13. Millard, Cloud Computing Law (7 July 2023)

Limns core and emerging concepts of legislation, jurisprudence, and policy regarding software, platform, and infrastructure as IT services, focusing on the European Union and United Kingdom circa 2020. To this reader, the most pertinent topics may be divided into operations, commercial matters, and taxation.

Operations:
• Cloud services, for purposes of governance, are fundamentally different from outsourcing in terms of design, control, and geographic nexus
• PaaS is indicated by a large degree of client control over specification or complexity of usage
• Security
o Security by nature entails risk management, as rules can never encompass all use cases; risk management is well suited to principle-based regulation (common in UK and Australia). For this reason, insurance is commonly part of risk management
o Misconfigurations are the largest internal threat to security
o To establish one’s services as a ‘trusted execution environment’, one should encourage the client to consider whether the vendor’s security setup is better or worse than the client’s own systems
• Data transfers
o Transfers across international borders may be governed by any of several mechanisms (e.g., Privacy Shield, Standard Contractual Clauses, approved bespoke certifications)
o The acceptability of the SCCs to the EU is premised on the SCCs’ compliance with the recipient country’s standards (e.g., the Australian Privacy Principles)
• Privacy: data sharing (e.g., among companies) is a controller-to-controller sequence; conversely, controller-to-processor is provision and instructed use. See chart p. 311 (which further demonstrates that Jacobi’s control of platform security, etc., makes it at least a joint controller)

Commercial matters:
• The most negotiated clauses are liability (12 months’ fees being standard) including carveouts; service levels including availability; security and privacy; lock-in, portability, and exit; and intellectual property rights
• An estimated one-third of negotiations fail over the transparency of using subcontractors
• Data residency and indemnification for third-party claims are frequently client imperatives, increasingly joined by transition plans. APIs have come to be seen as acceptable means of interoperability or portage
• Pre-commercial procurements (PCP) are a means for public buyers (government) to purchase and then share emerging technologies without violating state-aid strictures of GATT

Taxation:
• The most fluid question is re-establishing consensus of jurisdiction: where is value created? The residence of a provider’s third-party infrastructure does not create nexus (because the provider does not control hardware); however, the location of the end user (the client) might. There is dispute among OECD and UN principles,
• Cloud fees (including PaaS) are generally taxed as business profits, not royalties
• A service that is linked (i.e., not separable) is likely to be singularly taxed, rather than as separate products or business lines