The IT sector has overcome worldwide depression. Much of the industry's optimistic outlook results from the rise of cloud computing services. With all sorts of data being transferred to and from the cloud, cloud computing services necessarily require telecommunications links. This gives rise to the question whether cloud computing is subject to national telecommunications regulations, and if so, the regulatory requirements that providers must obey. As the German example shows, this very much depends on the actual configuration of the respective service.
Might cloud services be considered a telecommunications service?
Since 2004 (as a result of implementing the Authorization Directive 2002/20/EC), German law no longer requires telecommunications service providers or network operators to hold a license. Nevertheless, they still need to notify the telecoms regulator – BNetzA (Bundesnetzagentur) – when taking up their service. It is thus decisive whether the respective cloud computing service qualifies as a "telecommunications service" within the meaning of German law. Legally defined as the "conveyance of signals over a telecommunications network", such telecommunications service is generally what the EU Framework Directive (2002/21/EC) refers to as an electronic communications service. Moreover, in order to trigger the notification requirement under German law, the telecommunications service must be offered "to the public", i.e. to an undefined number of potential customers (as opposed to a closed shop offering).
Communication as a Service (CaaS) can include a variety of diverse communication services including e-mail, VoIP and IM. Obviously, the build-up of every single communication process – such as establishing a VoIP connection or an audio/video conference – is a "transmission of signals over a telecommunications network" and thus a telecommunications service within the meaning of German law. And as a general commercial offering, these services are also provided "to the public".
However, this still does not mean that every CaaS service must necessarily be notified under German telecoms law. A CaaS service may rather be split into the (notifiable) part of handling the actual signal transmission, and the (not notifiable) part of providing applications that facilitate communications. As long as the CaaS provider is not himself involved in the actual signal conveyance (but relies on third party providers in this respect, also without reselling their services), it will not become subject to German telecommunications regulation. The level of regulatory exposure is thus also a matter of shaping a particular service – and of drafting the respective agreements.
Other cloud computing services
Users need a reliable Internet connection to get into the cloud. Communication is thus not only an issue with CaaS, but effectively with any cloud computing service. Whereas providing Internet connectivity on the one hand and offering cloud-based resources on the other are technically two different products, they may not be perceived as such by the end customer, e.g. in the event of service interruptions. Cloud service providers may therefore feel a commercial need to expand their offer beyond the actual cloud product – by reselling the connectivity element as well in a bundled offer. From this angle, a cloud computing provider may then still become subject to telecoms regulation even if the actual cloud service is not a telecommunications service within the meaning of the law.
Moreover, cloud services (by definition) rely on decentralized IT resources such as application servers or storage media. These resources need to be connected among themselves, and/or with additional resources that function as back-up capacity in the event of server outages. While this is for the most part just an internal process to manage the relevant IT resources, the data transmission between different server locations will not be a service that the cloud computing provider offers "to the public", and therefore this alone will not be sufficient to trigger a notification requirement under German telecoms law. But if a provider specifically markets the redundancy feature of its service, this may in fact be seen as providing a telecommunications service to the public.
To the extent a cloud computing service meets the notification requirements as outlined above, it must be registered with the German telecoms regulator even if the service provider is not located abroad. German telecoms law already applies if the service is (also) aimed at German customers, i.e. with no physical presence of the provider in Germany.
Failing to comply with this requirement may trigger a fine of up to EUR 10,000. The registration as such is rather a formality. Using a BNetzA form, the provider must provide its company details as well as a description of the respective service. It must be submitted immediately after launching the service. Any subsequent changes to the service or the provider's details must then again be reported.
Other telecoms regulatory requirements
If a cloud computing service qualifies as a regulated telecommunications service within the meaning of German law, it not only needs to be registered with BNetzA as described above. Moreover, a number of further regulatory requirements apply.
German telecoms law provides for extensive consumer protection rules that apply to providers of telecommunications services to the public. Therefore, if a CaaS offering needs to be registered with BNetzA, it must also comply with these obligations. In particular, these require transparency of the provider's pricing and other service conditions. Also, the provider must offer an itemized bill and comply with certain other billing requirements. In this respect, it must be noted that a "consumer" within the meaning of these German requirements is not only an end user, but in fact every contractual partner of the CaaS provider. These requirements therefore apply not only in a B2C context, but also to B2B relations. Infringements may lead to damage claims and to competitors seeking restraining orders.
Secrecy of telecommunications
The secrecy of telecommunications is a fundamental principle of German law. Accordingly, a telecommunications service provider must not have knowledge of the contents of the actual communication that is running over its system, unless and to the extent such knowledge is actually required to technically provide the service. This obligation addresses not only those service providers that meet the registration criteria as explained above, but it is even broader and comprises also companies that only contribute to providing a regulated service. This may in fact apply to CaaS providers where the actual communications service is rendered by a third party provider, but the CaaS provider handles (only) the signalling data that is required to establish and terminate a connection. Here again, the level of regulation therefore depends on the specific configuration of the service.
Finally, sector-specific telecommunications law provides for a number of public safety rules. On the one hand, these ensure the security of telecommunications, and on the other allow government enforcement authorities to access certain communications infrastructures, e.g. for criminal prosecution purposes. In this respect, providers of telecommunications services, as well as those who contribute to providing such services, must take all necessary measures to protect the secrecy of telecommunications and the integrity of communications and data processing systems. Inter alia, this also means that emergency call functionalities must be supported. Again, this may address CaaS providers even if they do not themselves offer a regulated service but only enable a third party provider to do so. Also, as operators of telecommunications facilities (e.g., switching devices), providers of cloud computing services would be required to provide for a security policy that needs to be filed with BNetzA. The obligation to provide information access to government enforcement authorities, however, only applies to regulated telecommunications services that meet the requirements for a BNetzA notification (see above).
In essence, cloud computing is about providing online access to software and hardware resources. As such, cloud computing services are not necessarily within the scope of sector-specific telecommunications law, but they are in any event closely linked to the use of telecommunications infrastructures and services. This is particularly the case with CaaS, i.e. with the provision of integrated communications solutions from the cloud. Telecommunications regulations such as notification requirements, but also customer protection and public safety obligations must thus be taken into account when reaching out for the cloud.