Cloud / Hosting Providers Beware? An Unintended Consequence of the P2B Regulation

March 26, 2020

The P2B Regulation, as it’s popularly known, will apply throughout the EU from 12 July 2020. That’s during the Brexit transition period, so the UK has to implement it too.

Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services, to give it its full name, aims to improve fairness and transparency for EU-established “business users” who use “online intermediation services” (platforms) to offer goods or services to EU-located individual consumers. (It extends to search engines too, but this article won’t discuss them.) It doesn’t matter where in the world the platform is based so here we have yet another EU law with broad extraterritorial scope. It’s irrelevant whether the transactions with consumers involve monetary payment or not, or whether they’re concluded partly offline. And the Regulation benefits EU business users whether they’re sole traders, firms or companies – even large companies.

The P2B Regulation seeks to improve fairness and transparency by requiring platforms (with some exceptions or exemptions) to provide business users with:

  • certain information in their standard terms (which must be in plain, intelligible language), including on any access to data1 (personal or not) provided for or generated by use of the platform, on the ranking of goods/services (for example in search results), and naming 2 mediators;
  • certain information if restricting, suspending or terminating services to any business user, and at least 30 day’s notice of termination (with exceptions);
  • minimum2 notice before changing their terms (whereupon the user has an absolute right to terminate its contract, regardless of the type of change, as long as it’s substantive), again with exceptions; and
  • a free and fair complaints handling system for business users (not just consumers), including publishing reports on the system’s functioning at least annually.

Non-compliant platform terms are null and void – and that includes planned changes to terms where the correct amount of notice has not been given to business users via a “durable medium”. Other enforcement measures, such as for not having a compliant complaints system for business users, or not including the required information in platform terms, are yet to be set by individual Member States  but they must (as usual with EU legislation) be “effective, proportionate and dissuasive”. And, despite platforms having to provide for complaints handling and mediation, both business users and platforms are still entitled to commence litigation anytime. Furthermore, certain representative bodies for business users, or public bodies set up for that purpose in Member States, can also take enforcement action against platforms to stop or prevent infringement of the Regulation.

So, how could this Regulation affect cloud service providers or web hosting providers? The Commission had previously made it clear, and Recital 11 confirms, that the main platforms targeted are online e-commerce market places (such as Amazon Marketplace) including collaborative ones on which business users are active, online software applications services such as application stores (such as  Apple App Store and Google Play Store for Android), and online social media services – irrespective of the technology used to provide such services (including services provided by voice assistant technology). Background documents3 also mention online travel and hospitality platforms like online travel agencies, fare aggregators or metasearch engines. Online payment services are however specifically excluded, and online advertising tools and advertising exchanges were also ultimately excluded. However, the cloud industry doesn’t seem to have engaged much in relation to this legislation, possibly because they thought that cloud wouldn’t be in scope (see below).

There are some indications that the Commission may not have intended cloud/hosting providers to be caught, or at least did not consider that they could be caught, by its broad definition of “online intermediary services”. The Regulation itself does not mention cloud at all, or indeed IaaS, PaaS or SaaS. Annex 1 to the EY study for the Commission on contractual relationships between online platforms and their professional users lists 185 platforms examined with regard to the availability of their terms and their relevance for professional users but, while the list includes Amazon Marketplace and Kindle and other App Stores, the Amazon Web Services (AWS) cloud service was not named, nor any other IaaS/PaaS cloud services such as the offerings from Google or Microsoft. Azure was mentioned only as “Microsoft Azure Market Place” in relation to “Mobile / digital software application stores”. A qualitative analysis of the Commission’s 2015 Public Consultation on the Regulatory Environment for Platforms, regarding the (then far wider) proposed definition of “online platform”, included the statement: “Various other suggestions for what should be included: …cloud services”, implying that, to respondents at least, even that broad definition was not meant to include cloud. In a Commission terms and conditions workshop, cloud was mentioned only in the context of standard terms sometimes containing ‘bundling’ clauses prescribing use of certain auxiliary services such as a specific data cloud to store content. The Commission’s Impact Assessment does mention, among out-of-scope services, “Non-platform businesses (i.e. without the element of intermediation)… cloud services” – yet it acknowledged cloud services can have intermediation elements, for example. its Annexes mention “B2B intermediary platforms such as cloud app stores for professional clients”

A 2016 Commission Communication on the European Cloud Initiative stated that “The European Cloud Initiative will be complemented by further action under the Digital Single Market strategy covering cloud contracts for business users…” A 2018 EY study (but published only in late 2019) for the Commission on the Economic Detriment to Small and Medium-Sized Enterprises Arising from Unfair and Unbalanced Cloud Computing Contracts found costs and inefficiencies arising from “contract-related cloud computing problems”. Yet, the Commission’s late 2019 cloud computing brochure4 mentions cloud contracts only in relation to self-regulatory initiatives on standardising service level agreements (SLAs), translating data portability codes of conduct into model contract clauses, and the regulatory compliance of contracts between cloud providers and financial institutions; while its European Cloud Initiative page doesn’t mention contracts at all. Perhaps the Commission is still planning legislate on cloud contracts more generally, but has not done so yet – or perhaps it considers that the P2B Regulation now addresses the main issues with cloud contracts! Its intentions here are far from clear.

Be that as it may, let’s consider the actual wording of the “online intermediation services” definition (Art.2(2)). As we all know, the underlying legislative intention is supposed to be important in EU legislation, but when has that ever stopped regulators or courts from interpreting legislation in whatever way they choose?5 

This definition reads as follows: 

“services which meet all of the following requirements:

(a) they constitute information society services within the meaning of point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

(b) they allow business users to offer goods or services to consumers, with a view to facilitating the initiating of direct transactions between those business users and consumers, irrespective of where those transactions are ultimately concluded;

(c) they are provided to business users on the basis of contractual relationships between the provider of those services and business users which offer goods or services to consumers”.

Cloud and hosting providers are clearly information society services (online services) with contracts between the provider and the business user who signs up for the service. The uncertainty is (b) above: “allow business users to offer goods or services to consumers, with a view to facilitating the initiating of direct transactions between those business users and consumers, irrespective of where those transactions are ultimately concluded”. In particular, “with a view to” suggests intention, but whose intention is meant to be involved here – business users’, or providers’?

Recital 10 suggests the latter: 

“In particular, the services should consist of information society services, which are characterised by the fact that they aim to facilitate the initiating of direct transactions between business users and consumers, irrespective of whether the transactions are ultimately concluded online, on the online portal of the provider of online intermediation services in question or that of the business user, offline or in fact not at all, meaning that there should be no requirement for any contractual relationship between the business users and consumers as a precondition for online intermediation services falling within the scope of this Regulation. The mere inclusion of a service of a marginal character only should not be seen as making the aim of a website or service the facilitation of transactions within the meaning of online intermediation services.”

So, a service is only an online intermediation service if the provider behind it aims to facilitate direct transactions between business users of the service and consumers. But what if the provider has no specific aims regarding the use of its service, leaving it up its customer to decide how to use the service? In particular, with web hosting services (cloud or not), it’s for customers to determine what the customer want to use the website for: perhaps an informational or placeholder website or an e-commerce website. Similarly, customers are free to choose to use cloud services, particularly IaaS and PaaS, to provide SaaS services or mobile apps to consumers (or to host consumer e-commerce websites).

Now, one might think that a purpose-neutral, flexible service, whose exact use by a customer depends on what the customer does with it,6 should not be considered to be “aimed” at facilitating transactions between the customer and consumers. The provider doesn’t know, without checking specifically, what each particular customer does with its service. However, one might also think that a cloud provider whose service is used to process personal data doesn’t know that it’s hosting or crunching personal data, as it’s up to the customer as to what data it wishes to process using the service, so the provider shouldn’t be treated as a processor for data protection law purposes.7 But cloud providers have given up on that battle, and generally offer terms for compliance in relation to any personal data processing on an “if” or “to the extent” basis. Providers’ knowledge and intention don’t seem to be relevant to EU regulators.8 

It’s a pity that the Regulation’s wording was not clearer here. Contrast that with the UK Finance Bill 2020, providing for a 2% digital services tax from 1 April 2020 targeting, among other sectors, “online marketplaces”, where under Clause 42(5):

“Online marketplace” means an online service that meets the following conditions—”

(a) the main purpose, or one of the main purposes, of the service is to facilitate the sale by users of particular things [services, goods or other property], and

(b) the service enables users to sell particular things to other users, or to advertise or otherwise offer particular things for sale to other users).

Note the reference to “main purpose”, which is unfortunately lacking from the P2B Regulation’s definition of online intermediation services (perhaps the Regulation could have been drafted to read “primarily aimed at” or “primarily with a view to”).

Therefore, there could be a risk of online services being treated as “online intermediation services” if they’re:

  • web hosting services used by EU business users to host e-commerce websites offering goods/services to EU consumers, or
  • IaaS or PaaS services used by EU business users to host:

       – e-commerce websites offering goods/services to EU consumers, or

       – SaaS services or apps offered to EU consumers.
Issues about cloud contract terms being too one-sided, and cloud providers having too much negotiating power compared with their customers, have often been raised in the past.9 

So it’s not inconceivable that such an EU business user might seek to claim that a hosting or cloud provider’s new terms are void altogether because insufficient notice was given of updated terms for major features changes. Or try to terminate its contract earlier than it might be entitled to otherwise based solely on updated terms being proposed by the provider. Or allege that the provider has not put in place a complaints handling system or named 2 mediators, perhaps to contest the restriction, suspension or termination of its service, and indeed contest their service’s termination or restriction  on the basis that the required statement of reasons wasn’t provided or the required notice period wasn’t respected. Representative organisations such as SME industry bodies, or relevant Member State public bodies, could also try to litigate against cloud or hosting providers to stop or prohibit non-compliance with the Regulation, arguing that such providers’ services are in scope.

Hosting and cloud providers will, of course, argue that their services are not caught by the Regulation as they are purpose-neutral, dependent on the customer’s choice, and accordingly are not “with a view to” or “aimed” at facilitating transactions between their EU business users and EU consumers. But much will depend on the provider’s approach and risk appetite. Many cloud/hosting providers do already give more than 30 days’ notice of changes to their terms. But it will cost time and money to implement the Regulation’s requirements in full: providers would need to consider, for example,  in what situations longer notice may be needed for terms updates, how to compile data access information, how to set up compliant complaints systems for business users, how to update policies/processes for terminating/suspending business users and more.. Without knowing the detailed national enforcement regimes (still to be implemented) some such providers may decide to take the risk and ignore the Regulation altogether. Only time will tell…

NOTES

1 Note that the P2B Regulation does not force providers to give access to such data, only to be transparent about the extent to which they have or give such access, technical or contractual, to business users or third parties.

2 The difficulty is that while 15 days is the minimum, longer notice must be given if “reasonable and proportionate” in the circumstances, such as where the proposed changes require business users to make technical or commercial adaptations to comply, for example by requiring them to make significant technical adjustments to their goods or services.

3 E.g. the Impact Assessment for the proposed Regulation.

4 See also https://ec.europa.eu/digital-single-market/en/cloud 

5 If I may cite my own book, take for example the General Data Protection Regulation’s international transfers restriction, inherited from the Data Protection Directive – under which the legislative intention of that restriction, as explicitly stated by the Commission, was to prevent controllers from circumventing data protection laws by using third country processors. How its application has since expanded! Hon, Data Localization Laws & Practice (Edward Elgar 2017), 2.3.2.

6 And not the hosting or cloud provider generally, except in negative ways – i.e. by specifying in their terms what the service should not be used for e.g. infringing third party intellectual property rights, other illegality etc.

7 Hon, Millard & Walden, The problem of ‘personal data’ in cloud computing: what information is regulated?—the cloud of unknowing, International Data Privacy Law, Volume 1, Issue 4, November 2011, Pages 211–228.

8 Take the European Data Protection Board’s extreme example 20 in its Guidelines on Territorial Scope 3/2018. If a US company’s app is available to and used by EU individuals (and monitors their behaviour), and the company uses a US cloud provider, according to the EDPB the US cloud provider as processor is itself directly subject to the GDPR as its processing is “related to” the company’s monitoring of EU individuals! Again, the cloud provider’s knowledge/intention regarding the use of its services for personal data, and indeed whether its US customer was using its service to provide an app to EU individuals, has been totally ignored.

9 See Bradshaw, Millard & Walden, “Chapter 3 Standard Contracts for Cloud Services” and Hon, Millard & Walden, “Chapter 4 Negotiated Contracts for Cloud Services” in Millard (ed), Cloud Computing Law (OUP 2013), including cloud customer problems with providers’ termination rights (e.g. for breach of acceptable use policies or AUPs – 5.7.2) and providers’ unilateral right to change terms, service features etc (5.8).

——————————–

Dr W Kuan Hon is a Director at Fieldfisher but has other hats too. Views expressed are personal to her and should not necessarily be attributed to any organisation with whom she may be associated.