Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The concept of ‘cloud computing’ has been recognised explicitly in the Belgian Act of 7 April 2019 on the security of network and information systems of public interest for the public safety. This Belgian Act implements Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

In both pieces of legislation, a ‘cloud computing service’ is defined in the same way, namely a digital service that enables access to a scalable and elastic pool of shareable computing resources.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Pursuant to the applicable NIS-legislation, a provider of cloud computing services is subject to a number of obligations:

  • The appointment of a data protection officer: a provider of cloud computing services is required to appoint a data protection officer.
  • (Security) measures: a provider of cloud computing services must (1) identify risks to the security of network and information systems that it uses to offer within the EU digital services and (2) take appropriate and proportionate technical and organisational measures to manage such risks. These measures must have regard to the technical state-of-the-art and must take into account several elements and the relevant risks. Furthermore, a provider of cloud computing services must appoint a single point of contact for its computer systems and inform the sectoral authority thereof.
  • Notification requirements: moreover, a provider of cloud computing services also has an obligation to notify without delay incidents with significant impact on the provision of the cloud computing services offered in the EU.
  • Exchange of information: a provider of cloud computing services and its subcontractors must limit the access to the information regarding the implementation of the NIS Act to those persons who need access to that information for their function with regard to this Act. Furthermore, subcontractors and its personnel need to be bound by professional secrecy with regard to the information regarding the implementation of the NIS Act.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

In addition to the applicability of the NIS-legislation, the provision of cloud computing services is indirectly governed by a set of EU and Belgian laws, including (1) the European General Data Protection Regulation (GDPR); (2) the Belgian Act of 11 March 2018 on outsourcing in the financial sector and circulars of the National Bank of Belgium (NBB); (3) the Belgian Civil Code; (4) the Belgian Code of Economic Law; (5) the Belgian Criminal Code and the Belgian Criminal Procedure Code; (6) the Belgian Telecommunications Act; and (7) the eIDAS Belgian Act of 21 July 2016.

First, the GDPR is directly applicable in the Belgian legal system since 25 May 2018. Consequently, any cloud provider – which typically acts as a processor of personal data – must abide by the rules set out by the GDPR and among others conclude a data processing agreement with the party to whom its cloud services are provided.

Second, the Belgian Act of 11 March 2018 on the statute and supervision of financial institutions could potentially impact the delivery of cloud computing services. While such services are not directly addressed by the Act, the National Bank of Belgium (NBB) stated that cloud computing services must be assimilated to outsourcing, and hence falls under the scope of the Act. This means in practice that cloud computing services are governed by similar principles as traditional outsourcing happening in the financial sectors (eg, the NBB can decide to impose several conditions or requirements so as to preserve the integrity of the financial services being outsourced). In 2019, the NBB for instance issued a new circular on outsourcing arrangements that applies to a wide number of financial institutions. With this circular, the NBB has fully integrated the European Bank Authority Guidelines on outsourcing arrangements of 25 February 2019 in its supervisory practices. To be compliant, financial institutions wishing to outsource part of their activities must, among other things, ensure that the outsourcing contract (including an outsourcing to the cloud) provides for a range of obligations and must submit a file to the regulator in certain circumstances. It is therefore crucial for each project to determine whether these specific rules apply. Similar obligations exist for (re-)insurance companies.

Third, as there are no contracting laws specifically tailored to cloud contracts in Belgium, general contract law as laid down in the Belgian Civil Code applies to cloud contracts. Contractual arrangements thus need to be relied on heavily to cover issues not dealt with under traditional contract law, or dealt with in a way that is not readily applicable to cloud computing.

Fourth, the Belgian Economic Law Code (BELC) indirectly applies to cloud computing services by application of different sections thereof. Book VI and Book XIV contain provisions on distance contracts, which may apply to cloud computing contracts. In addition, Book XII contains provisions on the liability of data storage service providers, such as article XII.19. This article states that where an information society service (eg cloud computing service) consists of the storage of information provided by a recipient of said service, the service provider will not be liable for the information being stored at the request of the recipient, provided that the service provider does not have actual knowledge of the illegal activity or information and, with regard to damage claims, the service provider is not aware of facts or circumstances from which the illegal activity or information is apparent; or the service provider acts promptly to remove or to disable access to the information, upon obtaining such knowledge or awareness, provided that he or she immediately communicates this to the competent public prosecutor.

A recent update of Book VI of the Belgian Code of Economic Law has been adopted on 4 April 2019 by the Belgian legislator regarding notably unfair B2B terms. In essence, the new Belgian Act prohibits: the abuse of economic dependence; (misleading and aggressive market practices between companies; and unfair terms in contracts. In the context of cloud agreements, the most relevant part pertains to unfair terms, in respect of which the Act foresees a black list (presumed to be unlawful without possibility of rebuttal) and a grey list (presumed to be unlawful until proven otherwise).

Fifth, the Belgian Criminal Code and the Belgian Criminal Procedure Code could potentially indirectly impact cloud computing services provided in Belgium. For instance, the search in computer systems can be extended to a computer system (or part thereof) which is located elsewhere than where the search takes place (source: articles 39-bis, 88-ter and 88-quater Belgian Criminal Procedure Code).

Sixth, the Belgian Act of 13 June 2005 on electronic communications only applies to ‘services consisting wholly or mainly in the conveyance of signals on electronic networks, including telecommunication services’. Content services, therefore, are not covered by this legislation. In the context of cloud computing, the applicability of this legislation will depend on the extent to which the cloud computing service focuses on the conveyance of signals. Where this framework applies, national regulatory authorities will have certain powers over the service provider and consumers will be afforded greater protection.

Finally, the European Union adopted on 23 July 2014 the eIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market. This Regulation has been complemented by the Belgian Act of 21 July 2016 implementing and complementing the eIDAS Regulation, which may also have indirect consequences on cloud computing services provided in Belgium. The scope of the Regulation and the Act are broad as they touch upon electronic archiving, electronic registered mail, electronic seals, electronic signatures, website authentication, trust service providers and electronic identification schemes.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

The consequences and sanctions for breaching the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing for obvious reasons vary based on the concerned law:

  • with GDPR-related infringements, administrative and criminal sanctions may be imposed;
  • as for the financial sector, the National Bank of Belgium (NBB) supervises financial institutions and ensures their compliance with NBB’s circulars. If a financial institution is to infringe NBB’s circulars on outsourcing, the NBB may eventually decide to withdraw the institution’s licenses to operate;
  • within the Belgian Code of Economic Law, Book XV is entirely dedicated to enforcement. For instance, unfair B2B or B2C terms may be declared null and void. In addition, in B2C relationships, unfair terms related sanctions are harsh and might entail heavy fines.
  • breaches of the Belgian Criminal (Procedure) Code may – for obvious reasons – lead to criminal sanctions;
  • breaches of the Belgian Act on electronic communications may amongst other lead to criminal fines; and
  • breaches of the eIDAS Belgian Act may lead to the prohibition of the service provider to further offer his or her services, the obligation to inform its clients about the said prohibition, as well as fines.
Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

In B2C contractual relationships, Book VI of the Belgian Code of Economic Law brings into effect the European Directive 2011/83/EU on consumer rights. Therefore, the prohibition of abusive clauses and other consumers’ rights (such as the right of withdrawal, subject to limitations) need to be taken into account by cloud computing service providers when concluding contracts with consumers.

In relation to competent courts, the European Regulation (EU) 1215/2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters (Brussels Ibis) stipulates that a consumer may bring proceedings against his or her contracting party either in the courts of the member states in which the contracting party is established or, regardless of such domicile, in the courts where the consumer is domiciled.

In addition, the European Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I) specifies that, in a B2C contractual relationship, the contract will be governed by the law of the country where the consumer has his or her habitual residence, provided that (1) the professional contracting party pursues its commercial or professional activities in the country where the consumer has his or her habitual residence, or by any means, directs such activities to that country or to several countries including that country; and (2) the contract (in the case of the cloud computing contract) falls within the scope of such activities.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

We have identified the following sector-specific legislation that could be relevant:

  • Financial sector: the Belgian Act of 11 March 2018 on the statute and supervision of payment institutions and the Circulars of the National Bank of Belgium on outsourcing (including cloud computing);
  • Telecoms sector: the Belgian Act of 13 June 2005 on electronic communications; and
  • Essential services or digital services sector: the Belgian Act of 7 April 2019 on the security of network and information systems of public interest for the public safety.
Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

The applicable legislation is Book XX ‘Insolvency of undertakings’ of the Belgian Code of Economic Law. Any debtor (including a cloud computing service provider) can be declared bankrupt by the court if: the service provider has consistently ceased to pay its debts when they fall due; and the service provider no longer has the trust of its creditors.

The court will appoint a bankruptcy administrator charged with the administration and liquidation of the bankruptcy estate and the distribution of the proceeds. Creditors are notified of the bankruptcy order by publication thereof in the Belgian State Gazette.

In this context, customers of a bankrupted cloud computing service provider may see their contracts terminated either because the contract foresees that bankruptcy is a cause of termination; or because the bankruptcy administrator terminates those contracts due to the fact that the management of the estate so requires and that his or her decision does not affect the rights in rem of third parties against the estate. Counterparties of the bankrupt entity may also ask the bankruptcy administrator to take a decision within a 15-day period and can consider the contract terminated if they do have not received a timely answer.

Creditors ideally file their claims in the bankruptcy register by the date provided for in the bankruptcy judgment and in any event no later than one year after the date of the said judgment.

Creditors who do not file their claim in time lose their right to participate in any distribution and lose any priority to which they may have been entitled. In that respect, creditors will then be ranked based on the nature of the estate debts (eg, security interest and privileges versus unsecured creditors). Once all the privileged creditors have been satisfied, the remaining assets are distributed among the unsecured creditors, who should all be considered as equal (ie, no ranking applicable among them).

Additionally, the Belgian Companies Code contains provisions applicable to the liquidation, either as a result of a decision to that effect by the general assembly (voluntary) or an order from the court (judicial). A liquidator will be appointed to manage the liquidation of the company. Unsecured creditors and creditors with a general privilege on all assets lose their enforcement rights, except to the extent that the enforcement would not prejudice other creditors or the proper course of the liquidation. Secured creditors in principle do not lose their enforcement rights. Unlike bankruptcy, the liquidation of the company does not automatically terminate existing contracts and the liquidator does not have the power to terminate it unless the contract would provide otherwise.

Apart from the two aforementioned insolvency proceedings (ie, bankruptcy and liquidation), which are both aimed at liquidating the company, the Belgian Code of Economic Law provides there are number of restructuring options. Most notably, a company whose continuity is being jeopardised can ask the courts for protection against its creditors to negotiate a debt restructuring agreement with a group (two or more) of its creditors (judicial reorganisation through an amicable settlement), prepare a reorganisation plan that will be put to vote to and be, provided it is approved, binding on all of its creditors (judicial reorganisation through a collective settlement) or transfer all or part of its activities (judicial reorganisation through a transfer of assets under court supervision). In both case, the opening of the judicial reorganisation proceedings does not automatically terminate the contract and any contractual clause to the contrary, providing that the judicial reorganisation proceedings entitle the other party to terminate the contract, will be ineffective.