The evolution of cloud computing technologies has gained considerable momentum in recent years and the launch of new products such as the Apple iCloud and Google Cloud Connect generate increasing media interest. In common with many competition authorities around the world, the European Commission is seeking to protect competition in this area and has recently launched a public consultation on cloud computing, further to its digital agenda.[1]
For the purposes of this article, cloud computing will be broadly defined as the remote provision of computational or data storage services on demand through a network, typically the Internet. In other words, cloud computing enables secure access to software applications (eg e-mail, word processing, games) and data (eg pictures, contacts, documents) on demand from a display terminal/device (eg desktop, smartphone or tablet) without that terminal (or local network that it connects to) having to store any of the applications or data.
This broad definition includes the three key types of cloud services; software as a service (‘SaaS’), infrastructure as a service (‘IaaS’) and platform as a service (‘PaaS’). SaaS is effectively the retail service to the customer, which may be a business seeking to have its software application and data management needs met remotely, or a consumer, such as a social networking site user. IaaS is an upstream service, comprising the application hosting and data storage needed to enable the SaaS to be provided. Whilst PaaS comprises the provision of the tools needed to develop bespoke cloud services.
If the competitive conditions are right, cloud services should expand markets, promote innovation, benefit consumers, lower entry barriers and generate economic efficiencies. The efficiency benefits of pooling computational services are self-evident – why store, develop, update and protect software applications on your terminal device when all this can be done centrally and accessed securely? Analogies have been made to the development of electricity utilities, relieving the historic burden on householders and businesses of generating their own heat and power. The European Commission also points to benefits to SMEs[2] and electricity savings of up to 80% in computing activity as a result of cloud services.[3]
Cloud computing does, however, present a potential headache for competition law enforcement. Competition concerns are emerging as the use of cloud technologies enter the mainstream and some providers acquire market power and the ability to abuse that power. Similarly, public procurement decisions risk distorting competition by raising barriers to cloud services.
This article seeks to explore how some of the challenges posed by cloud computing might be overcome, in the light of competition law and cases and public procurement principles.
The principal competition concerns discussed below are lock-in effects and restrictions on interoperability and data portability. These restrictions make it difficult for cloud users to switch to the services of a competing provider thus enabling the dominant operator to reinforce its market power and/or leverage onto new markets.
Lock-in
An example of a lock-in restriction is a contractual provision with the object or effect of locking customers into a particular cloud service.
Lock-in effects can result in inefficient outcomes, particularly where they impede ‘as efficient’ competitors from winning customers from established cloud service providers.
Service level agreements (‘SLAs’) or Terms and Conditions between cloud service providers and personal or business customers for the provision of cloud services may contain lock-in provisions. Typical examples include:
- a minimum contractual term in the absence of termination rights
- a penalty clause payable for termination or breach
- data retention clauses, specifying that data uploaded into the cloud becomes the property of the cloud service provider, or that the provider has the right to exercise a lien over the data if the customer is in breach of the SLA.
Certain of these contractual provisions may be subject to other areas of law such as unfair contract terms legislation[4] and data protection law.[5] However, the application of these rules may be constrained by factors such as the law of the contract and location of the data.
By contrast, competition law has a wider territorial application, in that it can be invoked in jurisdictions where the effects occur. In the EU at least, the supremacy of EU law also gives it precedence over national legal rules.
Under competition law, the validity of lock-in clauses may, however, depend on the market power of the cloud service provider. If the cloud service provider is dominant, clauses with a lock-in object or effect are likely to constitute an abuse of its dominant position[6] in the absence of an objective justification for the clause (such as a minimum contract period required to allow set up and migration costs to be recovered).
In the case of non-dominant undertakings, only contracts between undertakings (B2B contracts), as opposed to agreements between undertakings and end-consumers (B2C contracts), are subject to competition law.[7] Therefore, a non-dominant cloud service provider’s business dealing with consumers will fall outside the scope of competition law even if it harms consumers. This reflects the primary goal of competition law, being the protection of the process of competition as opposed to the protection of consumers. Competition law generally assumes that non-dominant undertakings lack the incentive and ability to successfully exclude competitors or exploit consumers (save where they collude with competitors to do so).
As for B2B contracts implemented by non-dominant cloud service providers, these may breach competition law where their effects are appreciable and not justified by reference to countervailing consumer or pro-competitive benefits. This allows for a competition law assessment to take place and, in theory, for an efficient pro competitive market to be established.
The main recourse against lock-in clauses imposed by non-dominant cloud service providers on consumers may therefore be to rely on consumer protection legislation. While these consumer protection norms may be helpful in individual cases, they are unlikely to offer a comprehensive solution to market failures and facilitate competition.[8]
There is scope for competition authorities to address failures in consumer markets using market investigation powers. In the UK, the Office of Fair Trading (OFT) has the power to conduct a market study under the Enterprise Act 2002. This can result in recommendations to Government to change policy or regulations, encouraging businesses to self-regulate, taking enforcement action under the competition or consumer protection rules or making a market investigation reference to the Competition Commission. As seen in the investigation into the multi billion pounds payment protection insurance (PPI) industry, the Competition Commission then has wide powers to determine whether any feature of the market prevents, restricts or distorts competition and, if so, to order that remedial action should be taken. In the case of the PPI market, remedial measures included a prohibition on selling PPI at the point of sale of the credit product.[9]
However, the PPI market study was launched by the OFT in April 2006 and the final order was adopted nearly five years later. This is an eternity in relation to fast-moving Internet markets. While these powers may be helpful in enabling competition authorities to bring pressure to bear on cloud providers, they may not be the most suitable for regulating cloud markets.
Leveraging abuses
A key competition concern for cloud services is that a dominant undertaking in market A may have the incentive and ability to leverage itself onto market B and exclude competitors, leading to market distortion and inefficiency. The available strategies may include interoperability restrictions, bundling or tying.
These and other leveraging strategies, such as margin squeeze and refusal of access, have been used notably in the telecommunications sector by incumbent network operators to fight off competition from rival operators or service providers as markets have been liberalised. The European Commission has been regulating this sector for 20 years with a combination of competition based legislation and competition enforcement action.[10] Its most recent initiatives focus on securing widespread fast broadband access and net neutrality. The initiatives taken in the telecommunications sector not only provide a set of useful precedents but are also essential to the success of cloud services given their dependence on ubiquitous always-on Internet connection.[11]
Interoperability
The interoperability concern arises due to the interdependence of technologies and their need to talk to each other or interoperate. Any attempt to frustrate this interoperability by, for example, withholding interface information can have an exclusionary effect and constitute an abuse.
Interoperability in the ICT sector also emerged as a competition issue as far back as the 1980s, with the IBM case.[12] In this case, Article 86 (now Article 102 TFEU) infringement proceedings were brought against IBM by the European Commission. At the time, IBM was said to hold a dominant position in the supply of central processing units (CPUs) and operating systems, the two key components of its System/370. IBM was alleged to have abused its dominance by (inter alia) (i) failing to supply other manufacturers in sufficient time with the technical information needed to permit competitive products to be used with System/370 (‘interface information’); (ii) not offering System/370 CPUs without a capacity of main memory included in the price (‘memory bundling’) and (iii) not offering System/370 CPUs without the basic software included in the price (‘software bundling’). A settlement was reached with the Commission whereby IBM agreed to make available interface data to enable competitors to interconnect their systems and networks and to unbundle its offering.
Decades after IBM, interoperability continues to be an issue of central importance under EU law. In the Microsoft[13] case, the Court of First Instance (now the General Court) confirmed the 2004 infringement decision by the European Commission[14] against Microsoft for failing to supply interoperability information to its competitors (and tying the Windows client PC operating system with Windows Media Player). The background to the dispute originated with a complaint by Sun Microsystems to the European Commission in 1998. The complaint concerned Microsoft’s refusal to provide Sun with the information and technology necessary to allow it to operate its server operating systems with the Windows client PC operating system. The ruling confirmed that Microsoft had abused its dominance (over client operating systems) and a record fine of €497m was imposed.
In addition to conduct cases, interoperability has a prevalent role in EU decisional practice concerning mergers. The Intel/McAffee[15] merger was cleared on the basis of interoperability undertakings provided by the parties. Due to the complementary nature of the software and hardware products and services provided by the merging parties, there was no significant competitive overlap but the conglomerate effects were considered. There was concern by the European Commission that the merger would result in the tying of McAffee’s security solutions and Intel’s CPUs or chipsets, and the lack of interoperability of CPUs or chipsets with security solutions competing with those of McAffee. The interoperability undertakings provided by the parties consisted of: (i) guaranteeing the access of interoperability information to vendors of rival security solutions; (ii) committing not to actively impede other security solutions from running on Intel’s CPUs or chipsets; and (iii) committing not to hamper the performance of McAffee’s security solutions on CPUs or chipsets manufactured by Intel’s competitors.
A more recent merger in the cloud computing sector is the much publicised acquisition of Skype by Microsoft. Given the global impact of the transaction and Skype’s position as the leading provider of voice and video calls over the Internet, the acquisition was subject to merger approval in a number of jurisdictions. However, at the time of going to print, imminent and unconditional approval by the European Commission was expected.
Microsoft aims to gain a foothold in the social networking sector and to gain an advantage by integrating Skype’s communication technologies with its existing products and services, such as Xbox game consoles, Windows Smartphones and videoconferencing services aimed at businesses. At the same time, statements made by Steve Ballmer,[16] CEO of Microsoft, guarantee that Skype will remain available on competing platforms, such as Apple iPhones and iPads, as well as Google’s Android Operating System. In addition to seeking to appease competition regulators, the commercial basis for not restricting rival platforms may be that the value of Skype rests on the breadth of its coverage. Limiting interoperability and accessibility would ultimately restrict Skype’s network effects,[17] its value and, ultimately, Microsoft’s commercial interest and long-term strategy. So this is an example where the solution required by competition law should marry well with enhancing shareholder value.
Another example of how interoperability is relevant in the cloud computing sector is the recent request by Google to Apple to approve the use of a mobile version of the Google+ application (a ‘native app’) on iPhones and iPads and gain access to the App Store.[18] The launch of Google+ by Google seeks to challenge Facebook’s domination of the social networking sector. In addition to its network effects,[19] Facebook’s popularity has been strengthened by its applications for smartphones and tablets. As a result, in order to compete in the social networking sector, the Google+ application will need to be fully available on most platforms, and certainly on Apple’s iPhone and iPads, the market leaders. However, Apple, a competitor of Google in the mobile device operating platform sector,[20] maintains a strict control over its App Store platform and is reported to have blocked applications by Google to its App Store in the past. Apple ultimately approved the Google+ application, possibly in order to avoid competition law problems. However, the issue highlights how limitations on interoperability can be used to leverage power from one market to another and hinder market entry or expansion by competitors.
Data portability
Limiting data portability is another means of locking customers into a cloud computing service, foreclosing markets and creating barriers to entry to the detriment of consumers and competition.
The data retention clause referred to above is a contractual means of limiting portability. Another example is where technical incompatibility limits the ability to migrate data from one service to another. For example, it is technically impossible to transfer uploaded pictures or personal details directly from Facebook to another social networking site.
The issue of data portability has generally been examined by the European Commission from a consumer perspective under data protection law due to the privacy implications, the uneven bargaining power between consumers and providers and perhaps the difficulty in proving dominance. For these reasons, it has been argued that consumer protection law, as opposed to competition law, is best suited to dealing with data portability issues.[21]
However, imposing limitations on data portability may fall within the scope of competition law where dominance can be established and in B2B situations. Enforcement by competition authorities may provide a more coercive solution to data portability restrictions, where these result in market distortion or foreclosure. Alternatively, market based EU legislation similar to that adopted in the telecommunications sector relating to number portability may be an effective alternative to relying on the data protection rules.[22]
Public procurement
Cloud service providers, as well as other ICT providers, can gain market share by winning large government contracts further to a tender process. There is a risk that providers with a ‘closed’ platform which does not interoperate with other platforms can establish market power in this way if allowed to by government buyers. The public procurement rules[23] help ensure fair competition between providers to the public sector (and utilities) in the EU by requiring that public contracts over designated thresholds are subject to a transparent and non-discriminatory tender process.
There are specific provisions on technical specifications designed to avoid barriers to competition in public markets.[24] Technical specifications refer in this context to those requirements specified by the public body in the tender process that are required for the performance of the contract.
The rules state that technical specifications must not have the effect of creating unjustified obstacles to the opening up of public procurement to competition. The UK Cabinet Office has issued a Procurement Policy Note on the use of open standards when specifying ICT requirements.[25] This specifies that government departments should ensure that they include open standards in their ICT procurement specifications unless there are clear business reasons why this is inappropriate. It is stated that Government assets should be interoperable and open for re-use and ‘open’ is controversially defined to envisage royalty free licensing of any intellectual property. This seems to go beyond the FRAND based licensing requirements imposed, for example, under EU competition law. Public procurement law therefore clearly has a significant role in avoiding interoperability restrictions in relation to cloud services provided to Government bodies.[26]
A further concern is that, in practice, certain government departments in the UK have proved reluctant, in setting technical specifications for public ICT tenders, to accept cloud based data storage solutions. There is a view that certain kinds of data should be stored and protected in the UK, rather than in the ether of the Internet cloud or more specifically in server warehouses in some other jurisdiction. This may provide a justification for restrictive specifications in certain limited circumstances, based on national security concerns, but it would be wholly inconsistent with the public procurement rules and the ICT PPN to suggest that this practice should be widely implemented by government departments. Some further guidance may be needed on this in due course as it is a potential concern for the evolution of competition in the cloud sector.
Conclusion
Competition law can be used to combat abusive market practices that harm consumers or distort the process of competition in the cloud computing sector. However, at least in relation to B2C arrangements, competition law will be largely ineffective unless the provider is dominant in a relevant market. This is a significant weakness in relation to the fast-moving cloud computing sector. Lock-in effects imposed by non-dominant undertakings or limitations on interoperability and data portability may escape the application of competition law but nevertheless lead to market foreclosure.
A possible answer may consist of the passing of regulations and guidelines which are specific to the cloud computing sector and apply either irrespective of an undertaking’s market power or at a lower threshold than that of dominance. The EU telecommunications sector is subject to specific norms enforced by national sector regulators[27] which envisage more onerous obligations (relating for example to access and interconnection) where an operator has ‘significant market power’, a threshold which is easier to meet than dominance.
Another solution may consist of strengthening consumer protection regulations, in cases where contractual provisions or the conduct of undertakings have the object or effect of locking customers into a cloud service, possibly with more coercive direct enforcement powers being granted to competition authorities.[28]
There may be counterarguments to an interventionist solution. Cloud computing technologies are evolving rapidly and the market is generally competitive and dynamic. As a result, there is a danger that regulation may result in unintended consequences and stifle technological innovation and development. Key participants to the recent eG8 forum in Paris, such as Facebook founder Mark Zuckerberg and Google CEO Eric Schmidt, criticised the ‘over-regulation’ of the Internet and the ICT industry as a whole. Their arguments are supported by the fact that the Internet has brought many technological advances and technologies are changing at a faster rate than governments can foresee; therefore, over-regulation may result in adverse and unexpected consequences in the long term.
Another argument against regulation is that market forces act as a counterbalance to the abuses referred to above. For example, undertakings that adopt closed technologies by limiting interoperability or data portability risk harming their own commercial interest in the long term, as was the case with Apple’s near demise during the 1990s as a result of the rising popularity of Microsoft’s more open DOS and Windows operating systems. Another example is the emerging trend of cloud customers safeguarding against limitations to data portability and lock-in effects. As the market matures, sophisticated cloud customers are beginning to question their ability to migrate from one cloud service to another or to prepare a back-up plan in case their service is disrupted.
These arguments against regulation are valid. However, the emerging socio-economic importance of cloud computing and the risks of allowing competition to be frustrated may justify some more measured intervention by sectoral regulators and competition authorities.
Simon Taylor is a Partner at Wragge & Co LLP. Lucas Bornico is an Associate at CMS Cameron McKenna LLP
[1] See Public Consultation on Cloud Computing European Commission at http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=cloudcomputing. See also European Commission Communication – A Digital Agenda for Europe, COM(2010) 245 final, 26.08.2010.
[2] For instance, cloud computing technologies may allow SMEs to lower capital and operational expenses as it reduces the need to invest in expensive local servers. Moreover, cloud computing services could be paid for on an ‘on-demand’ or ‘as-you-go’ basis.
[3] Commission SPEECH/09/336, Vivianne Reding, ‘Digital Europe – Europe’s Fast Track to Economic Recovery’, Lisbon Council, Brussels, 9 July 2009.
[4] For example, in the UK, the Supply of Goods and Services Act (SGSA) 1982 or the Unfair Contract Terms Act (UCTA) 1977.
[5] In the UK, the Data Protection Act 1998.
[6] Article 102 Treaty on the Functioning of the European Union (TFEU) and the Chapter II Prohibition under the Competition Act 1998
[7] Article 101 TFEU and the Chapter I Prohibition under the Competition Act 1998.
[8] In the UK, the OFT does take action to enforce consumer legislation. For example, the OFT brought successful High Court proceedings in February 2008 against the estate agent Foxtons in relation to unfair terms in management agreements with private landlords. This has had a beneficial knock-on effect in relation to the whole market.
[9] See Competition Commission press release of 24 March 2011, PPI-CC Publishes Final Order.
[10] See for example Directive 2002/21/EC of 7 March 2002 on a common regulatory framework for electronic communications networks and services, Official Journal of the European Union L 108/33 of 24.4.2002; Deutsche Telekom AG v European Commission (C-280/08 P), {2010] 5 CMLR 27.
[11] See Cumulus congestus, special feature on cloud computing by Magnus Franklin in mlex magazine, October-December 2011.
[12] XIVth Report on Competition Policy (1984) points 94 and 95.
[13] See Case T-201/04.
[14] Commission Decision of 24 March 2004, Case COMP/C-3/37.792 (OJ 2007 L 32, p.23).
[15] See M. 5984 – Intel/McAfee, 26 .01.2011.
[16] See Microsoft in $8.5m Skype Gamble, R. Waters, T. Bradshaw and M. Palmer, Financial Times, 10 May 2011.
[17] For a discussion on network effects in the cloud computing sector, see Ensuring Competition in the Clouds: The Role of Competition Law? I. Walden and L. Da Correggio, SSRN, 2011.
[18] See Apple to decide on Google+ app, BBC News, 8 July 2011.
[19] Idem.
[20] Google’s Android operating system for smartphones and tables could be considered a competitor of Apple’s platform for iPhones and iPads.
[21] See Ensuring Competition in the Clouds: The Role of Competition Law? I. Walden and L. Da Correggio, SSRN, 2011.
[22] See Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ L337/11, 18.12.2009).
[23] See Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004, OJ L 134, 30.04.2004; p.14 as implemented in the United Kingdom by the Public Contracts Regulations 2006.
[24] See Regulation 9 of the Public Contracts Regulations 2006.
[25] Action Note 3/11 31 January 2011.
[26] See Ensuring Competition in the Clouds: The Role of Competition Law? I. Walden and L. Da Correggio, SSRN, 2011.
[27] In the UK, Ofcom is the sectoral regulator entrusted with a regulatory mandate in the telecoms sector, as well as competition powers which are concurrent with those of the OFT.
[28] See the OFT’s Enforcement of Consumer Protection legislation, Guidance on Part 8 of the Enterprise Act on www.oft.gov.uk.