Grid and Cloud Computing as a Tool to Transform European Economy: Legal Considerations Davide Maria Parrilli Legal researcher Interdisciplinary Centre for Law and ICT (ICRI), K.U.Leuven Institute for Broadband Technology (IBBT) [a] Sint-Michielstraat 6, B-3000 Leuven, Belgium [t] +32 16 32 07 87 [f] +32 16 32 54 38 [e] davide.parrilli@law.kuleuven.be Synopsis: The paper assesses how legal instruments and tools can facilitate or impede the development of Grid/Cloud technology and service providers in Europe. Particular attention will be paid to the effects that the applicable legal framework has directly on these providers and on the trust-generating mechanism within the community of potential users of Grid and Cloud computing services. Introduction Grid and Cloud computing are very promising technologies that may undoubtedly change the way many companies operate. It is remarkable, in fact, that they create new offers on the providers’ side and, conversely, new needs on the users’ side. In other words, Grid and Cloud technologies are potentially able to transform networks, through the interconnection of dispersed resources located in different geographical places, services and lives. The transformation of services supplied by ICT providers imply the advent and consolidation of software as a service (hereinafter SaaS) [1], resource as a service (hereinafter RaaS), virtual hardware, etc: these are all examples of the phenomenon of dematerialisation and virtualisation of physical items that involve to a great extent hardware that often, in fact, is provided as a service. Transformation of lives means that companies and consumers are expected to become familiar with the idea that their data are not stored in-house, but ‘in the Grid’ or ‘in the Cloud’, i.e. in the dispersed servers of the provider. The current developments in the field of Grid and Cloud computing are (maybe) paving the way to the personal computer of the future, composed just of a monitor, a keyboard, a mouse and an internet connection. Potentially, in fact, all data traditionally stored in the hard disk of the computer can be retrieved online from the portal of the Grid or Cloud provider. The scope of this paper is to assess whether or not, from the legal point of view, it is feasible that these innovations continue in reality or, to the contrary, whether the development of Grid and Cloud computing is expected to slow down or to stop. Actually, in fact, Grid and Cloud market is still a niche one1, although the investments made by private companies and public institutions, mainly in Europe and in the United States, allow analysts to be optimistic about the future of these technologies. The legal perspective is pivotal in order to assess the future of Grid and Cloud computing and of their providers since the applicable legal framework is not neutral in facilitating or limiting that expansion of businesses and innovations [1]. Legal aspects, in fact, can be seen as forces that, often very subtly, deploy their effects on markets and businesses, acting as barriers or enablers. In the next pages some selected legal forces will be taken into consideration and their impact on some research questions will be investigated. The first question is if, and to what extent, the 1 Stanoevska, K., Parrilli, D.M., Thanos, G. BEinGRID: Development of Business Models for the Grid Industry. LNCS 5206, Aug. 2008. 1 applicable legal framework can stimulate the starting up and growing of Grid/Cloud technology providers and of Grid/Cloud-based service providers (e.s. SaaS, RaaS, etc). Furthermore, the paper will investigate whether or not such a legal framework can stimulate companies and individuals to become users of Grid/Cloud technologies, to store their data ‘in the Grid’ or ‘in the Cloud’, to use software as services from remote locations, etc. The focus of this paper is definitely European, i.e. it will take into consideration the development of European Grid/Cloud providers and suppliers of Grid/Cloud-based services and, conversely, the adoption of these technologies and services by European customers. At the same time, attention will be paid to the applicable European legal sources and, when useful, to national laws of European and non-European countries. This paper presents the research performed and the results achieved by the author in the framework of the FP6 EU-funded IST project BEinGRID (IST5-034702) 2 . This project, in which the author acts as legal consultant, is focused on a considerable number (25) of real business experiments, which are pilot cases of implementation of Grid-based businesses by European companies and research centres. In this sense BEinGRID provides an excellent framework to evaluate the trends of Grid (and Cloud) markets in Europe. Transforming economies: how to stimulate technology and service providers? As said above, the applicable legal framework, i.e. ‘the Law’, is not neutral in stimulating or impeding that businesses using new technologies, like Grid and Cloud computing, are successful. The first aspect to analyse regards the possibility for European companies to successfully run businesses as technology provider or as service provider. The former is the entity that supplies Grid or Cloud resources, on top of which it is possible to provide services, developed and stored ‘in the Grid’ or ‘in the Cloud’ (i.e. using those resources) and delivered to the clients online. A company can act as technology provider and service provider at the same time. However it is imaginable that a certain amount of smaller enterprises enter the market of Grid/Cloud-based service providers, following the few big international players that have already made the first steps. The investments needed to start up a business as service provider are undoubtedly lower than those required to create, manage and update a Grid or Cloud infrastructure. Actually in Europe the majority of Grids/Clouds are basically owned by academic institutions 3, while this is not the case in point in the United States, where there exist commercial Grids and Clouds4. With this respect Europe is called to fill this gap. However, some legal forces, which will be analysed below, render this task more cumbersome for European companies that are willing to enter the market of Grid/Cloud technology providers. Things are partially different for Grid/Cloud-based service providers, where Europe plays a notable role. However, this market is still limited and also in this sense its development is affected by the applicable legal framework. The legal forces hereto analysed affect the chances (for both technology and service providers) to enter the market, the possibilities to be successful by reducing the compliance costs, and the risks to exit from the market. Chances – Software Patentability Chances to enter a market are undoubtedly linked to the protection that a company can have for the innovations it develops [2]. In the course of the project BEinGRID the issue of software patentability arose several times, since it potentially affects the success and profitability of a service provider. The applicable European legal framework, namely the European Patent 2 www.beingrid.eu and www.gridipedia.eu. http://www.gridipedia.eu/grid-infrastructures.html (last retrieved 18 June 2009). 4 http://www.gridipedia.eu/cloudservicesproducts.html and http://www.gridipedia.eu/grid_technology_ organizations.html (last retrieved 18 June 2009). 3 2 Convention of 19735, follows a twofold approach: from one point of view, hardware is patentable, and therefore innovations as regards the structure of Grid/Cloud systems are protectable [2]. Conversely, software delivered through a Grid/Cloud infrastructure, typically based on the SaaS paradigm (and the same applies for RaaS and virtual hardware resources), are in principle (as far as they are considered computer programs ‘as such’) not patentable in Europe, as highlighted also by the case law of the Boards of Appeal of the European Patent Organisation [2]. The situation is different in the United States, where software patentability is not a priori excluded6. This could allow one to say that American software houses are in a more competitive position in comparison with European companies, thus they have better opportunities to enter (and above all to survive and make profits) the SaaS market. Given the fact that a software can be patentable in the United States but not in Europe means also that an American company can compete in the European market but not vice versa. More generally, it is extremely cumbersome to state which one of the two potential solutions (software patentability vs. software unpatentability) is better. Both of them have advantages and disadvantages: to the ends of this paper it must be highlighted that software unpatentability may stimulate software houses to improve existing computer programs and to deliver them as a service together with additional functionalities. In this sense, access to the market should be easier for small enterprises that otherwise would not have many chances. At the same time, lack of patent protections may reduce the growth of companies that are already in the market. In other words, a definite solution cannot be reached, but nevertheless it is important that the competent political and jurisdictional authorities are aware that software unpatentability is not the only possible way and that it may be challenged. Compliance costs – European VAT Value Added Tax (VAT) is one of the most relevant tools used by providers of electronic services in order to offer better prices to their customers. The applicable European legal source, the socalled VAT Directive of 2006 7 , provides for a special regime applicable to services provided through electronic means: with this respect, Grid/Cloud-based SaaS, RaaS or other applications are surely electronic supplied services [3]. In business to business (B2B) transactions, if the provider is an EU-based business, the place of taxation is the customer’s Member State (and the same applies if the provider is based outside the EU). To make an example, if a German (or American) SaaS provider supplies the software to a Belgian business, Belgian VAT will be due. In case of export of services from a European company to a business located outside the EU, no VAT is due. Things are different in business to consumer (B2C) scenarios. In this case, if a European company (or a not-European company with a fixed establishment, e.g. a subsidiary, in the EU) provides Grid/Cloud-based services to a European consumer, the place of taxation will be the supplier’s Member State. In practice this means that suppliers of electronic services have the incentive to open an establishment, from where (to tax purposes) the services are provided to consumers, in a country with a lower VAT rate, in order to offer cheaper services [3]. Many companies, in fact, moved to Luxembourg in order to take advantage of the rate of 15 % (the lowest in the EU) pursuant to the national applicable legislation. An example will clarify the issue: if a provider of SaaS established in Luxembourg sells its services to a consumer who lives in Sweden (where a rate of 25 % applies) for 100 euro per month plus VAT, the final price for the customer will be 115 euro. If, conversely, Swedish VAT should apply, the consumer would pay 125 euro for the same service. 5 Convention on the Grant of European Patents (European Patent Convention) of 5 October 1973, available at http://www.epo.org/patents/law/legal-texts/html/epc/1973/e/ma1.html. 6 See United States Patent and Trademark Office. Manual of Patent Examining Procedure (MPEP). July 2008. Available at http://www.uspto.gov/web/offices/pac/mpep/. 7 Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax [OJ L 347, 11.12.2006, pp. 1-118]. 3 This is exactly what will happen as from 2015 when the reforms introduced by the VAT package of 2008 will enter into force. Pursuant to this package, and more precisely Directive 2008/8/EC8, in fact, the place of taxation in case of provision of electronic services to consumers will be the co-called ‘Member State of Identification’, at the rate of the customer’s Member State. In other words, every European provider will have to register for VAT purposes in one Member State of the EU (as now not-European providers are required to do) and the applicable rate will be that set forth by the State of the consumer. The practical consequences for businesses are that they have to consider the place of establishment of every single consumer and apply the corresponding VAT rate. This poses, of course, practical problems, since there are no methods to locate the establishment of the consumer with no margins for mistakes and, from a different perspective, administrative costs for e-providers will dramatically increase [3]. Furthermore, for many customers that buy online services provided by companies located in Luxembourg or other countries, the price for these services will increase and this may potentially affect the willingness of these consumers to shop on the Internet. In other words, the European lawmaker made a real counter-reform aimed to make more difficult the life for many providers of electronic services (especially those located in Luxembourg) and to increase their costs and burdens (wherever they are established). This may have of course a negative impact on existing and/or future Grid/Cloud technology and service providers. Risks – Bankruptcy and Liabilities All companies face risks with the potential consequence not to be competitive any more and to go out of the market. The same applies to Grid/Cloud technology and service providers, which may incur in bankruptcy proceedings if they are not able to pay their creditors and to be profitable. It would go beyond the scope of this paper to analyse the bankruptcy proceedings from a European and comparative perspective. Nevertheless, it must be said that these proceedings are usually severe and they are aimed to protect creditors more than to offer new possibilities to the entrepreneurs and investors that failed in their venture 9. The possibility to fail when entering new and difficult markets is undoubtedly relatively high and the fear to be bankrupted may potentially prevent many people to start a business (this applies especially to people willing to start up a small company providing e-services). Another risk for technology and service providers is the possibility to be sentenced to compensate the damages suffered by customers if the services are not performed as promised in the agreement with the client. As it will be showed in the next paragraph, pursuant to the applicable European legal framework, these risks can be dramatically reduced by virtue of a contract in B2B transactions. Transforming lives: how to stimulate the adoption of Grid and Cloud-based solutions by users? In the previous paragraphs it was assessed which legal forces may directly act as barriers or enablers to investors willing to start up profitable Grid/Cloud-based businesses (technology providers and service providers). Special attention has been paid to the topics of software patentability, VAT treatment of the services provided online and the risks linked to the bankruptcy of the company. In other words, one side of the market (that of the providers) has been analysed from the legal point of view. It is now pivotal to assess which juridical forces are likely to affect the customers’ side, i.e. to what extent the applicable European legal framework limits or enhances the adoption of Grid/Cloud technologies by customers. Both businesses and consumers, in fact, are expected to trust Grid/Cloud technology and service providers and to renounce, to a variable 8 Council Directive 2008/8/EC of 12 February 2008 amending Directive 2006/112/EC as regards the place of supply of services [OJ L 44, 20.2.2008, pp. 11-22]. 9 With this regard see the very interesting contribution of Lee, S., Peng, M.W., Barney, J.B. Bankruptcy Law and Entrepreneurship Development: A Real Options Perspective. Academy of Management Review, 32(1), 2007. 4 extent, to the direct control of their data, files, information etc that are stored or processed ‘in the Grid’ or ‘in the Cloud’. If customers are reluctant to accept this fact the Grid/Cloud market does not have many possibilities to take off and pave the way to the abovementioned ‘personal computer of the future’. This issue regards computer scientists but also lawyers and policymakers that have the pivotal role to found the trust of customers towards providers on solid grounds. In other words, the trust that clients currently have towards Grid/Cloud providers is basically market-driven, i.e. it is based on the reputation of these suppliers and on the legitimate expectation that they will respect their promises. This means that special attention must be paid to the contractual obligations of the providers: basically they assure, typically in a Service Level Agreement (hereinafter SLA), that a certain level of availability and quality of services (QoS) will be respected. At the same time, they will tend to protect themselves limiting as much as possible their liabilities and the possibilities for the customer to ask for compensation if the obligations of the provider are not respected or, in a worse scenario, if the data stored and/or processed by the supplier get lost or corrupted due to security failures. The experience gained as legal consultant of the project BEinGRID allows the author of this paper to state that in the great majority of SLAs entered into by (American, but also European) Grid/Cloud technology and service providers the customer is in a very weak position, in the sense that basically the provider is never contractually liable10. The situation as defined pursuant to the applicable European legal framework can be summarised as follows. First of all, it is necessary to separate two categories of customers: consumers and businesses. The former are all those that operate outside their trade or profession for purely personal purposes (with this regard the European Court of Justice stated very clearly that companies and professionals cannot be considered as consumers 11). European legislation assures a certain level of protection to consumers, so that: The SLA (or other contract that regulates the provision of Grid/Cloud services) shall be regulated by the law of the country where the consumer has his habitual residence if, basically, the provider addresses this country through his website/portal. Furthermore, the parties can state that another law (e.g. of a not-European State) will govern the contract, but consumer protection rules of the country of residence of the consumer apply. These principles are set forth by the Rome I Regulation 12 (applicable as from 17 December 200913). Pursuant to other applicable legal sources (e.g. Directive 93/13/EC 14), the provisions in the agreement that are too unbalanced in favour of the provider are invalid (e.g. clauses that exclude legal rights of the consumer in case of non performance of the contractual obligations by the provider; clauses that allow the provider to unilaterally modify or terminate the agreement; etc). The consumer can sue the provider in the court of his country of domicile or of the country where the provider is domiciled (basically where the supplier has his headquarter or principal place of business); at the same time the consumer can be sued only in the courts of the state where the consumer himself is domiciled. These rules are of strict 10 See Leff, A., Rayfield, J., Dias, D.M. Service-Level Agreements and Commercial Grids. IEEE Internet Computing, July/Aug. 2003, available at http://ieeexplore.ieee.org/ielx5/4236/ 27339/01215659.pdf? arnumber=1215659 (retrieved 25/2/2009). 11 The European Court of Justice, in the case C-269/05 Francesco Beniscasa v. Dentalkit S.r.l. [ECR 1997, I-3767], decided that consumer contracts concern only agreements whose aim is to satisfy the private consumption needs of an individual, supposed to be the weakest party. 12 Regulation (EC) No 593/2008 of the European Parliament and the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) ]OJ L177, 4.7.2008, pp. 6-16]. 13 Until 17 December 2009 Rome Convention of 1980 will apply [OJ L266, 9.10.1980, pp. 1-19]. 14 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts [OJ L95, 21.4.1993, pp. 29-34]. 5 applicability and basically cannot be derogated by the parties, unless in some specific cases. The relevant legal source is Regulation 44/200115. As regards B2B transactions, things are dramatically different, so that the provider can limit his contractual liability and it can be agreed that the competent court will be that of the place where the supplier is domiciled. In practice this means that very often the customer will not be able to get any compensation for the damages he suffered from the infringement of the contractual obligations of the Grid/Cloud provider, also in case of security failures (with the consequence that the costumers’ data got lost or damaged)16. Precisely for these reasons many businesses are extremely reluctant to store data and information ‘in the Grid’ or ‘in the Cloud’, and the same applies for services that are provided from remote locations and that require that these data and information are processed ‘in the Grid’ or ‘in the Cloud’. Honestly, from the legal point of view, it is not possible to say that these companies that prefer to act in ‘traditional’ ways and to keep their data under their direct control are completely wrong and irrational. The risk may be more or less low, but the problematic issue is that there is no legal protection in case of problems, security failures, etc. It is therefore highly advisable that the European lawmaker takes into consideration this issue and analyses whether or not it is fair that businesses do not have adequate protection when dealing with technology and service providers. This point is even more urgent if one considers that very often the customer does not negotiate the content of the SLA he enters into, since this agreement is basically drafted unilaterally by the provider. Conclusion The experience of the project BEinGRID shows very clearly that Grid and Cloud computing are very promising and that they are potential tools to transform the European software and hardware market. The era of applications, resources, computing capacity, etc supplied as a service from remote locations in a flexible and scalable way is definitely open [1]. Its further development depends also on some legal aspects that may impede that this process continues and that European technology and service providers play a pivotal role at global level. In lights of the considerations expressed above, we can say that it is probably the time to rethink and reshape the notions of software patentability without ideological influences. At the same time, it is advisable that the European lawmaker amends the VAT regime applicable to B2C provisions of e-services and that the criterion that the place of taxation is the supplier’s Member State is preferred and re-adopted. As regards risks faced by the Grid/Cloud providers, it was assessed that the applicable legal framework should free potential entrepreneurs from the fear to be bankrupted, in other words it is necessary to harmonise protection of creditors with creation of new companies, i.e. with innovation and more jobs. Furthermore, creating trust which is based on solid legal grounds is absolutely important. This may happen through both traditional legal ways (amendment of existing legislation aimed to improve the level of protection for customers in B2B transactions) or through so-called instruments of ‘soft law’ or best practices. In particular, a good idea would be that of creating a label for technology and service providers that use fair contractual provisions in their SLAs, so that companies can easily recognize the trustable suppliers. This would also stimulate a race to the top by all players in the market in order to keep or increase their market share. An independent authority should be in charge of analyzing which providers deserve this label and the 15 Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters [OJ L12, 16.1.2001, pp. 1-23]. 16 See Wild, C., Weinstein, S., Riefa, C. Council Regulation (EC) 44/2001 and Internet Consumer Contracts: Some Thoughts on Article 15 and the Futility of Applying “In the Box” Conflict of Law Rules to the “Out of Box” Borderless World. International Review of Law, Computers & Technology, 19(1), 2005. See also Berliri, M. Jurisdiction and the Internet, and European Regulation 44 of 2001. Woodley, S. (ed.) E-Commerce: Law and Jurisdiction. 2002. 6 task of (European and national) public institutions would be that of implementing, promoting and disseminating the system and the corresponding good practices. References 1. Parrilli, D.M., Stanoevska, K., Thanos, G., Software as a Service (SaaS) Through a Grid Network: Business and Legal Implications and Challenges. Cunningham, P. and Cunningham, M. (eds.) Collaboration and the Knowledge Economy. Nov. 2008. 2. Parrilli, D.M.: Software Patentability in a Grid Environment. Sept. 2008. Available at SSRN: http://ssrn.com/abstract=1275227. 3. Parrilli, D.M.: European VAT and Electronically Supplied Services. Sept. 2008. Available at SSRN: http://ssrn.com/abstract=1261822. 7