Cloud Computing Across International Borders—Challenges to Traditional Jurisdiction

CC image courtesy of Pexels

By Bradley Cho*


“Cloud computing,” a term that first gained prominence around the mid-2000s when companies such as Google and Amazon began to offer information storage and processing services on remote servers accessible through the internet, is the hottest buzzword in today’s digital society.[1]  The United States National Institute of Standards and Technology defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources . . . that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[2]  Popular cloud services used by the public include products such as Dropbox, iCloud, and Google Docs, which enable the sharing of data files from anywhere, on any device, with potentially anyone in the world.[3]  Cloud computing has revolutionized the way businesses handle IT technology.  By eliminating the need to constantly purchase and update the latest software and devices, companies today enjoy greater cost savings, accessibility, and reliability than ever before.[4]  Revenue from cloud computing is expected to grow from $40.7 billion in 2011 to over $240 billion by 2020.[5]

However, along with these benefits, cloud computing has significantly muddied the traditional concepts of sovereign jurisdiction across international borders as much of these transactions occur entirely in the virtual world.[6]  For example, it is entirely possible that a French company can allocate server space physically located in Ukraine, remotely managed by a team of Indian IT specialists, to a business incorporated in Austin, Texas.  The software that interlinks all of these parties may have been developed in Japan, and then used by consumers in virtually every country across the globe.  The very word “cloud” reflects not only the ubiquity, but the ephemerality of such information and services—subject to creation, modification, deletion across public, hybrid, and private servers by anyone at any given time.[7]

Domestically, cloud jurisdiction’s problem in the legal sphere is only recently beginning to receive popular public attention due to taxation issues.  In the United States, at least 45 California cities have recently placed controversial taxes by using laws historically intended for utilities such as water and electricity on streaming services such as Netflix, Spotify, and Hulu.[8]  A similar tax plan enacted by the city of Chicago is facing challenges from taxpayers in court.[9]  In virtually all of these instances, the servers that store actual data are not physically located in these jurisdictions, and it is not even clear whether these service revenues can be characterized as rentals, royalties, or services.[10]  In the international sphere, the United States generally only taxes nonresidents on income generated within its borders under the Internal Revenue Code, when “effectively connected with a U.S. trade or business.”[11]  As scholars such as Orly Mazur have noted, reliance on traditional federal income tax principles in the international cloud computing arena has created significant uncertainty, compliance burdens, and liability risks, with the possibility of “double taxation or complete non-taxation of cloud income.”[12]

Beyond taxation issues, even more vexing for authorities is the potential use of cloud computing technology for large scale illegal activities such as the unauthorized sharing of copyrighted materials.  Traditionally, authorities seeking to prevent illegal file-sharing on older peer-to-peer (P2P) platforms have focused on obtaining law enforcement cooperation in countries where such servers were located to shut them down.[13]  However, the increasing decentralization of data centers and actors in cloud computing technology have made cross-border prosecution increasingly time-consuming and expensive.

A notorious ongoing example is the U.S. government’s effort to dismantle Megaupload—once one of the most popular cloud based file-sharing platforms in the world—and prosecute its founder Kim Dotcom for allegedly “facilitating and encouraging the copying and sharing of pirated material” worth hundreds of millions of dollars.[14]  Megaupload was founded in 2005 as a Hong Kong company run out of New Zealand by German and Finnish dual-citizen Kim Dotcom, with over 50 million users at its peak from across the globe.[15]  The United States Department of Justice spearheaded the two-year investigation, in conjunction with authorities from Canada, Australia, Hong Kong, Philippines, and numerous other European countries.[16]  Although Dotcom was arrested in 2012, two New Zealand Supreme Court cases and over ten procedural delays have so far prevented his extradition to the United States.[17]  For the purposes of extradition, bilateral treaties require that crimes be committed within United States territory.[18]  There is strong disagreement among legal authorities as to whether the United States has jurisdiction over the Megaupload case simply by the virtue that some of the company’s many international servers were leased in the United States, where much of were used for legitimate purposes such as personal file storage.[19]  Some commenters have called on the government to simply settle the Megaupload case, citing its enormous drain on public resources.[20]

Intensifying regulation and prosecution is not the catch-all solution to meeting the many future challenges of cloud computing.  This only encourages the migration of cloud servers away from the United States to more lenient jurisdictions such as Sweden, where popular piracy websites such as The Pirate Bay have survived more than a decade of legal challenges due to hospitable local legislation and judicial leniency.[21]  Furthermore, due to the increasingly lucrative market for cloud computing businesses, countries today have strong incentives to become so called “data havens”[22]—where weaker information security laws operate much in the vein of notorious Swiss and Cayman Island tax havens in today’s financial sector.  Unfavorable precedent in cloud computing cases such as Megaupload may chill international demand for “US-based cloud computing services such as Microsoft Azure, Amazon Web Services, Rackspace or Google AppEngine.”[23]  Online storage customers may also become increasingly wary of utilizing services that may be shuttered overnight in the event of a prosecution bust.

In an era where many petabytes of data are transferred and stored daily, it is clear that existing laws are inadequate for the growing universe of cloud computing.  Jerry-rigging traditional legal principles to fit international IT services creates considerable uncertainty, compliance burdens, and liability risks for both businesses and consumers.[24]  Federal attention is warranted to clarify and update statutes and policies to reflect the realities of the modern information industry.  Furthermore, the United States must work with other countries to achieve greater consensus on these issues.

*Bradley Cho is a J.D. candidate at Cornell Law School where he is a Cornell International Law Journal Associate. He holds a Bachelor’s Degree from Yale University.

[1] Interview by Danny Sullivan with Eric Schmidt, CEO, Google (Aug. 9, 2006), available at

[2] See, Peter Mell & Tim Grance, U.S. Dep’t of Commerce, Nat’l Inst. of Standards & Tech. The NIST Definition of Cloud Computing 1, 2 (Sept. 2011),

[3] Chenda Ngak, What is cloud computing? Amazon, Google Drive, iCloud, Dropbox explained, CBS News (Aug. 10, 2012, 3:17 PM),

[4] Orly Mazur, Taxing the Cloud, 103 Calif. L. Rev. 1, 3 (2015).

[5] See, Richard Rubin & Juliann Francis, Hey (Hey), You (You), Stop Taxing My Cloud, Bloomberg Businessweek (Aug. 25, 2011),


[6] See generally, Damon C. Andrews, & John M. Newman, Personal Jurisdiction and Choice of Law in the Cloud, 73 Md. L. Rev. 313 (2013) (discussing the development of jurisdiction and choice of law in the cloud).

[7] See generally, Lothar Determann, What Happens in the Cloud: Software as a Service and Copyrights, 29 Berkeley Tech. L.J., 1096 (2015).

[8] Carter Evans, “Netflix tax” may be coming soon to your bill, CBS News (Nov. 24, 2016, 7:11 PM),

[9] Cheryl Corley, Chicago’s ‘Cloud Tax’ Raises The Cost Of Streaming Videos, NPR (Jul. 10, 2015, 5:06 AM),

[10] See Mazur, supra note 4, at 27 (discussing several plausible alternatives for how current rules apply to cloud-related income).

[11] I.R.C. § 871(b) (West 2014).

[12] See Mazur, supra note 4, at 4.

[13] See Niels Schaumann, Copyright Infringement and Peer-to-Peer Technology, 28 Wm. Mitchell L. Rev. 1001, 1020 (2002).

[14] United States v. Dotcom, et al., E.D. Va ,Criminal No. 1:12-CR-3, Superseding Indictment, Dkt. 34.

[15] Dara Kerr, MegaUpload substitutes show spikes in traffic since shutdown, CNET Mag (Jan. 26, 2012, 5:28 PM),

[16] William Welch, The megalife of Kim Dotcom, USA Today (Jan. 30, 2012, 11:24 AM),

[17] Australian Associated Press, Kim Dotcom in court for US extradition hearing after three years of delays, The Guardian (Sept. 21, 2015 1:17 PM),

[18] See Michael John Garcia & Charles Doyle, Cong. Research Serv., 98-958, Extradition to and from the United States: Overview of the Law and Recent Treatise 2 (2010).

[19] Nate Anderson, Explainer: How can the US seize a “Hong Kong site” like Megaupload?, ARS Technica (Jan. 20, 2012, 5:05 PM),

[20] Greg Sandoval, After nearly four years, is it time to just settle the Megaupload case?, The Verge (Sept. 28, 2015, 3:41 PM),

[21] See, Swedish court: ‘We cannot ban Pirate Bay’, The Local se (Nov. 27 2015, 1:14 PM),

[22] Jack Powers, Anguillan Entrepreneur Offers Offshore Alternative For Net-Based Business, Micro Times, (last visited Apr. 10, 2017).

[23] Brett Winterford, Four key questions from the ‘Mega conspiracy’, itnews (Jan. 23, 2012, 6:57 AM),

[24] Id.