Cloud Service Providers (CSPs) are relatively new intermediaries acting as “service providers” within the meaning of the Directive 2000/31/EC (i.e. any natural or legal person providing an information society service). They are commonly intended as the suppliers of the virtualized technical infrastructures where digital contents can be stored, distributed or communicated to the public and where computing resources can be shared between a number of clients. Thus, CSPs are usually not involved into responsibilities for illicit activities conducted through their means, since their role is considered merely passive in providing the technical infrastructure used by the clients.
It is worth noting that in some recent EU case law (see CJEU, C-265/16, V-CAST case) and in the process of approval of the a new EU Copyright Directive in the Digital Single Market (see the draft text approved last September by the European Parliament here and our comments here and here) are emerging signs of evolutions in the categorization of the CSPs, with a distinction between “active” CSPs and “passive” CSPs. This process seems not different from what has already happened in the context of the categorization of hosting service providers, where an higher level of responsibility is requested to those providers which play an “active” role (see our previous posts here, here and here).
Definition of Cloud Service Providers
Since there is no legal definition of CSPs available at EU level, the notion of CSP has to be reconstructed in different sources of law, at national and international level (see here). In the Italian legal system AgID – Agenzia per l’Italia Digitale introduced (see here) a legal definition of Cloud as “a set of remote technical resources utilized as virtual resources for memorization and elaboration in the context of a service”. According to this definition, the main features of the Cloud are that: (a) it entails a set of technical resources that are remotely available (this means essentially via online connection); (b) the resources are considered as virtual resources (this means only for their overall processing capacity and not as the sum of single hardware and software); (c) the resources are used for offering specific services (this means that there is a clear distinction between the services offered and the equipment used for providing such services).
There are some differences between this definition and other definitions available at international level. According to the NIST, the US National Institute of Standards and Technologies, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” According to the EU Communication on the European Cloud Initiative dated 19th April 2016– COM (2016) 178, “the Cloud can be understood as the combination of three interdependent elements: the data infrastructures which store and manage data; the high-bandwidth networks which transport data; and the ever more powerful computers which can be used to process the data.”
The NIST definition is more oriented to describe functional aspects of Cloud and the advantages in terms of accessibility and modularity of Cloud services, while the EU Commission definition focuses on structural and network aspects of Cloud. The AgID definition sounds pretty generic and does not mention some peculiar features of Cloud, such as the share of resources, the access on demand, the minimal management effort, the connection with high-bandwidth networks; the absence of such features entails that a wider variety of services can be considered Cloud services under the AgID Rules, even if they do not necessarily have some peculiar features of Cloud services.
The V-Cast case and the distinction between “active” and “passive” Cloud Service Providers
In the recent EU case law between V-Cast and RTI, the CJEU has ruled on a video-recording service of TV broadcasts through Cloud storage. The main result of this judgment of the Court is that V-Cast video-recording service has been found illicit in light of the Infosoc Directive. More in detail, the Court ruled that the Infosoc Directive, in particular Article 5(2)(b) thereof, must be interpreted as precluding national legislation which permits a commercial undertaking to provide private individuals with a Cloud service for the remote recording of private copies of works protected by copyright, by means of a computer system, by actively involving itself in the recording, without the rightholder’s consent. An interesting aspect of this decision seems to be the distinction drawn by the Court between “active” and “passive” Cloud Service Providers. Indeed, by describing the conditions under which the active CSP can be found liable, the Court seems implicitly enucleating also the conditions under which the passive CSP cannot be considered liable.
V-Cast is a company incorporated in the UK which makes available to its customers via the Internet a video-recording system, in storage space within the Cloud, for terrestrial programmes of the Italian broadcaster RTI, among others. The user selects a programme on the V-Cast website, which includes all the programming from the television channels covered by the V-Cast service. The user can specify either a certain programme or a time slot. The system operated by V-Cast then picks up the television signal using its own antennas and records the time slot for the selected programme in the Cloud data storage space indicated by the user. The storage space in the Cloud is purchased by the user from another provider.
More in detail, according to the CJEU under Article 5(2)(b) of the Directive 2001/29/CE, Member States may provide for exceptions or limitations to the reproduction right in respect of reproductions on any medium made by a natural person for private use and for ends that are neither directly nor indirectly commercial. Moreover, Article 5(5) of this Directive states that the exceptions and limitations provided for, inter alia, in Article 5(2) of the Directive will only be applied in certain special cases which do not conflict with a normal exploitation of the work or other subject matter and do not unreasonably prejudice the legitimate interests of the rightsholder.
The Court has clarified that, in order to apply the exception for private copying, it is not necessary that the technical means used for reproduction purposes are directly available to the private users but they can be provided also by third party operators. The core element to figure out the correct legal interpretation is the type of activity offered by V-Cast to its users. In the Court’s opinion, such activity cannot be considered as a mere supply of Cloud storage, also because the storage itself is not provided by V-Cast but by another provided on behalf of V-Cast. V-Cast was offering a more comprehensive service, inclusive of the (unauthorized) access to the RTI broadcasts over DTT, their reproduction and conversion into another format for distribution over the Internet and their storage, on user’s request, in a Cloud storage service for subsequent access by users.
The service offered by V-Cast does not amount only to a violation of the reproduction right, since no private copying exception is applicable to such service, but can also be considered illicit according to Article 3 of the Directive 2001/29/CE, which prohibits any unauthorized communication to the public, including the making available of a protected work or subject matter, given that, as is apparent from recital 23 of the Directive, the right of communication of works to the public should be understood in a broad sense covering any transmission or retransmission of a work to the public by wire or wireless means, including broadcasting.
Even if the Court’s judgment is very specific and tailor-made for the V-Cast service, it is also interesting to understand what can be arguable reading this judgment a contrario. The mere provision of Cloud storage services of audio-visual contents, with reproductions made on individual requests of end-users, could be considered, at certain conditions, covered by the private copying exception since: (i) it is not a necessary requisite the fact that the users possess the reproduction means or equipment, given that such reproduction can be made also via means or equipment made available by third-party operators (§ 35 of the judgment); (ii) the provider which merely organizes the reproduction on behalf of the users could be considered within the limits of the private copying exception, where the provider does not play an active role and does not interfere with other exclusive rights, such as the communication to the public (§ 37-38 of the judgment).
The proposal of amendments to the EU Copyright Directive: the role of passive CSPs
The distinction between active and passive CSPs is part of the discussions around the proposal of a new Copyright Directive in the Digital Single Market, at least according to the Amendments to such Directive adopted by the European Parliament on 12 September 2018. With the Amendment 143 for introducing a new Recital 37 a, the European Parliament has proposed to introduce the definition of an Online Content Sharing Service Provider, which should encompass those Providers the main purposes of which is to store and give access to the public or to stream significant amounts of copyright protected content uploaded / made available by its users, and that optimise content, and promote for profit making purposes, including amongst others displaying, tagging, curating, sequencing, the uploaded works or other subject-matter, irrespective of the means used therefor, and therefore act in an active way.
The definition of Online Content Sharing Service Provider is relevant also because such Providers should not benefit from the liability exemption provided for in Article 14 of Directive 2000/31/EC (i.e. the safe harbour provision for hosting providers). What is relevant for excluding certain providers from the safe harbour regime is the fact that certain providers play an active role, in different ways (but mainly with an intervention aimed at creating added value in the supply of user generated contents), since the safe harbour regime was originally thought for mere technical service providers (in Recital 32 of the E-Commerce Directive is made clear that the role of the ISP which can enjoy limitations to liability “… is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored”).
In its proposal of amendments, the European Parliament has expressly mentioned that also “Providers of cloud services for individual use which do not provide direct access to the public … should not be considered online content sharing service providers within the meaning of this Directive”. This provision, if approved, should be for the benefit of mere Cloud storage services, such as Dropbox o iCloud, where the request of reproduction is made by the private users and also the access to the stored contents is limited to the users with an account associated to those stored contents. This approach seems not far from the conclusions of the CJEU in the V-Cast case, at least considering what are the features of an active CSP in the opinion of the Court, and is the clear sign of the emerging distinction from a legal standpoint between active and passive Cloud Service Providers.
CJEU – Judgment of the Court (Third Chamber) of 29 November 2017; VCAST Limited v RTI SpA; ECLI:EU:C:2017:913
Amendments adopted by the European Parliament on 12 September 2018 on the proposal for a directive of the European Parliament and of the Council on copyright in the Digital Single Market (COM(2016)0593 – C8-0383/2016 – 2016/0280(COD))