Clarice Castro*, Chris Reed** and Ruy de Queiroz†


We examine some important issues and concepts of the Consumer Protection Code (in Portuguese, CDC) and the difficulties of applying them to cloud computing contracts offered in Brazil. The main conclusion is that the Brazilian current consumer law offers important difficulties in relation to the interpretation of some concepts, such as the concept of “remuneration” present in the definition of “service”. By raising a discussion on the legislative lacunae in relation to a new reality present in cloud transactions involving consumers that use free cloud services for both personal and later professional interests, i.e. “prosumers”, the paper aims to offer suggestions which can help the legislators or even judges to overcome the risks of leaving this cloud computing sector far from the protective rules of a consumer rights’ code.

Cite as: C Castro, C Reed and R de Queiroz, “On The Applicability of the Consumer Protection Code to Cloud Computing Transactions in Brazil”, (2013) 10:4 SCRIPTed 458

Download PDF
DOI: 10.2966/scrip.100413.458

© Clarice Castro, Chris Reed and Ruy de Queiroz 2013

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

1. Introduction

Information Technology (IT) industries are rapidly growing all around the world and cloud computing is possibly one of the hottest emergent segments of the IT industry. For example, Google launched Google Music: a music service for the Android platform. This service allows consumers to purchase individual songs or albums which are delivered to the cloud, and from there they can be streamed to multiple devices.1

This sort of arrangement might, however, entail certain problems when consumers are acquiring, downloading or streaming data via the cloud. Such problems include: digital content or services which do not work, or a lack of interoperability with the advertised equipment; and a failure to meet legitimate consumer expectations due to a lack of pre-contractual information.

The online transactions are usually made via “web-wrap”, “browse-wrap” or “click-wrap” and are available on the web provider’s online platform. These standard form contracts, that are usually submitted to the users to be accepted with a single click, represent the vast majority of cloud agreements. Under their terms and conditions providers usually protect themselves very well, but consumers have to face the risks that are inherent to contract terms that are not negotiated and may, therefore, be unfavourable to them.

Undoubtedly, some legal concerns that affect cloud computing have also been controversial in the context of e-commerce for many decades. However, these issues have intensified within the complex cloud context. There is, for example, the highly contentious issue of how to classify cloud computing transactions in different legal fields. Traditional consumer law was designed for the analogue world and even the legal rules designed for the electronic contracts classify all transactions either as a product or service. Within that dichotomy it is claimed that cloud computing agreements that involve the provision of a pure service are considered service contracts. However, when the cloud transactions involve the supply of digital content this label might be inadequate. It may thus be necessary to accept a third sui generis category which entails some special legal treatment. In the UK the June 2013 draft of the Consumer Rights Bill sought to clarify the law in relation to goods, services and digital content supplied under a contract, and did eventually take the approach of classifying digital content as a sui generis category.2

Indeed, this is one of many examples of the new legal challenges which cloud technology has created over time and which traditional consumer law does not cope with adequately. In this new scenario, which is by no means static, consumer law cannot wholly protect digital consumers and providers and give certainty to their relationship. It is nonetheless imperative for the development of this digital economy that both online providers and customers have certainty and security of rights acquired through business made via cloud computing platforms.

Cloud-originated services, as Helberger and Mak note:

challenge the applicability of general rules that are used to assess the fairness, social desirability and lawfulness of cloud contracts (e.g. in consumer and contract law, but also in copyright law, data protection law and telecommunications law). This is particularly true to the extent that these laws are based on principles of tangibility, territoriality and control, principles that are per definition alien to cloud services.3
In order to reconcile these challenges, or minimise some of the concerns related to consumer law, governments, international agencies and academic experts, within and outside Europe, have been studying the effects of this digital technological market and its legal consequences. Their reports and studies4, drafted proposal of law5, and new legislation6, aim to give consumers of electronic transactions the ability to maintain their basic rights as the vulnerable party in the online consumption relationship. It also gives the providers the ability to understand their rights and obligations, avoiding ambiguous or complex laws that may cause expensive and disruptive litigations.

Of course this new digital domain where consumers can store information or digital content, and use software to stream videos, music and play games via cloud computing has different facets as it can also be the manifestation of cultural and artistic values of the society. Indeed related problems that arose in relation to central issues of the so-called information age, such as copyright, tax law and telecommunication law have already been the subject of recent legal and regulatory adaptations at a European and even global scale. However these fields are outside the scope of this research.

The paper seeks to delve further into some academic analysis through a practical approach examining some important issues and concepts of the Consumer Protection Code (in Portuguese, CDC) and the difficulties of applying them to cloud computing contracts offered in Brazil.

2. The Consumer Protection Code in Brazil

The Brazilian Consumer Protection Code – Law n° 8.078 – is dated from 11 September 1990. It is federal legislation which creates a comprehensive bill of rights for consumers and represents the birth of the concept of a consumer relationship in Brazil. Designed specifically to protect vulnerable interests, insofar as a relationship of consumption is found (following the definition set out in the Code), it is the first legislation to recognise the vulnerable position of consumers.

Article 1 states that it is a law of public order and social interest. This means that the CDC norms possess a cogent nature of obligatory observance, coercive execution, and imperative nature. They cannot be contracted out of regardless of the parties’ wishes.7

The CDC represents huge progress in the search for justice and a fair balance between suppliers and consumers and is considered an innovative legal code. However, its avant-garde position does not automatically guarantee its applicability to cloud transactions as some of its concepts fail to keep pace with the changes of this technology.

It is noteworthy that although, from 15 March 2013, Decree n º 7.962 was edited in order to adapt the CDC to some e-commerce issues, not all of the needs of digital consumers in relation to digital content and some models of cloud transactions have been covered.

Article 1 of the recent Decree states that:

This Decree regulates Law n° 8.078, of 11 September 1990, to deal with contracting in e-commerce, encompassing the following aspects:

  1. I.clear information in relation to product, service and provider

  2. II.easier access to consumers

  3. III.the right of withdrawal.

The Decree considers some important aspects of digital consumer rights such as general information requirements and the right to withdraw, both of which were applied to the digital content market in the EU through the 2011 Consumer Rights Directive (CRD)8 and the proposed Common European Sales Law (CESL)9. The Decree, however, has some serious shortcomings as it does not take into consideration the evolution of the concepts of “consumer” and “service” which are extremely relevant to the context of e-commerce and cloud computing transactions in particular. It also maintains the dichotomy between product and service which, although currently does not weaken consumer rights in Brazil, may in the future be unhelpful for the evolving digital content market.

In this context, this paper seeks to answer the following questions:

– Can the current CDC legal framework – with its general rules related to goods and/or the supply of services – be applied to cloud computing transactions?

– If the CDC is not applicable, which amendments to the current legislation would be necessary to better fit cloud computing transactions?

In order to answer these questions it is first essential to examine the nature of cloud computing transactions. This involves investigating whether when the consumer uses a cloud infrastructure, a cloud platform or a software as a service sourced from a provider a transaction should be classified as a service, a good, or something sui generis. Depending on the classification of each transaction different legal rules present in the CDC will be applied.

These CDC questions are particularly important since, in spite of the increasing interest in cloud computing transactions, many parties of the consumer relationship still do not understand the concepts and the description of these different cloud models and their relation to emerging digital consumer rights. They do not know if the transactions that their businesses engage in are governable by the CDC. If not, then the consumer (in particular) will not receive the same level of rights and remedies designed under this special regulation.

It will be argued that current consumer law provides some difficulties in relation to the interpretation of some concepts, such as the concept of “remuneration” which is present in the definition of “service”. Those definitions may represent a barrier to the applicability of the Brazilian Consumer Protection Code to these transactions, to which legislation must soon respond. This article will also discuss the legislative lacunae in relation to a new reality present in cloud transactions: consumers that use free cloud services for both personal and later professional interests – “prosumers”. As it turns out, “prosumers” represent a significant proportion of the participants in cloud transactions. Finally, it aims to offer possible suggestions which could possibly help the legislators, or even judges, to overcome the risks of leaving this cloud computing sector far from the protective rules of a consumer rights’ code.

3. Cloud Computing: Legal Categorisation: Goods, Services or Sui Generis Category?

There are many legal issues and implications regarding the categorisation of cloud computing as a good, service, or sui generis category. The categorisation is not only relevant in the field of contracts and digital consumer law but also in relation to taxing cloud transactions amongst other areas.

As far as consumer law is concerned, both in Europe and Brazil, it is worth noting that it is still crucial to determine if a transaction involves a good or service considering that all consumer laws are based on these two categories and different legal consequences apply to consumer protection depending on the category. In fact in the majority of the European Union Member States, national laws offer much stronger rights and remedies to purchasers of goods whereas the consumers of services enjoy significantly fewer robust rights.10

In Brazil, although the CDC offers almost the same rights and remedies, the consumer contracts are still established on this dual categorisation of goods or services. Indeed in relation to legal protection one category is not a priori more appealing than the other. Therefore, there is no interest in Brazil in prioritising one category over the other. However, it is necessary to discuss the CDC’s definition of goods and services in order to analyse whether cloud computing contracts fit within a category at all as the consumer contract may in fact concern neither a good nor a service. If cloud transactions do not fit either category, consumer protection laws will not be applied to them. Therefore, the end-user of the cloud service will be deprived of the protection granted by this special Code that came about to precisely address the needs of the vulnerable party of the consumption relationship.

It should be noted that this differentiation is also very significant not only in relation to cloud computing services but also in regard to digital content contracts, namely, whether it is considered a service, a good or a mixture of both. Helberger, Loos and Guibault suggest11 that a substantial number of EU Member States have started to apply the rules of consumer sales law either directly or by analogy in situations in which digital content is contained on a tangible medium. In this context the classification of digital content as goods or services tends to become less relevant as newly developed legal instruments such as the CRD and the CESL proposal are likely to overcome the distinction of service and good by introducing tailor-made rules for digital content.12 However the differences in the national judges’ interpretation in each case demonstrate the great uncertainty in this area. In addition in the CRD the digital content is still regulated in two ways depending on whether it is in a tangible medium or not. Furthermore CESL, which overcomes the dichotomy by considering it a sui generis category, is still only a proposal for a Regulation and not a legislative source.13

Last, but not least, cloud computing services are, from the consumers’ perspective, different from e-commerce services because through e-commerce transactions consumers are normally buying something which they consider a “product” and therefore like a good. This would include downloaded apps due to the Brazilian law’s broad approach concerning what constitutes goods. Consequently those consumers expect some absolute quality standards.

However if the object of cloud computing contracts is to deliver services and if the cloud service is also, legally, a pure service, then all that the consumer gets is a promise of reasonable care and skill. There is no absolute quality standard such as satisfactory quality or fitness for purpose. The two problems that are not yet addressed by consumer law are thus: (a) that the cloud service provider’s obligations do not match the consumer’s expectations, and; (b) that the consumer will not be able to assess whether the service provider is in breach because consumers have no knowledge about what constitutes reasonable care and skill.

As an example, Flickr and Photobucket are both cloud applications for storing photos. If the service provider loses all the photos it would be obvious that the service was not fit for purpose and thus this situation would amount to a breach of contract if the service is treated analogously to goods. However, it would be far from obvious that the loss was caused by a lack of care and skill which is the relevant obligation if this is a service contract. It is clear that the distinction still matters.

3.1 Could a cloud computing offering be categorised as a good?

In order to answer this question it is first of all critical to analyse some definitions of goods before later examining the nature of the cloud computing transaction when the consumer uses a cloud infrastructure (IaaS), a cloud platform (PaaS) or software as a service (SaaS).

In consumer regulations that define “goods” as “tangible movable items”, as is found in a large number of European Union Member States and Article 2 (3) of the Consumer Rights Directive,14 the tangibility requirement demands that a physical item should be the subject matter of the contract. Usually any cloud computing offering is essentially intangible. Therefore this category is theoretically inapplicable to cloud transactions.

Due to the different nature of cloud computing services it would be possible, for instance, to envisage that a SaaS could be considered a “good” when providing customers with something such as a travel booking or a word processing application as it offers a single ascertainable application or product. However, the principal feature of these software applications via cloud computing is still the fact that they are being performed in an online cloud through intangible means.

When the consumer regulations go further and also demand, as in the concept of sales of goods, the “transfer of possession or ownership of goods”, the likelihood of a SaaS being considered as a “good” is even more remote. This is because the consumer never becomes the owner or possessor of the software; its code remains on the cloud server, and the consumer merely issues instructions to the software and receives the results. It is noteworthy that even when some code is occasionally downloaded to run on a consumer’s browser (as for example occurs in JavaScript in many AJAX applications) that code is made available simply to facilitate communication between the user and service provider. Thus the core element of the contract – the thing the consumer requests, whether service, goods or digital content – is performed on and is constantly being delivered by the cloud server.

Cunningham and Reed put forward a very compelling argument against considering SaaS as a “good”. They assert that:

Arguably, SaaS aspects of cloud computing involve the use of software applications. No transfer of ownership is implied, expressly or otherwise, nor is it suggested that the use of service implies any type of licence. It would thus be difficult to argue that SaaS provision is the provision of a good, in particular because it confers no right to use a particular version or build of the software. For example the terms for using Google Docs state:

We are constantly changing and improving our Services. We may add or remove functionalities or features, and we may suspend or stop a Service altogether.

And the terms for Microsoft’s Windows Live provide:

We continuously work to improve the service and may change the service in that respect at any time and for any reason.

If what is to be provided under the contract is constantly changing, that is very hard to reconcile with treating the supply as one of goods.15

Indeed, it is exactly what is happening to the “app” industry. When someone uses an app they no longer merely expect to download one static “product”. Apps continually keep updating to fix bugs and provide new functions. App providers are almost bound to do so in order to retain a customer’s interest and to stay up-to-date with latest technology. If an app is unsatisfactory at doing so consumers will move to find different apps that are more efficient at providing new functionality. From this perspective apps (wherever they are downloaded from) are a service, not goods, because the content is not fixed but changes at the supplier’s whim. It becomes clear that the very nature of SaaS argues against its categorisation as a good.

Some authors claim that cloud computing is a mixed contract as it is composed of a license which is offered as a service contract. The ever-changing nature derives from the fact that what the consumer receives is essentially a wide license agreement which is concomitantly offered as a service contract.16

As far as the IaaS is concerned it is true that the computing infrastructure offered may either give access to (physical) hardware provided by the cloud provider or to an application which is also more “ascertained”. However, once again, the very definition of cloud computing involves the provision of a service to use, for example by way of data storage, the remote computing infrastructure, otherwise it would not be characterised as a cloud computing contract.

In case clients have access to a particular machine without requiring any other maintenance or “bridging” service by the provider the contract would simply be for a “rent” or “lease” of the hardware space. Thus it would probably lack the crucial characteristics of the cloud transactions, such as elasticity and scalability, which characterise this sort of transaction. It is important to note that shared use of computing resources is the very essence of cloud computing and shared use is not readily compatible with transfer of ownership or possession.

Now, recalling that the cloud platform service PaaS is the set of tools and services offered by the provider remotely and is designed to make coding and deploying the applications more efficient, again the central feature of the cloud transaction is a service and not a product.

It is worth noticing that there are several directories offering cloud “products”. However even when the term “product” is used technically what is being offered is the delivery of digital content or data, computing, and infrastructure (such as storage capacity) as a service to a heterogeneous community of end-recipients. Clearly these offerings have to be developed by specialised companies which produce the cloud applications that provide the digital service or content. Note that the main source of revenue for the companies that develop the cloud offerings comes from the subscription of cloud “products”/services.

Further, the cloud products/applications may use a PaaS or an IaaS as the base, making it dependent on other cloud providers. For example, FinancialForce is a full SaaS international accounting application delivered on a subscription basis and developed on the cloud computing platform (PaaS): Again cloud services are also provided in those cases.

It is accepted that in some circumstances it is not easy to understand if a cloud transaction should be considered as a good or service. In the cloud transactions whereby, for example, Dropbox, Google, IBM or Amazon offer specialised document storage it may seem like a provision of a product when in fact when they store data they provide the software and the full functionality to enable the user to have access to content and/or a service. In reality cloud computing can hardly offer a unitary product without services which enable the consumer to use or access it when needed.

This difficulty mutatis mutandis is not new, even in traditional contract law in the “analogue world”. Ortiz and Viscasillas remind us that:

Distinguishing sales contracts from services contracts is not always simple. For example, a work contract may include a party providing materials for the construction, as well as the necessary labour. Most legal systems consider a contract to be a service or work contract when the buyer (owner) provides all or a substantial part of the materials. When the seller (contractor) provides work, services and materials the contract may be classified as a sale, work, a mixed contract, or a sui generis contract. These mixed contracts are called by different names – Obra (Spain); appalto or dópera (Italy); louage dóuvrage or déentreprise (France and Switzerland); empreitada (Portugal); and works and materials (UK).18

In any event when a transaction involves the provision of materials and goods it is, most of the time, not considered as a sales contract but as an employment, mixed, or sui generis contract and, in Brazil, can be even classified as “empreitada”.

In the Brazilian context it is important to emphasise that Article 3 (1) of the CDC defines “goods” as “anything, movable or immovable, material or immaterial.”19 Indeed this definition is very progressive in the sense that it dispensed with these requirements of materiality and ‘movability’ even before the commercial Internet existed. Being so vague it would ultimately admit all kinds of things. Due to this one can argue that it would be possible that a SaaS, when providing customers with the aforementioned travel booking or a word processing application involving the use of software could be considered as a good under such a liberal definition. However, even if the Brazilian CDC definition of goods does not require tangibility or transfer of ownership it is crucial to remind ourselves of Cunningham and Reed’s argument whereby: “If what is to be provided under the contract is constantly changing, then it is very hard to reconcile with treating the supply as one of goods.”20 Case law in this area is effectively non-existent in Brazil, but in our view the Brazilian courts will find it difficult to classify cloud services as goods for precisely these reasons.

Therefore, the general conclusion in regards to this question is that the definitions of goods, both in general and in the CDC, do not fit the nature of cloud computing transactions; either as SaaS, PaaS or IaaS.

3.2 On the Characterisation of Cloud Computing as a Service

The large amount of literature that has been published shows that the idea of cloud computing is based on providing or delivering users a service. For instance, Goundar states that it refers to both the applications delivered as services over the Internet and the hardware and software systems that provide services in the datacentres.21 Marston describes it is as an information technology service model where computing services are delivered on-demand to customers over a network in a self-service fashion, independent of device and location.22

Likewise, Newton describes cloud computing as a service highlighting its function as, essentially, a utility model of computing:

Cloud computing involves the delivery of computing facilities as a service over the internet, with access to shared resources (like computer and data centres) located in different locations, and perhaps ultimately controlled by different entities. It is intended to be a kind of “utility” model of computing, where the user can buy computing capacity as he needs it, without infrastructure costs of purchasing and implementing a system specifically for himself.

At the heart of the model is the idea that hardware and software will be provided remotely as a service, on an as-needed basis.23
It is worth mentioning that Article 2 of the E-Commerce Directive24 considers an information society service as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

In addition, the Directive considers information society services” as inclusive of a wide range of economic activities which take place on-line. These activities can, in particular, consist of: selling goods on-line; services giving rise to on-line contracting, and, insofar as they represent an economic activity, services which are not remunerated by those who receive them such as those offering on-line information or commercial communications or those providing tools allowing for search, access and retrieval of data; services consisting of the transmission of information via a communication network, in providing access to a communication network, or in hosting information provided by a recipient of the service; and finally services which are transmitted point to point such as video-on-demand or the provision of commercial communications by electronic mail.

In fact, the “information society service” definition provided by the E-commerce Directive is comprehensive in relation to cloud computing and clearly places it within services because, as the European Commission recently suggested, the concept of the cloud is linked with those of IaaS, PaaS, SaaS and “collectively *aaS (Everything as a Service) all of which imply a service-oriented architecture”.25

Cunningham and Reed provide evidence, and note:

Annex V of the Directive also provides an indicative list of services not covered and, in outlining services not provided “by electronic means”, it lists off line services such as the distribution of CD Roms or software on diskettes. All this would lead one to accept the argument that SaaS – it being the area of cloud computing most capable of being labelled a good – is in fact a service. 26

Finally, Sluijs, Larouche and Sauter state that:

Cloud computing in essence is an IT service, for which there is no explicit regulation on a pan-European level. Nonetheless, we identify three European legal regimes that are potentially relevant to the concerns set out above: EU competition law; EU electronic communications regulation; and EU electronic commerce regulation.

electronic commerce regulation arguably is where cloud computing finds its regulatory home”—i.e. a European regulatory regime that clearly includes cloud computing within its ambit.27
It is worth underlining that in Brazil the necessity to properly categorise cloud computing transactions began in 2012 in the area of taxation when Proposal (PLP) 171/2012 was put forward by Congressman Carlos Bezerra.28 This PLP proposes that the “Tax over Services of Any Nature” (in Portuguese ISS) should be applied to cloud computing services. The author of the Bill affirmed it is necessary to define which tax applies to cloud computing transactions as currently there is some dispute between applying a services tax or goods tax (known in Brazil as ICMS).

The draft Bill states:

cloud computing consists in the offer of services, over the internet, such as storage of data or use of software, without requiring knowledge of the consumer of the physical location and configuration of the system which offers the service. The minimum requirement is a compatible computer with resources available over the internet. 29

In spite of this disagreement the draft Bill captures an important aspect of this technology – it considers cloud computing as a service. It is a consumer-oriented definition of cloud. The definition is certainly not perfect however as it emphasises aspects such as the “minimum requirement is a compatible computer” when in fact, now the cloud service can be “offered”, for example, through apps, smartphones or tablets. Nonetheless, at least it recognises that this technology demands special attention from the legal regulators in Brazil.

Article 3 (2) of the Brazilian CDC defines service as:

any activity supplied in a market of consumption, for remuneration, including those of banking, financial, credit and security nature, excluding those that derive from employment relations.30

This definition needs some considerations.

Technically speaking cloud computing is the supply or delivery of services, such as cloud application services (SaaS); cloud platform services (PaaS) where a set of tools and services are offered to make these coding and deploying applications work; or cloud infrastructure services where hardware and software powers all servers, storage, networks or operating systems (IaaS).

Also, as Buyya, Broberg and Goscinski claim:

In addition to raw computing and storage, cloud computing providers usually offer a broad range of software services. They also include APIs and development tools that allow developers to build seamlessly scalable applications upon their services.31

However, in cloud computing transactions the user should be granted rights of access to programmes running on a supplier’s website or a third party server without downloading it and, as a result, receives the requested service. Obviously this cloud computing technology is not envisaged in the CDC bearing in mind the extensive variety of applications and different kinds of services now available via cloud. Besides, the definition just mentions “any activity supplied” without considering the “access” that has been given to the user which is essential for the provision of the different cloud services. In fact the wording may even concentrate on the activity (data processing for SaaS, storage etc for IaaS, and so on). This is a better approach than asking whether the technology itself is what is provided under the contract, or even access to the technology. The consumer/user has no interest at all in the technology itself (an apparent SaaS could in fact be a load of human abacus users) but is only concerned in the results obtained. Additionally, these distinctions, when the cloud involves purely services, in terms of the consumers, providers and even the judge’s perspective, are not perceptive at all. For this reason, to make the CDC applicable to this technology, in the interest of legal certainty for both consumers and providers, it is suggested that all action related to those cloud services should be considered a “supply” within the meaning of this Code.

The description of services such as banking, financial, credit and security is definitively an extensive one and satisfies the different sectors that the cloud transactions may involve and the exclusion of employment relations does not create any difficulties in applying the law.

On the other hand the requirement of “remuneration” present in the definition of service in the CDC and its judicial interpretation in Brazil may avoid the applicability of the Code in some kinds of cloud computing transactions. The current debate in fact focuses upon whether cloud computing situations will fall within the scope of the Code when the service provided is free as some judges either in the first instance courts or in the high courts interpret this requirement of remuneration as only including direct remuneration.

Indeed a large number of cloud services are apparently offered for free. However, “free” here simply means that the consumer does not pay money to the provider. Instead the users confer a benefit on the provider by offering their personal data that is valuable for the providers for different commercial purposes. Previously this would have been considered a straightforward gratuitous relationship. Currently, consumers are often aware that the use of free Internet services brings with it a high probability that their data (or the results of processing their data) will be sold. That means that, paradoxically, they might expect the provider to receive some sort of remuneration for the service offered and will enter the agreement with full knowledge of those circumstances. In those situations users might expect even more robust protection due to the power that providers have over their information, and the lack of accountability therein, coupled with economic recompense.

Different court decisions have discussed this matter in Brazil. The recent High Court of São Paulo case of Google Brasil Internet Ltda. v Mr. Adriano Schincariol, highlighted precisely the applicability of consumer law to this relationship. Google argued that the issue should not be disciplined under consumer law. The High Court held that it was indeed a relationship that would be disciplined by consumer law, following academic opinion and persuasive previous court decisions by the equivalent of the Court of Appeal. It affirmed that the electronic character did not undermine the underlying relationship between consumer and provider. The Court highlighted that the fact that the service provided was not charged for did not weaken the relationship of consumption as the requirement for remuneration present in Article 3 of the Code should be interpreted extensively to include indirect gains by the provider. They state that an internet service provider perfectly fits within the definition of a supplier within the CDC.32
A further decision ruled on the applicability of the Code to online situations. In 2011 a tort case was brought against Orkut in relation to image protection. Once again the defendant argued against the applicability of the CDC to this relationship as there was no remuneration. The Court however decided that the Code was applicable despite the lack of direct remuneration to the provider. It held that the application of the concept of remuneration allows wider interpretation in favour of the consumer in order to encompass indirect remuneration in which the defendant does not receive money from the claimant but from third parties that use different services, such as advertising. The court stated they were following a persuasive precedent from Superior Tribunal de Justiça (STJ) (Court of Appeal) and regional high courts. The provider was found to be under strict liability for the offences committed by users.33
Judge Rodrigo Marques Silva Lima in 2013, in dealing with a similar case once again against Google Brasil Internet Ltda., also stated that gratuity of the service does not undermine the relationship of consumption as the term remuneration includes hidden consideration, or an indirect remuneration, for the service.34
There are several decisions that reach the opposite understanding. Two cases that were decided in favour of Orkut by the High Court of Rio Grande do Sul are examples of such conclusion. The first of these was a tort case that dealt with the creation of a fake online profile. The CDC was considered inapplicable through the rationale that even though Orkut could generically be considered to be providing a service it does not fit within the stricter definition of service (which includes ‘remuneration’) required by consumer law. In the second case the Court clearly stated that the absence of remuneration as a form of consideration for the service provided by Orkut meant a relationship of consumption was not created as it did not fit the remuneration requirement of § 2º, Article 3 of the Consumer Protection Code. The relationship was found instead to be governed by the Civil Code.35

Although the Brazilian 2002 Civil Code softens the individualistic and formalistic tendencies of the previous 1916 Civil Code the application of it brings some difference in treatment. Two examples are worthy of notice. Article 18 of the CDC a priori allows consumer to claim for defects even if they were not hidden at the point of purchase, while the 2002 Civil Code only allows claiming for hidden defects. The right of withdrawal also has a different treatment in the two Codes. The CDC allows a right of withdrawal even in the absence of any defect as long as the contract was not concluded at the provider’s establishment/office. This proves particularly useful in the context of e-contracts as they are never concluded at the provider’s office.

Despite the fact that recent decisions uphold the existence of indirect remuneration, the facts that some decisions still do not recognise indirect remuneration and traders/providers still continue to raise the argument, are symptomatic of uncertainty – the argument is still found worthy by lawyers.

Hence while some free cloud computing services are within the scope of this definition, if the judge understands that the indirect payment does not fit within this requirement, the cloud services that are provided without charge may not be covered. Therefore, the ambiguity of this judicial interpretation of remuneration creates a significant level of uncertainty to the consumers who are in fact mostly conscious of this problem when using the service.

It is thus necessary to have some firmer legislative clarification or an adaption of the article to include indirect remuneration in order to create finality and legal certainty in the matter.

3.3 Cloud Computing as a Sui Generis Category

Cloud computing could alternatively be considered a third sui generis category distinct from both goods and services. Such a category is already recognised by the Common European Sales Law (CESL) and by the Consumer Rights Directive (CRD). It is clear that in the context of the CRD this sui generis category applies merely in transactions that involve the supply of digital content. 36 It should be recognised that digital content is difficult to define. One of the problems is that not all of the production and distribution of digital information or data can be considered digital content. The proposed CESL also follows the approach that a sui generis regime is necessary for digital content contracts. However, according to the CESL definition of digital content only a small proportion of cloud computing transactions can qualify as a contract for the supply of digital content.37 Therefore it appears that cloud computing generally leans towards the category of services. 38

The 2012 Consultation on the supply of goods, services and digital content conducted by the UK Department for Business Innovation & Skills (BIS)39 provides a number of helpful illustrations of what can be considered as a contract for the supply of digital content: when a consumer buys an e-book and can access it from the cloud server for example the provider supplies digital content to the user and as such it can be considered a contract for the supply of digital content. However if a consumer uploads and stores their own digital content on the cloud and shares this digital content with others, e.g. Photobox or Facebook, this service is for the storage of the consumer’s digital content and is characterised as a service contract.40

It is important to clarify that cloud transactions which involve the supply of digital content, and which therefore belong to this sui generis category, are beyond the scope of this paper.

4. Other Issues Relevant to the Applicability of Brazilian Consumer Protection Code to Cloud Transactions

This section aims to present an overview of the definitions of consumer and trader present in the Brazilian Consumer Protection Code. It will analyse whether the existing rules and concepts are flexible enough to fit models of cloud computing transactions.

4.1 Characterisation as consumer

Article 2 of the CDC defines consumer as:

every natural or legal person who acquires or uses products or services as a final addressee.41

The single paragraph of Article 2 states that:

a group of people, although indeterminable, who have intervened in consumption relationships is similar to a consumer.42

Article 2 of the CDC, if read literally, protects a consumer as both natural and legal persons when goods and services are acquired by them or supplied to them, insofar as they are the end recipient of the goods or services. It also considers consumers as a collective comprising all people that took part in a consumer relationship.

Specifically in Brazil a legal entity can in theory assume the status of consumer, insofar as they are the final addressees of the product or service. This attribution is not based on the size of the enterprise but is defined based upon the use destined to the object of the contract.43 Again, in theory, a consumer relationship under Brazilian legislation can thus include not only Business-to-Consumer (B2C) but also Business-to-Business (B2B) transactions.

There is nonetheless a great divergence in the case law as to the application of this provision. The disagreement concerns the expression “final addressee”. Those who believe in the ‘finalistic’ stream consider that any transaction that is loosely related to the trade or business of a company can hardly be destined to a “final addressee” even if that transaction is not instrumental to trade. The “maximalist” stream accepts that a company can be a consumer so long as the specific transaction does not concern objects which are subject to further trade, even if that transaction loosely benefits the overall business affairs of the company. Finally, the “mitigated finalism” stream takes into consideration the power balance between two companies. Instead of focusing on the object of the transaction judges analyse whether one company is in a vulnerable position. If so it can constitute as a consumer. 44

This distinction between the situations in which companies can be considered a consumer brings peculiar problems to the digital environment, especially in the cloud landscape. Using the same platform or software for business and private activities is becoming more and more common. This is particularly the case at the starting stages of an enterprise and in small enterprises with both a low number of employees and a high degree of informality. A common example is a cloud application such as an email provider. It is feasible that traders may use the same account to handle personal correspondence and also business queries. Facebook is also particularly apt as a platform for such mixed uses. Some customers utilise it as a tool for the promotion of events or business opportunities through their own private profile which also handles mostly private communication. This consumer, who mixes the same online space and tools to handle both private and business affairs, is known as “prosumer” – a combination of producer (or professional) and consumer. 45

As Pessers states: “classification had now become more than a matter of words: it determines whether someone is entitled to enhanced protection or rather subject to stricter regulation”.46 If a legal problem arises within the ambit of a “prosumer” relationship, would profit-generating events vitiate consumer status? This issue must be analysed in different ways depending on the rules for inclusion as a consumer under different systems.

In Brazil the “prosumer” would have to face the challenge of falling within the interpretation of “final addressee”. As previously discussed proving that would depend on the school of thought followed by the sitting court. On a restrictive “finalist” interpretation any connection to business purposes might vitiate the relationship whereas under a more liberal “maximalist” interpretation the most relevant aspect would merely be the end use of the service subject to the contract; namely whether that use could characterise the recipient as a final addressee. Under that reading it might be easier to prove that the relationship is indeed a consumer relationship. Finally, under the “mitigated finalism” theory the mixed purpose might even be irrelevant as what would be analysed would in fact be the power symmetry between the parties. In that case the fact that the contract might have partly been concluded for business purposes seems irrelevant so long as there is an element of vulnerability.

It seems that there are existing means to include mixed purpose contracts within the current definition of consumer, but that this depends on judicial interpretation. That naturally creates a great deal of uncertainty as similar cases may not be treated alike. The understanding of first instance judges or state courts will have the power to either include or exclude cases from consumer law protection. This current position is precarious and unsatisfactory as it significantly undermines legal certainty. We suggest it is imperative to obtain some sort of legislative clarification. Something seemingly as inoffensive as the concept of “final addressee” can have huge implications in cloud transactions. One might suggest that these mixed purpose contracts are marginal and we exaggerate the possible implications of this uncertainty. However, as Pessers suggests, the demarcation between personal and work spaces which is characteristic of the analogue age (as opposed to digital age) is falling apart. We increasingly use the same online environment to deal with many different facets of our lives. In this context a situation that was previously marginal becomes common and the disruptive potential of current uncertainties grows exponentially.

4.2 Characterisation as trader

Article 3 defines trader as:

Every natural or legal person, public or private, national or international, as well as unincorporated entities which develop activities of production, assembling, creation, construction, transformation, import, export, distribution or commercialisation of products or offering of services. 47

Considering that the trader’s definition in the perspective of the CDC is extensive – encompassing any natural or legal person, public or private, national or international, unincorporated entity who develops activities which fall within their trade, commercial or professional activity, or offers services – the cloud provider certainly falls within the scope of this Code.

5. Conclusion

In summary, and for the sake of answering the issue related to the applicability of the CDC to cloud transactions, some conclusions must be borne in mind:

  • .The above remarks show that cloud computing is generally a service.

  • .The current consumer definition of “service” in the CDC (“any activity supplied in a market of consumption”) if interpreted extensively, is wide enough to include the types of cloud models that purely involve service. Also the term “supply” may be sufficient for the comprehension of these activities for the consumer, provider, and from the judicial perspective. Additionally, considering that the court’s decisions in Brazil already interpret the online transactions supplied by providers such as Google or Orkut as the “supply of services”, the maintenance of this categorisation for the cloud computing will be very helpful in reducing uncertainty for digital consumer law.

  • .Difficulties in the interpretation of the term “remuneration” within the definition of “service” in the court decisions in Brazil, may represent the inapplicability of CDC to the cloud transactions that are free of charge, such as Gmail and Google Docs. This is very serious considering that some of these cloud services will fall outside the CDC and as a result instead will be governed by the Civil Code or Commercial Code which does not offer the same level of rights and remedies to digital consumers. A legislative decree should be passed admitting the acceptability of indirect remuneration in the definition of “service”.

  • .The definition of “consumer” should be clarified through a legislative decree to admit mixed purpose transactions in certain circumstances, otherwise many cloud transactions would fall outside the ambit of protection in the CDC.

  • .The protection given to goods and services are almost identical in Brazilian consumer legislation. However we should guarantee cloud transactions fall within one of these categories in order to ensure consumer law protection for cloud transactions.

* Lecturer, Catholic University of Pernambuco, PhD candidate, Federal University of Pernambuco (UFPE), Recife, Brazil. Visiting PhD Student, 2011/2012, CCLS, School of Law, Queen Mary University of London. Research supported by CAPES (BEX5946/11-5).

** Professor of Electronic Commerce Law, CCLS, School of Law, Queen Mary University of London.

Associate Professor, Centre of Informatics, Federal University of Pernambuco (UFPE), Recife, Brazil.

1 See Organisation for Economic Co-operation and Development (OECD), Directorate for Science, Technology and Industry Committee on Consumer Policy, “Report on Protecting and Empowering Consumers in the Purchase of Digital Content Products” DSTI/CP (2011) 25/FINAL.

2 See the UK draft of a Consumer Rights Bill, available at…protectionconsumers/…/consumerbill-of-rights (accessed 8 Aug 2013). Since July, 2012, the Department for Business Innovation & Skills (BIS) in the UK, seeking to protect consumers from faulty digital content, among other objectives, opened a Consultation that was entitled “Enhancing Consumer Confidence By Clarifying Consumer Law, Consultation on the supply of goods, services and digital content” available at (accessed 20 Sept 2012). The draft of the Consumer Rights Bill was based on this Consultation.

3 N Helberger and C Mak, “Toward Identifying Safe and Fair Contract Terms and Conditions for Consumers and Small Firms Using Cloud Computing Services – an Agenda”, (2012) Working Paper Centre for the Study of European Contract Law (CSECL) and the Institute for Information Law (IViR), University of Amsterdam.

4 At the European level, initiatives related to cloud computing and consumers, see Policy Department Economic and Scientific Policy, A Fielder et al, “Cloud Computing. Study for the European Parliament’s Committee on Internal Market and Consumer Protection” (2012) IP/A/IMCO/ST/2011-1 and the European Commission, “Unleashing the Potential of Cloud Computing in Europe”, COM (2012) (Communication), 529 final. On international and national agency reports, see Organisation for Economic Co-operation and Development (OECD) Report on “Protecting and Empowering Consumers in the Purchase of Digital Content Products” (2011) DSTI/CP 25/FINAL; “Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America. Retreat on Cloud Computing’ (2010) available at (accessed 10 April 2012); and Union des Consummateurs, “Canadian Perspectives on Cloud Computing and Consumers” (2011) available at (accessed 6 Sept 2013). On the studies particularly related to digital content and consumer law, see “Analysis of the applicable legal framework and suggestions for the contours of a model system of consumer protection in relation to digital content contract”, Final Report – “Comparative analysis, Law & Economics analysis, assessment and development of recommendations for possible future rules on digital content contracts”, M. Loos et al (2011) and “Comparative analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content services”, Report 1: Country Reports, University of Amsterdam. Also, a study entitled “Digital Content Services for Consumers: Assessment of Problems Experienced by Consumers – LOT 1”, (2011) Europe Economics and commissioned by the European Commission. An overview of the consumer rights in ‘digital products’ commissioned by the UK Government for Business, Innovation & Skills was produced by Professor Robert Bradgate “Consumer rights in digital products” (2010). Some other relevant material in this area includes Hans-W Micklitz, “Do Consumers and Business Need a New Architecture of Consumer Law? A Thought-Provoking Impulse”, European University Institute, Florence, Department of Law, EUI Working Paper Law 2012/23; M Loos et al, “The Regulation of Digital Content Contracts in the Optional Instrument of Contract Law’ (2011) 6 European Review of Private Law 729-758.

5 See European Commission’s proposal for a Regulation on a Common European Sales Law – Proposal of 11 October 2011, COM(2011) 635 final (CESL).

6 See Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights (Consumer Rights Directive or CRD).

7 See J C Almeida, A Proteção Jurídica do Consumidor (2ª ed, São Paulo: Editora Saraiva, 2000).

8 CRD, see note 6 above.

9 CESL, see note 5 above.

See a further discussion on this aspect on M Schmidt-Kessel, “The application of the Consumer Rights Directive to digital content”, Directorate General for Internal Policies, January 2011, IP/A/IMCO /NT/2010-17, 15; N Helberger et al, Digital Consumers and the Law Towards a Cohesive European Framework Law (The Netherlands: Kluwer Law International, 2013) and in relation to the UK situation, the UK draft of a Consumer Rights Bill, see note 2.

11 N. Helberger, M. Loos, L. Guibault et al, “Digital Content Contracts for Consumers” (2012) 36 Journal of Consumer Policy. 37-57, at 43 available at (accessed 10 Nov 2013).

12 Ibid, at 42-4.

13 For a detailed account of how far the CESL would be applicable to some cloud computing transactions that involve the supply of digital content, see C Castro, C Reed, and R De Queiroz, “On the Applicability of the Common European Sales Law to Some Models of Cloud Computing Services” (2013), available at

14 Article 2 (3) CRD – “Goods” means any tangible movable items, with the exception of items sold by way of execution or otherwise by authority of law; water, gas and electricity shall be considered as goods within the meaning of this Directive where they are put up for sale in a limited volume or set quantity.

15 A Cunningham and C Reed, “Caveat Consumer? – Consumer Protection and Cloud Computing – Part 1” (2013) Queen Mary University of London, School of Law Legal Studies Research Paper nº 130/2013, available at, at 26-27.

16 See Alessandro Mantelero, who argues that cloud computing has characteristics of both service and license contracts altogether. In Italian, he says: “Sotto il profilo della qualificazione giuridica del contratto, gli accordi su cui si basa l’erogazione dei servizi di cloud computing hanno natura di contratti misti, in cui coesistono elementi riconducibili all’appalto di servizi ed al contratto di licenza” in A Mantelero, “Il Contratto per L’Erogazione Alle Imprese di Servizi di Cloud Computing” (2012) 4-5 Contratto e Impresa 1216-1222, at 1217.

17 See Misra, “Product Cloud or Service Cloud? Know The Difference” (Information Week, 29 April 2010) available at (accessed 12 March 2012).

18 R Ortiz and P Viscasillas, “The scope of the Common European Sales Law: B2B, goods, digital content and services” (2012) Vol 11 [ Iss 3] Journal of International Trade Law & Policy 241-242, at 247 .

19 CDC – Art. 3º § 1º – Produto é qualquer bem, móvel ou imóvel, material ou imaterial.

20 A Cunningham and C Reed, see note 14 above, at 27.

21 S Goundar, “Cloud Computing: Opportunities and Issues for Developing Countries” (2011) available at (accessed 25 April 2011).

22 Marston et al, “Cloud Computing: The Business Perspective” (2009) available at (accessed 5 April 2012).

23 J Newton, “System Supply Contract” in C Reed (ed), Computer Law, (7th ed, Oxford: Oxford University Press, 2011) 3-60, at 55-56 .

24 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’). The E-Commerce Directive under its Article 2 defines information society as above mentioned within the meaning of Article 1 (2) of 98/34/EC, as amended by Directive 98/48/EC.

25 Commission of the European Communities, Information Society & Media Directorate-General, Software & Service Architectures, Infrastructures and Engineering Unit, Expert Group Report “The Future Of Cloud Computing, Opportunities for European Cloud Computing Beyond 2010”, K Jeffery and B Neidecker-Lutz (eds) and L Schubert (Rapporteur), (2010), available at (accessed 29 October 2013), at 2.

26 A Cunningham and C Reed, see note 14 above, at 27.

27 J P Sluijs, P Larouche and W Sauter, “Cloud Computing in the EU Policy Sphere (15 Aug 2011). TILEC Discussion Paper No. 2011-036 available at (accessed 25 April 2012), at 14 and 34.

28 Câmara dos Deputados PLP 171/2012 available at (accessed 3 June 2013).

29 Ibid.

30 CDC – Art. 3º § 2º – Serviço é qualquer atividade fornecida no mercado de consumo, mediante remuneração, inclusive as de natureza bancária, financeira, de crédito e securitária, salvo as decorrentes das relações de caráter trabalhista.

31 R Buyya, J Broberg and A Goscinski (eds), Cloud computing: principles and paradigms (Melbourne: Wiley, John Wiley & Sons, 2011), at 33.

32 Apelação Cível nº 9094205-87.2008.8.26.0000, Segunda Câmara de Direito Privado, Tribunal de Justiça de São Paulo. Desembargador Relator: Neves Amorim. Data do julgamento: 20/03/2012.

33 Apelação Cível nº 7004.

0602773, Nona Câmara Cível, Tribunal de Justiça do Rio Grande do Sul. Desembargador Relator: Leonel Pires Ohlweiler. Data do julgamento: 25/05/2011.

34 Processo nº 200.2011.039.206-1, Tribunal de Justiça da Paraíba, 11ª Vara Cível da Comarca de João Pessoa, Juiz Rodrigo Marques Silva Lima.

35 The cases mentioned above are: Apelação Cível nº 70034673319, Nona Câmara Cível, Tribunal de Justiça do Rio Grande do Sul. Desembargador Relator: Tasso Caubi Soares Delabary. Data do julgamento: 21/07/2010 and Apelação Cível nº 70027619519, Quinta Câmara Cível, Tribunal de Justiça do Rio Grande do Sul. Desembargador Relator: Romeu Marques Ribeiro Filho. Data do julgamento: 11/03/2009.

36 The Consumer Rights Directive (CRD) describes digital content in Article 2(11) as ‘data which are produced and supplied in digital form’, specifying in Recital 19 (preamble) that if digital content is supplied on a tangible medium, it should be considered as goods within the meaning of this Directive. On the other hand, contracts for digital content which is not supplied on a tangible medium should be classified, for the purpose of the Directive, neither as sales contracts nor as service contracts, belonging to a sui generis category.

37 C Castro, C Reed and R de Queiroz, see note 12 above.

38 A Cunningham and C Reed, see note 14 above.

39Enhancing Consumer Confidence By Clarifying Consumer Law”, see note 2 above.

40 C Castro, C Reed and R de Queiroz, see note 12 above, at 11.

41 CDC – Art. 2º – Consumidor é toda pessoa física ou jurídica que adquire ou utiliza produto ou serviço como destinatário final.

42 CDC – Parágrafo único Art. 2º – Equipara-se a consumidor a coletividade de pessoas, ainda que indetermináveis, que haja intervindo nas relações de consumo.

43 Regarding the evolution of the definition of consumer and the possibility of Small and Medium Enterprises receiving special protection from unfair terms in England, see Bradshaw, Millard, and Walden, when they state that : “It should not be assumed that Small and Medium Enterprises (SMEs) are devoid of protection from unfair terms. In Kingsway Hall Hotel v Red Sky IT (Hounslow) [2010] EWHC 965 (TCC) HHJ Toulmin held that elements of an IT services contract between a non-specialist business customer and a specialist provider contracting on its standard terms could, despite it being a business-to-business agreement, be held to be unfair and unenforceable. Although this case did not involve a Cloud service contract, the terms in question were typical of those found when surveying the T&C of Cloud providers.” In S Bradshaw, C Millard and I Walden, “Contracts for clouds: comparison and analysis of the Terms and Conditions of cloud computing services”, (2011), Queen Mary School of Law Legal Studies Research Paper No. 63/2010 available at SSRN: or (accessed 2 October 2010), at 16.

44 See B Miragem, Curso de Direito do Consumidor (2a. ed, São Paulo: Editora Revista dos Tribunais, 2010); A H Benjamin, C Marques and L Bessa, Manual de Direito do Consumidor (5ª ed, São Paulo: Revista dos Tribunais, 2013); R Nunes, Curso de Direito do Consumidor (5ª ed, São Paulo: Editora Saraiva, 2010); J G Filomeno, Manual de Direitos do Consumidor (11ª ed, São Paulo: Editora Atlas, 2012).

45 The term “prosumer” here demands an explanation since in academic circles it has two meanings. Its original usage described a person who acted as both content producer and consumer, irrespective of whether business activities were involved. For this reason, some scholars still consider the “prosumer” as an active “user” of services such as blogging or social networking sites, rather than the passive “consumer” of e.g. a television programme. Recently it has acquired the connotation of a person who uses online content and services for mixed professional and consumer purposes. Additionally, Pessers claims that, “The difficulty of defining the ‘prosumer’ already appears from his hybrid name that holds the middle between the terms ‘consumer’, ‘producer’ and, as scholars have suggested, ‘professional’ as well. While ‘consumer’ and ‘producer’ may be perceived as antonyms, the qualification ‘professional’ seems to be the odd one out.” He goes further explaining that, “The term was originally used by Toffler as a contraction of ‘consumer’ and ‘producer’”. He recommends to see A Toffler, The Third Wave (New York: Bantam Books, 1980). L Pessers, “Somewhere between ´B’ and ´C´: The Legal Status of the ´Prosumer´ in European Consumer Law” in N Helberger et al, Digital Consumers and the Law Towards a Cohesive European Framework Law (The Netherlands: Kluwer Law International, 2013), at ch 3, at 41.

46 L Pessers, ‘Somewhere between ´B’ and ´C´: The Legal Status of the ´Prosumer´ in European Consumer Law´, ibid, at 42.

47 CDC – Art. 2º – Fornecedor é toda pessoa física ou jurídica, pública ou privada, nacional ou estrangeira, bem como os entes despersonalizados que desenvolvem atividades de produção, montagem, criação, construção transformação importação exportação distribuição ou comercialização de produtos ou prestação de serviços.

On The Applicability of the Consumer Protection Code to Cloud Computing Transactions in Brazil

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.