Jusletter IT

Cloud Data: Quick to Anger and Hard to Resolve

  • Author: Daniel Ronzani
  • Category: News
  • Region: Switzerland
  • Field of law: Cloud-Computing
  • Citation: Daniel Ronzani, Cloud Data: Quick to Anger and Hard to Resolve, in: Jusletter IT 21 September 2017
[1]
Imagine you have outsourced your (business) data, e.g. customer base, production data or inventory, into the cloud. And imagine you do not have a copy of that data and the agreement you have with your cloud provider does not – for whatever reason – regulate the retransition of your data upon expiration or termination of the cloud service. How can you obtain a copy of (what you might believe is) «your» data?
[2]

The main legal problem with (raw) data is that our law does not foresee the concept of data ownership.1 (Raw) Data are neither chattel (tangible asset)2 nor conventional intellectual property rights3.

[3]
Assuming that you cannot agree with your cloud service provider on the terms of a (paid or free of charge) retransition of the data, and you therefore are in a technical lock-in, the following legal remedies might support your retransition claim:
[4]

First, assuming that the retransition of data from the cloud provider to you is merely an unimportant contractual point, or else you would have regulated it from the beginning4, the missing terms on retransition could be viewed as an unintended omission. In the event of failure to reach agreement on such unimportant terms, the court must determine them with due regard to the nature of the transaction (art. 2 (2) and 18 (1) CO5). An omission must be completed by construing the hypothetical will of the contracting parties.6

[5]

Presumably the court would rule that the cloud provider is obligated to return the data to you in a portable and interoperable manner (i.e. in an open and not proprietary form, e.g. CSV7 format), albeit not necessarily free of charge. So you might be required to pay an additional fee for the retransition of the data because if you had regulated it from the beginning in the cloud agreement, the cloud provider might have either increased the recurring service fee to include the retransition effort or added a one-time charge for the retransition service.

[6]

Second, assuming the cloud provider agrees to a retransition of data but – taking advantage of your technical lock-in – charges a high retransition fee, the cloud provider might be in breach of antitrust law. According to art. 7 (2) (c) CartA8 dominant entities behave unlawfully if they, by abusing their position in the market, hinder other entities from starting or continuing to compete, or disadvantage trading partners, among others, by, for instance, imposing unfair prices or other unfair conditions of trade.

[7]

An entity is dominant, if it is able to behave to an appreciable extent independently of the other participants in the market, i.e. competitors, suppliers or consumers. The intention of the legislator was to introduce thereby the notion of relative market dominance. An entity is relatively market dominant if it has a superior market position in relation to entities which are dependent of it.9 In applying this principle to the cloud data, the cloud provider has relative market dominance due to the lock-in effect. Thus charging a high price for the retransition might be unlawful under the CartA.

[8]

Third, if the cloud agreement is based on simple agency contract law10, pursuant to art. 400 CO the agent is obligated, at any time upon the principal’s request, to give an account of his agency activities and to restitute anything received for whatever reason as a result of such activities. This means that the agent must return everything that it received from the principal itself or that has been created in the execution of the mandate.11 The accounting of information must be timely, correct and complete.12 Whether renouncing the right to restitution is legal or not, is debated controversially in doctrine. According to the Swiss Federal Court renouncing the right to restitution is permissible.13 The restitution cannot be made dependent of conditions14 and must remain free of charge15.

[9]
Hence, under mandate law the cloud provider is obligated to retransition immediately upon first demand and free of charge the data you uploaded to, or that was generated on your behalf during the term of the cloud service on, the cloud provider’s server(s).
[10]

Finally, pursuant to data protection law16 any person may request information from the controller of a data file as to whether data concerning her is being processed. The controller of a data file must notify the data subject, among others, of all available data concerning the subject in the data file. The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge.

[11]

Art. 8 FADP might seem a quick solution for restituting your data. The problem, however, is that the information right provided by the FADP is limited to personal data, i.e. information relating to an identified or identifiable (natural or legal) person. It does not relate to the data of your customers and other information you might have uploaded to the service provider’s cloud. An information request under art. 8 FADP will result in a pile of paper relating to your personal data only.

[12]
In any case it is advisable to request the retransition shortly before or at the expiration or termination of the cloud service agreement. The obligation to restitute might be valid for 10 years but once the data has been (irretrievably) deleted from the service provider’s servers the data is gone and you might end up with a monetary damage claim (if at all) but not the (valuable) data.

Daniel Ronzani

  1. 1 Similarly, energy is not tangible, which is why the Criminal Act (SR 311.0) penalizes the unlawful abstraction of energy in a separate article (142).
  2. 2 Art. 713 Civil Code (CC; SR 210).
  3. 3 Copyright Act (CopA; SR 231.1), Trademark Protection Act (TmPA; SR 232.11), Designs Act (DesA; SR 232.12), Patents Act (PatA; SR 232.14).
  4. 4 If you did not regulate a material point, the agreement might be invalid in its entirety.
  5. 5 Code of Obligations (CO; SR 220).
  6. 6 Claire Huguenin/Tina Huber-Purtschert, in: Jolanta Kren Kostkiewicz/Stephan Wolf/Marc Amstutz/Roland Fankhauser (eds.), OR Kommentar Schweizerisches Obligationenrecht, 3. ed., Zurich 2016, recital 30.
  7. 7 Comma-separated values store tabular data in plain text.
  8. 8 Cartel Act (CartA; SR 251).
  9. 9 Dispatch of the Federal Council of 7 November 2001 regarding Amendments of the Cartel Act, p. 2033 (01.071).
  10. 10 Art. 394 et seq. CO.
  11. 11 Roland Bühler, in: Kren Kostkiewicz/Wolf/Amstutz/Fankhauser (note 6), recital 4.
  12. 12 Rolf H. Weber, in: Heinrich Honsell/Nedim Peter Vogt/Wolfgang Wiegand (eds.), Art. 1–529 OR. Obligationenrecht I. Basler Kommentar, 6. ed., Basel 2015, art. 400 recital 4.
  13. 13 FCD 132 III 460, cons. 4.2.
  14. 14 Rolf H. Weber, in: Honsell/Vogt/Wiegand (note12), art. 400 recital 18.
  15. 15 Yaniv Benhamou/Laurent Tran, Circulation des biens numériques: de la commercialisation à la portabilité, sic! 2016, p. 571, p. 585.
  16. 16 Art. 8 of the Federal Act Data Protection (FADP; SR 235.1).