Blog: Q&A: cloud computing law in United Kingdom – Lexology

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

Not specifically, other than in the Network and Information Systems Regulations 2018, although it is clear that English consumer, commercial, regulatory and competition law is intended to apply to cloud service providers. It is anticipated that the proposed framework for regulation of ‘critical third parties’ will likely include reference to cloud service providers (and specific cloud service providers are likely to be designated ‘critical third parties’ by the Treasury or relevant regulator). 

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Yes, in respect of cybersecurity and resilience and cyber incident reporting. The Network and Information Systems (NIS) Regulations 2018, which implement the EU NIS Directive (2016/1148/EU), specifically govern ‘cloud computing services’, meaning ‘digital services that enable access to a scalable and elastic pool of shareable computing resources’ (Regulation 1(2)).

Cloud service providers (CSPs) that fall within the definition of a ‘relevant digital service provider’ (RDSP) must, broadly stated, take appropriate and proportionate technical and organisational measures to prevent and minimise the impact of cyber incidents and related risks to their system. The regulations deal with any incident that has an impact on a service, where that impact produces a significant disruptive effect (and while this includes cybersecurity incidents, it also extends to non-cyber events that have an impact on systems, such as power supply interruption or flooding). RDSPs are also required to notify the UK Information Commissioner’s Office (ICO), the regulator for these purposes, of any incident that has a substantial impact on the provision of the cloud services within 72 hours. The ICO has a range of enforcement powers, including the right to issue financial penalties for material contraventions, up to a maximum of £17 million. RDSPs were required to register with the ICO by 1 November 2018. There are exceptions for, among others, small or micro-businesses. To be subject to the NIS for UK regulatory purposes, a CSP must have a head office in the UK (or a nominated representative), more than 50 staff and a turnover or balance sheet of more than €10 million. Note that these regulations are under review, following a government consultation in January 2022 on improving the UK’s cyber resilience. The government is considering expanding the scope of digital services regulated by the NIS Regulations to include managed services (so that providers of digital managed services are subject to the same duties as other digital service providers).

The ICO has issued a detailed and helpful guide to the NIS Regulations, which all CSPs operating in the UK should consult as a first step. The guide includes pointers to the cloud services to be governed by the regulations. It states that platform-as-a-service and infrastructure-as-a-service models will be covered, but that software-as-a-service will only be regulated to the extent that the service is ‘scalable and elastic’ and fulfils a business-to-business function. The UK National Cyber Security Centre’s guidance (updated in April 2022) should also be consulted.

The UK’s National Security and Investment Act 2021 may restrict parties acquiring shareholdings in CSPs where this has a potential impact on the UK’s national security. Transactions involving the acquisition of cloud businesses should therefore be scrutinised carefully, as failure to comply with the notification requirements under the National Security and Investment Act could amount to criminal and civil offences, and the transaction will be void.

The Treasury has issued a policy statement on the introduction of additional regulations to govern ‘critical third parties’ who provide services/functions to financial services firms and financial market infrastructure firms. In this, it specifically identifies third-party cloud-based computing services as a risk issue for the financial services sector, given the increasing reliance of this sector on cloud and other third-party providers (and the concentration in the provision of critical services by one third party to multiple firms). Entities that are designated as ‘critical’ will be subject to direct regulatory oversight of the UK’s financial regulators and subject to requirements to provide certain information to regulators as well as becoming subject to enforcement action. It is anticipated this regime will likely see the major cloud service providers in the UK subject to designation as ‘critical’ third parties. The Bank of England has now issued a discussion paper for consultation on the additional measures needed to manage systemic reliance on these third parties.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

In the UK, as business-to-consumer (B2C) and business-to-business (B2B) IT services, cloud computing services will, depending on the scope of the services and the circumstances and context of their supply, be subject to the legislation and regulation that apply to all similar IT services. Given the breadth and complexity of the cloud computing business in the UK, other participants in the provision of elements of cloud infrastructure and in the cloud supply chain may be subject to that legislation and regulation, too, for example, a communications service provider supplying a transmission service enabling the CSP to communicate with a cloud customer or the provider of cloud servers to a CSP.

As such (and with applicable B2C cloud computing consumer protection measures and data protection law), the following are likely to apply to cloud computing (or elements of it) in the UK:


The EU’s Digital Services Act (in force in early 2024) may affect the ways in which UK based service providers offer digital services to EU-based customers. The UK’s Online Safety Bill may also affect how cloud service providers interact with their customers or users.

The above is not an exhaustive list, and readers should also consider other areas covered by UK legislation and regulation, including those relating to intellectual property rights, insolvency, consumer protection and employment law.

Apart from legal and regulatory enactments, particularly in the context of cloud computing, readers should be aware of various international law enforcement measures under treaties and applicable EU measures that are likely to be relevant. These generally relate to cybercrime, criminal investigations and enforcement, and inter-state mutual legal assistance in criminal matters. Examples are:


Although beyond the scope of this section, readers will be aware of the extraterritorial impact of the USA PATRIOT Act on cloud services, as well as the impact of the US CLOUD Act.

To give readers a complete view, the same rules and principles (including as to liability) that apply to consumer and commercial technology-related services contracts under the three UK jurisdictions (England and Wales, Scotland and Northern Ireland) will apply to cloud computing contracts, subject to the scope of the services and the circumstances and context of their supply.

Although it is not legislation or public regulation, for the reasons given below, the Cloud Industry Forum’s Code of Practice for Cloud Service Providers (CIF Code) is relevant. Its stated purpose is ‘to bring greater transparency and trust to doing business in the cloud’. The CIF Code could influence the choice of CSP by potential customers, whether consumers or commercial organisations. CSPs claiming compliance with the CIF Code and the right to use CIF certification may, for validated infringement, face sanctions by CIF, including publication of the CIF’s findings on its website and press releases. So while the CIF Code does not have any public legal effect, it may be normative to the conduct of CSPs and it may influence the choice of CSP by commercial end users and consumers, as well as the public’s view of certain CSPs, especially those who have contravened the CIF Code.

Finally, the role of the UK Advertising Standards Authority (ASA) is important in the fast-growing cloud services market. The ASA’s role is to ensure that all advertisements are ‘legal, decent, honest and truthful’. The ASA publishes codes that it administers and under which it hears and rules on complaints. ASA rulings are published weekly and are ‘a transparent record of what is and isn’t acceptable’ in advertising. The rulings can remain on the ASA’s website for five years. Though ASA rulings do not have any legal effect, an adverse ruling may have a significant commercial impact, especially if a business is seen to be disregarding rules designed to protect consumers. And, as a last resort, if advertisers persistently break the ASA codes and are unwilling to change their practices, the ASA states that it can and does refer those advertisers to enforcement agencies that do have legally enforceable powers and the ability to impose legal sanctions for further action (eg, UK Trading Standards or the communications regulator Ofcom). It is worth noting that the ASA has considered several specific cloud computing-related advertisements and found against the advertisers.

In April 2021, the UK government established the Digital Markets Unit (DMU), which will oversee a new regulatory regime for digital firms. This has been operating in shadow form within the Competition and Markets Authority (CMA) on a non-statutory basis, conducting preparatory work. The UK government is consulting on its powers and will legislate when parliamentary time allows (legislation could be expected by the end of 2022 according to the Queen’s Speech). The unit is supported in its work by the Digital Regulation Cooperation Forum, which is comprised of the CMA, Ofcom, the ICO and the Financial Conduct Authority.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

For laws and regulations, the consequences of breach range from contractual unenforceability and civil enforcement remedies to criminal and regulatory fines, penalties and other sanctions. In some situations, company directors and senior executives may face personal sanctions.

The UK’s proposals for designated critical third parties will see financial regulators given enhanced powers to make rules relating to the provision of critical services, gather relevant information from critical third parties, and take formal action (including enforcement) where needed. The rule-making power is likely to comprise the right to set minimum resilience standards that critical third parties will be directly required to meet, as well as the right to require those third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with. The enhanced investigatory powers will allow regulators to request information directly, commission an independent skilled person to report on the service, require production of documents and enter the service provider’s premises under warrant. Sanctions will include the power to direct critical third parties to take, or refrain from taking, specific actions, and enforcement powers including a power to publicise failings and (as a last resort) to prohibit a critical third party from providing future services, or from continuing to provide services to firms.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

For B2C cloud computing arrangements, the following main consumer protection measures will apply.


These now constitute ‘retained EU law’ and will therefore form part of English law unless and until the UK government legislates further in this area. Together these cover matters including distance selling, the provision of certain information to consumers, marketing and marketing claims, onerous and unfair contract terms and how they are presented, cancellation rights, cooling-off periods, and choice of law and venue for consumer litigation (eg, standard terms seeking to impose compulsory arbitration on consumers may be regarded as unfair terms under the Consumer Rights Act 2015 (CRA 2015), Schedule 2, paragraph 20(a)).

Other legislation includes:


Together these regulate B2C credit terms, including any form of ‘financial accommodation’, and specify certain contract terms and restrictions (with sanctions, including legal unenforceability except by court order), the provision of certain kinds of information, the format of that information, cooling-off periods and termination processes.

The above are not exhaustive lists.

The CMA, the UK’s primary competition and consumer authority, has historically taken a close interest in B2C cloud storage contracts, in particular to see whether consumers are being treated fairly when saving and storing their content online. The CMA was concerned that some CSPs were using contract terms and practices that could breach consumer protection law (‘An open letter to cloud storage providers on complying with consumer law’, May 2016). The upshot was that several of the leading B2C cloud storage providers, including Amazon, Apple and Microsoft, voluntarily modified their terms for the benefit of UK consumers. The CMA publishes a list of all of the consumer outcomes it has secured relating to cloud storage.

Following the end of the transition period, we are starting to see UK and EU consumer regimes diverge, which will have an impact on UK traders selling to EU consumers. The United Kingdom has now revoked the Consumer Protection Cooperation Regulation (the CPC Regulation), which facilitates cooperation between EU enforcement authorities. UK consumers are also no longer able to use the EU’s online dispute resolution platform to resolve disputes arising from cross-border B2C transactions with the help of an approved dispute resolution body. However, certain amendments made as a result of the CPC Regulation to English law (and which have been retained) grant enforcement authorities greater powers to intervene in the digital sphere. So the CMA has a new power to apply to the High Court for an online interface order or an interim online interface order where the CMA believes there has been an infringement of consumer law in the UK.

While the United Kingdom is not required to implement the most recent EU consumer law reforms, UK traders selling to EU consumers will still be affected by the new rules, which impose more stringent penalties for non-compliance with consumer protection law, with fines linked to turnover. The UK government consulted on reforms in July 2021, and in its April 2022 response indicated that it is focusing on: (1) tackling subscription traps (by requiring reminders before a contract auto-renews, information reminders about the end of a free trial period and specific exit methods); (2) preventing the posting of fake reviews online and ensuring fairness in online transactions; and (3) strengthening prepayment protections for consumers. The CMA will be empowered to enforce the new rules and issue turnover-based fines for non-compliance. It will also retain its power to seek criminal enforcement through the courts for the most serious breaches of consumer law. These changes may affect some cloud provider subscription payment models.

Changes proposed to the UK data protection regime and proposals relevant to fintech and digital health may be relevant to cloud service providers.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

The extent (if any) to which UK industry sectoral regulation may apply to cloud computing will require knowledge and examination of sector-specific legislation, regulations, guidance and regulatory and statutory codes of conduct. In the United Kingdom, with the exception of the NIS Regulations and the following examples, at the time of writing, there is no regulation that applies specifically or directly to cloud computing as such. This will change when the Treasury’s proposed rules on critical third parties come into force. Where regulation is found to apply to a cloud computing project, the approval, licence or consent – or at least the informal go-ahead – of a regulator may be required. Common sense and best practice dictate that, where applicable, the regulated entity should consult its regulator as soon as practicable and as fully as possible. This should also be of concern to a CSP expecting to enter a cloud arrangement with a regulated customer.


UK financial services

The risks posed to operational resilience by cloud computing have been specifically addressed in the UK financial services sector. Operational resilience has long been a cross-sector priority. Building on a joint discussion paper in 2018 (DP 18/4), the FCA, Bank of England and PRA published a shared policy summary and package of publications (FCA CP19/32 and PRA CP19/29) aimed at strengthening operational resilience in the sector. In March 2021, the FCA released PS 21/3 and the PRA released PS6/21. These documents provide feedback on the consultations and contain the regulators’ final policies. They came into force on 31 March 2022. The operational resilience of critical third-party providers has also been a key focus. In July 2016, the FCA issued finalised guidance for firms outsourcing to the ‘cloud’ and other third-party IT services: FG16/5. It reflects the European Banking Authority’s (EBA) ‘Guidelines on Outsourcing Arrangements’ and was amended in light of Brexit. The PRA’s December 2019 consultation (CP 30/19) aimed to deliver on the commitment to ‘facilitate greater resilience and adoption of the cloud and other new technologies’ set out in the Bank of England’s response to the Future of Finance report. It led to the PRA’s March 2021 supervisory statement (SS 2/21), setting out its expectations as to how PRA-regulated firms should manage outsourcing and third-party risk, with the express aim of facilitating ‘greater resilience and adoption of the cloud and other new technologies’.

The sector’s increasing reliance on critical third parties (CTPs) has gained prominence, as highlighted by the Bank of England’s Financial Policy Summary and Record of the Financial Policy Committee Meeting on 23 September 2021. On 14 April 2022, the Bank of England published three consultation papers targeting outsourcing and third-party risk management, building on some of the themes developed in the Bank’s September 2021 letter to Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs) in relation to material outsourcing to the public cloud. HM Treasury released a policy statement in June 2022, setting out its intention to create a framework for the designation and regulatory oversight of CTPs. This was followed by a Bank of England discussion paper seeking feedback on proposed measures for the regulation of CTPs.


Broader regulatory context

The PRA regulates banks, building societies, credit unions, insurers and major investment firms. The FCA regulates the business conduct of all financial services organisations within its statutory jurisdiction, including those prudentially supervised by the PRA (dual-regulated firms). Some outsource providers (including CSPs) are authorised and regulated in their own right. The FCA Handbook and PRA Rulebook are the main sources of prudential and operational regulation governing outsourcing by financial services firms in the UK. For FCA-regulated firms, the key provisions on outsourcing are in Chapter 8 of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 8), in conjunction with the general obligation under SYSC 4.1.1. The PRA rules are codified in its Outsourcing chapter.

The PRA and FCA rules are complex and their application will depend on the nature of the firm, its authorisations and the activities it performs and/or outsources. There are also specific outsourcing-related obligations on insurance and reinsurance companies under the Solvency II Directive (2009/138/EC) and related subordinate rules and guidelines, including, in particular, Commission Delegated Regulation (EU) 2015/35 supplementing Solvency II, and, for firms in other sectors, in the Markets in Financial Instruments Directive (MiFID) II (2014/65/EU) and related subordinate rules and guidelines, including, in particular, Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II, as they form part of retained EU law in the UK.

The detailed rules governing outsourcing are beyond the scope of this section. In essence, the rules should be regarded as providing sensible outsourcing practice, having regard to risk affecting the conduct of regulated business and reflecting the interests of businesses, the market and consumers. They also reflect increased scrutiny, where the function being outsourced is considered critical or important.

Some key themes appear consistently across the various sources of rules and guidance:

  • proportionality – systems and controls must be reasonable and proportionate given the nature and purpose of the outsourcing;
  • risk – undue additional operational risk must be identified and avoided;
  • critical importance – the greater the critical importance, the higher the risk;
  • complexity – the complexity of the outsourced functions is relevant to assessing risk and implementing appropriate systems and controls;
  • control – outsourcing must not be allowed to impair internal controls or effective oversight;
  • responsibility – it is not possible to discharge regulatory obligations or delegate managerial or oversight responsibility by outsourcing;
  • data security – a risk-based approach to data storage, security and privacy is necessary especially where data is going to be transferred across international boundaries; and
  • governance – clear expectations exist for senior personnel to have understood and assessed the risks created by outsourcing, particularly where critical functions are concerned, and to have taken steps to mitigate them.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There is no specialist insolvency regime for cloud computing. The primary UK insolvency regime is set out in the Insolvency Act 1986 and the Insolvency (England and Wales) Rules 2016 (both as amended). PwC’s Business Recovery Services has produced a guide to the UK insolvency regime.

The rules that govern the insolvency of a CSP or a cloud customer, as well as those governing how corporate insolvencies are managed and disposed of, are complex. Experience in the UK has shown just how difficult it can be for cloud customers when a CSP suffers financial distress and insolvency. In early 2013, UK CSP 2e2 went into administration and subsequently liquidation. As a result, UK CSP customers are advised to consider carefully:

  • the selection of their CSP;
  • ongoing monitoring of the financial robustness of the CSP; and
  • the terms of their cloud service contracts, including:
    • ownership of the customer’s tangible and intangible assets;
    • exit arrangements; and
    • data migration where the CSP suffers financial distress or insolvency.


In addition, CSPs and other IT providers operating in the UK need to be aware of legislation that could severely restrict their ability to withdraw service from insolvent customers, terminate supply contracts or demand higher payments for continuity of supply. The legislation overrides conflicting terms in a supply contract (see sections 233 and 233A of the Insolvency Act 1986 (IA86) (as amended by the Insolvency (Protection of Essential Supplies) Order 2015)). The amendments introduced by the 2015 Order ensure that, like utility services, ‘communication services’ and other IT supplies are treated as essential supplies. ‘IT supplies’ include a ‘supply of goods and services [. . .] for the purpose of enabling or facilitating anything to be done by electronic means’, specifically including computer hardware and software; information, advice and technical assistance in connection with the use of information technology; data storage and processing; and website hosting – in other words, they are wide enough to cover cloud computing services.

The regime prevents suppliers of ‘essential supplies’ (ie, water, electricity, gas, communication services and other IT supplies) from requiring payment of pre-insolvency charges as a condition of continuing to provide supplies in specified formal insolvency situations. In addition, where a customer enters either administration or a company voluntary arrangement (CVA), the regime locks the CSP into the pre-insolvency contract (subject to certain safeguards) to prevent the CSP from terminating supply, terminating the contract or increasing prices. Where a company enters insolvency proceedings other than administration or a CVA, the provision of any supply of goods and services to that company may also now be ‘protected’ by section 233B of IA86 (as amended by the Corporate Insolvency and Governance Act 2020), which restricts the supplier’s ability to terminate the supply contract. This means that contracts need to be carefully reviewed to see which provisions apply in the event that a customer enters insolvency.

However, the protections for customers of essential supplies do not apply to contracts for the supply of goods and services where either the company or the supplier is involved in financial services (which include situations where the company or supplier is an insurer, bank, electronic money institution, investment bank or investment firm, payment institution, operator of payment systems or a recognised investment exchange). In practice, this means that financial services firms and their creditors or suppliers can continue to terminate contracts, as they see fit.
