data are usually located in a data centre provided by the service provider or by one of his or her suppliers. Customers that are well aware of the risks will ask for service levels that are included in a service-level agreement (SLA) with clear levels and financial sanctions (credits). Regarding data security, the service provider will usually provide encryption and access management, authorisation methods; more and more the compliance with industry standards is demonstrated through certificates.

When personal data is involved, the requirements will at least allow compliance with the legal and sectorial standards for data protection. In that case, customers require a warranty that data remain located in servers in the EU territory. If data must be transferred to, or used from, third countries such as the US, the European compliance measures must be respected. Notification of data breaches is not yet a common clause, but will become more and more of a requirement under the influence of the GDPR, and as general awareness about the risk of breaches on privacy is increased.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

Every cloud contract contains some kind of limitation of liability for any damage caused by the service; liability for consequential and other indirect damages are usually excluded and direct damages are usually limited (often referring to the fee paid for the service as the limitation for damage in the aggregate).

Damage caused by intentional fault or fraud cannot be limited nor excluded by law. Although the possible liabilities of the customer are often considered as less likely, many contracts will balance the customer’s liability in a similar way. Indemnities are usually provided as a safe harmless clause when a customer is confronted with a claim of a third party for infringement of its intellectual property rights. The customer can be liable for infringement on third party’s rights based on infringing applications provided by the service provider, and in that case the service provider will take control of legal proceedings or negotiations and will not hold the customer liable for damages.

In the direct relationship between a data controller and his or her customer, liability for breach of the data protection rules cannot be limited. Similarly, when the customer has a direct claim against a data processor (eg, the CSP) based on a breach of these rules, his or her liability cannot be limited. It is, however, accepted that between a data controller and his or her CSP (acting as data processor), the liability can be limited even for damage caused by breach of the data protection rules.

SLAs are becoming a normal standard of cloud contracts, guaranteeing the availability of the service, timely response of a helpdesk and performance levels. The levels can be negotiated by the customer unless the service is standard for many customers: in which case, the SLA is a take-it or leave-it matter. SLAs are not always sanctioned by financial penalties; however, financial service credits are increasingly applied when the service levels are not met by the provider.

A normal cloud contract should contain clear explanation and warranties regarding business continuity and disaster recovery (eg, through replication of data or applications to spare servers); specific key performance indicators can be set forth to cover maximum loss of data packages and the time needed to be up again after a shutdown. Damages for loss of data are often excluded as damage compensation.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

The intellectual property rights of the applications involved in SaaS agreements or similar contracts remain with the provider of the cloud service; this is usually the case for developed interfaces and specific adaptations as well. Data and other content that is created by the customer usually belongs to the customer. Most contracts contain a provision that warrants the return of data after the termination of a cloud contract.

When the cloud service is endangered because of infringement of third-party rights by the applications of the service provider, the contract clauses usually state that the service provider has the right to apply the appropriate remedy chosen by him or her, such as the adaptation or replacement of infringing code, and if that is not feasible, the termination of the contract with a partial refund of any upfront payment of fees. Damage compensation is usually excluded or at least limited.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

B2B cloud computing contracts usually have a rather short applicability period (typically of one year, automatically renewable unless terminated by either party before the anniversary date of the contract). If an important investment was involved, such a contract can be agreed for three years, but usually not longer.

Termination for no cause will always take a notice period into consideration that is sufficient for both parties to find an alternative contract partner. Termination for cause, on the other hand, is foreseen in case of material breach, usually after a grace period of one month, and in cases of bankruptcy and insolvency procedures.

The retention and return of data is of utmost importance in case of termination and is usually foreseen, although any assistance with data migration can be subject to an additional payment. The service provider will usually not provide a retention right for himself or herself, unless in case of non-payment of service fees where it might be used as a pressure mechanism

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

In some cases, outsourcing of a company’s IT department may be seen as the transition of a corporate entity. In that case, the provisions of collective labour agreement No. 32-bis could be applicable (available at www.cnt-nar.be/CAO-COORD/cao-032-bis.pdf)

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

There are no specific fiscal rules that apply to the establishment and operation of cloud computing companies in Belgium. Instead, the same taxation regime as for other digital service providers - and indeed, for companies in general - is maintained. Important in the context of cloud computing, however, is that these rules may require that data is held at all times within the jurisdiction of Belgium. Two separate regimes must be differentiated.

Article 60 of the VAT Code discusses record-keeping concerning invoices and equivalent documents (such as credit notes) for any taxpayer (meaning both natural and legal persons). Documents can be stored wherever the taxpayer wishes, yet they must be made available whenever the tax administration so requests. If the storage does not guarantee complete and online access, then mandatorily the invoices must be stored in Belgium. At all times, and regardless of the format, the authenticity, integrity and legibility of the invoices must be ensured.

Article 315 of the Income Tax Code also applies to all taxpayers and determines that accounting books and support documents of accounting entries must be kept on record if they can help determine the amount of taxable income. They must be kept at the disposal of the tax administration in the office, agency, branch or other professional or private premises of the taxpayer where they have been kept, prepared or sent. Subject to an exception that may be granted, the books and records may be kept in another place, provided that immediate access to the books and records can be granted or that such documents can be provided on short notice in case of unannounced control.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

The VAT imposed on cloud computing services follows the standard Belgian tariff of 21 per cent for goods and services that do not fall under the exhaustively determined categories of goods and services which have a reduced tariff of 12 per cent or 6 per cent. Cloud computing services also do not fall within the limited category of goods and services that are exempted from VAT. More information on the place of the provision of electronic services to persons who are not liable to VAT can be found here: https://financien.belgium.be/sites/default/files/downloads/electronic-services-en.pdf.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

Announced in 2013 - but still ongoing - is the already mentioned IBM agreement with several major European financial institutions to build and manage their IT infrastructure through ISFF, which was designated for this (see question 1). The total value of the deal amounts to US$1.3 billion over seven years. IBM will set up a cloud infrastructure so that ISFF can expand services into new markets and optimise its information technology management. In April 2018, IBM and Belfius announced a multi-million euro extension of their existing technology services agreement until the end of 2023.

Arguably the most important and notable case of cloud computing within Belgium was the establishment of the G-cloud. As noted before, this is a community cloud project initiated by the government. G-cloud is a voluntary cloud service for all public sectors and services to centralise public governance in a single cloud. Furthermore, it is a hybrid cloud, with the possibility of offering IaaS, PaaS and SaaS. For the development and functioning, the government uses private cloud providers such as IBM, Microsoft and Oracle (source: G-cloud, www.gcloud.belgium.be/nl/index.html).

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

Belgium is sometimes considered too complex to attract large outside investment. The myriad administrative and fiscal regulations that differ in the separate regions means that investors must have a thorough understanding of the institutional structure of Belgium. Also, the Belgian taxation regime on energy entails a large cost for potential cloud computing providers if they construct large and energy-consuming data centres. Moreover, the supply of energy has sometimes been uncertain in Belgium.

Legal uncertainty is a significant deterrent for companies in any sector, and this is most certainly the case in Belgium for the cloud computing sector. As the answers to some of the previous questions have shown, there is no specific legal regime for cloud computing in any facet of its operation. This needs to change if Belgium seriously wants enterprises to fully commit to cloud services as a business practice. Another uphill battle is the uncertainty that many companies have with regard to the security of data on the cloud, especially when the data concerned is sensitive or confidential. Finally, more knowledge of Belgian IT services across all regions would be welcome, so that the understanding of cloud computing can be improved.

We are not aware of any draft laws or legislative initiatives specific to cloud computing that are being developed in Belgium.