Law Enforcement Access to Cloud Data

Law enforcement authorities need to access data in the cloud. As more data is stored in or generated by our use of cloud services, law enforcement authorities increasingly need to cooperate with cloud providers to obtain this evidential data. Obtaining data that is either at rest or in transit raises numerous forensic challenges for law enforcement.



Forensic Challenges in the Cloud

There are four key areas where these forensic challenges arise:

  1. Multiplicity. Data held by cloud providers is often replicated within the cloud for many reasons. These copies may be stored in different jurisdictions, which means that a cloud provider may be able to choose to retrieve the data from multiple locations to disclose to law enforcement authorities.
  2. Distributed storage. Cloud providers often use techniques known as sharding or partitioning to store and transmit the data in fragments. When responding to a law enforcement request for data, the cloud provider retrieves the data through its systems which logically link and reassemble the data on demand. This means that data may be stored or transmitted through many different jurisdictions in pieces with no single data location being identifiable prior to reassembly for the user retrieving the data.
  3. Protected data. A user may use encryption to ensure data security. Cloud providers may also encrypt data and transmission.
  4. Identity. It can be difficult to establish an adequate forensic link between the evidential data, the virtual identity of the user and the real world identity of the user. Likewise, it can be difficult to identify a user’s real world location.

These challenges also highlight the inability to establish the location of the data, often referred to as the loss of location. Where the data is stored in fragments across multiple jurisdictions, it may be possible to consider the location of the data to be the place where the data is reassembled. Loss of location problems have led many states to ignore this factor as a jurisdictional trigger.

Most jurisdictions differentiate between subscriber information, traffic data (or other non-content data), and content data, and the legal processes required for law enforcement to obtain those different types of data.

Subscriber information – The least privacy intrusive. Any data held by service providers that relates to the type of service, the subscriber's identity and contact information, billing information, and any equipment installed by the service provider.
Traffic data – Considered to be more privacy intrusive. Traffic data is the data about a communication. It can include the origin and the destination of a communication, its route, time, date, size, duration, and type of service. Sometimes people refer to this as the envelope data.
Content data – Considered to be the most privacy intrusive. Content data is the content of the communication, be that an email, message, webpage, social network friend request, and so on.

Extraterritorial Jurisdiction

When law enforcement authorities exercise their power to compel the disclosure or production of evidence, they are usually confined to the territory of the state. This has led some states to find ways to exercise otherwise territorially confined law enforcement powers to obtain data from Cloud providers. In relation to Cloud computing, there are two main categories of assertions of jurisdiction by states that have an extraterritorial effect. Both of these examples of extraterritorial jurisdiction rely on domestic territorial links to the service provider without regard to the location of the data itself, so the location of the data is now far less relevant.

The Belgium Model – A state exercises jurisdiction over a non-domestic Cloud provider offering services in the state's territory. This does not exert extraterritorial jurisdiction, but it has extraterritorial effect.
The US Model – A state exercises jurisdiction over a domestic Cloud provider who stores or processes the relevant data outside the state's territory.


Voluntary and Mandatory Assistance

Generally, we can consider Cloud service provider disclosures of data to law enforcement under one of these four scenarios:

  1. Voluntary disclosure – proactively
  2. Voluntary disclosure with a legal framework – reactively
    • The legal framework offers either a defense or immunity shield for the service provider from potential liability relating to that disclosure.
  3. Mandatory disclosure through liability – proactive obligation
  4. Mandatory disclosure through request

Mutual Legal Assistance

Mutual legal assistance measures involve states cooperating with one another to obtain evidence. They can avoid the problems associated with unilateral extraterritorial state action. These measures can be formalized in a Mutual Legal Assistance Treaty (MLAT) or be included in ad hoc arrangements such as diplomatic assistance through informal channels.

Some countries have tried to find ways to avoid the slow MLAT process without relying on cooperation. Besides the unilateral extension of jurisdiction, data localization laws are also an attractive solution for some countries. Data localization laws often require at least a copy of the data of a country's residents to be stored within the territory of the country.

Mutual Recognition

Under European Union law, the principle of mutual recognition allows member states to make requests for digital evidence located in another member state using their own domestic legal procedures. The recipient member state is then expected to treat the production order on a nondiscriminatory basis, as if it were its own.

Mutual Trust

Mutual trust allows law enforcement in one state to send production orders directly to Cloud providers in partner countries. Cloud providers can then disclose that data directly back to the issuing state without the need for mediation through an authority in the state where the provider is located. Examples of mutual trust mechanisms are the US CLOUD Act and the e-Evidence proposals in the EU.

The CLOUD Act sets up the framework for bilateral agreements with qualified foreign governments whose laws and domestic procedures respect human rights and the rule of law. In essence, the US trusts these qualified foreign governments to send production orders in accordance with their own laws directly to US-based Cloud providers.

The e-Evidence proposals are similar to the CLOUD Act but limited to the EU. They allow the authorities in one Member State to issue production orders directly to service providers in another Member State.

Conflicts for Service Providers

Providing services to global markets can subject Cloud service providers to the laws of multiple jurisdictions. This results in both concurrent claims to jurisdiction and potential conflicts of laws, for instance when cloud providers are compelled to disclose data under the laws of one state but blocked from disclosing the same data by the laws of a different state. These jurisdictional conflicts are part of the cost of doing business for cloud service providers.

The blocking statute will often be a data protection law such as the GDPR. GDPR issues will arise in several scenarios:

  1. Data is transferred between public authorities in EU member states.
    • Cloud providers only processing data in response to a request from their domestic law enforcement authorities.
  2. Data is transferred between an EU member state and an authority outside the EEA.
    • Cloud providers only processing data in response to a request from their domestic law enforcement authorities.
  3. Disclosure of data between competent authorities and cloud service providers in respect to European Investigation Order and e-Evidence proposals.
    • A Cloud service provider may be established outside the EU, so it will be subject to the laws of the jurisdiction where it is established, but nonetheless subject to the jurisdiction of the EU by offering services in the EU. The Cloud service provider may therefore have concurrent legal obligations that can give rise to a conflict.
  4. Transfer of personal data for commercial purposes between a controller or processor in the EEA to a controller or processor in the US.


Competition Law

The notion of competitive markets refers to an environment in which firms must continuously compete with one another for sales by offering goods and services that are superior to those of their rivals. Firms are expected to provide new, better, and less expensive goods and services, and consumers will have more choices and fairer prices.

A market is contestable when there is freedom of entry into and exit from the market. The number of existing firms is not relevant, but rather the ease of market entry. The following factors can make a market more or less contestable; in a less contestable market, they usually stop new or small firms from entering:

  1. Sunk costs – non-recoverable fixed costs
  2. Economies of scale – decline of incremental cost of creating additional units as the scale of production increases.
  3. Advertising and brand loyalty
  4. Vertical integration – a strategy that expands the production and distribution roles of a company within a supply chain of a particular industry
  5. Skilled labor
  6. Network effects
    • Direct network effects arise when users value a service more where there are higher numbers of other users.
    • Indirect network effects occur when an increasing number of one type of end-users, such as a consumer, raises the value of the network to another group of end-users such as vendors.
  7. Intellectual property

These notions are equally applicable to the cloud computing market, and competition law applies to the provision of cloud computing services, seeking to promote market competition and to prevent or regulate anti-competitive behavior in cloud services markets. Competition laws normally address four types of conduct:

  1. Anti-competitive agreements (e.g. price fixing)
  2. Abusive behavior by firms that have a dominant position
  3. Mergers (such as takeovers and joint ventures)
  4. Financial support from governments (such as subsidies or tax breaks)

Given the nature and complexity of this market, cloud computing offers some challenges to the application of traditional competition rules.

Under European law, a firm is dominant if it has a market share of at least 40%. The mere possession of market power is not bad in itself. What is prohibited is the abuse of a dominant position. Because of the lack of current or potential competition, the dominant firm is free to significantly increase prices, to influence prices so as to exclude competition, or to keep its profits very high. These abuses can be divided into two main groups:

  1. Exploitative conduct – enables the firm to increase its profits by exploiting consumers directly.
  2. Exclusionary conduct – aims at excluding or removing competitors from the market.


Market, Undertakings and Market Power

Defining the market is the first step in the application of competition law. If the market is mistakenly defined too narrowly or too broadly, it will not be possible to correctly ascertain the dominance of firms. In defining the relevant market, two key aspects are considered:

  1. The product or services – what things are being bought and sold
  2. Geographical dimensions – area in which undertakings are involved in the supply chain

Besides these, we also need to consider:

  1. Demand substitution. The Small but Significant Non-transitory Increase in Price (SSNIP) test is usually used to assess demand substitution. If, following a 5% or 10% price increase for product A, the average consumer switches to product B, then both products A and B belong in the same relevant product market.
  2. Supply substitution. Whether a supplier of product A can switch production and begin manufacturing product B in the short term, without incurring additional costs.

Competition law seeks to regulate undertakings that have market power. Under European case law, the concept of an undertaking broadly encompasses every entity engaged in an economic activity, regardless of its legal status and the way in which it is financed. Market power refers to the strength of a firm on a particular market. In competition analysis, market power is determined by:

  1. The structure of the market
  2. The number of competitors
  3. Market shares

If an undertaking is able to restrict competition, suppress innovation, reduce the quality of goods or services, or raise prices over a period in a profitable manner, then that undertaking has significant market power.

Anti-Competitive Agreements

Anti-competitive agreements can be either horizontal, between competitors, or vertical, between suppliers and their clients. Such agreements, like cartel agreements which usually involve price fixing and market sharing, infringe European competition law. This conspiracy negatively impacts the market because it reduces choice, erodes trust in markets, and eliminates competitors who are not part of the cartel but are willing to offer new ideas or efficiencies. If an agreement contains restrictive or anti-competitive clauses, the parties need to provide convincing arguments and evidence that the agreement has pro-competitive benefits.

The prohibitions of anti-competitive agreements and of abuses of a dominant position operate ex post, as a sanction for unlawful past actions.

Merger Control

A merger means two or more companies join forces to move forward as a single new entity, while an acquisition means one company purchases another outright. The two terms are often used interchangeably. Mergers are structured in different ways:

Horizontal – The merging companies are in direct competition and operate at the same level of the value chain in the market.
Vertical – The merging parties are not direct competitors and operate at different levels of the value chain in the industry.
Conglomerate – The merging parties operate in completely different markets.

Merger policy is an ex-ante control usually carried out by competition authorities, whose purpose is to assess potential mergers and acquisitions and prohibit those that will likely reduce competition. Following its assessment, the relevant authority will typically do one of three things: prohibit the merger, approve the merger, or approve the merger subject to certain conditions.

Interoperability and portability of computing systems and software are essential to avoid lock-in, and are used as a remedy to competition concerns in European competition law investigations, both in mergers and acquisitions and in abuse of dominance cases.



Tax

The international income tax framework regulates the way taxing rights are allocated among different countries. The allocation of taxing rights is based on the doctrine of economic allegiance, which requires a connecting factor between a taxpayer and a country. Countries can assert jurisdiction to tax on the basis of either taxpayer residency or source of income.

Tax residency – A country has the right to tax the worldwide income of its residents. It can also tax non-residents, but only on income sourced in that country.
Source of income – Usually the source country has the first right to tax the sourced income, while the residence country has only a secondary right to tax that same income and also the obligation to eliminate double taxation.

Digital Tax Policy Initiatives

The modern global economy is characterized by three new phenomena:

  1. Reliance on intangible assets
  2. The importance of data
  3. Cross-jurisdictional scale without mass (mass referring to a firm's physical presence)

All these phenomena pose serious challenges which mainly relate to the nexus rule and profit allocation rule.

Nexus rules – Determine where taxes should be paid, based on physical presence.
Profit allocation rules – Determine what portion of profits should be taxed, by application of the arm's length principle.

In response to these challenges, policy organizations and countries started introducing and adopting different approaches on how to tax the digital economy.



Double Taxation

The application of residence and source-based taxation by different countries can create overlaps over items of income, and result in so-called double taxation. As a response, double tax treaties emerged to allocate taxing rights between residence and source countries. Most tax treaties use either the OECD or the UN Model Tax Conventions as a basis for negotiation.

OECD Model – Usually used by developed countries.
UN Model – Usually used by developing countries. This model allocates more taxing rights to source countries to protect the tax base of developing economies, which rely more heavily on foreign investment.

The classification and assignment of sources entail two steps:

  1. The classification of income into one of the categories defined by the treaty. For example: business income and royalties.
  2. The distribution of taxing rights between the contracting states granting either exclusive or shared taxation:
    • Business income – taxable exclusively by the country of residence, unless the enterprise carries on business in another country through a permanent establishment (PE). A PE is a threshold, measuring the minimum physical presence required in the source country for that country to exercise taxing rights.
    • Royalties – The source country has the first right to tax royalty payments by way of a withholding tax, which is a tax on the gross amount paid. The residence country retains the residual right to tax royalty income and has the obligation to provide relief from double taxation.

The reliance of digital business models on intangible assets, and their ability to access markets remotely with no physical presence there, create difficulties in deciding which country should have the right to tax and how much tax it is entitled to impose.

Tax Treatment

Payments for the use of hardware will in general give rise to services income and be taxed as business profits. However, if some criteria are met, the use of hardware might be treated as a lease or rental.

Payments received in exchange for the provision of software, depending on the nature of the rights transferred, may be classified as follows:

  1. When there is a transfer of full ownership of the rights and the copyright, the transaction may qualify as a sale of copyright. Classified as business profits or capital gains.
  2. When the transferor retains ownership of the copyright, but grants the transferee the right to do things which only a copyright holder would be entitled to do. Classified as royalties.
  3. Where the licensor transfers only the right to use the copyrighted program or content. Classified as business profits (OECD model) or royalties (UN model).

SaaS transactions do not entail the transfer of a copy of the software to the customer’s hardware devices. The payments will not be for the right to use a copyright, but for a service provided through the use of a copyright. The payments should therefore be generally classified as business income and taxed in the country where the cloud provider is resident. However, under some tax treaties, mostly those based on the UN model, SaaS transactions could be classified as royalties or fees for technical services, and will be taxed in the source country by way of a withholding tax.



PaaS is treated in a similar way to SaaS: the platform runs on the provider's infrastructure, while the customer has limited control over the operating and storage systems. Payments should thus be classified as business income and taxed in the country where the provider is resident.

When it comes to IaaS transactions, what is of particular relevance for tax classification purposes is who has access to the server capacity: is it exclusive use (private cloud computing) or the provision of shared services (public cloud computing)?

Public cloud computing – Customers do not possess the servers, nor do they have control or full authority over them. Classified as business income.
Private cloud computing – The servers are for the customer's exclusive use. Classified as rental.

However, in practice, most cloud computing contracts are mixed contracts, encompassing multiple services that could fall under any of the three service models. If one of the services provided constitutes the principal purpose of the contract, while the other services are only of an ancillary or largely unimportant character, the tax treatment of the principal service should be applied to the whole payment.

If it is difficult to identify the principal element in a contract and apply unified taxation, the break-down rule applies, which means that different parts of a single payment can be classified and taxed differently. As a result, part of the payment may be taxed in the residence country while the other part is taxed in the source country by way of withholding tax.

Permanent Establishment in Server Jurisdiction

It is important to identify whether a PE exists in a jurisdiction. In the case where cloud services are classified as business income, this income will be taxed in the jurisdiction where the cloud provider is resident unless there is a PE in the source jurisdiction, to which cloud income can be attributable.

In order to identify the existence of a PE, the first step is to identify the jurisdiction where physical servers are located. Physical servers have to fulfill three requirements:

  1. Place of business – the physical servers function within a physical location.
  2. Fixed – for a sufficient period of time in a way that gives this place of business a certain degree of permanency.
  3. At the cloud provider’s disposal – through which business functions are performed.

Second, the firm must pass the economic substance test, i.e. the ownership and operation of the servers constitutes a core part of the cloud provider's services to its customers; in other words, the use of the servers is not a preparatory or auxiliary activity. A PE will therefore typically be created in the jurisdiction where the servers are located.

Once the PE exists, the next step is to allocate profits to that PE, based on the functions performed, assets used and risks assumed by the cloud provider. Usually, only a small part of the overall cloud provider profits would be attributable to a PE.

Permanent Establishment in Customer Jurisdiction

Cloud providers usually have local representatives in the customer jurisdiction to provide customer support and conduct sales and marketing activities. There are three scenarios under which a PE might be created.

  1. Anti-fragmentation rule – when the functions performed by different local representatives are complementary and part of a cohesive business operation, any auxiliary activities cannot be separated from core activities to avoid creating a PE.
  2. Local representatives might constitute agency PEs if they play the principal role leading to the conclusion of cloud contracts.
  3. In arrangements where the local representatives conclude contracts with customers in their own name, also called commissionaire arrangements, an agency PE is created if the local representative is working for the provider and not acting in its own capacity.


For more on Cloud Computing: Law Enforcement, Competition and Tax, please refer to the wonderful course here https://www.coursera.org/learn/cloud-computing-law-law-enforcement-competition-tax

I am Kesler Zhu, thank you for visiting my website. Check out more course reviews at https://KZHU.ai