Getting The Deal Through logo
Getting The Deal Through

Global overview

Mark Lewis

Bryan Cave Leighton Paisner LLP

Tuesday 13 November 2018

It took from November 2009 to September 2011 and 15 drafts for the US National Institute of Standards and Technology (NIST) to produce its final  definition of cloud computing. (For the short story of that journey, see, and for the final version of the definition, see The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, Peter Mell and Timothy Grance, Special Publication 800-145 It was worth the wait, because the NIST definition remains de facto the definitive universal statement of what cloud computing is.

By the way, in the time it took the NIST to produce 15 drafts and release a final version of the world’s favourite cloud computing definition, the global public cloud services market had grown from US$58.6 billion to US$92.97 billion – by an astonishing 58.65 per cent.

Arranged over just one and a half pages, the NIST’s definition of cloud computing is:

a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

For the purposes of Getting The Deal Through – Cloud Computing, we can look up the five essential characteristics at our leisure. Of more immediacy are the three service models: software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). And we need instantly to refer to the four deployment models: private cloud, community cloud, public cloud and hybrid cloud. That is because one of the first challenges, when answering the questions outlined below, is to tell readers which of the cloud deployment models we mean.

In general, what most people mean when they refer generically to cloud computing is the third deployment model, which is most often seen as the archetypal cloud, ie, the public cloud:

the cloud infrastructure . . . provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the premises of the cloud provider. (NIST definition, page 3)

It is the cloud model for which the most extensive claims are made in this computing model: utility, multi-client, location neutral, almost infinitely scalable and pay-per-use (see ‘Essential Characteristics’, NIST definition, page 2).

But migrating from ‘traditional’ computing models to the public cloud has real challenges: chief information officers (CIOs) and chief risk officers (CROs) worry about, among others, security, compliance with data protection and privacy laws, data residency, service resilience and portability of data on termination of cloud arrangements. So, to avail themselves of some of the benefits of the archetypal cloud, organisations have deployed instead the hybrid cloud: an infrastructure composed of ‘two or more distinct cloud infrastructures (private, community or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability (eg, cloud bursting for load balancing between clouds)’. (NIST definition, page 3.)

This is not without its challenges, but it reflects a more measured approach. Organisations that are even more concerned about risk and compliance (eg, regulated financial services firms), but that want some of the benefits of the computing model, are likely to deploy a private cloud, which is ‘provisioned for exclusive use by a single organisation comprising multiple consumers (eg, business units). It may be owned, managed and operated by the organisation, a third party, or some combination of them, and it may exist on or off premises’. (NIST definition, page 3.) Alternatively, in a community of common interests, for example within local government, health and law enforcement communities, they may deploy a community cloud:

provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (eg, mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. (NIST definition, page 3)

As the community cloud shares the characteristic of ‘exclusive use’ with the private cloud deployment model, we may treat it as a variant of the private cloud for the purposes of this work.

So, we observe that the four deployment models are currently in use, but to varying degrees. For the reasons given below, in our analysis of how cloud computing has been adopted in the countries covered by this work, we need to address the deployment models as a composite of cloud computing, and as virtually interchangeable. Besides, finding data to compare and contrast the adoption of each of the deployment models (and for that matter each of the service models) – that will for the most part be freely available to our readership, while also being authoritative – is a real challenge. And it does not help that, in their endeavours, law and policymakers and regulators have not generally – yet – seen the need to distinguish precisely between the cloud deployment models and service models.

However, where we can do so within the limitations of our allotted space, we try to identify the characteristics of a deployment model that may be relevant to our analysis. Take, for example, the question concerning labour and employment law considerations applicable to the cloud. And in particular, whether the EU Acquired Rights Directive (ARD) and EU member state legislation implementing it will apply to a cloud migration. If that legislation does apply, it will transfer staff automatically on their existing terms of employment to the cloud service provider (CSP) where their employer is migrating some or all in-house IT functions to the cloud. And this will almost certainly extinguish the financial case for the cloud migration. In considering whether there is an ARD transfer of an undertaking, it may well make a difference that the migration is to a public cloud (where you might struggle to discern the transfer of an undertaking, because the ‘before and after’ activities are so different), rather than to a private cloud (which could have many characteristics of an outsourcing, to which the ARD has been held to apply). Or will it? Readers with business interests in the EU will have to decide for themselves – alerted to the possibility by this work and, one hopes, properly advised.

For the reasons given above, it is mostly beyond the scope of this work to differentiate precisely or at all between and focus on each of SaaS, PaaS and IaaS.

Accordingly, in this work we attempt to cover the broadest possible spectrum of cloud computing adoption, including (mostly interchangeably) the public, hybrid and private cloud deployment models and the service models, all in a business-to-business (B2B) context, but recognising that business-to-consumer (B2C )arrangements will also be of interest to many of our readers, mainly because of consumer protection regulation. For each contributing country, this approach will, naturally, be somewhat different, depending on the size and state of development of cloud computing in its local market, as well as local market, contractual, legal and regulatory conditions.

Our survey starts with the market in each of the countries covered and examines what kinds of cloud computing transactions take place and which of the global and local cloud providers are active in that country, as well as the cloud services the latter provide.

Next, we address how well-established cloud computing is, including by its market size, referring to data and studies that are publicly available.

How active is central or regional government in the development of cloud? Are there specific, cloud-friendly policies? How are those policies implemented – by fiscal or customs incentives or development grants, or other means? And what other government initiatives apply?

We turn next to the core of this work: law, regulation, contract and market practice. We address the following questions for each country.

  • Is cloud computing specifically recognised and provided for in the local legal system and, if so, how?
  • Is there any legislation or regulation that directly and specifically prohibits, restricts or otherwise governs cloud computing?
  • What legislation or regulation indirectly prohibits, restricts or otherwise regulates cloud computing?
  • What are the consequences of breach of those laws and regulations?
  • Recognising the importance of B2C cloud adoption, what local consumer protection measures apply to cloud computing?
  • Knowing that cloud – especially public cloud – may pose real challenges in certain sectors, for example, financial services and health, what (if any) sector-specific legislation or regulation applies?
  • Public and private sector organisations around the world worry about – and some have already had to cope with – what happens when a CSP becomes insolvent. What insolvency laws will apply in those situations?
  • Almost all surveys of CIOs, CROs and other business leaders around the world highlight their continuing concern about data security in the cloud, as well as whether and how they continue to comply with data protection and privacy regulation in migrating to the cloud – especially with the coming into operation of the EU General Data Protection Regulation in May 2018. So, we identify the principal data protection or privacy legislation applicable to cloud computing.

We turn next to what I have found to be the most challenging set of questions to answer. After outlining what forms of cloud computing contract are usually adopted, we analyse as far as we can from publicly available sources, the typical key terms of B2B public cloud computing contracts in local markets.

It is clear that cloud computing will – if not now, then in the near term – have a significant impact in the workplace, so we identify labour and employment law considerations that apply.

Because much of the developed world and many emerging economies are becoming increasingly concerned about how to tax online and digital products and services, especially where supplies cross borders and will be made from IT product and services providers without a permanent establishment in their target markets, we outline the direct and indirect taxation rules that apply to the establishment and operation of CSPs and their customer transactions.

Finally, we identify recent notable cases as well as commercial, administrative or regulatory decisions or actions that have directly involved cloud computing as a business model. And we close with a survey of updates and trends as far as they can be discerned.

With a new and fast-developing area like cloud computing, we must keep our questions under review for future editions. And it follows that our answers to those questions will change over time. Of course, law and regulation will change, as will contract and market practice. As with the first edition, we will be happy to consider your comments and contributions and, as far as practicable, take account of them in future editions. Contact me at if you wish to make comments or suggestions for the next edition.

The country contributors and I very much hope that you will find this  edition of Getting The Deal Through – Cloud Computing both stimulating and useful, and a worthwhile addition to this series.

Back to Cloud Computing

Follow Getting the Deal Through for the latest updates on law and regulation worldwide

Follow us on LinkedIn