Market overviewKinds of transaction
What kinds of cloud computing transactions take place in your jurisdiction?
The official statistics define ‘cloud computing’ as the IT services used on the internet to access a software, processing power or a storage capacity and that include all the following characteristics:
- to be delivered from IT servers operated by service providers;
- to be easily increased or decreased;
- once installed, to enable use without the need for human contact with the provider; and
- to be payable either by the user or depending on the capacity used or to be prepaid.
These services may include connections via a virtual private network (VPN) (https://www.insee.fr/fr/statistiques/3856105?sommaire).
The different varieties of cloud computing services covered by this definition are offered in France. In 2018, the services the most frequently used were infrastructure-as-a-service (IaaS, according to the NIST typology), mainly in the form of file storage (27,002 companies out of the reportedly 35,280 using cloud computing services). Software-as-a-service (SaaS) was also very frequently used by businesses (mainly for messaging services; otherwise, for office automation software, customer relationship management and accounting software), just as much as database hosting (in the platform-as-a-service (PaaS) category) (Insee, TIC 2018 enquiry, TAB08: Use of cloud computing services by internet).
Furthermore, according to the same statistical enquiry, in 2018 the businesses that purchase cloud computing services on shared IT servers (public cloud) are almost as numerous as those requesting servers exclusively reserved for their needs (private cloud).Active global providers
Who are the global international cloud providers active in your jurisdiction?
Amazon Web Services enjoys a dominant position in France like elsewhere, and the other principal global providers, Microsoft Azure and Google Cloud Platform, are also very active (www.lesechos.fr/tech-medias/hightech/google-cloud-sera-aussi-gros-quamazon-web-services-dans-deux-ans-1030266). Numerous other international players commercialise their services directly or indirectly in the country (eg, IBM, Rackspace, Oracle, NTT, Salesforce, Alibaba, Tencent) (https://www.zdnet.fr/actualites/top-2019-des-fournisseurs-de-cloud-aws-azure-gcp-ibm-sur-l-hybride-et-salesforce-domine-le-saas-39880577.htm).Active local providers
Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?
While the principal global providers are dominant players on the market for both the software-, platform- and infrastructure-as-a-service activities, in France this market includes pure players such as OVH and Outscale (IaaS and PaaS) as well as providers integrating both public and private cloud services offerings such as Atos, Orange, Capgemini and Sopra Steria (www.usinenouvelle.com/article/atos-tire-30-de-son-chiffre-d-affaires-2018-du-digital-pas-assez-pour-dynamiser-sa-croissance/). As there are numerous providers active in France, some of them can be found among the members of the EuroCloud association (www.eurocloud.fr/adherents/) (SaaS, PaaS) or of the Cloud Infrastructure Services Providers in Europe association (CISPE: https://cispe.cloud/publicregister) (IaaS).Market size
How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?
According to the official statistics (see question 1), 19 per cent of French companies with at least 10 employees were using cloud computing services in 2018.
The research firm Markess published a barometer estimating the size of the French cloud computing market to be nearly €12 billion in 2019, representing a growth of 20 per cent over the previous year (www.usinenouvelle.com/article/le-cloud-en-france-un-pactole-de-12-milliards-d-euros-en-2019.N862810).Impact studies
Are data and studies on the impact of cloud computing in your jurisdiction publicly available?
Numerous analyses and official studies are regularly undertaken on the digital sector in France including, more specifically, on cloud computing services. The INSEE statistics (www.insee.fr) and the analyses of the Ministry of Economy and Finance (www.entreprises.gouv.fr/observatoire-du-numerique/usages) are the most prominent ones.
The administration is particularly focused on the modus operandi for the different forms of cloud computing and publishes its works for the needs of the public bodies (for example, www.entreprises.gouv.fr/numerique/guide-du-cloud-computing-et-des-datacenters).
Ad hoc analyses are undertaken by professional organisations such as EuroCloud (www.eurocloud.fr), which includes 200 service providers on the cloud market, or Syntec Numérique, which represents digital service companies, software publishers and technology consultancy companies (www.syntec-numerique.fr). On the side of users, associations such as Cigref (www.cigref.fr) or software user clubs such as SAP’s (www.usf.fr) also publish such analyses.
PolicyEncouragement of cloud computing
Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?
Successive governments express concern about the security of data originating from their administrations and other public bodies. In 2012, the government encouraged the creation of two data hosting providers, Cloudwatt and Numergy, to enable data storage on national territory, out of reach of foreign legislations and extraterritorial access by foreign governments (‘sovereign cloud’). Yet, this initiative was short-lived as major public customers prefer major classic players (for example, the national railways, the city council of Paris, the Ministry of Defence - see www.lesechos.fr/idees-debats/cercle/le-secteur-public-a-besoin-dun-cloud-souverain; www.zdnet.fr/actualites/, microsoft-et-ministere-de-la-defense-le-debat-sur-le-contrat-open-bar-fait-son-retour/).
Beyond such concerns for data security, cloud computing is one of the hot topics in every new government economic development plan (eg, ‘Nouvelle France Industrielle’, 2013; ‘Grand plan d’Investissement’, 2017…).Incentives
Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?
Although not limited to such operations, various financial funding and tax benefits may help support investments in cloud computing activities.
Specifically, financial funding for innovation and loans may be granted in the context of the Investment Plan for Europe (the Juncker Plan) and of the ‘FrenchTech’ programme in support of start-ups. These programmes are managed by the public agencies usually in charge of financing the economy, the Deposits and Consignments Fund (www.caissedesdepots.fr/developper-le-numerique-sur-le-territoire) and BPIFrance (www.bpifrance.fr/A-la-une/Actualites/Systancia-securise-les-applications-dans-le-cloud-35047).
Preferential tax benefits such as the tax credit on research and development costs, the tax exemption for innovative new companies or the tax credit for innovation expenses may also be called upon under their own terms.
Legislation and regulationRecognition of concept
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
The concept of cloud computing has been acknowledged by the official texts since 2010, when the terminology commission in charge of establishing the official definition of new terms in the French language defined ‘cloud computing’ (that is, a ‘means of processing client data, the exploitation of which is made via internet, in the form of services provided by a service provider’) and provided an official translation in the French language.
For the purpose of implementing the EU directive on Network and Information System Security of 9 July 2016, the French legislator enacted in February 2018 a statutory definition of the ‘cloud computing service’ (that is, ‘a digital service that enables access to a set of flexible and variable IT resources that may be shared’). This service is classified among the ‘digital services’, along with online platforms and search engines, for which the providers are obliged to comply with certain security obligations (see question 9).Governing legislation
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
The Law No. 2018-133 dated 26 February 2018 transposed Directive No. 2016/1148 of the European Parliament and the Council dated 6 July 2016, which aims to meet a uniform high level of security for the networks and information systems set up in the EU (NIS).
This law obliges digital services providers (including cloud computing providers) to identify the risks that affect their networks and information systems’ security and to take the technical and organisational measures necessary for managing these risks, to guarantee the continuity of their services.
These providers must notify the National Cybersecurity Agency (ANSSI) of any incident that has a significant impact on the provision of their services. Upon the Prime Minister’s initiative, they may be subject to compliance and security controls, which will be made by the same agency. When they offer their services in the EU but are located in a third-party state, such providers must designate a representative in a member state.
Further to the adoption of the General Data Protection Regulation (GDPR) (see question 15), the EU enacted on 14 November 2018 Regulation No. 2018/1807, which establishes a framework for the free flow of non-personal data within the EU. Specifically, this text prohibits member states from requiring the localisation on their territory of the processing of data that is neither personal data nor ‘inextricably linked’ to personal data. Exceptions are allowed only if based on public safety grounds and balanced accordingly and must be reported to the EU Commission by 30 May 2021. These provisions will concern, in particular, the use of cloud computing services by state administrations and other public bodies, whose data are currently considered as ‘public archives’ and must not be exported out of the territory (Heritage Code, article L111-7).
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?Posts and Electronic Communications Code (CPCE) (telecom operators)
Under the existing EU ‘telecom package,’ services relating to digital ‘content’ provided online (eg, online platforms, search engines, site hosting, portal management, edition of online content, etc) are distinguished from telecommunication services, which concern the ‘container’. Telecommunication operators are governed by their own provisions which, historically, have been more burdensome than those applicable to cloud and other digital services providers, for instance, as regards internet neutrality (governed by EU Regulation No. 2015/2120 dated 25 November 2015), personal data protection, confidentiality of correspondence, neutrality in respect of messages content or access to emergency numbers. Yet, in practice, the boundaries between services are not as obvious. For instance, the main digital services providers set up cache servers in the operators’ networks in order to bring their content closer to end customers. Accordingly, about 50 per cent of the incoming traffic to internet access providers originate from the four main content providers - Google, Netﬂix, Akamai, Facebook (Regulatory Authority for Telecommunications (ARCEP), 2019 Report). It was not until recently that the European Court of Justice itself had to determine whether Skype should be considered as a telecommunication service and fall within the telecommunication regulatory regime (ECJ, No. C142-18, Skype Communications Sarl v IBPT, 5 June 2019).
The forthcoming EU Electronic Communications Code (due to be transposed by the member states by 21 December 2020) attempts to restore fairer competition conditions. It will cover the existing telecommunications services but also ‘interpersonal communications services’, regardless of whether users connect through publicly assigned numbering resources or otherwise. Voice over IP and messaging SaaS services such as Skype, WhatsApp, Wechat or Facebook Messenger should, therefore, fall within the scope of the regulated services.
On another note, the CPCE defines and regulates a service category which combines both telecom and cloud computing aspects, the ‘electronic safe’. The purpose of this service is the receipt, storage, removal and transmission of data and electronic documents in conditions that must retain their integrity and exactitude of origin (article L.103). The providers of these services must set up the security measures necessary to meet these conditions and to ensure the traceability of the operations made on the data and documents. They must set up a technical file to provide proof of their adherence to the legal requirements.Defence Code (Fundamental Operators)
Since the law of military programming No. 2013-1168 dated 18 September 2013, the Defence Code submits a specific category of players, the infrastructures and systems of which are strategic for the country, designated as Fundamental Operators (OIV), to specific rules concerning the security of their information systems (article L1332-6-1 et seq). Each OIV is obliged to provide a map of its information system, ensure that it is homologated and establish a security policy for its system. The OIVs must inform the Prime Minister of the incidents affecting the functioning or security of their information systems. They must enable the ANSSI to carry out audits and must set up any security measures requested by the latter. Such obligations require the service agreements to be adapted, including those that they may enter into with digital service providers for cloud computing.General tax code (clients)
All companies are obliged to retain the documents on which the French tax authorities have a right of communication, enquiry and control. The documents in question must be kept for at least six years (Tax Procedure Code, article L102 B). In this context, the use of a cloud computing service to store invoices must meet the various conditions concerning the terms of conservation of the documents and the countries of location of the storage servers (Tax Procedure Code, article L102 C). The invoices issued or received by a company must remain accessible from its principal establishment or registered office in France, regardless of the country of storage. The French tax authorities must be informed of the location of storage of the invoices.
Furthermore, when an accounting department works with automated systems (including SaaS), the tax authorities’ right of control applies to all the information, data and software processing that are used to establish the results and statements for the tax authorities, as well as the documentation relating to the analysis, programming and the performance of IT processing (Tax Procedure Code, articles L13, IV and L47 A,II).
For such a purpose, the tax authority may set up its own IT processing on the company’s equipment. Furthermore, since 2014, all companies must communicate their online accounting to the tax authorities according to the required standards (Fichier des Ecritures Comptables). Finally, the tax authority may, after court authorisation, launch a search and seizure procedure, including the seizure of data hosted on IT servers. The location abroad of the servers concerned does not constitute an excuse (Paris Court of Appeal, order dated 31 August 2012).Others
Other examples may be found in a variety of texts, including the second version of the European Payment Services Directive (PSD2), which entered into force in January 2018 and makes strong authentication mandatory for payments over €30.
Furthermore, cloud computing transactions are indirectly governed by sector-specific legislation or regulations, as discussed in question 13, as well as by data protection and privacy legislation applicable to any kind of personal data processing, as discussed in question 15.
More generally, all regulations governing business-to-business (B2B) relations apply to transactions between cloud computing service providers and businesses. For instance, the French Law No. 2016-1691 on transparency, fight against corruption and modernisation of the economy of 9 December 2016 (Sapin II Law) requires large businesses to take measures to prevent and detect acts of corruption and subornation. Cloud computing records will be key to demonstrating compliance.Breach of laws
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
The Law No. 2018-133 dated 26 February 2018 (see question 9) sanctions the directors of digital service providers to a fine of €100,000 when they prevent audit and security operations from being carried out in accordance with the law, and a fine of €75,000 when they do not comply with security measures that they have been formally required to take as a result of such an audit. If they fail to declare an incident or disclose information to the public as legally required, these directors may be subject to a fine of €50,000.
The Posts and Electronic Communications Code sanctions operators and their agents to a one-year prison sentence and a fine of €75,000 for failure to delete or ensure the anonymity of any data relating to communications or for not retaining technical communication data in accordance with the legal requirements (article L39-3) (see question 10). Furthermore, those who offer a connection to the public enabling an online communication via an internet access, including for free, are required to comply with the provisions applicable to telecoms operators, including to register themselves with the competent regulatory authority (ARCEP). Accordingly, they are subject to the same sanctions as telecoms operators (article L34-1).
The Defence Code sanctions directors of the OIVs to a fine of €150,000 if they fail to set up a protection plan, to accomplish works they have scheduled or to carry out the works requested following an audit, or otherwise fail to comply with their legal obligations (article L1332-7). These sanctions may be multiplied fivefold for the operators as legal persons.Consumer protection measures
What consumer protection measures apply to cloud computing in your jurisdiction?
With regard to consumers, the cloud computing service providers are obliged to respect the provisions of the Consumer Code. This code regulates the entire relationship with a client, from the obligation to provide pre-contractual information (article L111-1 et seq), the process for entering into an online contract (article L121-16), the prohibition or regulation of commercial practices and abusive clauses, the provision of guarantees, through to the terms for terminating such contracts.
The pre-contractual information must be provided in a legible and understandable manner and a written confirmation of the contract must be provided as well (article L221-5). Insofar as the request for cloud computing services usually implies immediate use, the usual right of withdrawal that lasts for 14 days will most often not apply (article L121-21-8 1°). Finally, the consumers benefit from a right of portability of their personal data within the conditions of the GDPR (see question 15).Sector-specific legislation
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
A number of sector-specific legislation or regulations that do not specifically target cloud computing transactions actually apply indirectly thereto. In regulated sectors (eg, healthcare, banking, etc), regulations or recommendations in this respect are usually issued by the authority in charge of the sector. The following provides only a few examples.General Security Referential (public sector)
Since Decree No. 2010-112 dated 2 February 2010, the state administrations, local authorities and other administrative bodies must guarantee the security of the information systems that they are using to provide the users with online services (for example, the payment of criminal fees for minor offences) and to correspond with them electronically. For such purpose, they must respect a general security referential, which defines the rules and best practices to be followed, and terms such as certification, official approval or security audits (www.ssi.gouv.fr/entreprise/reglementation/confiance-numerique/le-referentiel-general-de-securite-rgs/). This general referential indirectly applies to the service providers used by the administration, including for cloud computing services.
In this context, the ANSSI adopted a referential of specific requirements for cloud computing service providers called ‘SecNumCloud’. The last version of this document was published on 11 June 2018 (www.ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1 _anssi.pdf). It covers the various types of cloud computing services: the software delivered as online services, the infrastructures (offices and data centres) and the operating, management and operational procedures of the providers. This label is considered as much more demanding than others such as ISO 27000. So far, one provider is a ‘qualified service provider’ for cloud computing services under this referential (Oodrive). As at July 2019, six other certification applications were in progress (https://www.ssi.gouv.fr/liste-produits-et-services-qualifies).Heritage Code (public sector)
The Heritage Code defines the legal regime for the archives of the state and other public bodies in general. It sets obligations for their safekeeping, which may only be outsourced if the provider is approved and if the archives are kept on French territory (article R212-23).French Public Health Code (health sector)
Article L1111-8 of the French Public Health Code requires that health data hosting providers implement specific safeguards, fulfil certain commitments and be certified. Failure to meet the requirements defined by the public health agency (ASIP Santé) is sanctioned by a fine of €45,000 (and three years’ imprisonment (article L1115-1)).Order dated 3 November 2014 of the French Finance Ministry relating to the internal control of companies in the banking sector and others (financial sector)
The French Supervisory and Regulatory Control Body (ACPR), which is in charge of preserving the stability of the financial system and protecting the customers, insurance policyholders, members and beneficiaries of the businesses under its control, clarified in 2013 that cloud computing services should comply with the rules governing the outsourcing of banking activities. These rules are now set forth in an Order of 3 November 2014. Among other requirements, this text provides that the relevant businesses must remain able to terminate at any time the outsourcing services they use without this affecting the continuity or quality of the services they provide.
More recently, the European Banking Authority issued ‘Recommendations on outsourcing to cloud service providers’ which address five key areas: the security of data and systems, the location of data and data processing, access and audit rights, chain sub-processing, and contingency plans and exit strategies (www.eba.europa.eu). These recommendations must be applied by the national authorities (eg, the ACPR) to the relevant businesses.Inter-professional Agreement dated 3 October 2016 concerning the obligation to seek continued exploitation relating to cinematographic and audio-visual works (cinema sector).
In the cinema industry, a trade agreement provides for the film producers’ duty to ensure the conservation of the works used to create movies, so as to guarantee that such works are recorded in digital formats that enable their availability online. This agreement has been made mandatory by government decree. In furtherance thereof, a trade association, the Technical Superior Board of Image and Sound, has issued technical recommendations concerning, among others, the material conditions for the conservation of works under the contracts concluded with service providers (www.cst.fr: CST-RT043-2017-12-18-12h02.pdf).Insolvency laws
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
The French Commercial Code provides the rules applicable to the insolvency of companies. No specific provision applies to cloud computing service providers, even though the consequences of their insolvency could be severe on consumers and professionals alike.
Therefore, appropriate precautions against the loss of data due to such situations should be incorporated into the contractual provisions governing the services, particularly with regard to reversibility and pricing.
Data protection/privacy legislation and regulationPrincipal applicable legislation
Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.
The processing of personal data is subject to the GDPR of 27 April 2016. This text has been supplemented by national legislation (Ordonnance No. 2018-1125 of 12 December 2018 amending the Law No. 78-17 of 6 January 1978 on information technology, files and freedoms; Decree No. 2019-536 of 29 May 2019). The main data protection rules applicable to cloud computing services delivered in France are the same as in the other EU member states (which was the main reason for enacting a regulation under EU legislation). The following aspects may be noteworthy.Data controller and data processor
In most cases, a cloud computing service provider will be considered as a ‘data processor’ (ie, as acting pursuant to and under the instructions of its client). The client will, in turn, be considered as the ‘data controller’ (ie, the party who determines the purposes and means of the data processing (GDPR, articles 4 and 28)).
Consequently, obligations pertaining to the relations with the concerned individuals (‘data subjects’) will continue prima facie to be assumed by the clients. This concerns, in particular, the requirement for the individuals’ consent to the data processing; the duty to minimise data collection to the types of data actually necessary; the duty to keep data up-to-date and for no longer than is necessary to fulfil the processing’s purposes; the duty to ensure the security and confidentiality of the data against unauthorised or unlawful processing and against accidental loss, destruction or damage; the duty to respond to individuals’ requests to correct, delete or transfer their data. On the other hand, insofar as they qualify as data processors, the service providers will be responsible mainly for the implementation of technical and organisational measures that ensure a level of security appropriate to the risks inherent to the data processing. Their obligations in this respect are detailed in question 19.
However, it must be emphasised that the GDPR expressly provides that the parties to a service contract may be considered as joint data controllers. In a market where certain types of cloud computing services are dominated by a few service providers, this clarification is intended to correct some imbalances inherent in adhesion contracts (see question 16).Cross-border transfers
Under the GDPR, personal data may be transferred out of the EU only if adequate safeguards are implemented (article 44 et seq). This requirement also applies to cloud services directed at individuals residing in France but based on servers located outside the EU. Thus, the use of servers outside the EU is not prohibited per se, but it is regulated, with a view to granting individuals the same protection as within the EU. Furthermore, data is considered as being transferred to any given country as soon as access to such data is technically possible from such country. To locate the servers within the EU is, therefore, not sufficient to determine that data is not processed abroad and that a cross-border transfer is not taking place. Similarly, one may not consider that cloud services based on servers located in France are per se compliant, if the data controller does not ensure that ‘sufficient guarantees’ are provided by the cloud computing service provider.Individuals’ rights
In the event that the cloud computing service provider proposes to transfer personal data out of the EU, the data subjects must be informed not only that their personal data is processed by a data processor, but also that it is transferred outside the EU (GDPR, articles 13 and 14). In the event that the service provider is faced with a security breach, it must notify its client without delay and notify the persons whose data is involved. Also, the service provider will have to enable ‘data portability’ (ie, to enable its client to deliver the personal data upon request to the relevant data subjects, in a structured, commonly used and machine-readable format), and to transmit such data to another controller without any impediment (article 20).
The French data protection authority (CNIL) issued recommendations on cloud computing services in 2012 (www.cnil.fr: Recommandations_pour_les_entreprises_qui_envisagent_de_souscrire_a des_services_de_Cloud.pdf). Although they need to be updated with the GDPR, these recommendations provide useful guidance on how to implement data protection in agreements.
Cloud computing contractsTypes of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
Cloud computing offerings are characterised by a multitude of contract documents, which for most providers include, as a minimum:
- the general conditions;
- the conditions specific to the given service;
- a service-level agreement defining the key performance indicators and the quality and service level commitments;
- an ‘acceptable use policy’ specifying the lawful conditions for use of the service.
These documents are multiplied according to the requirements of each service, which results in the service providers presenting comprehensive and complex catalogues.
These standard documents are generally recent and are regularly updated. The entry into force of the GDPR on 25 May 2018 (see questions 15 and 19) requires significant adaptations, just like Order No. 2016-131 dated 10 February 2016 reforming the French law of contracts (with its ratification Act No. 2018-287 of 20 April 2018). Among various provisions aimed at sustaining contractual justice, the new contract law indeed provides that a contract that includes a set of non-negotiable clauses that are predefined by one of the parties constitutes an ‘adhesion contract’.
In such a contract, a clause will be considered as non-existent where it causes a significant imbalance between the parties’ rights and obligations. In the event of any doubt, an adhesion contract will be interpreted against the party that proposed the contract. Comparisons may be made with the abusive clauses regime which protects consumers in business-to-consumer contracts.
This new statutory regime may help alleviate certain one-sided provisions that thrive in standard cloud computing contracts and help introduce more balance in favour of customers, as will be seen in the following questions. Such a reassessment remains contingent, however, on the application of French law to the contract.Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?Governing law and dispute resolution
Standard contracts always include a clause defining the applicable law and which court has jurisdiction. The service providers thereby submit their contracts to the law and courts of the state where their establishment is located. Often, they have an establishment in the European Union. In France, their contracts are therefore often subject to the law and jurisdiction of a member state of the EU.Enforceability
The public cloud contracts do not offer much opportunity for negotiation. As a consequence, the enforceability of their provisions is not necessarily guaranteed under the law - for example, in regard to the consent given by the client on standard documents that prove to be inaccessible or that allegedly should evolve without his or her express approval.
The clients frequently request the right to audit how the services are carried out in order to verify the services compliance with the provider’s commitments, in particular with regard to security. The GDPR provides for this right (article 28.3). Since, in practice, it is difficult and costly for the providers to continuously accommodate the auditors sent by the clients, the providers try to obtain certifications (eg, ISO 27000) and propose in their clauses to communicate their own audit reports in order to limit the need for the clients to carry out additional verifications.Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?Flexibility
Flexibility is a key component of cloud computing contracts. The hosting services are generally invoiced on the basis of the resources granted to the client (eg, number of servers, CPUs, etc). Agreements usually offer the possibility to cease both use and payment of the resources at short notice. Clients may add services or increase their capacity through online portals without the need to sign contract amendments. Flexibility is also reflected in the contract duration, which may run by the month, thereby enabling the clients to include the costs in their operating expenses.Acceptable use
A cloud computing contract generally includes clauses to define limitations of use of the service by the client and its employees (often grouped together in an ‘acceptable use policy’ appendix). Usual clauses prohibit:
- use beyond the client’s internal business purposes;
- use violating third parties’ intellectual property rights; and
- use for unlawful purposes, including to harass, defame or abuse third parties or to post obscene, violent or discriminatory content.
Although cloud computing services are often presented as being ‘content neutral’ and customers’ data considered as protected by confidentiality, service providers reserve the right to enquire about suspicious use and to suspend access and to put an end to the service in the event whereby the client’s data would appear to infringe upon the restrictions of use.
This reflects the increasingly stringent legal constraints to ensure that the internet players assume responsibility for the online content. For example, an employer must ensure that his or her internet access is not used by his or her employees to replicate or disseminate works protected by copyright (article 336-3 of the French Intellectual Property Code). This indirectly concerns the cloud computing service provider working for such employer.Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?Confidentiality
The terms and conditions covering data and confidentiality in contracts subject to French law are similar to those found under other laws. By way of principle, cloud service providers undertake to protect the confidentiality of their clients’ data. Access to such data is granted to their employees on a ‘need-to-know-only’ basis, insofar as required to deliver the services. Reference is often made to the employees’ individual confidentiality commitment, which is required by the GDPR and will usually be provided for in labour contracts.
Unlike pure players, which focus their services on the provision of infrastructure or storage for clients’ data and purport to be ‘content agnostic’, cloud service providers that provide software or other value added services often seek to gain a right to access and use customers’ data with a view to building up ‘big data’ pools on their own. This will often be provided for through a clause enabling such use for the purpose of ‘improving the services’ or ‘customising the customer’s experience’ of the service. Such purpose often covers targeted advertising.
In such circumstances, the confidentiality of clients’ and individuals’ data may be jeopardised. For example, in July 2016, the CNIL noticed that through the processing of users’ data for Windows applications, Microsoft was obtaining information on all the applications downloaded and installed by the users as well as the time spent on each application, which was not necessary for providing the service. Furthermore, an advert ID was activated by default upon the installation of Windows 10, which enabled Microsoft to follow the user’s browsing and to target the advertisements without the latter’s prior consent. The corrections requested by the CNIL have since been made.
The confidentiality clauses also show their limits in front of legislation requiring the service providers to disclose users’ data to their governmental authorities (eg, US Patriot Act and US Cloud Act). The GDPR meets this type of situation by requesting the providers to inform their clients beforehand on the legal obligations of communication that may apply and prohibit them from deferring to such requests if they are not based on a mutual legal assistance treaty or similar (GDPR, articles 28 and 48). To date, many clauses still need to be more specific on this issue.Location of data and data processing
In this context, numerous services attempt to reassure clients by guaranteeing that the data will only be stored in their country of residence or elsewhere in the European Union. The clauses often provide that the client may or will be informed of any modification of the location or country of storage. Under the GDPR, the client’s approval as data controller is required and must be given prior to such modifications. It must be restated that this consent is necessary for any kind of data transfer, however: this is not limited to the country where data is stored, but applies to all the countries in which access to the data is possible.
When the cloud computing provider acts solely as a data processor within the meaning of the GDPR (ie, does not define the aims and means of the data processing), the GDPR requires that its agreement with the data controller specifically define certain obligations (article 28), including for the provider:
- to process the client’s personal data only on documented instructions from the controller, including with regard to cross-border transfers;
- to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include, as appropriate:
- pseudonymisation and data encryption;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- maintaining the provider’s ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- regularly testing and evaluating the effectiveness of the measures taken to ensure the security of the processing; and
- to engage sub-processors only with the client’s prior authorisation and to have them subject to the same data protection requirements.
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?Service levels and warranties
The stakes of the cloud computing contracts reside in the characterisation of the providers’ obligations, with the well-known contrast under French law between the best-efforts obligation (for example, ‘the service provider will use reasonable efforts to provide the services with the level of diligence and competence that could reasonably be expected for services of a such nature and of a complexity substantially similar to that of the services’) and the performance obligation (‘the provider guarantees the continuous availability of the service during business hours’). In general, the service provider contracts avoid guaranteeing the availability and performance of their services or formulate service levels and exceptions (eg, planned maintenance, minimum downtime, etc) that enable a large degree of latitude.
The challenge for the cloud computing service providers is indeed to offer a service that is ready to use and works ‘end-to-end’, whereas, in practice, they do not master the production chain which begins at their servers through to their clients’ workstations. The cloud providers are rarely telecom operators and do not operate the internet connections. Furthermore, SaaS providers rarely own their data centres and, accordingly, are dependent on hosting providers. The IaaS and PaaS providers are, in practice, the ones actually in control of the service levels concerning the availability, reliability and quality of the cloud computing services. For these reasons, the service-level agreements are often sanctioned by a notion of ‘service credit’, which allegedly compensates for a default in the service with an extension of its duration.Liability
As the cloud computing services market is dominated by a few global infrastructure and platform providers, the liability clauses significantly restrict their indemnification commitments. The liability cap in the event of a loss of client data is frequently fixed at the level of the monthly instalment paid by the client although, under French law, any clause that nullifies the debtor’s essential obligation will be considered void (New French Civil Code, article 1170).
With regard to the damages applicable in the event of non-compliance with the GDPR, a client may request a guarantee from its cloud computing provider insofar as the latter acted as a ‘sub-contractor’ and failed to comply with his or her regulatory obligations specific to sub-contractors or with the instructions received from his or her client in this regard (article 82).Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
The terms and conditions governing intellectual property rights (IPRs) in contracts subject to French law are similar to those found in contracts subject to other laws: typically, each party remains the sole rights holder on all the IPRs applicable to its materials, that is, the software programs it provides via the services, as regards the service provider, and the data and third-party software programs stored in the cloud and used by the client, as regards the latter.
Licence rights are granted by each party to the other insofar as necessary for the other party’s supply or use of the services, as applicable. Customisation is not typical of standard services such as IaaS and PaaS, but should this arise in the form of copyrighted work (eg, specific developments), the service provider will, in general, grant licence rights and avoid any IPR assignment to the client.
In the same vein, cloud computing contracts require each party to indemnify the other against any infringement claims from third parties. Often, the service providers’ standard terms and conditions will entitle them to terminate their services in cases where the client is found to infringe third-party rights.Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?Term and termination
Cloud computing contracts are usually entered into for a fixed term, typically from one month to one year. This duration may be extended or renewed, expressly or tacitly, but the client does not necessarily benefit from a renewal guarantee. In this regard, the new French law of contracts sets forth that no party may impose the renewal of a contract (Civil Code, article 1212). Therefore, attention should be paid to the notice period and the terms of renewal.
More traditionally, the termination clauses provide an exit right for each party in the event of non-compliance by the other party. In non-negotiated contracts, it will be difficult for the client to use such clauses as a credible threat against non-compliance relating to the service level or quality of the service provision.Reversibility
At the end of a cloud computing service, the client must recuperate its assets (ie, programs and data). As they are standard , the reversibility of the IaaS and PaaS services does not require the transfer of know-how and knowledge specific to the provider. Nonetheless, assistance from the latter is often available as an option.
However, the specificities of a program implemented on the cloud (eg, specific developments and settings according to the client’s business rules, etc) and data formats set up by the provider (sometimes proprietary or using variants of the existing standards) may result in a lockout of the client. The reproduction of the existing solution or the system’s output available for data migration may also pose a problem. Despite their multitude, contractual documents are often lacking specifications and commitments in this regard (see question 26).
The entry into force of the GDPR should encourage the emergence of more adapted stipulations, as this text obliges data controllers to enable data portability (see question 15). The clients could use this as guidance to address the practical issues raised by reversibility situations. In any case, healthy competition between several providers and services remains the most effective tool in order to avoid harmful dependence.Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
In cases where activities are transferred from one company to another, the Labour Code will govern the transfer of employment contracts (articles L1224-1 and L1224-2). A contract for the supply of private cloud computing services may be part of or may follow such a transfer of personnel from the client to the service provider. However, it will usually rather be considered as an outsourcing contract. In general, cloud computing contracts per se are indeed not understood to involve a transfer of personnel by the client. This is reflected in the statutory definitions of cloud computing (see questions 8 and 9), which do not refer to such an element.
TaxationApplicable tax rules
Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.
The cloud computing service providers are currently subject solely to the standard corporate tax, at 33.33 per cent. This rate should progressively diminish to reach 25 per cent in 2022.
Nonetheless, as cloud computing providers may exercise an activity in a country without any human and material resources and, accordingly, may be considered as not having a ‘fixed establishment’ in the country, French corporate tax does not apply equally to all the providers of the sector that sell services in France. The judgment rejecting the taxation of Google Ireland Limited imposed by the French tax authorities is a relevant example (Paris Administrative Court, Google, 12 July 2017). This situation should evolve in the coming years with the progressive modification of the applicable international rules, including the redefinition of the notion of fixed establishment and the creation of a tax specific to cross-border digital services. Pending the adoption of such a tax treaty by the OECD members, the French government has decided to impose a tax on digital services providers with digital revenues in excess of €750 million internationally and €25 million nationally, based on their turnover and amounting to 3 per cent thereof. In the summer of 2019, the French government declared at the G-7 meeting that France will adhere to the new tax regime to be defined by the OECD in respect of digital activities, once the member states converge on a global consensus, and that the government will subsequently unwind the French digital tax and refund the overpaid amount to the tech companies, if any.Indirect taxes
Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.
The French General Tax Code classifies the cloud computing services in the category of ‘electronic service provisions’ (appendix 3, article 98 C, c). These services are subject to the standard VAT rate (20 per cent).
The application of VAT to cloud computing services is complex, as the location of the provider’s taxation varies depending on whether the client is itself liable to charge VAT (the location is then his or her establishment in France) or not (the location of taxation is the place where the beneficiary of the services is established, at his or her domicile or habitual residence, including abroad) (article 259 et seq).
Whether they are established in the EU or not, the service providers may follow a special tax regime for clients that are not VAT collectors, which provides a mini one-stop-shop mechanism to liquidate VAT owed in the various member states of the EU.
Recent casesNotable cases
Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.Paris Administrative Court, Google, 12 July 2017
Even though the French administration focused on the search engine activity and the income gained from the advertising services invoiced by Google to its French clients (AdWords), the discharge by the Administrative Court of the tax reassessments requested in terms of corporate tax, withholding tax, VAT and various contributions could also apply to cloud computing services (see question 25). This litigation shows the significant challenges inherent in the business model of international cloud computing service providers (http://paris.tribunal-administratif.fr/Actualites-du-Tribunal/Communiques-de-presse/La-societe-irlandaise-Google-Ireland-Limited-GIL-n-est-pas-imposable-en-France-sur-la-periode-de-2005-a-2010).Versailles Court of Appeal, 19 May 2015, No. 14/08016
In the context of an objection procedure against the registration of a trademark ‘CLOUD CUBE’, the Versailles Court of Appeal judged that the term ‘CLOUD’ can be readily understood by the consumer as referring to the expression ‘cloud computing’ and, consequently, that it already shows the destination of a certain number of products and services. Accordingly, it cannot be considered to be distinctive. The dismissal for the registration of the trademark was being requested by the holder of a prior trademark ‘+ LE CUBE’ and was upheld by the court.CNIL, Google LLC, 21 January 2019, No. SAN - 2019-001
Upon verification of the data processing relating to the use of the Android operating system on mobile phones, including the creation of a Google account, the CNIL observed that the information on the processing of advertising customisation was excessively disseminated in separate documents and, therefore, not easily accessible to users. As a consequence, the regulatory authority determined that the consent on which Google relies for this processing is not obtained validly with regard to the law of 6 January 1978 on data processing and freedoms and the GDPR. In light of the data processing operations and the number of persons concerned, the CNIL considered that the lack of transparency as well as the lack of valid consent constituted substantial breaches of privacy and run counter to the legitimate aspirations of individuals wishing to retain control of their data. It ordered Google LLC to pay a fine of €50 million.
Update and trendsKey developments of the past year
What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?Key developments of the past year27 What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?
Although the pressure of software publishers on their customers to shift their office automation and other software applications to the cloud is maximal (eg, Office365 and OneDrive) and raises questions about the concentration of the cloud computing market onto a few global players, a yearly enquiry by CyberArk’s Global Advanced Threat Landscape Report shows that privileged access is the biggest cloud security issue: ‘The risks created by the lack of clarity about who is responsible for security in the cloud are compounded by a general failure by organisations to secure privileged access in these environments’, according to Adam Bosnian, executive vice president, global business development. Only 47 per cent of organisations reportedly currently have an access management and security strategy in place for cloud and workload infrastructure (https://www.cyberark.com/press/global-advanced-threat-landscape-2019-focus-on-cloud/).