Cloud computing has, so far, no clear definition. The physical difficulty in storing huge amount of data and recurring data breaches have impelled the development of a system wherein the information is not stored in the physical hardware but in cyberspace called cloud. It provides three types of services – (SaaS) Software as a Service, IaaS (Infrastructure as a Service) and PaaS (Platform as a service).
Iaas generally provide service to network architects. Here, the Cloud Service Providers (CSPs) provide infrastructures like storage, communication, firewalls and IP addresses thereby creating an environment where the platform developers can install and run a program. Amazon web service is one example that provides IaaS.
PaaS sets out a platform for the application developers to develop services and application without actually buying the physical hardware and software. Google App Engine provide platform for various companies to develop applications.
SaaS generally aimed at end users, is accessed through internet. Here, the user is not concerned about its installation and maintenance. Consumer pays only for the usage. Gmail, Microsoft 365 are all services utilised in the form of SaaS.
Laws on Cloud computing in USA, EU and India
In European Union, EU Software Directive and EU Copyrights Directive govern copyrights laws on cloud computing. Former recognises software as a literary work. EU Copyrights Directive provides copyright holder the exclusive right to reproduce, distribute and communicate the work to the public.
In USA, the laws on cloud are envisaged in S.109 of the Copyright Act 1976. The copyright owner has exclusive right to ‘distribute copies…to public and others by way of transfer of ownership…’. In the context of Internet, this means transfer of files from one computer to another. The Act of Stored Communication, 1986 and Health Insurance Probability and Accountability Act are two other legislations that deal with storing personal information within a cloud.
In India, laws on cloud computing are still growing. The Copyright Act, 1957 recognise data stored in electronic form as literary work. While the Information Technology Act, 2000 deals with electronic governance and electronic records, the Information Technology (Reasonable Practices) Rules, 2011 entails rules on storage of sensitive personal information in cyberspace.
Cloud Computing, Copyrights and European law
Here, the copyright violation mainly concerns online storage lockers for content uploaded by users. In Newzbin’s case of United Kindgom, Newzbin Ltd was liable for providing hyperlinks in their webpage to download movies from other websites; there exist a close relationship between primary infringer and authoriser. Arguments were raised as to charge them as secondary infringer as they did not obtain license from the rightful copyright owner. In such situation the CSPs are obliged to follow “notice and take down” procedure. In Google Ad words case, CJEU held that the CSPs should play a neutral role and ensuring knowledge about data stored.
In 2012, Pirate Bay Bit Torrents founders were prosecuted by Swedish Government as primary infringer for encouraging copyrights violations. Similarly, Google was also sued for publishing digitalised books for free without the permission of the copyright holders of various publishing houses.
One of the most prominent services provided by the CSPs is SaaS. Many software companies are engaged in the business of providing cloud services to companies and other consumers. However, this poses various challenges. SaaS is believed to be the most efficient means to curb software piracy. This is because it is easy to track down the violators when data stored in cloud is being hacked compared to the difficulty of police force to seize bootlegged CDs in every nook and cranny. However, the problems of “black clouds” and “grey clouds” remain unanswered. Black cloud is presence of pirated SaaS. Grey cloud arises when a consumer (a Company) buys a license legally and then sells to members of company and even to outsiders.
Direct infringement can be levelled against CSPs only if they partook directly in the violation. Management and storage of data does not imply abetment to breach of copyrighted files,thus making the threshold to determine direct liability a high one and was pronounced so by the US Court in ‘Religious Technology Center v. Netcom Communication’. The plaintiff merely has to establish that the CSP is more than a ‘mere passive conduit’ for storage. But studies and reports suggest that storing data as SaaS is the best available method to counter software piracy. Enhanced protection of data and information from grey and black clouds are also the need of the hour.