Abstract
This paper examines the interactions between cloud service contract law and data-protection regulation in order to highlight the role that the latter plays in protecting consumers. The analysis aims to make it possible to understand whether and to what extent the European legislature has also influenced the regulation of cloud computing services by following a holistic approach in the adoption of the General Data Protection Regulation.
Davide Mula is a lecturer in Data-protection and Biotechnologies Law, Legal Informatics and in Information and Communication Law (European University of Rome) and a fellow of the Italian Academy of the Internet Code.
Notes
- 1.
See National Institute of Standards and Technology, U.S. Department of Commerce (2011), 6: ‘Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models’.
- 2.
European Economic and Social Committee, (2012), 3.
- 3.
NIST (2011), 2. A further classification of services, based on ownership of the hardware and software infrastructure and on the conditions of accessibility to the platform, is outlined in particular by Bradshaw, S. / Millard, C. / Walden, I. (2010). According to this parameter, clouds are classified as private cloud, public cloud, community cloud and hybrid cloud.
- 4.
See Hon / Millard / Walden (2012b), 85.
- 5.
For a detailed survey and analysis of the terms and conditions offered by cloud computing providers see Bradshaw / Millard / Walden (2010).
- 6.
Cloud service agreements are frequently signed by parties of different nationalities who normally include clauses concerning the relevant legislation applicable to the contract in this first document. See Mantelero (2012), 1221.
- 7.
European Commission Decision (2013), Recital 5: ‘The Commission intends to facilitate stakeholder agreement promoting the use of safe and fair terms and conditions in cloud computing contracts between cloud computing service providers and consumers and small firms. The Commission should work towards this goal with the active involvement of stakeholders drawing on their expertise and experience in the cloud computing sector. For this purpose, the Commission considers it appropriate to set up a group of experts on cloud computing contracts between cloud computing service providers and consumers and small firms. The tasks of the group shall be complementary to the work of the Commission on model terms for cloud computing service level agreements for contracts between cloud providers and professional users’.
- 8.
The constitution of a working group was already announced by the European Commission in its Communication of 2012: ‘The Commission will by end 2013: […] Task an expert group set up for this purpose and including industry to identify before the end of 2013 safe and fair contract terms and conditions for consumers and small firms, and on the basis of a similar optional instrument approach, for those cloud-related issues that lie beyond the Common European Sales Law’.
- 9.
Cloud Select Industry Group – Subgroup on Service Level Agreements (2014).
- 10.
As highlighted in the Guidelines, ‘this initiative will have maximum impact if standardisation of SLAs is done at an international level, rather than at a national or regional level. International standards, such as ISO/IEC 19086, provide a good venue to achieve this objective. Taking this into account, the C-SIG SLA Subgroup, as the European Commission expert group, set up a liaison with the ISO Cloud Computing Working Group to provide concrete input and present the European position at the international level. The SLA Standardisation Guidelines will serve as a basis for the further work of the C-SIG SLA and for a contribution to the ISO/IEC 19086 project’.
- 11.
The Standardisation Guidelines on this point stress: ‘Keeping the definition of service level objectives well-defined and unambiguous is important to ensure the effective standardization of cloud SLAs and to enable clear communication between cloud service providers and cloud service customers. As technology develops and new terminology is developed it will also be important to ensure definitions are up-to-date and consistent with an evolving cloud services landscape’. See European Commission (2012), Mula (2016a).
- 12.
See Mula (2016b), 148 and note 52.
- 13.
See Hon / Millard / Walden (2012b), 113.
- 14.
See article 2, number 1), Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council.
- 15.
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), OJ (2000) 178.
- 16.
- 17.
As Papi observes (2013), 3, the more complete the service provided is, e.g. SaaS, the less possibility users have to modify the cloud service.
- 18.
Marchini highlights this aspect: Marchini (2010), 101.
- 19.
- 20.
- 21.
See Open Cloud (2010), 6.
- 22.
See Maggio (2016), 462.
- 23.
See Maggio (2016), 468.
- 24.
See Mula (2016b), 148.
- 25.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), OJ (2016) 119.
- 26.
- 27.
Reding (2011) said ‘I want to give citizens better data portability. This means that if a user requests their information, it should be given to them in a widely used format which makes it simple to transfer elsewhere. I strongly believe that users should not be bound to one provider simply because it is inconvenient to move their information from one service to another.’
- 28.
This Recital dispels the criticism of Hon / Millard / Walden (2011), 213.
- 29.
- 30.
The right to privacy stems from the right to be let alone as described by Warren / Brandeis (1890), 193.
- 31.
- 32.
Charter of Fundamental Rights of the European Union, OJ (2000) 364.
- 33.
The development of the right to data protection is described by the Italian Academy of the Internet Code (2015).
- 34.
For the difference between the right to privacy and the right to data protection see Stazi / Mula (2013).
- 35.
See Hon / Millard / Walden (2012a), 4.
- 36.
See Hon / Hörnle / Walden (2012), 135.
- 37.
See Balducci Romano (2015), 1619.
- 38.
See GDPR, Recital 22.
- 39.
See GDPR, Recital 23.
- 40.
See GDPR, Recital 23.
- 41.
See GDPR, Recital 124.
References
Alo, E.R. (2014), EU privacy protection: a step towards global privacy, 22 Michigan State International Law Review 1096
Balducci Romano, F. (2015), La protezione dei dati personali nell'Unione europea tra libertà di circolazione e diritti fondamentali dell'uomo, Rivista Italiana di Diritto Pubblico Comunitario, 1619, Giuffrè
Bradshaw, S. / Millard, C. / Walden, I. (2010), Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services, Queen Mary School of Law Legal Studies Research Paper No. 63/2010, available at SSRN: http://ssrn.com/abstract=1662374
Busia, G. (2000), Riservatezza (diritto alla), Digesto delle discipline pubblicistiche, 476, Utet
Cerri, A. (1995), Riservatezza (diritto alla), Enciclopedia giuridica, 26, Treccani
Clarizia, R. (2012), Contratti e commercio elettronico, in: M. Durante / U. Pagallo (Eds.), Manuale di informatica giuridica e diritto delle nuove tecnologie, 361, Utet
Cloud Select Industry Group – Subgroup on Service Level Agreements (2014), Cloud Service Level Agreement Standardisation Guidelines, 24th June 2014, available at http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?action=display&doc_id=6138
European Commission (2012), Communication “Unleashing the Potential of Cloud Computing in Europe”, COM(2012) 529 final
European Commission (2013), Decision of 18 June 2013 on setting up the Commission expert group on cloud computing contracts (2013/C 174/04)
European Economic and Social Committee (2012), Opinion of the European Economic and Social Committee on “Cloud computing in Europe” (own-initiative opinion) – (2012/C 24/08)
Ferrari, G.F. (2012), La tutela dei dati personali dopo il Trattato di Lisbona, in: G.F. Ferrari (Ed.), La tutela dei dati personali in Italia 15 anni dopo. Tempo di bilanci e di bilanciamenti, 19, Egea
Finocchiaro, G. (2012), Privacy e protezione dei dati personali. Disciplina e strumenti operativi, passim, Zanichelli
Gentili, A. / Battelli, E. (2011), I contratti di distribuzione del commercio elettronico, in: R. Bocchini / A. Gambino (Eds.), I contratti di somministrazione e di distribuzione, 347, Utet
Hon, W.K. / Hörnle, J. / Walden, I. (2012), Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3, 26 International Review of Law, Computers & Technology 129
Hon, W.K. / Millard, C. / Walden, I. (2011), The Problem of “Personal Data” in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1, 1 International Data Privacy Law 211
Hon, W.K. / Millard, C. / Walden, I. (2012a), Who is Responsible for ‘Personal Data’ in Cloud Computing? The Cloud of Unknowing, Part 2, 26 International Data Privacy Law 3
Hon, W.K. / Millard, C. / Walden, I. (2012b), Negotiating Cloud Contracts - Looking at Clouds from Both Sides Now, 16 Stanford Technology Law Review 79
Italian Academy of the Internet Code (2015), Position Paper “Criptazione e sicurezza dei dati nazionali”, available at: www.iaic.it
Maggio E. (2016), Access to cloud distribution platforms and software safety, 14th International Conference of Global Business and Economic Development (SGBED), Montclair State University
Mantelero, A. (2012), Il contratto per l’erogazione alle imprese di servizi di cloud computing, Contratto e impresa, 1221, Cedam
Marchini, R. (2010), Cloud Computing. A Practical Introduction to the Legal Issues, 101, BSI
Miller, L. (2007), Standard Setting, Patents, and Access Lock-In: RAND Licensing and the Theory of the Firm, 40 Industrial Law Review 351
Minervini, E. / Bartolomucci, P. (2011), La tutela del consumatore telematico, in: D. Valentino (Ed.), Manuale di Diritto dell’Informatica, 360, ESI
Mula, D. (2016a), Il trattamento dei dati nel territorio dell’Unione e il meccanismo “one stop shop”, in: S. Sica / V. D’Antonio / G.M. Riccio (Eds.), La nuova disciplina europea della privacy, 271-288, Cedam
Mula, D. (2016b), Standardizzazione delle clausole contrattuali di somministrazione di servizi cloud e benessere del consumatore, in: C.G. Corvese / G. Gimigliano (Eds.), Profili interdisciplinari del commercio elettronico, 133-150, Pacini
National Institute of Standards and Technology, U.S. Department of Commerce (2011), The NIST Definition of Cloud Computing, available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Niger, S. (2006), Le nuove dimensioni della privacy: dal diritto alla riservatezza alla protezione dei dati personali, Cedam
Open Cloud (2010), Cloud Computing Use Cases, 6, available at: http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf
Panetta, R. (2006), Libera circolazione e protezione dei dati personali, Giuffrè
Papi, M. Jr. (2013), Configurable Services in SaaS Environments Using Rules Engines, available at SSRN: http://ssrn.com/abstract=2339074
Parisi, A.G. (2012), Il commercio elettronico, in: S. Sica / V. Zeno-Zencovich (Eds.), Manuale di diritto dell’informazione e della comunicazione, 397, Cedam
Pizzetti, F. (2009), La privacy come diritto fondamentale al trattamento dei dati personali nel Trattato di Lisbona, in: P. Bilancia / M. D’Amico (Eds.), La nuova Europa dopo il Trattato di Lisbona, 83, Giuffrè
Reding, V. (2011), Building trust in the Digital Single Market: Reforming the EU’s data protection rules, available at: http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/data-protection_en.pdf
Rizzo, G. (2013), La responsabilità contrattuale nella gestione dei dati nel cloud computing, Diritto Mercato Tecnologia, 101, Italian Academy of the Internet Code
Shapiro, C. / Varian, H.R. (1999), Information Rules: A Strategic Guide to the Network Economy, 106, Harvard Business Press
Stazi, A. / Mula, D. (2013), Le prospettive di tutela della privacy nello scenario tecnologico del cloud e dei big data, available at: http://e-privacy.winstonsmith.org/2013we/atti/ep2013we_03_mula_stazi_tutela_privacy_cloud.pdf
Swire, P. / Lagos, Y. (2013), Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, 72 Maryland Law Review 335
Troiano, G. (2011), Profili civili e penali del cloud computing nell’ordinamento giuridico nazionale: alla ricerca di un equilibrio tra diritti dell’utente e doveri del fornitore, Ciberspazio e Diritto, 242-243, Mucchi Editore
Warren, S.D. / Brandeis, L.D. (1890), The right to privacy, 4 Harvard Law Review 193
Copyright information
© 2018 Springer-Verlag GmbH Germany, part of Springer Nature
About this chapter
Cite this chapter
Mula, D. (2018). The Right to Data Portability and Cloud Computing Consumer Laws. In: Bakhoum, M., Conde Gallego, B., Mackenrodt, MO., Surblytė-Namavičienė, G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-57646-5_15
DOI: https://doi.org/10.1007/978-3-662-57646-5_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-57645-8
Online ISBN: 978-3-662-57646-5
eBook Packages: Law and Criminology (R0)