Cloud computing, as an emerging technology, brings about new aspects to business models especially in terms of preservation and protection of funds and resources. On that sense, cloud computing is one of the main tools to re-form commerce and commercial entities in this globalizing world.[1] Hence, it is very important to comprehend the legal infrastructure of this emerging technology. In this post, we aim to provide some basic information about cloud computing and the legal character of cloud computing agreements under Turkish Law.
I. Cloud Computing
Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. From this aspect, cloud computing is a service, not a product.
II. Cloud Computing Service Models
Cloud computing services are mainly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
a. Infrastructure-as-a-Service (IaaS): are online services that provide data storage and various network infrastructure like physical computing resources, location, data partitioning, scaling, security, backup, etc. Instead of having to purchase hardware and set up their own IT systems, users can purchase IaaS.
b. Platform-as-a-Service (PaaS): With this service model, the environment required for the development of new applications is provided as a service.[2] In general, with the PaaS service model, Cloud Computing service providers can provide important services related to the development ecosystem to application developers. PaaS service provider; design and build application development, application environment, complementary services and infrastructures (session management, authentication, version management, scalability). Notable examples of PaaS include Google Apps Engine and salesforce.com.
c. Software-as-a-Service (SaaS): It is defined as the operation of common resources and software through a database to support multiple end-users at the same time. SaaS provides services which are appealing end-user and business such as e-mail, office automation system, document sharing, customer management software, to the relevant people.[3] Gmail, Microsoft Office, and Adobe are the best-known examples of the SaaS service model.
III. Cloud Computing Agreement and its Legal Character
Cloud computing agreement is a legal relationship and a contract between the “service provider” and the “user”. However, it is a contract type that is not specially regulated under Turkish Law.
In this context, determining the legal character of cloud computing agreements is important in terms of determining the scope of legal liabilities and the provisions to be applied in case of problems related to these contracts. Below, certain types of contracts which are regulated in the Turkish Code of Obligations numbered 6098 (“TCO”), namely, the service contract (TCO art. 393) and bailment contract (TCO art. 561) will be evaluated and then it will be examined which contract type the cloud computing agreements fall under.
a. Service Contract
As per Article 393 and following the TCO, service contract is the contract where the employee undertakes to work for a certain or non-specified period in the service of the employer and the employer undertakes to pay the employee based on the time or work done. The three main elements of the service contracts are; (i) providing services, (ii) the salary and (iii) the commitment.
Although cloud computing agreements include the liabilities of the employee and two main elements of the service contracts, which are providing services and paying salary, cloud computing agreements lack the element of the commitment of the service contracts. Accordingly, despite the fact that an overlayed technological service framework is being provided, it will not be proper to characterize cloud computing agreements as a “service contract”.
b. Bailment Contract
In Turkish law, general storage agreement is regulated under article 561 and following of the TCO. A bailment contract is a contract in which the bailee undertakes to keep a chattel entrusted to him by the bailor in a safe place. A bailment contract arises when the bailor, who transfers the physical possession of a chattel to the bailee who subsequently has possession of the property for safekeeping, and agrees to restitute the chattel whenever the bailor demands. A bailment contract is a consensual contract which is concluded by the mutual consent of the contracting parties without the formality of delivery of the chattel. However, unless the chattel is delivered, the bailee shall not be liable for safekeeping.[4]
Despite terms of bailment contracts that can be applied to cloud computing agreements, bailment contracts regulated under Article 561 of the TCO fails to satisfy all characteristics of cloud computing agreement. As a matter of fact, in bailment contract under which the protection of a property in a safe place is ensured, even if the concept of property is interpreted to cover the data stored in the cloud, this regulation within the scope of TCO is not legally capable of meeting the needs arising from the cloud computing agreements.
Besides, in some cases, it may be necessary to apply various contractual provisions to the cloud computing agreements such as lease agreement, work agreement, and proxy agreement.
In conclusion, cloud computing agreements might be characterized as sui generis contracts, containing some of the elements of service contracts and bailment contracts among others. Hence, cloud computing agreements may be described as mixed contracts where the characteristics of more than one contract type come together with the will of the parties.[5]
IV. Points to take into Consideration on Cloud Computing Agreements
Cloud computing agreements should include the following in particular:
a. Liability: Occasionally, the cloud computing service can be received by end-users through sub-service providers. In such cases, the direct or indirect liability relationship between the cloud provider and the sub-service providers must be determined. Where cloud computing agreements are drafted as a model contract or general transaction condition, irresponsibility agreements are encountered that eliminate or limit the liability of service providers. However, these provisions can be deemed null and void as per Article 115 and 116 of TCO.
b. Risk and Liability Insurance: Due to the nature of cloud computing services, there are always risks such as system failure, slowdown, performance loss or loss of data. In such cases, responsibility comes into play. For example, if the system infrastructure fails due to a slight defect behavior and data is lost, the contractual provision that the service provider will not be liable will be null and void as described above. As a precaution against such situations, liability insurances can be made especially by service providers in accordance with Article 1472 of Turkish Commercial Code No. 6102 (“TCC”).
c. Protection of Personal Data and Data Transfer: The security of data stored under the cloud computing agreement is one of the key issues in the field of cloud computing. At this point, it is necessary to consider and discuss in detail the consent of the data transfer to the service providers and data centers, the consent of the data processing, the conditions for the transfer of data to the authorities. In this context, while drafting cloud computing agreements, it is essential to act in accordance with the Law on Protection of Personal Data No. 6698. In addition, in case one of the parties to this contract is a company, the authority of board members and auditors to access the data should be carefully evaluated in particular under the “supervision of joint-stock companies” regulated in Article 401 of TCC and drafted in contract accordingly.
d. Confidentiality: Confidentiality provisions that exist in many types of contracts are of particular importance for cloud computing agreements.
e. Applicable Law: In cloud computing agreements; data storage, the backup center, service provider center, residence addresses of the parties are often found in more than one country. In many instances, even where the data is stored is not located in a single country, data belonging to a single user may be scattered across centers in multiple countries. Therefore, it is very important to decide on the applicable law in the cloud computing agreements, the majority of which have an element of foreignness.
V. Conclusion
In this post, we aimed to provide a general evaluation of legal aspects of cloud computing under Turkish Law, especially for startups and software companies. In a cloud computing agreement, which is a sui generis contract type, especially personal data protection, data security, liability, confidentiality, and applicable law are of great importance. We recommend that you consider the legal aspects of the subject before using this service system which can provide you with a great cost and time-saving in your venture or investment.
[1] J. BUGHIN, M. CHUI / J. MANYIKA, Clouds, big data, and smart assets: Ten tech-enabled business trends to watch, (McKinsey Quarterly, 2010) p. 75-86.
[2] Turgay HENKOĞLU / Özgür KÜLCÜ, Bilgi Erişim Platformu Olarak Bulut Bilişim: Riskler ve Hukuksal Koşullar Üzerine Bir İnceleme (Bilgi Dünyası, 2013) p. 65.
[3] HENKOĞLU / KÜLCÜ, p. 65
[4] Nazif KAÇAK, Emsal İçtihatlarla Borçlar Kanunu, (Ankara: Adalet Yayınevi, 2002), p. 36.
[5] Cevdet YAVUZ, Borçlar Hukuku Dersleri (Özel Hükümler), (İstanbul: 2012), p. 11-13
* This article was first published in Turkish Law Blog.
Last Update: 10 February 2020
For more information: info@yonet.av.tr
This article is provided by YÖNET Attorneys at Law to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.