What Do They Really Know About Me in the Cloud? A Comparative Law Perspective on Protecting Privacy and Security of Sensitive Consumer Data

Date: 01 June 2013
DOI: http://doi.org/10.1111/ablj.12012
Published date: 01 June 2013
Nancy J. King* and V.T. Raja**
How much do they know about me in the “Cloud”? They know a lot.... It’s almost like there’s an image of us accumulating in [the] Cloud that will become an ever more vivid copy, with information we wouldn’t tell our best friends, our family or our spouse. But the Cloud knows.1
INTRODUCTION
Like mobile commerce and online marketing, the cloud computing industry is built on advances in Internet technology and the ever-increasing capacity to use computer technology to capture and process consumers’ personal data for commercial and other purposes.2 Yet, there is information privacy peril in the cloud because cloud computing, or “cloud-sourcing,”3 exposes consumers to privacy and security threats on a global scale. Even national borders cannot constrain cloud services, stimulating global information privacy concerns and cross-border regulatory challenges for governments.4 Although consumers and companies may find economic and other advantages in adopting cloud computing for their information processing needs, they must also consider the risks of cloud computing for sensitive personal data.5 Information privacy and security failures in the cloud may lead to lawsuits, invite government investigations, and undermine consumers’ trust.6

This article looks at the question of whether new information privacy laws are needed to protect the privacy and security of sensitive consumer data stored in the cloud and to support the growth of the cloud computing industry.7 The answer to the question is complex because it must start with understanding what laws currently apply to cloud computing. It is further complicated by the fact that regulatory jurisdiction may be unclear since “the exact place where data are located [in the cloud] is not always known and it can change in time.”8 This article focuses on the information privacy laws of the United States and the European Union (EU), the world’s two largest trading partners and regulators of significant participants in the cloud computing industry.9

Although progress has been made in international efforts to find common ground through self-regulatory codes and development of privacy principles that may be voluntarily adopted by businesses or to inform national efforts to adopt information privacy legislation,10 a

American Business Law Journal
Volume 50, Issue 2, 413–482, Summer 2013
© 2013 The Authors
American Business Law Journal © 2013 Academy of Legal Studies in Business

*Associate Professor of Business Law, Oregon State University College of Business; J.D., Gonzaga University School of Law; Masters of Science in Taxation, Gonzaga University; Certified Information Privacy Professional.

**Senior Instructor, Oregon State University College of Business; Ph.D., Business Administration, Washington State University; Master’s Degree in Mathematics, Indian Institute of Technology.

This article received the Holmes-Cardozo Award for Outstanding Submitted Conference Paper and the Ralph J. Bunche Award for best paper on international law at the 2012 Annual Conference of the Academy of Legal Studies in Business. We would like to thank the editors and reviewers of the American Business Law Journal for their insightful comments to improve this article.

1 See Robert Krulwich, How Much Do They Know About Me in the ‘Cloud’?, KRULWICH WONDERS (Feb. 27, 2012, 11:10 AM), http://www.npr.org/blogs/krulwich/2012/02/27/147497042/how-much-do-they-know-about-me-in-the-cloud (discussing a video by Mark Rigely, a graphic designer from San Francisco, California, showing “how emails, ISP data, weblogs and voice data are being used to paint our portraits, and how, with time, those portraits become dense with detail, pattern and personality”). According to Rigely, “The average user will have 736 pieces of this personal information collected every day.” Id.; see also James Ball, Me and My Data: How Much Do the Internet Giants Really Know?, THE GUARDIAN, Apr. 22, 2012, at 12.

2 See Omer Tene & Jules Polonetsky, Privacy in the Age of Big Data: A Time for Big Decisions, 64 STAN. L. REV. ONLINE 63, 65 (Feb. 2, 2012), http://www.stanfordlawreview.org/sites/default/files/online/topics/64-SLRO-63_1.pdf (commenting that the “tasks of ensuring data security and protecting privacy become harder as information is multiplied and shared ever more widely around the world”).

3 Cloud-sourcing is the outsourcing of elements of an organization’s information technology (IT) infrastructure with access achieved via the Internet. Andrew Joint et al., Hey, You, Get Off of that Cloud?, 25 COMPUTER L. & SECURITY REV. 270, 270 (2009).

4 See WORLD ECONOMIC FORUM, ADVANCING CLOUD COMPUTING: WHAT TO DO NOW? PRIORITIES FOR INDUSTRY AND GOVERNMENTS 5 (2011), available at http://www3.weforum.org/docs/WEF_IT_AdvancedCloudComputing_Report_2011.pdf (explaining that in cloud architectures it is not always clear under which legal jurisdiction data in the cloud fall because cloud architectures may split up and store data in multiple locations; noting also that in some cases, it is impossible to determine where a particular piece of data is physically located at a particular moment).

5 See Battle of the Clouds, ECONOMIST, Oct. 15, 2009, at 16, available at http://www.economist.com/node/14644393 (noting that consumers benefit from cheaper and more accessible software while businesses benefit from simplification and reduced costs, while also noting potential drawbacks to cloud computing).

6 See, e.g., Online Storage Provider Dropbox Sued over Data Breach, THOMSON REUTERS NEWS & INSIGHT (July 15, 2011), http://newsandinsight.thomsonreuters.com/California/News/Journal/2011/07_-_July/Online_storage_provider_Dropbox_sued_over_data_breach (reporting the filing of a lawsuit in federal district court in California against an online cloud storage provider that claims invasion of privacy and violation of California’s unfair-competition law). The plaintiff in the suit seeks to represent a class of consumers seeking damages and other relief after a data breach occurred that allegedly resulted from a security failure that allowed logged-in users to access data contained in other users’ accounts. Id.

7 The terms information privacy and data protection are used synonymously in this article and encompass the concept of information security. Protecting the security of personal data is a key principle of data protection laws designed to protect the information privacy of personal data. See, e.g., DANIEL J. SOLOVE & PAUL M. SCHWARTZ, INFORMATION PRIVACY LAW 1063 (4th ed. 2011) (discussing the security safeguards principle from the Organization for Economic Cooperation and Development’s (OECD) 1980 guidelines for the transfer of personal information across national borders, which provide “personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data”). The term personal data refers to personally identifiable data about a natural person. Id. at 872–73, 1112. As used in this article, the term consumer refers to one who is acting for personal, household or family purposes. See, e.g., A HANDBOOK OF BUSINESS LAW TERMS 136 (Bryan A. Garner ed., 1999). Personal data about customers in the hands of businesses may be consumer data to the extent that the customer is a natural person as opposed to a business.

8 Article 29 Data Protection Working Party, Opinion 8/2010 on Applicable Law, at 21, 0836-02/10/EN WP 179 (Dec. 16, 2010) [hereinafter Art. 29 Opinion 8/2010], available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.

9 United States—Trade, EUR. COMMISSION, http://ec.europa.eu/trade/issues/bilateral/countries/usa/index_en.htm (last updated Oct. 29, 2012). Of course, regulators around the world have similar concerns about weak or inconsistent privacy laws that may hinder cross-border provision of online services.

10 Significant international efforts to establish information privacy principles and industry self-regulatory codes to support global commerce have produced the Asian-Pacific Economic Cooperation Privacy Framework (APEC) and a 2011 report by the OECD. See Press Release, Federal Trade Commission, FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region (Nov. 14, 2011), available at http://www.ftc.gov/opa/2011/11/apec.shtm (commenting on a self-regulatory code of conduct that the Federal Trade Commission (FTC) and U.S. Department of Commerce helped to create that is designed to establish more consistent privacy protections for consumers when their data move between countries with different privacy regimes in the APEC region); ORG. FOR ECON. CO-OPERATION AND DEV., THE EVOLVING PRIVACY