Applying ‘safe harbour principle’ to cloud service providers

By Wang Yaxi and Xiang Li, Yuanhe Partners

With the development of internet technologies, the types of online services have become increasingly diversified. In the face of the new technologies, the traditional “safe harbour principle” is encountering challenges. In recent years, the question of how the safe harbour principle is to apply in the cloud service environment has drawn wide-ranging attention. This column proposes to look at this issue in the light of the Alibaba Cloud case.

What category of “online service” do cloud services fall under?

The term “safe harbour principle” means that when an online service provider provides online services to service recipients, if a service recipient uses the network to commit infringement, the online service provider may, under specific conditions, be exempt from liability for damages. The main provisions in Chinese legislation that reflect the safe harbour principle are articles 20 to 23 of the Regulations for the Protection of the Right of Communication Over Information Networks and article 36 of the Tort Liability Law.

The safe harbour principle applies to online service providers, but the term “online service provider” is not expressly defined in Chinese legislation. The Regulations for the Protection of the Right of Communication Over Information Networks provide for only four types of online services, namely automatic access/automatic transmission, automatic caching, information storage space services, and search link services. Article 36 of the Tort Liability Law addresses all torts that occur in cyberspace, without defining the types of online service providers.

As the relationship between the Regulations for the Protection of the Right of Communication Over Information Networks and the Tort Liability Law is that of a special law to a general law, the regulations apply on a priority basis in dispute cases involving the right of communication over information networks, and there is no provision specifying that the Tort Liability Law is applicable.

The term “cloud service” means an online service provided using cloud computing as the core. Technically speaking, the cloud service model covers multiple levels of services, from hardware/facilities to software. More specifically, it includes the software as a service (SaaS) model, the platform as a service (PaaS) model, and the infrastructure as a service (IaaS) model. In a specific case, the first issue is determining whether the online service provided by the cloud service provider falls within the scope provided for by the Regulations for the Protection of the Right of Communication Over Information Networks.

In Beijing, Ledong Zhuoyue Science and Technology Co Ltd v Alibaba Cloud Computing Co Ltd, a dispute involving the infringement of the right to communicate a work over an information network (the Alibaba Cloud case), the cloud server lease services provided by Alibaba Cloud are online services provided to online users to access the internet, create websites or create online apps.

The court found that the cloud server leasing services were low-level network technology services that differed from information storage space services in both business procedures and technical level. They were therefore not the “information storage space services” specified in article 22 of the regulations, nor were they automatic access, automatic transmission or automatic caching services. Accordingly, the regulations did not apply, and the Tort Liability Law was directly applicable instead.

What necessary measures is a cloud service provider required to take?

The core of the safe harbour principle is that the online service provider is not liable for damages if it promptly takes down infringing information after receiving an infringement notice, and accordingly it is usually also known as the “notice and takedown rule”. However, the effective application scenario for the notice and takedown rule is preconditioned on the information storage space service, or search link service, being able to determine the address where the infringing content is stored.

Under a cloud service scenario, the notice and takedown rule is difficult to apply, for two main reasons: (1) the infringing content is stored across distributed computers rather than on a fixed local computer or remote server, which makes it impossible to obtain the specific URL; and (2) a cloud service provider, being subject to cybersecurity or confidentiality requirements, is unable to access the infringing content without the user’s authorization. Accordingly, if a cloud service provider is compelled to take down the infringing content, the burden on online service providers may be unreasonably increased, harming the interests of online users.

The notice and takedown rule reflected in the Regulations for the Protection of the Right of Communication Over Information Networks is a system arrangement made to address specific types of online services. Article 36 of the Tort Liability Law specifies that where a network user uses online services to commit a tortious act, the injured party has the right to notify the online service provider to take such necessary measures as take-down, blocking, severance of the links, etc.

If the online service provider fails to promptly take the necessary measure after receipt of the notice, it will bear joint and several liability with the network user for the additional injury caused. The above-mentioned “necessary measures” need not be limited to take-down, masking or severance of links.

Taking the Alibaba Cloud case as an example, the court held that Alibaba Cloud was in no position to directly control the software systems running, and the specific information content stored, on the cloud servers, so technically it could not take such measures as “take-down, masking or severance of the links” against the specific information content. Accordingly, for Alibaba Cloud, forwarding the complaint notice received from the rights holder to the relevant cloud server lessee could be construed as a necessary measure and satisfies the conditions for exemption of liability.

From this it can be seen that the scope of “necessary measures” in a cloud service scenario is open-ended, and needs to be comprehensively determined in light of the nature of the right that is infringed, the specific circumstances of the infringement and the technical conditions and capabilities of the online service provider.

Wang Yaxi and Xiang Li are partners at Yuanhe Partners

Yuanhe Partners
58F, Fortune Financial Center (FFC)
5 Dongsanhuan Zhonglu, Chaoyang District
Beijing 100020, China
Tel: +86 10 5733 2388
Fax: +86 10 5733 2399