Territoriality in the age of cloud computing and data storage
31 October 2022
Protection of most intellectual property assets is territorial.
This means IP rights created or registered in a certain jurisdiction will only be protected in that jurisdiction, subject to its own IP laws.
Enter the age of cloud computing and data storage whose nature involves cross-border data transfer or data in transit in many jurisdictions. These innovations are disruptors. And as industry disruptors, they have been blurring national boundaries, giving rise to questions on territoriality. With these issues staring IP rights owners, lawyers and attorneys in the face, it’s like stepping into, well, new territory.
But first, let’s be clear. Data privacy is multi-territorial. This means the processing of personal data of a data subject from one jurisdiction could be subject to the data privacy laws of another jurisdiction, depending on the nature of the processing activity.
Gautam K.M., associate partner at Krishnamurthy & Co. in Bengaluru, also noted that a dynamic interpretation of territoriality is required.
“The interpretation of the concepts of territoriality has to be dynamic enough to cover the scope of the reciprocal protections granted under the Berne Convention for the Protection of Literary and Artistic Works, 1886 read with the TRIPS Agreement, 1995,” said Gautam, “as these international laws address and cover a rather dynamic territory vis-à-vis the traditional boundaries of a country whereby ensuring that the owners of copyright enjoy protection even under the laws of other countries.”
“These treaties would impose on member countries the obligation to reciprocally protect and enforce rights that may originate from another member state. In terms of wrongs and infringing acts that are committed, the principle of territoriality would apply in so far as these wrongful acts are committed in jurisdiction. However, there are exceptions. For example, the territoriality principle may be clarified in the situation where a country’s private international law rules may permit its courts to treat a foreign IP infringement to be a justiciable issue,” added Stanley Lai, partner and head of the IP practice at Allen & Gledhill in Singapore.
With cloud computing now in our midst, especially with business enterprises’ much-needed digital transformation, a non-negotiable move brought about by the pandemic, what are the ramifications? What is this new digital territory like and how does the concept of territoriality fit in it?
“With modern-day technology, it becomes even more important, as an individual’s IP is not confined to use in their respective country of residence or the country in which they have sought registration and protection of their IP rights. An entity carrying on business in one country can have all their data stored in cloud servers located in another country,” Gautam said.
In India, most data collected by ecommerce portals, social media platforms and search engines are stored outside India because their servers are located outside the country.
“Since data or information can be dispersed, shared and stored on various servers and/or clouds, conventional concepts of territoriality could not be strictly applied. In such a situation, IP violations will go unchecked if the traditional concepts of territoriality are adhered to,” Gautam explained.
Data storage in the cloud comes with technical and legal issues. Among these are issues concerning control over data, security of data and information stored in cloud.
“If an infringement occurs, it gives rise to the question and challenge of which national laws apply and to what extent,” added Nont Horayangura, a partner at Baker McKenzie in Bangkok. “While the owner of the database may have IP rights or ownership to commercially exploit data hosted on the cloud, they also need to comply with other applicable laws, for example data privacy laws with regard to the processing of personal data or trade secret law for trade secret information contained in that particular database.”
“The fact that payment for services is made and transaction concluded from a particular country, though digitally, the user of the service would invoke jurisdiction of the country where the contract was signed,” countered Ranjan Narula, managing partner at RNA, Technology and IP Attorneys in Gurugram. “However, it still brings up multiple issues considering the cloud service provider may claim that he is not incorporated in the country where his services are available, therefore, not submit to the jurisdiction of the court or courts.”
With different countries having varying degrees of infrastructure, accessibility issues also present challenges.
“Cloud computing and data computing certainly bring up novel challenges because of the spread-our nature of the internet and cloud data,” said Guo Cai, a partner at Jin Mao in Shanghai.
In addition to the challenges enumerated above, Cai mentioned the anonymity of identity as another. “It is easy to hide one’s identity in the context of cloud computing and thus more challenging to identify the accurate party to take action against,” she explained.
Another is diversity of identity. This means there could be multiple parties involved in the process of data transmission, making it difficult to rightly identify the concerned party.
The problem of uncertainty of locality also arises. “Due to the frequent involvement of virtual private networks (VPNs) and server side rendering (SSR), especially in China, cloud computing makes it more difficult to confirm the exact locality of parties and infringements concerned,” said Xie Ruiqiang, also a partner at Jin Mao in Shanghai.
Narula added: “With cloud services available in different jurisdictions, it has the potential to attract liability in the multiple jurisdictions. Furthermore, jurisdictional issues for clearing patent risks can be unpredictable. As the cloud implemented technology touches multiple jurisdictions, it has the potential to attract liability in the multiple jurisdictions over patent infringement.”
Cloud computing and data storage: Have laws, regulations and policies caught up?
Do IP, data privacy and protection laws in their jurisdictions adequately address these challenges in territoriality?
At the legislative level, China launched the PRC Data Security Law in June 2021 to highlight the need to secure sovereignty in the internet space. “To achieve this goal, China protects data with different security measures according to classification of data. In addition, there is heightened supervision of cross-border movement of key data,” said Ruiqiang.
In the same year, China also launched the Rules on Counteracting Unjustified Extra-territorial Application of Foreign Legislation and Other Measures, which provides legal basis for Chinese entities to refuse certain data provision requests from other countries.
Meanwhile, India does not have a stand-alone personal data protection law or regulation to protect personal data and information shared or received in a verbal, written or electronic form.
Not yet, anyway. Currently, the government is in the process of framing a comprehensive data protection legislation, expected to be introduced in early 2023.
For the meantime, data protection is afforded by a mix of statutes, rules and guidelines. One of these is the Information Technology Act, 2000 (IT Act) amended by the Information Technology Amendment Act, 2008, read with the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011.
Section 72 of the IT Act is among its relevant portions, which provides that: any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs100,000, (US$1,230) or with both.
“Section 75 mandates that provisions of this act shall also apply to an offence/contravention committed outside India by any person if the conduct constituting an offence involves a computer/computer network located in India,” said Narula.
Another is Section 1(2) of the IT Act, 2000, which addresses infringements and breaches amidst the changing concept of territoriality. The section reads: “It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person.”
“In India, the concept of data territoriality in terms of data storage is not covered under the India data privacy laws,” added Gautam. “However, the concept of territoriality has been rooted in international IP law since its inception. As per this principle, IP rights must be conferred to the territory where they are granted. While this concept/principle was developed with the intention of allowing countries to develop and promote their own economic needs and goals, it is important that the said concept be read together with international laws such as the Berne Convention for the Protection of Literary and Artistic Works, 1886 read with the Agreement TRIPS, 1995,” he said, re-emphasizing his earlier statement.
There is another development brewing in India. With much of the data gathered by ecommerce sites, social media platforms and search engines stored in locations outside the country, the government is now initiating policy reforms. The aim: to attract investment from these companies to enable them to store data within India.
For example, the Reserve Bank of India requires payment system providers authorized or approved by the bank to store all of their data in India, rather than outside India. Data processing may be undertaken outside, but storage must be done only in India post processing. Plus, the data should include the complete end-to-end transaction details.
In Thailand, the question highlights a problem area.
“The application of existing IP and data protection laws in the context of cloud computing and data storage may not be fully working out since there is no practical guidance for the digitalization era at the moment,” said Horayangura. “Also, there are certain issues from an enforcement point of view, such as how to prove the location of the infringement or illegal action committed on the cloud or how the local authorities will cross-jurisdictionally enforce the laws.”
Territoriality issues: What else can be done?
But surely, something or some other things can be done to address these challenges in territoriality.
For Horayangura, a more practical guidance or interpretation of the laws in the digitalization era from authorities will offer a solution.
For Narula, harmonization of the law is needed. He cited the global tax deal on digital transactions, which was agreed upon by 136 countries. Under the deal, countries will be able to collect more taxes from top-tier multinational companies based on their sales made within the jurisdiction. The international tax deal, he affirmed, is a good example of cooperation on issues that impact further development and diffusion of cloud technology.
Having a contract is also key.
“The cloud service providers and users should always be bound by contractual obligations for use of the cloud computing and data storage by identifying important issues under the contract, such as choice of law and court, parties’ liabilities and indemnifications,” said Horayangura.
“We also have to be mindful of contractual arrangements and binding corporate rules that may regulate cross-border transfers of data and information, and these are separately enforced in personam,” he said, “regardless of a cloud or other data storage component.”
Lai maintains, however, that it is still possible to assess and identify a lex causae or the law governing the case of a particular substantive obligation and breach.
“Where cloud computing and data storage are concerned, the applicable national law(s) may be derived from server locations and other storage locations. With cloud computing, servers are still not dispensed with. Where data and information are collected and received, regardless of storage, it would not be difficult to isolate the applicable law or statutory provision that would govern,” he explained.
Navigating the “territoriality” legalities of IP, data privacy and protection in the era of cloud computing and data storage is like stepping into new territory. Or is it?
- Espie Angelica A. de Leon