In July 2014, the International Organization for Standardization (“ISO”) and International Electrotechnical Commission (“IEC”) published ISO/IEC 27018 (ISO 27018), a code of practice that sets forth standards and guidelines pertaining to the protection of data consisting of “personally identifiable information” processed by public cloud service providers.
ISO/IEC 27018 is the first International Standard that focuses on protection of personal data in the cloud. Although only a few months old, the new standard should finally give cloud users confidence that their service provider is well-placed to keep data private and secure.
ISO/IEC 27018 specifies certain minimum types of security measures that cloud providers should adopt, if applicable, including encryption and access controls. The cloud standard also requires cloud providers to implement security awareness policies and make relevant staff aware of the potential consequences (for staff, the cloud provider and the customer) of breaching privacy and security rules.
As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC 27018 has the following key objectives:
ISO/IEC 27018 provides a practical basis to induce confidence in the cloud industry. At the same time, the public cloud industry will have clear guidance in order to meet some of the legal and regulatory concerns of its clients.
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect “personally identifiable information” in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of “personally identifiable information” which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as “personally identifiable information” processors via cloud computing under contract to other organizations.
The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as “personally identifiable information” controllers; however, “personally identifiable information” controllers can be subject to additional “personally identifiable information” protection legislation, regulations and obligations, not applying to “personally identifiable information” processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
As a guiding principle, ISO/IEC 27018 standards and guidelines facilitate the retention by the cloud service customer of authority to determine the scope of any use and handling of its “personally identifiable information”. The following controls and implementation guidelines are set forth in ISO/IEC 27018 as generally applicable to cloud service providers processing “personally identifiable information”:
Since 1937, when the first Code of Advertising Practice was issued, ICC has produced, and successively revised, global sets of ethical rules, covering all main marketing disciplines. The ICC Code of Direct Selling forms part of that comprehensive ICC normative system.
In 2006 many of the marketing codes were consolidated into one document, the Consolidated ICC Code of Advertising and Marketing Communication Practice, revised in 2011. As direct selling is primarily a method of distribution, the Direct Selling Code remains a stand-alone document; however, by reference it is clearly linked to the Consolidated Code, which is the recognized global reference point for responsible marketing communications.
The ICC Code of Direct Selling was first published in 1978 and followed the already then well-established ICC policy of promoting high standards of ethics in marketing via self-regulatory codes, intended to complement the existing frameworks of national and international law.
Like its predecessor (2007), this edition has been developed in close co-operation with the World Federation of Direct Selling Associations (WFDSA). That has ensured the Code is based on the best available expertise and has kept pace with changes in practice and direct selling techniques. The WFDSA has also adopted a world code of conduct applicable exclusively to members of direct selling associations. There is conformity in substance between the ICC Code and the industry code. The ICC Code is to be followed by all involved in direct selling.
Direct selling, as defined by the ICC Code, “refers to the selling of products directly to consumers, generally in their homes or the homes of others, at their workplace and other places away from permanent retail locations, where the direct seller may explain or demonstrate products.”
The Direct Selling Code is an instrument for self-discipline, but may also be used by the courts as a reference document within the framework of applicable legislation. The ICC Code is also able to fill in the gap in countries which have not created direct selling laws.
The Direct Selling Code spells out responsible conduct towards consumers, such as the credo not to exploit a consumer’s age and the requirement that product demonstrations be complete with regard to price, and also covers recruitment practices in the direct selling industry.
Recent changes include a section on referral selling stipulating that consumers should not be induced to make a purchase based on the assumption of a reduced price for customer referrals. The ICC Code also requires that direct selling companies communicate the contents of the Code to their direct sellers and that compliance with the standards of the Code should be a condition for membership in the company’s distribution system. In keeping with the principle of truthfulness, the ICC Code specifies that “descriptions, claims, illustrations or other elements relating to verifiable facts should be capable of substantiation.”
Hungarian law authorises Hungarian companies to convert, but does not allow a company governed by the law of another Member State to convert to a Hungarian company.
The Italian company Vale Costruzioni S.r.l. was incorporated and added to the commercial register in Rome in 2000. On 3 February 2006, that company applied to be deleted from that register as it wished to transfer its seat and business to Hungary, and to discontinue business in Italy. On 13 February 2006, the company was removed from the Italian commercial register, in which it was noted that ‘the company had moved to Hungary’.
Once the company had been removed from the register, the director of Vale Costruzioni S.r.l. and another natural person incorporated Vale Építési Kft. The representative of Vale Építési Kft. requested a Hungarian commercial court to register the company in the Hungarian commercial register, together with an entry stating that Vale Costruzioni S.r.l. was the predecessor in law of Vale Építési Kft. However, that application was rejected by the commercial court on the ground that a company which was incorporated and registered in Italy could not transfer its seat to Hungary and could not be registered in the Hungarian commercial register as the predecessor in law of a Hungarian company.
The Legfelsőbb Bíróság (Supreme Court, Hungary), which has to adjudicate on the application to register Vale Építési Kft., asks the Court of Justice whether Hungarian legislation which enables Hungarian companies to convert but prohibits companies established in another Member State from converting to Hungarian companies is compatible with the principle of the freedom of establishment. In that regard, the Hungarian court seeks to determine whether, when registering a company in the commercial register, a Member State may refuse to register the predecessor of that company which originates in another Member State.
In its Judgment in Case C-378/10 VALE Építési Kft. the Court of Justice of the European Union notes that, in the absence of a uniform definition of companies in EU law, companies exist only by virtue of the national legislation which determines their incorporation and functioning. Thus, in the context of cross-border company conversions, the host Member State may determine the national law applicable to such operations and apply the provisions of its national law on the conversion of national companies that govern the incorporation and functioning of companies.
However, the Court of Justice points out that national legislation in this area cannot escape the principle of the freedom of establishment from the outset and, as a result, national provisions which prohibit companies from another Member State from converting, while authorising national companies to do so, must be examined in light of that principle.
In that regard, the Court finds that, by providing only for conversion of companies which already have their seat in Hungary, the Hungarian national legislation at issue treats companies differently, in a general manner, according to whether the conversion is domestic or of a cross-border nature.
However, since such a difference in treatment is likely to deter companies which have their seat in another Member State from exercising the freedom of establishment, it amounts to an unjustified restriction on the exercise of that freedom.
Moreover, the Court notes, firstly, that the implementation of a cross-border conversion requires the consecutive application of two national laws to that legal operation. Secondly, the Court states that specific rules capable of substituting national provisions cannot be inferred from Articles 49 TFEU and 54 TFEU. In such circumstances, national provisions must be applied in compliance with the principles of equivalence and effectiveness designed to ensure the protection of the rights which individuals acquire under EU law.
Consequently, the Court finds, firstly, that the application by Hungary of the provisions of its national law on domestic conversions governing the incorporation and functioning of companies, such as the requirements to draw up lists of assets and liabilities and property inventories, cannot be called into question.
Secondly, where a Member State requires, in the context of a domestic conversion, strict legal and economic continuity between the predecessor company which applied to be converted and the converted successor company, such a requirement may also be imposed in the context of a cross-border conversion.
However, the Court finds, thirdly, that EU law precludes the authorities of a Member State from refusing to record in its commercial register, in the case of cross-border conversions, the company of the Member State of origin as the predecessor in law of the converted company, if such a record is made of the predecessor company in the case of domestic conversions.
Finally, the Court answers that, when examining a company’s application for registration, the authorities of the host Member State are required to take due account of documents obtained from the authorities of the Member State of origin certifying that, when it ceased to operate in the Member State of origin, that company did in fact comply with the national legislation of that Member State.
On 12 September 2011, the International Chamber of Commerce (ICC) launched a revised version of its Rules of Arbitration with the aim of better serving the existing and future needs of businesses and governments engaged in international commerce and investment.
The new ICC Arbitration Rules (the “Rules”) will come into force on 1 January 2012 and take into account current requirements and developments in arbitration practice and procedure, as well as developments in information technology, since they were last revised in 1998.
The revision process began in 2008 and was undertaken by a small drafting committee of up to 20 members, supported by a wider task force of 202 members and a consultation process with ICC national committees around the world and the ICC Commission on Arbitration. The new Rules were approved in Mexico City by the ICC World Council on 11 June 2011.
Additions to the Rules include provisions to address disputes involving:
Other amendments have also been made to ensure that the arbitral process is conducted in an expeditious and cost-effective manner.
Unless parties stipulate otherwise, the new ICC Arbitration Rules will automatically apply to all arbitrations under the auspices of the International Chamber of Commerce commenced after 1 January 2012, save for the emergency arbitrator provisions.
In answer to the growing demand for a more holistic approach to dispute resolution techniques, the new Rules are published in a booklet that also includes the ICC ADR Rules, which provide for mediation and other forms of amicable dispute resolution. Both sets of Rules define a structured, institutional framework intended to ensure transparency, efficiency and fairness in the dispute resolution process while allowing parties to exercise their choice over many aspects of procedure.
The Governing Council of UNIDROIT at its 90th session formally adopted on 10 May 2011 the third edition of the Principles of International Commercial Contracts (“UNIDROIT Principles 2010”).
The UNIDROIT Principles 2010 contain new provisions on restitution, illegality, plurality of obligors and obligees, and conditions, while with respect to the text of the 2004 edition the only significant changes made relate to the Comments to Article 1.4.
The new edition of the UNIDROIT Principles consists of 211 Articles (as opposed to the 120 Articles of the 1994 edition and the 185 Articles of the 2004 edition) structured as follows: Preamble (unchanged); Chapter 1: General provisions (unchanged); Chapter 2, Section 1: Formation (unchanged), Section 2: Authority of agents (unchanged); Chapter 3, Section 1: General provisions (containing former Articles 3.1 (amended), 3.2, 3.3 and 3.19 (amended)), Section 2: Grounds for avoidance (containing former Articles 3.4 to 3.16, 3.17 (amended), 3.18 and 3.20, and a new Article 3.2.15), Section 3: Illegality (new); Chapter 4: Interpretation (unchanged); Chapter 5, Section 1: Content (unchanged), Section 2: Third Party Rights (unchanged), Section 3: Conditions (new); Chapter 6, Section 1: Performance in general (unchanged), Section 2: Hardship (unchanged); Chapter 7, Section 1: Non-performance in general (unchanged), Section 2: Right to performance (unchanged), Section 3: Termination (containing former Articles 7.3.1 to 7.3.5, 7.3.6 (amended) and a new Article 7.3.7), Section 4: Damages (unchanged); Chapter 8: Set-off (unchanged); Chapter 9, Section 1: Assignment of rights (unchanged), Section 2: Transfer of obligations (unchanged), Section 3: Assignment of contracts (unchanged); Chapter 10: Limitation periods (unchanged); Chapter 11, Section 1: Plurality of obligors (new), Section 2: Plurality of obligees (new).
Cloud computing relates to IT services and resources – including infrastructure, platforms and software – which can be provided to customers via the internet, rather than by on-site installations of IT hardware and software (for a technical definition of cloud computing see National Institute of Standards and Technology).
Cloud computing allows companies to benefit from financial savings, cost sharing with the other customers on the same cloud, and efficiency, while their IT infrastructure is constantly upgraded and updated by the cloud computing provider.
Notwithstanding such benefits, cloud computing should be duly considered in light of the risks it involves, such as, among others, security, performance, service availability, contractual remedies and supplier stability.
From an International Law perspective, the key difference between traditional IT outsourcing and cloud computing is “where” the data resides or is processed, as data may be dispersed across and stored in multiple data centers all over the world. Moreover, the use of a cloud platform can result in multiple copies of such data being stored in different locations. This is true even for a “private cloud” that is run by a single customer.
In fact, corporate customers should consider that cloud computing is vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm the relevant systems. Data centers may be located in areas with a high risk of major earthquakes or may be subject to break-ins, sabotage, and intentional acts of vandalism, and to potential disruptions if the operators of these facilities have financial difficulties.
Above all, systems are not fully redundant, and disaster recovery planning cannot account for all eventualities.
In addition, cloud computing products and services are highly technical and complex and may contain errors or vulnerabilities. Any errors or vulnerabilities in such products or services, or damage to or failure of such systems, could result in interruptions in the services, which could reduce revenues and profits, or damage the corporate brand. Finally, internet, technology, and media companies own large numbers of patents, copyrights, trademarks, and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights related to the cloud.
In light of the above, as corporate customers explore cloud computing as an IT outsourcing strategy, there are several legal issues that should be carefully considered. Implications of outsourced data handling, contract terms and conditions, intellectual property rights and proper insurance coverage are, among others, the key elements to be addressed from an International Law perspective. Therefore, carrying out due diligence on the proposed cloud vendor is a crucial risk mitigation step.
Among others, the following key issues shall be addressed:
The European Court of Justice in its Judgment in Joined Cases C-585/08 and C-144/09 Peter Pammer v Reederei Karl Schlüter GmbH & Co. KG and Hotel Alpenhof GesmbH v Oliver Heller explains the rules of jurisdiction in European Union law that are applicable to consumer contracts, in relation to services offered on the internet.
The European Union regulation on jurisdiction in civil and commercial matters (see Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters) provides that actions against a person domiciled in a Member State must, as a general rule, be brought in the courts of that State. It also provides that cases resulting from a contractual relationship may be decided by the courts for the place of performance of the contractual obligation. In the case of consumer contracts, however, rules protecting the consumer apply. If the trader “directs its activities” to the Member State in which the consumer is domiciled, the consumer can bring proceedings before the courts of the Member State of his domicile and he can be sued only in that Member State.
In its judgment, the Court states that mere use of a website by a trader in order to engage in trade does not in itself mean that its activity is “directed to” other Member States, which would trigger application of the protective rules of jurisdiction in the regulation. The Court holds that, in order for those rules to be applicable in relation to consumers from other Member States, the trader must have manifested its intention to establish commercial relations with such consumers.
In order to determine whether a trader whose activity is presented on its website or on that of an intermediary can be considered to be “directing” its activity to the Member State of the consumer’s domicile, within the meaning of Article 15(1)(c) of Regulation No 44/2001, it should be ascertained whether, before the conclusion of any contract with the consumer, it is apparent from those websites and the trader’s overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member State of that consumer’s domicile, in the sense that it was minded to conclude a contract with them.
In this context, the Court considers what evidence can demonstrate that the trader was envisaging doing business with consumers domiciled in other Member States. Such evidence includes clear expressions of the trader’s intention to solicit the custom of those consumers, for example when it offers its services or its goods in several Member States designated by name or when it pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers domiciled in those various Member States.
Nevertheless, other less patent items of evidence, possibly in combination with one another, are also capable of demonstrating the existence of an activity “directed to” the Member State of the consumer’s domicile. These include: the international nature of the activity at issue, such as certain tourist activities; mention of telephone numbers with the international code; use of a top-level domain name other than that of the Member State in which the trader is established, for example “.de”, or use of neutral top-level domain names such as “.com” or “.eu”; the description of itineraries from one or more other Member States to the place where the service is provided; and mention of an international clientele composed of customers domiciled in various Member States, in particular by presentation of accounts written by such customers. Likewise, if the website permits consumers to use a language or a currency other than that generally used in the trader’s Member State, this can also constitute evidence demonstrating cross-border activity of the trader.
On the other hand, the mere accessibility of the trader’s website in the Member State in which the consumer is domiciled is insufficient. The same is true of mention of an email address and of other contact details, or of use of a language or a currency which are the language and/or currency generally used in the Member State in which the trader is established.
On 25 June 2010, the United Nations Commission on International Trade Law adopted the revised UNCITRAL Arbitration Rules (the “Rules”).
The original UNCITRAL Arbitration Rules were adopted in 1976 and have been used for the settlement of a broad range of disputes, including disputes between private commercial parties where no arbitral institution is involved, investor-State disputes, State-to-State disputes and commercial disputes administered by arbitral institutions.
The revision is aimed at enhancing the efficiency of arbitration under the Rules and does not alter the original structure of the text, its spirit or drafting style.
The Rules, as revised, include more provisions dealing with, among others, multiple parties arbitration and joinder, liability, and a procedure to object to experts appointed by the arbitral tribunal. A number of innovative features contained in the Rules aim to enhance procedural efficiency, including revised procedures for the replacement of an arbitrator, the requirement for reasonableness of costs and a review mechanism regarding the costs of arbitration. The Rules also include more detailed provisions on interim measures.
The Rules will take effect from 15 August 2010 and will be presumed to apply to all arbitration agreements referring to UNCITRAL arbitration concluded after that date, unless the parties have agreed otherwise.