
XaaS (Anything as a Service): Business Boon or Bane? Weighing the Legal Risks

Growing from USD 700 billion in 2023 to USD 3.2 trillion by 2030, the XaaS (Anything as a Service) market signifies a monumental shift in global business operations.[1] XaaS, short for “Anything as a Service”, encompasses a vast array of subscription and pay-per-use offerings delivered via the cloud, providing consumers with unmatched flexibility, scalability, and accessibility. However, while a surge in XaaS investments promises new revenue streams, it also introduces significant legal challenges for consumers. Dissecting the dual-edged nature of XaaS, we first underscore its transformative impact on businesses in the service economy; we then delve into the legal and regulatory obstacles, such as data privacy compliance, intellectual property ownership, and contractual complexities, that consumers must overcome. With XaaS evolving into a mega-trend, legal practitioners must move beyond mere compliance, positioning themselves as strategic partners to help businesses thrive in this dynamic and uncertain terrain.

Business Boon: How XaaS Transforms Performance

Flexibility, Scalability, and Accessibility

XaaS is singularly advantageous for startups and SMEs, providing access to advanced, enterprise-grade tools without significant upfront investments, which enables better budget and cash flow management. XaaS spans a broad spectrum of models, from Software as a Service (SaaS) to emerging concepts like AI-as-a-Service (AIaaS) and Vertical SaaS tailored to specific industries. These models enable businesses to scale resources up or down based on demand, replacing large upfront capital expenditures (CapEx) with predictable and scalable operational expenditures (OpEx). For example, AI-as-a-Service platforms allow businesses to leverage machine learning algorithms for fraud detection, customer analytics, and operational efficiency without the need to invest in costly specialized infrastructure. Similarly, Infrastructure-as-a-Service (IaaS) providers eliminate the need for on-premises infrastructure, offering scalable cloud computing solutions on a pay-per-use basis.

Industry-driven Innovation

Emerging models like Vertical SaaS are revolutionizing industries by delivering tailored solutions. Unlike generic SaaS platforms, Vertical SaaS caters to the specific needs of sectors such as automotive, manufacturing, and telecommunications. In the automotive sector, Vertical SaaS platforms support real-time fleet management while ensuring compliance with cybersecurity standards. In telecommunications, SaaS solutions enable scalable network infrastructure optimized for 5G deployment. These tailored solutions lower barriers to innovation, enhance workflow efficiency, and increase competitiveness. However, this very customization also introduces industry-specific legal complexities.

Legal Challenges of XaaS: Why They Matter

While XaaS offers immense commercial potential, unresolved legal risks could undermine its benefits.

1. Data Privacy and Security

Storing and transferring sensitive data across multiple jurisdictions exposes XaaS services to significant compliance challenges, especially with varying global regulations like the General Data Protection Regulation[2] (“GDPR”). The cross-border nature of these services often attracts opaque and intensifying scrutiny over data handling practices, leaving businesses vulnerable to penalties and reputational damage. In the landmark Schrems II decision[3], the European Court of Justice invalidated the EU-US Privacy Shield, which had previously facilitated cross-border data transfers between the EU and the US, leaving businesses working urgently to comply with the GDPR. For XaaS consumers, this means stricter scrutiny over how and where their data is stored. Non-compliance with GDPR can result in fines of up to 4% of global turnover[4], alongside reputational damage and loss of customer trust.

For businesses in highly regulated industries like finance, the risks are more pronounced. Failure to meet privacy standards may expose sensitive customer data, disrupt operations and lead to costly litigation; the stakes are high. The Capital One Data Breach Litigation[5] further demonstrates these vulnerabilities. A misconfigured firewall in a cloud environment exposed millions of customer records, triggering questions about the shared responsibility model between XaaS providers and consumers. Data is the lifeblood of modern businesses. Without legal safeguards, businesses face disproportionate risks to their reputation and bottom line when providers fail to ensure adequate security controls.

Practical Legal Solutions:

i. Incorporate Robust Data Protection Clauses: Contracts should specify safeguards like encryption, regular security audits, data localization, breach notification protocols, and clearly state who owns the data. Employing Standard Contractual Clauses (SCCs) can facilitate compliance with GDPR for cross-border data transfers.

ii. Strengthen Vendor Accountability: Contracts should impose strict obligations on third-party vendors and suppliers to implement robust cybersecurity practices, restrict third parties’ access to sensitive data and adhere to applicable regulations. This ensures that businesses are protected from vulnerabilities introduced through third-party relationships.

iii. Allocate Liability for Data Breaches: Indemnification clauses should hold XaaS providers accountable for security failures. High-profile cases like the Capital One breach demonstrate the critical importance of clearly allocating liability in contracts, ensuring providers are responsible for damages caused by negligence or non-compliance.

2. Intellectual Property Ownership

Intellectual property ownership is a key issue and critically important in XaaS agreements. Unlike traditional software licenses, XaaS agreements often allow service providers to retain rights to derivative works or customizations developed for clients, potentially blurring the boundaries of IP ownership between creators and users. Intellectual property is often a business’s most valuable asset. Yet, ambiguities in XaaS agreements could greatly erode a company’s ability to monetize its business innovations, weaken its competitive edge, and trigger costly lawsuits. In SAS Institute Inc. v. World Programming Ltd.[6], the European Court of Justice held that replicating software functionality, such as syntax formats and output design styles, without copying source code, did not infringe copyright. This highlights that copyright law alone cannot adequately protect functionality in XaaS. The limits of copyright protection for software were also demonstrated in another copyright infringement case, Google LLC v. Oracle America, Inc.[7] Although the U.S. Supreme Court ruled that Google’s use of Oracle’s APIs constituted “fair use” due to its transformative nature and its role in fostering innovation, the case highlights potential IP ownership issues when third-party software or APIs are integrated, particularly when XaaS agreements are vague or silent on these usage rights. Further, in Oysterware Ltd v Intentor Ltd and others[8], the High Court highlighted that a copyright infringement claim must clearly identify the aspects of the software application in which copyright protection is claimed, and the way its copyright was infringed upon. If the software is purely an adaptation of off-the-shelf software toolkits, it is challenging to establish subsistence and infringement of copyright. Therefore, the Plaintiff’s copyright infringement claim was dismissed.

Practical Legal Solutions:

i. Negotiate Clear Ownership of Customization and Derivative Works: When businesses rely on XaaS platforms to develop proprietary materials, contracts must clearly define ownership of IP created on XaaS platforms. For instance, a telecommunications company using a Platform-as-a-Service (PaaS) solution to create network optimization software should secure exclusive rights to the resulting IP.

ii. Incorporate Industry-Specific IP Protections: Different industries face unique IP challenges, and agreements should address these concerns. In technology, media, and telecommunications (TMT), contracts should focus on safeguarding monetizable innovations and licensing rights. In manufacturing, agreements must secure ownership of operational data generated by XaaS platforms to protect strategic assets. Tailoring IP clauses to industry-specific priorities mitigates risks and aligns contracts with business objectives.

3. Contractual Complexity in Service-Level Agreements (SLAs)

SLAs, the backbone of XaaS contracts, define performance metrics, uptime guarantees, and remedies for non-compliance between XaaS users and service providers. However, vague or overly technical SLAs expose businesses to substantial risks. The notorious 2020 Amazon Web Services (AWS) outage, which was caused by a failure in its Kinesis service, disrupted a large part of the internet and the operations of major platforms like Netflix and Spotify. It illustrates how a single failure on the part of a cloud provider can massively cripple business operations, resulting in a major loss of revenue for consumers. Fundamentally, contractual remedies limited to service credits often fail to compensate for the full extent of financial or reputational losses, or to ensure operational continuity. If SLAs are weakly negotiated and service-level obligations are unclear, businesses may struggle to enforce uptime guarantees or secure meaningful remedies for prolonged outages.

On the other hand, Delta Air Lines, Inc. v CrowdStrike, Inc.[9] shows that SLAs with clearly defined service-level obligations can shield service providers from financial losses. The case involves an incident which caused the cancellation of 7,000 flights within the five days following an IT outage. However, it was difficult to hold the service provider fully liable for the outage because of protections such as clearly defined liability caps in the SLAs. Therefore, even if Delta Air Lines succeeded in the action, it might only recover nominal damages, possibly outweighed by the legal and judicial costs of pursuing the service provider.

Practical Legal Solutions:

i. Enforce Clear Performance Metrics with Balanced Terms: SLAs may include well-defined, measurable terms for service levels, such as “99.99% uptime guarantees”, response times, availability, data recovery timelines, and capacity thresholds. At the same time, SLAs should reflect commercial priorities by inserting liability caps, termination rights, and remedies that go beyond service credits to adequately compensate for financial or reputational losses, particularly for mission-critical services.

ii. Employ Seamless Exit Strategies: Contracts must include provisions for data migration and operational continuity upon termination, ensuring businesses can transition to alternative providers without disruption.

iii. Address Subcontractor Risks: To avoid liability gaps, subcontractors must adhere to consistent obligations, including performance standards and data protection measures, as outlined in the SLA.

Emerging Trends in XaaS

As XaaS continues to redefine the business landscape, legal practitioners representing consumers are playing an increasing role in tackling challenges from emerging trends, shaping the future of the industry:

i. AI-as-a-Service (AIaaS): AI-driven XaaS platforms present risks including algorithmic biases and errors in automated decision-making, which may lead to legal challenges, such as biased hiring algorithms under employment law. Legal practitioners should shift from relying on indemnity clauses to adopting proactive measures, ensuring that AIaaS providers not only offer comprehensive documentation for transparency in AI processes, covering algorithm functions and data ethics, but also provide educational training and support for end-users. This holds AIaaS providers accountable for any unfair outcomes, ultimately protecting consumers’ interests.

ii. Sustainability and ESG: With growing emphasis on environmental, social, and governance (ESG) goals for corporates, businesses may demand sustainable practices from their XaaS providers. To meet consumer and investor expectations, legal practitioners may incorporate provisions that promote ESG compliance, requiring providers to report on environmental impact metrics (e.g. energy consumption, carbon emissions, resource optimization, and waste reduction).

iii. Multi-Cloud and Dynamic Pricing Models: As businesses embrace multi-cloud and hybrid environments to avoid vendor lock-in, XaaS providers must ensure seamless integration across platforms. These setups also bring unpredictable costs due to dynamic pricing models based on usage. To prevent cost overruns, legal practitioners should negotiate clear pricing structures, caps on variable fees, and transparency in cost escalations, while also addressing interoperability and service continuity to manage multi-cloud complexities.

The Road Ahead: A Strategic Imperative

XaaS is more than a technological innovation; it is a paradigm shift in how businesses increasingly operate in the digitalisation and servitisation of the economy. However, the promise of flexibility, scalability, and accessibility comes with significant risks that must be resolved through commercially-oriented legal solutions. Ultimately, XaaS is a double-edged sword. Through mitigating issues in data privacy and intellectual property and crafting airtight SLAs, legal practitioners play a pivotal role in shaping a more balanced XaaS ecosystem, one that not only captures key commercial opportunities, but manages risks, maintains integrity, and maximizes resilience.

Author: Jacqueline Kwong

Footnotes

[1] https://www.fortunebusinessinsights.com/everything-as-a-service-xaas-market-102096
[2] Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 laying down the General Data Protection Regulation [2016] OJ L119
[3] Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020)
[4] https://gdpr-info.eu/issues/fines-penalties/
[5] In re Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (E.D. Va. Jun. 25, 2020)
[6] Case C-406/10, ECLI:EU:C:2012:259 (2 May 2012)
[7] 141 S. Ct. 1183 [2021]
[8] Oysterware Ltd v Intentor Ltd and others [2020] EWHC 2125 (Ch)
[9] Case 24CV013621 (Ga. Super. 25 Oct 2024)
07 May 2025
Technology

You have been served (by NFT)

In recent years, the introduction and rise in use of blockchain technology, cryptocurrency and non-fungible tokens (“NFTs”) across the globe has led to booms in technology and finance. Unfortunately, this same technology has opened up fertile ground for wrongdoers to exploit this novel digital landscape, defrauding unsuspecting individuals with relative ease and evading the legal ramifications, owing to the anonymity associated with cryptocurrency coupled with minimal regulatory oversight. As a result, the Hong Kong Courts have started to grapple with the challenges and complexity of crypto-related crime, seeking to devise innovative approaches to counteract the ever-evolving challenges in this digital landscape. One challenge that is all too common in such cryptocurrency frauds arises from the anonymous nature of cryptocurrency and blockchain technology. While this anonymity has certain benefits, it is a double-edged sword that fraudsters can wield to hide their identities and locations when perpetrating such frauds on innocent victims. This leads to a challenge faced by many, if not most, victims of cryptocurrency frauds: how can they identify the unknown fraudsters and bring the proceedings to their attention? In a recent case we overcame this challenge by serving legal documents by NFT, following discussions and consultations with First Digital Trust Limited, who advised on the issuance and mechanics of the NFTs.

The Traditional Process of Serving Legal Documents and Alternative Service

In Hong Kong, Order 10, rule 1 of the Rules of the High Court (Cap. 4A) requires individuals to be notified of the legal proceedings against them. Traditionally, the process of initiating proceedings against defendants and serving legal documents often requires in-person delivery or registered post, which can be cumbersome. Alternatives to the traditional forms of serving legal documents range from advertisements in local newspapers to service by way of email or other electronic communications, where such identifying information about the defendant is known. Issues have arisen due to the intrinsic anonymity of cryptocurrency cases and cybercrime, as the identity of the defendant is difficult to ascertain and often unknown. Fortunately, the law recognizes the practical difficulties of service in circumstances where there is minimal identifying information about the defendants, and the Hong Kong Courts are beginning to permit alternative service methods.

Alternative Service in Cryptocurrency-Related Cases

To date, there are a handful of instances where alternative service has been required in legal proceedings concerning cryptocurrency fraud in Hong Kong. A notable decision is Wang Chichen v FeCommerce fDeal Co Limited and other [2023] (HCA 1017/2023), where the Hong Kong Court adopted a similar position to D’Aloia v (1) Persons Unknown (2) Binance Holdings Limited & Others [2022] EWHC 1723 by allowing the claimant to airdrop an NFT with a link to the court documents into the crypto wallet addresses of the unknown defendants. Such an instance indicates the Hong Kong Court’s willingness to embrace the use of NFTs as a viable means of alternative service in the context of cryptocurrency proceedings, where the only available identifying characteristic of the perpetrators is the cryptocurrency wallet address held by them and used to effect the fraud.

Our recent case

In one of our recent cases, our client was induced by unknown fraudsters to pay a large sum of stablecoins, amounting to the equivalent of thirty million Hong Kong Dollars, to a fraudulent cryptocurrency wallet address. The inducement was effected by a phishing scam, whereby our client mistakenly sent the stablecoins to a wallet address created by the perpetrators to mimic the intended wallet address.
Such a phishing scam is commonly known as ‘address spoofing’ or ‘address poisoning’ and is carried out by creating wallet addresses with the same starting and ending characters as the intended wallet address. Once a fraudulent wallet address has been created by way of spoofing, the fraudsters send a small amount of cryptocurrency from this fraudulent address to the victim’s wallet, in the hope that the victim mistakes it for a transfer from the intended wallet address and sends funds back to the fraudulent address in return. As with all cryptocurrency transfers, once the transaction is sent, it cannot be recalled, and the victim’s funds are lost. As a result of the fraudsters’ wallet address spoofing, our client’s funds were erroneously transferred with no ability to ascertain identifying information about the perpetrators, other than their cryptocurrency wallet address and those wallets the funds were further dissipated to. Through our firm, our client sought legal recourse to retrieve the funds. To ensure that our client’s assets were protected, we sought and successfully secured a proprietary injunction order to freeze our client’s assets in the defendants’ crypto wallets. In our application for the proprietary injunction order, we requested that alternative service be effected by airdropping NFTs into the fraudsters’ cryptocurrency wallet addresses, noting that there were no feasible alternatives to bring the action to their attention. Following the Court granting alternative service by way of NFT, we initiated the creation of a smart contract on Tron, a decentralized blockchain-based operating system with smart contract functionality, and used it to create eight NFTs. The NFTs containing the proprietary injunction, writ of summons, and other legal documents were then securely and instantaneously transferred to the cryptocurrency wallet addresses of the two defendants.
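The address-poisoning pattern described above can be screened for on the victim's side before any funds are sent. The following is an added example, not code from this article or from Titus: it assumes hex-style wallet addresses (a "0x" marker followed by 40 hex characters) and a small address book of trusted counterparties, and every address and transfer in it is constructed sample data. It flags inbound "dust" transfers whose sender matches a trusted address only on the visible prefix and suffix, and it gates outgoing transfers on an exact match, because a transfer cannot be recalled once sent.

```python
from dataclasses import dataclass

# Wallet apps commonly abbreviate an address to its first and last few
# characters, so those are the characters a look-alike needs to match.
PREFIX_LEN = 4
SUFFIX_LEN = 4


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float


def normalise(addr: str) -> str:
    """Canonical form for comparison: trimmed, lower-case hex."""
    return addr.strip().lower()


def looks_alike(candidate: str, trusted: str) -> bool:
    """True when candidate mimics trusted: same length, same visible
    prefix (after '0x') and suffix, but not the identical address."""
    c, t = normalise(candidate), normalise(trusted)
    if c == t or len(c) != len(t):
        return False
    head = 2 + PREFIX_LEN  # skip the '0x' marker, then compare PREFIX_LEN chars
    return c[:head] == t[:head] and c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]


def find_poisoning_candidates(history, address_book):
    """Return (sender, trusted_name) pairs for inbound transfers whose
    sender mimics an entry in the address book."""
    flagged = []
    for tx in history:
        for name, trusted in address_book.items():
            if looks_alike(tx.sender, trusted):
                flagged.append((tx.sender, name))
    return flagged


def check_outgoing(recipient, address_book):
    """Gate an outgoing transfer: 'ok' only on an exact match with a
    trusted address, 'lookalike' when it merely mimics one, 'unknown'
    otherwise. Copying the recipient from transaction history is exactly
    the mistake this check is meant to catch."""
    r = normalise(recipient)
    for name, trusted in address_book.items():
        if r == normalise(trusted):
            return "ok", name
        if looks_alike(r, trusted):
            return "lookalike", name
    return "unknown", None


# Constructed sample data (hypothetical addresses, not real ones).
MY_WALLET = "0x" + "0" * 40
TRUSTED_ADDR = "0xabcd" + "1" * 32 + "ef56"   # genuine exchange deposit address
LOOKALIKE = "0xabcd" + "2" * 32 + "ef56"      # same prefix/suffix, different middle
SUPPLIER_ADDR = "0x9876" + "5" * 32 + "4321"
UNRELATED = "0x" + "9" * 40

ADDRESS_BOOK = {"exchange": TRUSTED_ADDR, "supplier": SUPPLIER_ADDR}

SAMPLE_HISTORY = [
    Transfer(TRUSTED_ADDR, MY_WALLET, 100.0),  # genuine inbound from the exchange
    Transfer(LOOKALIKE, MY_WALLET, 0.001),     # poisoning "dust" transfer
    Transfer(UNRELATED, MY_WALLET, 5.0),       # unrelated counterparty
]

if __name__ == "__main__":
    for sender, name in find_poisoning_candidates(SAMPLE_HISTORY, ADDRESS_BOOK):
        print(f"warning: {sender} mimics address-book entry '{name}'")
    print(check_outgoing(LOOKALIKE, ADDRESS_BOOK))
```

The only decision that protects funds is the exact-match gate in check_outgoing; the history scan is a warning aid. Comparing more than four characters at each end reduces false positives but does not change the rule that a recipient should be taken from a verified address book, never from the sender field of a received transaction.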
Our case is an illustrative example of the Hong Kong Courts' increasing willingness to embrace innovative digital strategies and to align themselves with broader trends among global legal systems by exploring alternative service methods to counteract these challenges. The affirmative court ruling on this issue further paves the way for more flexible approaches in crypto cases and ensures that justice is not hindered by traditional barriers. It is worth noting that serving legal documents by NFT does not increase the chance of successfully recovering lost funds. With the increase in cryptocurrency fraud, more solutions are needed to combat these new areas, with service via NFT being one of these innovative solutions within existing legal procedures to protect claimants’ interests and to ensure justice is served.

Author: Michael Titus
11 September 2024
Content supplied by Titus