We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
11 January 2021
Cloud computing has increasingly become a dominant model for computer and IT service, with the majority of businesses worldwide using computing resources and storing data in the Cloud. However, despite the ease of use and convenience of cloud computing, moving data and services into the Cloud raises several legal issues for both cloud computing providers and users. This article highlights some of the issues and questions relating to IP rights raised by cloud computing.
Generally, 'cloud computing' is the remote delivery of computing services and resources to a client. Data is stored and/or processed remotely from the client, on infrastructure that is generally called the 'Cloud'. The client can access this infrastructure remotely, usually over the Internet. Importantly, the client (eg, a personal computer) does not have to perform any of the data storage or processing that now occurs in the Cloud, significantly reducing the hardware, software and security requirements of the client device.
The actual implementation of cloud computing systems can vary greatly. Example cloud computing service models include:
Generally, SaaS models allow clients to access and use software applications over the Internet, rather than storing and running the applications locally. PaaS models provide access to a computing platform (eg, Microsoft Windows) on which applications may be run or developed. IaaS models provide access to computer infrastructure on demand (eg, data storage, networking and computing resources).
One of the advantages of cloud computing is that individuals and businesses can avoid the costs of buying, installing and maintaining sophisticated hardware and software. Instead, this infrastructure is handled by the cloud provider remotely. However, this means that it is not clear where the cloud provider's hardware and software is physically located or where the client's data is physically stored.
For example, services may be sold to a client in one particular jurisdiction, but that client's data may be stored and processed at one or multiple locations in the same or other jurisdictions. The client may have no knowledge of where the data is stored or processed. Data may be stored redundantly in multiple locations and jurisdictions and may be fragmented in storage. Data may even be stored in different countries at different times. Various aspects of data processing may also occur in different jurisdictions.
The amorphous nature of cloud computing makes determining how the law will apply – or even what law will apply – a challenge. Because IP rights are territorial and a single cloud computing service can touch multiple jurisdictions, it is unclear in many instances what IP laws will apply in the cloud computing environment.
Patents are inherently jurisdictional: they confer rights only in the country in which the patent is granted. For example, a Canadian patent grants the patentee the exclusive right to make, use and sell an invention for the term of the patent. However, it does not grant any of these rights in any other country. This poses a challenge for cloud computing systems that extend across international borders.
The multi-jurisdictional nature of cloud computing, and the amorphous nature of the Cloud, give rise to a number of possible complications for patent owners or licensees trying to assert their patent rights against potential infringers.
Uncertainty over jurisdictional scope of infringement
As a general principle, infringement of a patent requires meeting every element of a claimed system or process. However, technology implemented in the Cloud may be spread over multiple jurisdictions. This presents a potential challenge for patent owners: is the test for infringement satisfied if some of the claimed elements are met in a different country?
There are doctrines in the Canadian jurisprudence which could provide a basis for finding infringement where part of a claim is satisfied outside Canada. However, Canadian law on the issue has not been settled and, in any event, is likely to be highly fact dependent.
Jurisdictional issues also present uncertainty for clearing patent risks. Just as cloud-implemented technology may touch multiple jurisdictions, there is also the potential to attract liability in multiple jurisdictions. The law of each jurisdiction will need to be considered. For example, if a system is patented and used in the United States, infringement of the US patents may occur even if a part of the infringing system is located elsewhere (eg, in Canada).(1)
Ultimately, patent owners would be well served to recognise that cloud computing puts a wider range of jurisdictional possibilities into play and should be sure to construct portfolios that include rights wherever they may be needed.
Similarly, businesses should take a broad view when assessing risks and should consider all jurisdictional possibilities.
Multiple components operated by different parties
Cloud computing systems may include multiple components, each operated by a different party. For example, servers storing data may be owned and operated by one company, while system components relaying or processing data retrieved from those servers may be owned and operated by another company. These components may be contracted out to yet another company, which might then use those components to service end users. Because in this scenario different parties are responsible for providing different aspects of the system, it may be that no single party infringes all of the elements of a patented invention. Instead, the elements of the invention may be divided between two or more parties. The Patent Act does not provide for divided infringement and the issue has not been considered by Canadian courts.
To some extent, this can be addressed by careful crafting of patent rights – applicants should avoid claiming inventions in such a way as to permit elements to be easily separated and should be creative in claiming inventions from multiple perspectives to ensure robust coverage.
Difficulty in detecting infringement
Cloud computing also presents challenges in detecting infringement. By their nature, cloud systems often obscure or abstract some technical detail. For example, the client of a cloud computing service may not know where or exactly how its data is stored or processed. It also may not be possible for the client to reverse engineer the service – at the client end – to detect infringement. Further, a service provider's infrastructure may not be publicly accessible in a manner that allows for efficient detection of patent infringement.
Instead of the whole cloud computing system or its server-side elements, a service provider may consider whether any client-side elements of the system are eligible for patent protection. Activities at the client-side may be more localised and readily detectible. It may thus be easier for the patentee to assert its rights over its client-side elements.
However, when obtaining patent protection for client-side elements of a cloud computing system, parties should keep in mind who the potential infringer would be. It may not be in a company's best interest to assert patent rights against the users of a cloud computing service, since that may alienate those users from ever becoming customers.
Alternatively, if the proper elements can be proved, a service provider may be liable for inducing its users to infringe.
The decentralised nature of cloud storage may complicate copyright issues.
Copyright laws vary from jurisdiction to jurisdiction. What constitutes copyright infringement in one country may not in another. This complicates the question of whether copyright has been infringed when data is stored in multiple locations. Typically, the location of a work is easily identifiable. However, the work's location may be more difficult to identify in a cloud computing environment. It can thus be unclear which jurisdiction's copyright laws apply and whether there has been copyright infringement under those laws.
Another issue relating to copyright is whether cloud storage service providers can even be held liable for copyright infringement. Canadian jurisprudence has held that an internet service provider acting as an intermediary for communication is shielded from liability by the Copyright Act(2) so long as the service provider is not itself engaging in acts relating to the content of the communication. In other words, the Copyright Act shields an internet service provider from liability so long as it merely provides a conduit for information communicated by others. However, it is unclear whether cloud storage providers necessarily meet this requirement (ie, whether cloud storage providers are merely intermediaries or conduits). Therefore, Canadian copyright law is currently unclear on whether cloud storage providers may be shielded from liability for copyright infringement.
An additional complication relates to licensing of rights. Jurisdictional limits of licensing need to be taken into account, such that licences are secured for all jurisdictions where data or software may be used.
Another concern relating to cloud storage is the protection of private and confidential data, such as trade secrets. Before uploading confidential data to the cloud, a user should consider what type of duty of confidentiality is owed to it by the cloud storage service provider. For example, does that duty of confidentiality extend to subcontractors utilised by the service provider? Under what circumstances can the user's data be accessed or disclosed by the service provider? A further complication exists when the user is a business and its data includes private data of its clients or end users. In such cases, the business will need to carefully consider privacy legislation that may apply and whether the cloud service agreement is sufficient to satisfy obligations under such legislation.
Cloud computing can offer compelling cost and operational and strategic benefits, but creates legal uncertainty and raises complex IP issues, some of which remain unresolved in Canadian law. Businesses making use of cloud technologies, whether as users or as part of their own offerings, should consider and plan for such issues. Likewise, all IP owners should recognise the ubiquity of cloud technologies and ensure that their IP assets and agreements are crafted to adequately address the uncertainty and jurisdictional scope associated with cloud computing.
For further information on this topic please contact Patrick M Roszell or Robert Baker at Smart & Biggar by telephone (+1 416 593 5514) or email (firstname.lastname@example.org or email@example.com). The Smart & Biggar website can be accessed at www.smartbiggar.ca.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.