INTRODUCTION I. THE USE OF THE CLOUD A. International Processing of Personal Data B. Networked Data Processes C. Modular Units and Outsourced Services II. THE MISMATCH WITH INFORMATION PRIVACY LAW A. Jurisdiction: Which Nation's Privacy Law Applies? 1. The Data Protection Directive (1995) a. Who Is a Controller? b. When Is There a "Use of Equipment Situated Within the Territory" of the European Union? 2. The Proposed General Data Protection Regulation (2012) a. What Is an "Offering of Goods or Services"? b. What Is "Monitoring" of Behavior? B. Networked Intelligence in the Cloud: When Does Privacy Law Apply? C. "Make or Buy": Who Is Liable? III. SOLUTIONS FOR INFORMATION PRIVACY LAW A. Jurisdiction B. Networked Data Processes and PII 2.0 C. Contracts Plus CONCLUSION INTRODUCTION
Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions--on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are also sensitive to technological changes.
This Article takes a comparative focus: it examines legal developments in the United States and the European Union. As the White House noted in its 2012 consumer privacy framework, the United States "is a world leader" in cloud computing. (1) While leading cloud companies are U.S.-based, the European Union sets strong requirements for flows of personal data, and these obligations have already had a major impact on U.S. companies. The European Union's significant role in international decisions around information privacy has been bolstered by the authority of EU member states to block data transfers from their country to third-party nations. (2) Such nations include the United States, which the European Union generally considers to lack "adequate" privacy protections. (3) Moreover, the European Commission's release in late January 2012 of its "General Data Protection Regulation" (4) provides a perfect juncture to assess the issue of privacy in the cloud.
This Article examines three areas of change in personal data processing due to the cloud. In doing so, it draws on an empirical study in which I analyzed the data processing of six major international companies. (5) The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing.
A second legal issue concerns the multidirectional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of "personal information" and the meaning of "automated processing" have become problematic. There is also no international harmonization of these concepts. As a result, EU and U.S. officials may differ on whether certain activities in the cloud implicate privacy law.
A final change relates to the shift toward a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in The Nature of the Firm. (6) In that classic essay, Coase sought to shed light on a fundamental question of corporate organization--when a firm will produce something for itself, and when it will procure from another. New technologies and accompanying business models now allow firms to approach "make or buy" decisions in innovative ways. Different functions and operations can be packaged as modular u=nits that can be pulled apart and reassembled. Yet information privacy law tends to assess legal responsibility in a static fashion. In particular, privacy law's approach to liability for privacy violations and data losses in the new "make of buy" world of the cloud may not create adequate incentives for the multiple parties who handle personal data. (7)
Thus, this Article's focus is a comparative one from which it explores significant changes in data processing due to the cloud and the resulting tension with contemporary information privacy lave. This Article concentrates on issues relating to the private ordering of data processing. There are, therefore, important restrictions on its scope. It discusses neither national security nor criminal law issues. To be sure, the cloud changes the ability of intelligence agencies and law enforcement officials to access personal data, but these matters are conceptually different enough from those involving purely private parties as to merit separate analysis. This Article also does not analyze issues that arise when the government uses cloud services. Here, too, there are distinct policy and legal issues.
THE USE OF THE CLOUD
The term "cloud" comes from the traditional representation of the Internet in network diagrams. Network diagrams typically depict in detail the servers, client PC's, and routers that are internal to an organization, and then illustrate the Internet simply with a cloud. (8) Over time, people realized that they could move computer resources that had been inside an organization to the Internet--that is, onto the "cloud." The National Institute of Standards and Technology defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources ... that can be rapidly provisioned and released with minimal management effort or service provider interaction." (9)
The cloud has already had an impact on many people. By 2008, the Pew Internet & American Life Project had found that "[s]ome 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications [the] functionality [of which] is located on the web." (10) The trend has continued: more people expect that, in the future, they will access software applications online and share information through remote server networks rather than on their personal computers. (11)
The cloud has also been an incredible economic success story. The research firm Forrester forecasts that the global market for cloud computing "will leap from $40.7 billion [in 2011] to more than $241 billion in 2020." (12) In Germany, the largest economy in the European Union, investments in and the services of the 2010 cloud market were worth 1.14 billion [euro]. (13) This market is estimated to be worth 3 billion [euro] by the end of 2012 and 8 billion [euro] by 2015. (14) Beyond these statistics, however, a 2012 New Yorker cartoon represents perhaps the ultimate sign of the cloud's arrival as a social phenomenon. In it, a child says to her teacher, "The Cloud are my homework." (15)
In this Part, I analyze how the cloud changes the processing of personal data by organizations. Three alterations in particular point to the need for adjustments to information privacy law. The first concerns the increased international scale of information processing. The second concerns the development of personal information processing as a networked event. Continuous, multipoint data flows are now commonplace, and decisions about information processing, such as those concerning the collection of data of its transfer, are made in a decentralized fashion through networked intelligence. Finally, there has been a change in management processes to allow outsourcing of computing resources. Today, the cloud permits operations to be packaged as modular units that can be pulled apart and reassembled in different ways. Contemporary technology permits flexibility in data processing that was previously unknown. Taken collectively, these changes suggest the need for modifications to information privacy law.
International Processing of Personal Data
In the past, companies generally worked with discrete, localized data sets and processes. An international data flow was an occasional event--an exception rather than the rule--and data processing systems were generally nationally based. From today's perspective, moreover, these past transfers were relatively static events--they did not occur continuously and they involved a fairly limited number of participants in the processing.
The Fiat incident from the late 1980s is a good illustration of this past model. At that time, Fiat-France sought to transmit human resources information about its employees to its parent company, which was located in Turin, Italy. (16) While Italy had not yet enacted a national data protection statute, France had such a law in place. The French data protection authority, the National Commission on Informatics and Liberties (Commission nationale de l'informatique et des libertes) (CNIL), intervened and issued a formal declaration that required Fiat-France and Fiat-Italy to sign a contract before the transfer could occur. (17) In this...