Further to our article on cloud computing specific legal issues, on this article we focus on the jurisdictional and law issues. Very often the customers of providers of cloud computing services are located in different jurisdictions from those of the providers. This raises some interesting jurisdiction and applicable law issues either (i) because additional laws may apply, as well as the law referred to in the particular contract, as in the case of data protection where Directive 95/46/EC has its own rules on applicable law and jurisdiction or (ii) where the parties have not expressly chosen an applicable law and jurisdiction.

In this case the following will apply:  

1) The Rome Convention 1980 and the new Rome I apply to contractual obligations where there is no express choice of law. In this case, the contract will be governed in accordance with the law of the country in which the party who will perform obligations characteristic of the contract has its habitual residence or central administration.  In particular, Rome I provides that a contract for the provision of services shall be governed by the law of the country where the service provider has its habitual residence or central administration. For the cloud computing service provider, this will mean the law of the place in which the service provider locates its servers. 

2) Rome II applies to non-contractual obligations arising in civil and commercial matters between parties. Subject to a number of defined exceptions (including unfair competition, Intellectual Property infringement, product liability and other circumstances where a specific deviation is defined), the law applicable to these obligations will be the law of the country in which the damage occurs or is likely to occur.  

As with contractual obligations, parties to a cloud computing contract may sidestep Rome II rules (concerning choice of law) by agreeing contractually on the law that will govern their non-contractual obligations. Take care during cross-border dealings to ensure that foreign law does not give rise to unexpected and binding non-contractual obligations (for example, duties of good faith in negotiations which do not exist under English law). If the contract is formed on suppliers standard non-negotiable terms and conditions, the choice of governing law for non-contractual obligations may be ineffective.

This is because this right of choice  applies to agreements that are freely negotiated. Although the meaning of "freely negotiated" has not been defined in Rome II, its requirement creates uncertainty over whether a governing law clause in standard form agreements that covers a non-contractual obligation will be effective. Under the Brussels Regulation (which largely follows the form of the Brussels Convention 1968 and Lugano Convention 1988), a person domiciled in a contracting state may be sued in the courts of another contracting state where a contractual obligation is owed.

A service provider based in the EU can be sued in all the jurisdictions in which it provides services to its customers. The Brussels Regulation also provides for mutual recognition and enforcement of judgments. However, where the service provider is based outside the EU, jurisdiction will depend on the relevant rules of court relating to service of proceedings on the service provider outside the jurisdiction. 

Customers often take the view that the cloud-computing contract should be governed by their local law as this is the legal system of which they have greatest knowledge. However, this will be difficult to negotiate. Further, it may not always be the best position. If the service provider does not have a sizeable presence in the customer's jurisdiction then any court order that might be obtained will be difficult to enforce in the service provider's jurisdiction. This applies particularly between EU customers and US service providers and where there is a need to obtain emergency remedies against a service provider, for example, if the customer considers that its data has been misused by the service provider. In these circumstances, obtaining emergency remedies will generally be more straightforward if the governing law of the contract is the local law of the service provider. 

Where the customer is a multi-national corporate, additional jurisdictional issues arise, including: 

1. Intellectual property licensing: does the service provider have the right to grant sub-licences to all the territories in which the customer operates?
2. Local law: e-mails sent using the cloud-computing service from an overseas country are likely to be subject to the local defamation law of that overseas country.
3. Conflict of laws: Where the laws of various jurisdictions may well apply to a particular cloud computing contract and it does not specify the governing law or applicable jurisdiction, these matters will be determined by private international law (known as conflict of laws). The private international law is based on the concept of localisation (that is, where in the physical world a particular element of a transaction occurred). Within the context of cloud computing contracts, adopting the place of performance for the purposes of localisation will mean where the service is performed by software operating automatically or where performance occurs on a server located in a jurisdiction different to that which the website (through which the cloud computing service's customers request the service) is stored.
4. Encryption regulation: Where encryption mechanisms are used as part of the cloud computing service's applications, the export of encryption software from the US needs to be carefully monitored to ensure that the rules relating to that export are complied with, as the sanctions for non-compliance can be significant.