Legal Aspects of Cloud Accountability
This paper explores the legal aspects of Cloud accountability which are being examined in great detail in the Cloud Accountability Project. This paper first provides an overview of the basic legal framework of the US and the EU, addresses the lawmaking process, and the impact and enforcement of jurisdiction. The primary laws within the data protection framework are then further explored, as such regulations have the greatest impact on the Cloud, Cloud providers, Cloud customers, and, ultimate, Cloud users. This paper then explores the role of contracts in the Cloud. Finally, all of the analysis is pulled together in discussing how the Cloud Accountability Project is addressing these legal aspects and how such aspects should influence Cloud actors, especially Cloud providers, in their policies and legal governance.
KeywordsCloud accountability project A4cloud Cloud computing law Data protection Cloud contracts Cloud legal aspects
An important part of the Cloud Accountability Project (A4Cloud) is the analysis of the legal and regulatory requirements that dictate how actors in the Cloud ought to behave. Such legal requirements range from terms and conditions when a user utilizes a Cloud service through contracts between businesses and Cloud providers to the various regulations, including the Data Protection Directive and e-Privacy Directive, which govern the interaction between Cloud actors. Because of the importance of those legal requirements, and in particular the constraints they impose, A4Cloud has placed a large focus on researching those legal issues, making recommendations as to future legislation and Cloud contracts, implementing such requirements into the tools being developed by A4Cloud, and providing guidance for all Cloud actors as to such legal implications. Specifically, papers have already and/or will in the future be published within A4Cloud on the evolving data protection laws, the role of standard contracts, the role of data protection audits, and the other legal and regulatory dependencies impacting the Cloud.
It is thus very difficult, especially against the vast backdrop of the legal aspects impacting Cloud Computing, to provide an all-encompassing overview of such legal and regulatory issues in a two-hour lecture and likewise within a small paper, where there are advanced degree programs with dozens of hours of lectures dedicated to these studies and multiple books and articles delving into the intricate details of the legal aspects of the Cloud. Nevertheless, that was our task in the lecture and our task here in this paper. In doing so, we provide what is only a glimpse into some of the more important legal considerations which are being examined in A4Cloud and those using or operating within the Cloud should be most concerned.
We begin this analysis with a general overview of the lawmaking process throughout the world, with a primary focus on the EU and the US, the two primary jurisdictions impacting cloud providers and users. We then discuss the equally important issue of jurisdiction and choice of law, and how such issues impact Cloud users, customers and providers. Next we move on to what is rightfully the main focus of A4Cloud and the largest set of laws impacting the Cloud by examining the various data protection and privacy laws which impact use of the Cloud. Fourthly, we examine the role of contracts in the Cloud, an equally important legal aspect of the Cloud. Finally, we pull all of the foregoing analysis together and briefly how such issues impact the Cloud and the recommendations which A4Cloud had for legal governance, policy framework and increased accountability in the Cloud.
2 A General Overview of the Law
As referenced above, we live in a world of very complex laws. Worse yet (or better, depending on the perspective and outcome), those laws are constantly being revised and compliance with such laws one month may not mean compliance the next. Perhaps even worse, courts apply such laws inconsistently (because of the inherent difficulty of interpreting text, laws oftentimes written in a vague manner, and technology surpassing the original intent of many laws) leaving those subject to the laws to oftentimes partake in a guessing game about what the laws really mean and how they will be applied in any given situation. And, what is perhaps the proverbial frosting on the cake, the nature of the Cloud, i.e. doing business across the internet and Cloud providers being able to provide services without physically being within a jurisdiction, adds a whole new layer to the legal quagmire of which laws apply in any given transaction.
In other words, the legal landscape as it applies to the Cloud is in many ways quite cloudy itself.
2.1 The Development of Modern Law
Nevertheless, we start with the basics. Most of the laws that govern the common law world today are rooted in the Magna Carta signed 800 years ago and the human rights laws derived from that charter. The Magna Carta was drafted and imposed upon King John of England to provide certain liberties to his subjects and for the King to accept that his will was not arbitrary, but rather that people could only be punished by the rule of law. From that document, many constitutions and lesser laws have followed, establishing the laws we know today, especially the human rights laws from which the data protection laws and privacy protections find their roots.
Flash forward eight centuries, and there are now 196 countries in our world, each with its own sets of law, and many of those having different laws within the country. Within those countries, there are two primary systems: common law and civil law. Common law jurisdictions are generally uncodified, meaning that there is no comprehensive recitation of statutes or codes, and instead law is primarily developed through judicial decisions which establish legal precedent over time. On the other hand, civil law jurisdictions follow a system of law that is codified, meaning that such jurisdictions have comprehensive recitations of codes attempting to envision the potential application of those codes to different scenarios that courts must follow. In these jurisdictions judicial decisions are less important in future applications of the codified laws. Finally, within both systems, there are different sets of laws that primarily fall into private law (for our purposes, contract and torts are the most important subsections of private law, also referred to as civil law, but not to be confused with the civil law distinction discussed above) or public law (which also encompasses criminal laws, but for our purposes also contains such laws as data protection laws).
Law, whether common law or civil law, can ultimately be summed up in two basic concepts. The first is ‘complicated.’ As noted, there are currently 196 countries in our world, each with its own sets of law, and many of those having different laws within the country. And ultimately, each of those nations desires those laws to protect its citizens and therefore has an inherent interest in broadly applying those protections. For example, the United States has federal laws which will generally apply to any companies doing business within the United States, i.e. targeting their activities to U.S. citizens residing in the U.S. Under that federal law system, there are hundreds of District Courts interpreting and applying those laws, thirteen Circuit Court of Appeals serving as appellate courts for appeals from those District Courts, and ultimately, the United States Supreme Court also reviewing various cases from the Circuit Court of Appeals, especially when those courts decide similar issues differently or when laws are deemed to be unconstitutional. And that is just the federal level of the United States. Concurrently with those federal laws, there are fifty states, each of which has their own set of laws. And, while many of those laws mirror the federal laws and are similar throughout the fifty states, there are nevertheless enough differences to trip up even the most savvy of businesses, users, and, oftentimes, even lawyers. Those fifty states also have dozens, sometimes hundreds, of courts, their own appellate courts, and their own courts of final jurisdiction similar to the United States Supreme Court, applying such laws, oftentimes again with little to no indication how the ultimate determinations as to any given law will be decided.
In the European Union (EU), which is the primary focus of A4Cloud, there are 28 different member states and a complicated legal framework of laws which directly apply within those states (such as Regulations), other laws which Member States are obligated to enact, but with their own interpretation (such as Directives), and other areas of the law where Member States are free to enact their own legislation or stricter legislation than otherwise required in certain areas, oftentimes with little to no guidance from the EU and such laws being solely reserved to the Member States.
The ultimate conclusion from the foregoing is it is nearly impossible for a cloud provider to comply with all of the laws that may be applicable, especially when many of those laws are in conflict. Thus, again and to say the least, laws are complicated.
The second concept to describe our international laws is “It Depends.” Ask any lawyer or legal scholar a question as to a hypothetical or real situation and how the decision of law will be applied, and you most certainly will be met with a response in the vein of “it depends.” Lawyers will ask more questions about the facts, want more details, and even when you have all those answers, the lawyer will generally respond that the result will depend, whether it be on other undiscovered facts, the laws which might or might not apply, the “other side of the story,” how a court applies the law, and, in some jurisdictions and/or cases, how a jury views and decides the facts in question. This can be very frustrating for anyone having to deal with such laws, especially where there are serious implications in regard to such legal compliance. This becomes even more heightened in the Cloud, as not only are Cloud actors faced with trying to decide which of all the possible complicated laws they should comply with, but are then faced with uncertainty as to the application of those laws. This leads to many unintended consequences, including many companies consciously deciding to not comply with certain laws (generally making a risk assessment of where they might face jurisdiction, discussed in greater detail below, or minimal sanctions or penalties) or companies deciding to not to do business at all in some jurisdictions. But, the most common result is companies do what they can to comply in spirit in order to still conduct business, but hopefully avoid any consequences for any non-compliance with any given law.
2.2 How Laws are Generally Made
Most laws generally arise from human rights, social norms, economic necessities, and the necessary protection of society and citizens. How such laws are made in any given country or state may vary greatly, but most democratic states follow systems similar to that of the EU or US, the two most important jurisdictions in our review of Cloud Computing law. As a project that is partially funded by the European Commission, A4Cloud is primarily focused on EU law, especially the Data Protection Directive and proposed Data Protection Regulation. However, many of the companies doing business in the EU are companies organized under US law and the contracts being utilized, and/or terms and conditions of the use of such services is oftentimes governed by US law. Thus, examination of US law, at least in relevant part, is as equally important as many of the EU laws impacting the Cloud.
In the European Union, there are three main decision-making institutions involved in the law-making process: the European Parliament, the Council of the European Union, and the European Commission. Together, those three institutions produce the policies and laws that apply in varying degrees throughout the EU Member States depending on the type of law adopted. The process is very time-consuming, complicated, and oftentimes politically charged. One prime example is the data protection laws discussed in greater detail below and the ongoing attempt to adopt a Data Protection Regulation to replace the current Data Protection Directive. The difference between a Directive and a Regulation is an important one, especially with the current posture of the data protection Framework. A Directive is a law that each Member State must enact, but the Member State has discretion in how the law is made effective and generally such laws do not need to be enacted for many years after adoption. To the contrary, a Regulation is directly applicable and enforceable in all Member States. Thus, as seen below, the EU is attempting to transform the current Data Protection Regulation. Attempts to reform EU Data Protection law have been ongoing for a few years now, and yet remain in a relatively early stage of the process and only complicated further by elections and changes in the European institutions noted above. Oftentimes this leads to legislation being scrapped or having to be taken back to an earlier stage to essentially restart the process.
In the United States, as we saw, there are laws enacted at both the federal level and at the state level. The federal law-making process consists of three branches of government in the legislative branch (Congress), executive branch (the President and federal administrative agencies), and the judicial branch (federal courts). In its simplest of functioning, the legislative branch enacts the laws, the executive branch applies the laws, and the judicial branch interprets the laws (which as a common law jurisdiction can supplement, refine, and/or even void enacted laws). Most of the fifty states follow a similar process in adopting their own laws. Like the EU process, the US lawmaking process is very time-consuming and politically charged.
The next major factor after understanding how the laws are made, and what those laws actually provide, is how and whether those laws will apply to persons and entities. This concept can be summarized as jurisdiction, which for our purposes includes what laws will apply to any given situation and where that dispute will be adjudicated, also known as venue. Such determinations can be as complicated as the lawmaking process itself and present two general questions in respect to the Cloud: (1) can a state apply its public law to a foreign business, and if so, when and under what circumstances; and (2) in a private dispute, which laws will apply and which Court has the power to adjudicate that dispute?
Overview of Jurisdiction. In respect to the first question, a state’s laws always apply to those who are within the state’s geographical territory. But it is common for laws also to apply to those outside the territory if their activities affect the state in some way. Extra-territorial public law jurisdiction is guided by two overriding principles. The first is comity, in that a state should not regulate an activity where it is more appropriate for another state to do so. The second is the effects doctrine, in that a state may regulate a foreign activity which has effects in its territory. That brings us back to the basic underlying problem with the Cloud – when and where is it appropriate for a state to regulate a Cloud provider? Answering those questions leads to more questions, some of which are answered and addressed below in further examining some of the rules and regulations in respect to jurisdiction. More notably and quite problematic, is that when states are perceived to have overstepped their bounds, such excessive authority claims by states can lead to problems such as legal compliance becoming even more difficult, if not impossible, to be exercised in the future by the state; it can foster a culture of evasion by businesses and citizens of not only the laws in question, but also other laws; it can dilute the otherwise normative effect of law (again, even with other laws which were not originally the subject of the excessive authority claim); and, ultimately, it can create a conflict between states (which has been seen to some degree between the US and the EU in respect to the Data Protection Directive and some of the restrictions therein in regard to transborder transfers of data, discussed below). Again, all of these problems are especially common in the Cloud based on the nature of being able to do business over the Cloud and not having to otherwise be physically located within any given state to do so. As seen below, the Data Protection Directive purportedly answers that question in respect to EU Member States’ governance of data protection issues, though it again raises more questions and the answers may not be as clear as they first seem.
EU Jurisdiction. The EU has three main regulations when it comes to the assertion of jurisdiction. The first is the Brussels Regulation, which generally applies to consumer contracts and provides that a consumer may sue within his or her own jurisdiction, regardless of what the contract otherwise states. The second is the Rome I Regulation, which decides which state’s law applies to contracts, and for most situations provides that the law of a consumer’s residence will apply if the merchant has directed its activities to that state, but that a choice of law provision contained within a contract is enforceable if it does not derogate from any protections provided under the consumer’s national law. Finally, the Rome II Regulation applies in respect to torts (a civil wrong not otherwise controlled by a contract) and generally provides that the applicable law will be that of the state where the harm occurred. Though these regulations provide some semblance of clarity as to the exercise of jurisdiction, they are not always clear-cut. It is usually only possible to work out how they apply after the problem has arisen, rather than in advance, and difficulties can arise in answering questions like what constitutes a merchant directing their activities to a state and what constitutes harm in some cases and determining where that harm ‘occurs.’
US Jurisdiction. In the United States, there are two types of jurisdiction that must be present for a federal court to exercise jurisdiction and most states follow similar principles in regard to the exercise of jurisdiction under state constitutions and laws. The first is subject matter jurisdiction, meaning that either some federal law specifically applies or that a dispute is between two citizens of different states, or a different state and different country. The second is personal jurisdiction, meaning a party must have availed itself to the protection of the laws of the U.S. and have minimum contacts with the jurisdiction in question, generally a specific state. In respect to the Cloud, the decision and test provided in Zippo Manufacturing Co. v. Zippo Dot Com, Inc.  remains rather instructive. The court in the Zippo case held that courts should apply a sliding scale where purely passive operators will not be subject to personal jurisdiction, whereas active websites (similar to the targeting test of the Rome I Regulation in the EU) will be subject to jurisdiction. This test, while not binding on other courts as it was decided by a Pennsylvania District Court and therefore has no impact outside of that court, has nevertheless been widely accepted in reviewing situations involving internet companies, web companies, and now the evolution into the Cloud. However, as can readily be recognized, most Cloud companies will fall somewhere in the middle, leading to a complicated and fact-intensive analysis all leading back to the answer of “it depends” discussed above.
Final Thoughts Regarding the Law, the Lawmaking Process and Jurisdiction. This overview was not intended to scare the reader and make one avoid the Cloud altogether. Rather, this overview introduces some of the basic concepts of law which Cloud actors should consider and be aware of in conducting business and are which strong building blocks in looking at some of the issues below in respect to data protection laws and Cloud contracts. Nevertheless, as seen, some of these concepts are quite scary and Cloud actors should proceed with caution and diligence in undertaking business in the Cloud to ensure proper compliance. Dealing with these concepts will be explored in greater detail in Sect. 5 in discussing effective legal governance and accountability from a legal perspective, a concept being further explored by A4Cloud later this year and next year in much greater detail.
3 Data Protection Laws
As noted in the Introduction, A4Cloud is most concerned with two legal areas: data protection laws and contracts. Generally speaking, the approach to data protection varies around the globe. The EU has taken a paternalistic approach in adopting the Data Protection Directive in 1995 . As seen below, that Directive strives to provide a comprehensive framework to protect a person’s personal information, with state-established bodies charged with enforcing the law. Meanwhile, the US has taken a more hands-off approach to data protection in providing very little by way of comprehensive protections and instead generally being business-friendly. But, as seen in greater detail below, this does not mean that the US does not provide any protections to personal data, but rather has developed some overriding principles and sector-specific protections. Finally, some states have followed the EU model (countries such as Canada and many Latin American countries); other states have followed a sector-based approach like the U.S. (countries such as Japan); other states have followed more of a self-regulatory scheme (countries such as Australia and New Zealand); and other states have not enacted much protection at all (countries such as China). As of mid-2013, 99 countries had some sort of data protection framework, but over half of those nations adopted such laws after the year 2000, showing the recent increase in such legislation .
3.1 The EU – the Data Protection Directive and Proposed Data Protection Regulation – a Comprehensive Approach
This section of the paper gives an overview of the main EU data protection legislation and the key concepts in EU data protection law. This focuses on the current EU Data Protection Directive 1995. It then discusses the difficulties with applying data protection law in a cloud environment.
Origins of EU Data Protection Law. As referenced above, nearly 100 countries worldwide now have laws regulating personal data. Technological advances in the twentieth century meant that data could be manipulated in a variety of different ways with an increasing capacity to process, store, search and edit personal data.
Data protection laws are based on recognition of a right to privacy. All EU Member States were signatories to the European Convention on Human Rights (ECHR) that recognises in Article 8 a right to privacy. Various harmonisation measures in Europe on data protection such as the 1980 OECD guidelines and the Convention by the Council of Europe in 1981, led the European Commission to propose EU legislation to harmonise diverging data protection legislation in EU Member States. The EU data protection directive, adopted in 1995, is the key piece of legislation on data protection. This paper will focus on the current law because it is likely to remain the law until at least 2016. It is worth noting that on 25 January 2012 the European Commission unveiled a proposed legislative reform of the current data protection law in the EU that would replace the Data Protection Directive by a General Data Protection Regulation , but at the time of writing there is no predicted date by which the reform will be completed.
One feature of the current EU data protection law is that as it is a Directive, which means that it is addressed to Member States and not to citizens. Member States are required to implement the Directive into national law and they have discretion on how it is implemented. A minimum level of harmonisation is all that is required by the Directive. All Member States have enacted their own data protection laws based on the Directive and this means that there are different national laws in each EU Member States based on the Data Protection Directive, including some of which are stricter than that required by the Directive.
Data Protection Directive Main Concepts. The Directive regulates the processing of personal data, irrespective if such processing is automated or not.
Scope of Personal Data. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This includes any expression of opinion about the individual as set out in Article 2(a) of the DPD .
Sensitive personal data is a special category of personal data that is subject to stricter regulation under Article 8 of the DPD . Sensitive personal data relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership. There are more safeguards for sensitive personal data – due to fear of it being used to discriminate against groups of people. In most cases a person must be asked specifically if sensitive personal data can be kept about them.
The Distinction Between Data Processors and Controllers in Data Protection Law.
The law protects the rights of individuals whom the data is about, called data subjects, mainly by placing duties on those who decide how and why such data is processed, called data controllers.
A data controller is a person or company that collects and keeps data about people and ‘determines the purposes and means of processing of personal data’ under Article 2(d) of the DPD . The data controller has the main responsibility for complying with data protection legal obligations. A controller must ensure that processing of personal data complies with certain principles. Personal data must be processed fairly and lawfully for specified lawful purposes only. The processing must be adequate, relevant and not excessive. Personal data must also be updated as necessary, accurate and not kept longer than required. It must be processed in accordance with data subject rights.
The data processor is a ‘natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller’ under Article 2(e) of the DPD . Processors are not normally subject directly to obligations under the Data Protection Directive.
This distinction between data controllers and data processors is an important distinction because they are treated differently under the Directive, with responsibility and liability ultimately falling upon the data controller. Data controllers must ensure that any processing of personal data for which they are responsible complies with the law. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.
Data processors on the other hand are not subject to the law because they are presumed to be just following data controllers’ instructions. Data processing means performing any operation or set of operations on data, including: obtaining, recording or keeping data, collecting, organizing, storing, altering or adapting the data, retrieving, consulting or using the data, disclosing the information or data by transmitting, disseminating or otherwise making it available, aligning, combining, blocking, erasing or destroying the data.
Data controllers remain responsible for ensuring their processing complies with the law, whether they do it in-house or engage a data processor. In law, a controller of personal data who chooses to ‘outsource’ data storage or processing remains a controller and responsible for complying with the Data Protection Directive. If problems arise from third party failures, the controller is still liable.
As data processing activity becomes more complex, applying the distinction between data processor and data controller has become more and more difficult .
Principles of Data Protection
Collection and use of Personal Data. There is a requirement in the Directive that personal data is “Processed fairly and lawfully” under Article 6(1)(a) of the Data Protection Directive. Fairness requires the data subject to be informed of the purpose of collection and intended uses. Moreover “fair” depends on one’s perspective, and courts tend to interpret it from the data subject perspective. In addition, the data must be processed “for specified, explicit and legitimate and not further processed in a way incompatible with those purposes.” Article 6(1)(b) of the DPD. The problem here is that nowadays purposes are constantly shifting based on the data collected.
Legitimate Processing Criteria. In order to process data in compliance with EU data protection law, Article 7 of Data Protection Directive sets out certain criteria on which a controller must base its processing activity in order to be legitimate. These criteria are consent, necessity, contract requirement, legal obligation, protection of data subject, public interest and legitimate interests of the controller. Consent of data subject is the most often cited. It is not merely consent but informed consent that is needed. It is easy now to get ‘tick box’ consent, particularly online, but more difficult to show informed consent. Contractual necessity means that the processing is necessary to perform the contract, for example: billing information about the customer, the company will need to process name, address and details of payment in order to fulfil the customer’s contract.
Application of the Law. The EU Data Protection Directive applies when the data controller is established within the EU, which for foreign controllers means that it has a subsidiary, branch or agency with in the EEA under Article 4(1)(a) of the DPD . It also applies when the controller is in a place where national law applies by virtue of international public law (in a ship or aircraft flying a particular Member States’ flag) under Article 4(1)(b) of the DPD . Finally, it may apply to a controller that is not established in the EEA but that makes use of equipment situated in the EEA for the purposes of processing personal data under Article 4(1)(c) of the DPD . The national laws implementing the Data Protection Directive are not harmonized and implementations differ. This means that the provisions on jurisdiction are subject to interpretation. Potentially any online business dealing with EU customers could be found to be processing personal data on EU equipment (the customers’ computer) and therefore subject to EU data protection law. The proposed reform to the law proposes extending the scope of jurisdiction to anyone processing personal data of EU residents or targeting EU residents through data tracking, mining and targeted advertising. This facilitates the extraterritorial application of EU law, but is intended to ensure that EU data protection laws cannot be avoided by processing data outside the EEA.
Sending Personal Data Abroad. Personal data can be transferred freely to countries within the European Economic Area. Sending it to a country or territory outside the European Economic Area is only permitted, however, if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.
Article 25 of the Data Protection Directive restricts the transfer of data outside the EEA. A data export or transfer is considered data ‘processing’ for which data subject consent is required.
This has led to complex systems for complying with this provision and ensuring that personal data can be transferred to third countries (non-EEA) countries.
First, the European Commission can declare that certain countries provide adequate protection and data can be freely exported to those countries under Article 25(6) of the DPD . Relatively few countries feature on this list .
Effectively all exports of personal data from the EEA to third countries other than those above are prohibited unless there are special arrangements made or there is a derogation.
One of the special arrangements made for transfers of data to the US is the EU-US Safe Harbor principle, a process developed by the US Department of Commerce in consultation with the European Commission so that US companies could comply with the Data Protection Directive. This allows US organizations that import personal data from the EU to demonstrate an adequate standard of protection under Article 25 of the Data Protection Directive if they participate in this program.
Another way to comply is to use model contracts with standard contractual clauses, the terms of which have been approved by the European Commission for transfers of data outside the EEA as provided by Article 26(4) of the DPD . Clauses have been issued by the European Commission for transfers of personal data from an EEA-established controller to a controller in a third country or from an EEA-established controller to a third-country processor .
Binding Corporate Rules (BCRs) are codes of conduct dealing with international transfer of personal data within the same group of companies, within a multinational company . They are subject to approval by relevant national data protection authorities and this process can be long and costly.
Supervision and Enforcement. National data protection authorities  were required to be set up by Article 28 of the Data Protection Directive . This gives them three core powers: investigative powers, effective powers of intervention and power to engage in legal proceedings. They are required to receive and deal with complaints and required to provide annual reports that are made public. They also play a role in giving guidance and recommending changes to the law.
Supervisory authorities on data protection law include the European Data Protection Supervisor which is an independent supervisory authority to ensure that European institutions and bodies respect data protection law. In addition, there is a body that brings together all the EU data protection bodies: the Article 29 Working Party. The Article 29 Working Party is made up of representatives of the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. Its main role is to give advice to the Member States on the interpretation of the data protection directive and to achieve harmonious application of the data protection directive in the EEA. It also gives the European Commission an opinion on the laws that impact on data protection law.
Although this appears to be a vast system of data protection authorities, the reality is that the variations in national implementation of the Data Protection Directive and the lack of harmonisation between Member States has meant that there is a patchy data protection regime and, in some Member States, little enforcement of data protection law.
The Cloud and Data Protection. Cloud computing raises particular questions with regard to how data protection laws apply to personal data in the cloud. The implications of data protection law on cloud computing can be analysed based on the answers to four questions: What information in clouds is ‘personal data’? Who is responsible for personal data in clouds? Which Law(s) apply to personal data in clouds? How do restrictions on International data transfers work in cloud?  These issues are addressed briefly below but each highlights the difficulty in applying the current data protection legal framework to cloud.
Personal Data in the Cloud. The issue of what is considered as personal data in clouds is central to the application of data protection laws in the cloud . The EU Data Protection Directive and the national laws based on it only apply to ‘personal data’. The definition of personal data in the EU Data Protection Directive applies to data that is about an identifiable individual. This is a question of fact and may depend on context . In cloud, this is complicated by whether data should be treated as personal data in various different contexts: anonymized and pseudonymized data in cloud; encrypted data in cloud; and finally sharding or fragmentation of data in cloud. These forms of data involve different processes applied to personal data but in all cases whether the data remains personal data depends on the likelihood of identifying an individual. A ‘mere hypothetical possibility’ to single out someone is not enough to make the person identifiable. Nevertheless, this area of law lacks clarity. The status of encrypted and anonymized data has not been clarified in the law. The DPD dates from 1995 when technologies relating to anonymization, encryption and pseudonymization were only just developing. Therefore data controllers may need to adopt a cautious approach to personal data and the risks of someone re-identifying individuals from data.
The Distinction Between Data Processors and Data Controllers in Cloud . Data protection law is based on regulating the data controllers who are responsible for complying with data protection laws. In data protection law based on the EU Data Protection Directive, the distinction between the data controller and the data processor are key to applying the law. The controller has the main responsibility to comply with the law, while processors are not normally subject to data protection obligations. The complexity of this area particularly since the development of the internet has meant that the distinction between the controller and processor is not as straightforward as originally hoped . The official position by the Article 29 Working Party is that cloud providers are considered data processors, unless they become data controllers because they act in a manner inconsistent with their instructions . This is not the full picture and does not reflect the reality that the distinctions between data processor and data controller in cloud can be utterly blurred. For example, many cloud providers who run social networking or webmail services run advertisements based on the content of uploaded personal data and so are likely to be controllers . They are not merely processing uploaded data, but they are accessing it for its own purposes, i.e. targeting advertising to cloud users based on the uploaded data and consequently these cloud providers are data controllers. Examples like this illustrate how artificial a distinction between data processor and data controller and how one entity can be both in cloud.
The position of sub-providers in the cloud computing chain of responsibility in respect of data protection also complicates matters. Guidance by Data Protection regulators  regarding sub-providers in cloud and the chain of contractual responsibility often reflect a traditional ‘outsourcing’ view of the contractual relationship between the cloud provider and sub-providers, where the cloud provider delegates processing to its sub-provider. The reality is that many providers with sub-providers have already created services based on the sub-provider’s service . Many cloud services are pre-packaged services build on existing sub-provider services and sub-provider terms and providers may not want to change pre-existing arrangements with sub-providers for every new contract. Therefore the degree of control of sub-providers over personal data may be as a data controller rather than a processor. Consequently, the current state of the law with its distinction between controllers and processors is less and less satisfactory in cloud.
Deciding Which Laws Apply to Personal Data in Clouds. The issue of the Data Protection Directive applying to cloud computing providers and users outside the EEA and the jurisdiction of data protection authorities to regulate them is one that creates considerable uncertainty for cloud users and providers . Member States’ data protection rules are not harmonized and their interpretations of the Data Protection Directive’s jurisdictional scope are unclear. The fact that data processing is ‘somewhere in the cloud’ does not automatically exempt it from the Data Protection Directive. However, identifying when an entity falls within the jurisdiction of EU data protection law requires simplification and clarification of the current law on jurisdiction. One goal of the new proposed regulation is to clarify applicable law and to improve harmonization in the EU on this point.
Restrictions on International Data Transfer in Cloud. Cloud computing is potentially affected by restrictions on transferring personal data outside the EEA under the Data Protection Directive . The Data Protection Directive when drafted did not take into account the Internet and did not envisage cloud computing. The result is that the provisions in the Directive and the national laws based on the Directive in the EU on data export are neither clear not sufficiently harmonized across the Member States. This creates legal uncertainty with using cloud. The conception of data location in particular is particularly irrelevant to data protection laws, since data can be accessed remotely. Indeed, the concept of data location may even be meaningless in cloud.
Cloud and Managing the Problems with Current Data Protection Law. Compliance with the current law is extremely difficult for cloud providers and users since it is particularly ambiguous and has not been drafted for an online world, let alone for cloud. The danger is that the uncertainty could lead to paralysis and fear of uptake of cloud by some customers.
The current proposed reform of EU data protection law is not focussed on cloud in particular. As they stand , the proposed reforms may help with some matters, for example clarifying the issue of jurisdiction, but may make some issues worse, for example increasing restrictions on international data transfers. One way of managing the problems with current data protection laws and cloud is by ensuring that the contractual obligations as regards data location and confidentiality as well as provisions on data transfer, security and audit rights are all addressed and well defined.
3.2 The United States – a Sectoral Approach
Quite different from the comprehensive approach undertaken by the EU, the U.S. instead largely follows a sectoral model. This means that the United States has only provided for specific protections in certain industries, though, as seen below, the U.S. has expanded general protections provided to consumers and increased scrutiny on businesses in respect to privacy policies and information security. Such areas include the healthcare sector with protection of health records, law enforcement records, consumer financial transactions, telecommunications sectors, the protection of children, and some other narrow fields.
In the Matter of GeoCities, Inc.  – this represented the first FTC Internet privacy enforcement action in which the FTC alleged that GeoCities, which operated a website promoting an online community on which users could maintain personal home pages, misrepresented how it would use personal information in its privacy notice and also maintained children’s personal information without parental consent. GeoCities settled the action and the FTC issued a consent decree, which is a judgment entered by consent of the parties in which the defendant agrees to cease and desist from the alleged illegal activity, usually without admitting any wrongdoing.
In the Matter of Eli Lilly & Co.  – Eli Lilly & Co. is a pharmaceutical manufacturer which collected personal information from subscribers on its website, including sending updates to remind customers to take their medicine. When Eli Lilly & Co. ended that program, it inadvertently sent a mass email revealing the email addresses of all subscribers. Eli Lilly & Co. settled the enforcement action brought by the FTC, in which Eli Lilly & Co. agreed to adhere to its representations regarding the collection, use and protection of customer’s data. Most notably, this also marked the first case where a defendant was also required to develop and maintain an information privacy and security program.
In the Matter of Gateway Learning Corp.  – Gateway Learning maintained a privacy notice stating that it would not sell, rent or loan any customer’s personal information without express consent of the customer. The notice also contained an opt-out provision if Gateway Learning’s policy changed. Thereafter, Gateway Learning rented out customers’ personal information to third-party marketers and advertisers, without providing the opt-out option to the customers. The 2004 consent decree entered against Gateway Learning provided that Gateway Learning would comply with its policy and required Gateway to relinquish all funds obtained from renting its consumers’ information.
In the Matter of Google Inc.  – this 2011 action resulted from Google’s introduction of Google Buzz, a social networking service, which was integrated with Gmail, Google’s email service. Gmail users were automatically enrolled in Buzz without having to provide any consent. Buzz utilized information pulled from Gmail, making such information public without disclosing such use to its customers. Such conduct conflicted with Google’s own privacy notice contained on its website. The FTC alleged such conduct constituted a deceptive trade practice and that Google was in violation of the US-EU Safe Harbor framework. The consent decree was important for two reasons: (1) it represented the first time there was significant enforcement of the US-EU Safe Harbor by the FTC; and (2) it required Google to implement a comprehensive privacy program, with Google undergoing third-party privacy audits on a biannual basis.
In the Matter of Facebook Inc.  – in 2011, Facebook settled this FTC action in which there were eight counts brought against Facebook, mostly arising from Facebook’s repeated changes to its services resulting in private information being made public. Pursuant to the consent decree, Facebook was required to (1) provide users with clear notice; (2) obtain user consent before making retroactive changes to privacy terms; (3) refrain from making any further deceptive privacy claims; (4) establish and maintain a comprehensive privacy program; and (5) obtain biannual independent third-party audits of its privacy program for the next twenty years.
FTC v. Wyndham Worldwide Corporation, et al.  – this action was brought in the United States District Court, District of New Jersey in which the FTC alleged Wyndham Worldwide Corporation, which operated hotels, failed to maintain reasonable and appropriate data security for consumers’’ sensitive personal information. Wyndham moved to dismiss the case, but in April of 2014 and in a 42-page opinion, the District Court held that the FTC did have the authority to bring the claims against Wyndham, thereby bolstering the FTC’s right to bring privacy and data protection actions and implying security and privacy requirements for businesses that were not otherwise expressly required under law. The case remains pending and it appears likely that Wyndham will appeal the District Court’s decision.
Similarly, the Obama Administration has also been more proactive in promulgating overriding principles for data protection, including, individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability in its 2012 issuance of the report “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” Reference  In response to that report, the Federal Trade Commission issued a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”  guiding companies to follow three general principles of (1) privacy by design; (2) simplified consumer choice; and (3) transparency. In examining those principles, it can be seen that perhaps the US and EU are not as far apart as to data protection as it would otherwise appear in media reports and other descriptions of the two policies.
3.3 Some Other Countries’ Noteworthy Approaches
As Cloud providers and customers may also be subject to other countries’ laws, it is worthwhile to mention a few other approaches employed throughout the world.
One approach is the use of a more self-regulatory and/or co-regulatory approach, such as the one employed in Australia, which has adopted the Privacy Amendment Act 2000, but which otherwise encourages industry organizations to develop self-regulatory codes. Australian law also generally requires organizations to do what is reasonable under any given circumstances, as opposed to some of the bright-line rules envisioned by the EU Data Protection Directive or some of the sectoral laws in the U.S.
As noted above, other countries have adopted their own regulations, oftentimes following that of the EU, oftentimes following that of the US, and/or otherwise adopting some hybrid approach.
Finally, some countries, including China (but which does provide its citizens with a constitutional right to privacy), have yet to adopt any sort of data protection regulation, though proposed legislation is being reviewed and debated in some of those countries.
4 The Role of Contracts in the Cloud
The other important legal consideration involved in the use of cloud, and a critical method to dealing with legal risks, including the data protection risks, is to manage this by agreeing appropriate safeguards in the contract with the cloud provider. Contract law concerns the legal relationship between individuals, which includes organisations. It applies irrespective of technology and therefore there no specific terms for ‘cloud contracts’. The contract establishes the ‘rules’ between parties and covers who does what, who pays what, what each side expects and is a feature of private law, rather than public regulatory law. We refer to this contract between the end-customer and the cloud provider as the ‘cloud contract’.
Contracts can be divided into two categories: the negotiated contracts and the non-negotiated standard-form contracts. Most cloud contracts are non-negotiable standard-form contracts . We will examine the main features of each below.
4.1 Standard Cloud Contracts
Standard terms and conditions contracts are often a feature of contracts between business providers and consumers or small and medium sized enterprise (SME) customers. They do not have the bargaining power of larger business customers to negotiate contract terms, nor do they have in-house legal team to help them negotiate, nor sometimes the interest in negotiating contract terms. Most cloud contracts are the providers’ standard terms designed for high-volume, low-cost, standard services. Many consumer customers click to accept without even reading them.
In a survey of standard cloud contract terms , the results showed that many cloud providers included wide-ranging disclaimers of liability or warranty that the cloud service would operate as described and it included often included remedies only in the form of credits against future services. On the other hand, the research findings showed that there was a range of potential variations between cloud providers in their standard contracts when it concerned matters such as: the threshold for disclosing customer data to third parties, the extent to which data would be maintained by the provider at the end of the contract term and the jurisdiction and choice of law in the contract for contract enforcement. These terms could be significant and influence the choice of cloud provider.
Many consumer and SME customer did not have the know-how to assess the differences between standard cloud contracts. They often clicked their consent to these terms and conditions, without considering whether the standard contract suited them or not. Section 4.3 describes a software tool being developed as part of the Accountability for Cloud project to help consumer and SME customers assess which cloud provider standard contract is most appropriate for them.
4.2 Negotiated Cloud Contracts
Negotiated contract for cloud services are the exception rather than the rule and are often confined to large customers . Contract negotiation often depends on the economic bargaining power between the respective parties and cloud contracts are no different. The starting point for cloud contracts is usually providers’ standard terms and, since these do not accommodate large business users’ needs, cloud users seek to negotiate.
limitation of liability clauses  – Cloud providers’ terms that limited or entirely excluded liability for data loss or for service outages were, unsurprising, the most important terms that cloud customers wanted to negotiate. It was also an area where cloud providers were most like to be intransigent, excluding or capping liability. The nature of the service was a factor in negotiations, with providers more reluctant to accept liability for cheap, commoditized services than for bespoke services. The type of customer also played a role; governments and financial institutions, for example, would insist on unlimited provider liability for certain types of loss caused by breach of regulation or security requirements.
clauses concerning data integrity and business continuity – Cloud providers tend to provide backup as a separate services so that if the user pays extra, the provider will make backups. Back-up service does not mean, however, that providers will warrant data integrity or accept liability for data loss and therefore additional specific warranties need to be negotiated with providers.
service levels  – the approach to service level agreements (SLAs) covering matters such as availability levels and performance often led to debate between customers concerning methods for measuring service levels. As standards in this area develop , agreeing on the key performance indicators (KPIs) will become much easier.
regulatory issues  – clauses mainly relating to the cloud customer needing to demonstrate compliance obligations to regulators since these are often not taken into account in standard cloud contract terms. For example, cloud customers have obtained warranties from cloud providers that all data centres used for their data were in the EU or EEA so that data is kept within the EU and in this way can show data protection authorities that data are not being transferred outside the EEA.
confidentiality clauses  – Users want to guarantee the confidentiality of their information, whether it is personal information of an individual user or business data which could even constitute a trade secret.
security requirements  – Security requirements are a key user concern. Users may want to specify detailed security requirements, but also ask for audit rights. Some users, particularly in the regulated financial services sector, need audit rights to show to financial auditors and regulators that they are compliant with regulation. In addition users often want security breach notifications from cloud providers, which are often not part of any standard contract terms but are required by large customers.
lock-in and exit  – End of contract transition and exit strategy are important to cloud users and concerns about ‘lock-in’ are often cited as the highest user concerns, after security. Lock-in can mean various concerns but the biggest is the inability to exit a contract and, in a cloud context, the inability to retrieve data from your cloud provider, which could effectively prevent the customer switching from the cloud provider and result in them being “lock-in” to a particular cloud provider. Users want to be able to retrieve data from cloud providers at the end of the contract, or whenever they terminate the contracts. Data portability and data retention on termination of the contract, to allow the customer enough time to retrieve contract data, are key issues in negotiated contracts.
term and termination  – the length of the contract and how the contract is terminated, whether by the passage of term, fulfilment of obligations, and/or some other event, i.e. default.
The level of success in negotiating these issues appeared to depend on the bargaining power of the customer and their insistence. Large providers generally refuse to negotiate terms and decline changes to their standard terms insisting on a ‘take it or leave it’ approach even when a large customer requests it . Negotiated cloud contracts are as a result rare and the majority of cloud contracts are on cloud providers’ standard terms.
4.3 A4Cloud Approach to Cloud Contracts
Accountability tools are intended to reassure customers and win their confidence in using cloud services. As part of the Accountability for Cloud project, a software tool called the COAT tool (Cloud Offerings Advisory Tool) is being developed that is geared towards enabling customers understand and compare various cloud provider standard contracts. This tool is aimed at consumers and SME customers. These customers do not have the ability to negotiate contract terms with cloud providers and often accept standard contract terms from cloud providers without really understanding their implications. They are customers that may not be well informed about contract terms and may not be in a position to seek specialist advice before agreeing to a contract. This tool is intended to empower these customers by acting like a comparison website, comparing the various offerings by different cloud providers and trying to match the offering that is most appropriate for the customer, based on criteria that the customer specifies.
Comparison websites have flourished particularly in regulated markets like insurance, energy and communications. Consumers seek to understand complex offering in these markets by having a comparison website provider rank different offers with explanations of the differences. Choice tools, such as comparison websites, have been praised by consumer authorities for empowering consumers to make choices, particularly in complex product and services markets . This is however on condition that they respect data protection laws, are transparent about how they show search results and have clear contact details and a complaints procedure for consumers that are shown on the website .
The COAT tool operates like a comparison website for cloud standard contracts. The customer needs to complete a questionnaire online states its preference for particular features of cloud service. The tool compares standard cloud offerings by comparing cloud contract terms offered to consumers and SMEs - for example location of storage or jurisdiction for litigation. In addition, the tool gives ‘pop-up’ explanations of what the contract terms means for the consumer or SME customer so that they understand what these mean. The result is that the customer has a tool to compare the various standard cloud contracts and it can choose only from those cloud providers that have the features it requires in a cloud service.
5 Policy and Governance
As we have seen, there are numerous legal considerations for Cloud providers, Cloud customers, and Cloud users to consider in their use of the Cloud. And, while most of the strictest requirements arise from the law, in particular regulatory obligations and contractual obligations, sound legal governance also takes into consideration technological developments and tools, market and economic factors, and the cost and value of compliance. Accordingly, A4Cloud tries to take all of those factors into consideration in providing guidance and tools for Cloud providers to better achieve accountability, thereby benefitting all Cloud actors in increased security, a higher level of automated compliance, and a sound overall policy to achieve accountability. Discussion of the various A4Cloud tools which are in development, as well as comprehensive guidance as to legal and regulatory dependencies by Cloud providers, is beyond the scope of this paper. Additionally, there are approximately a dozen tools currently in various stages of development, most of which have corresponding papers detailing the issues which the tools address .
For Cloud providers, sound legal governance is generally viewed as effectuating safeguards to protect confidentiality, integrity and availability of data. Such protections arise from three areas: administrative steps, technical steps, and physical steps in effectuating proper safeguards within a company. Administrative steps include developing strong policies and safeguards and utilizing other administrative measures such as role-based controls to provide sound information security. Administrative steps also include policy enforcement, training, and enforcement of such policies. Technical steps include the use of technology, such as encryption, public key infrastructure, password management, authentication, tracking, non-repudiation, digital signatures and other technological tools to aid in data protection. Notably, much of the focus of A4Cloud is on the development of such tools in promoting information security, data protection, and accountability. Finally, physical steps are those steps that can be physically taken and which should not otherwise be forgotten by Cloud providers. Those steps include use of locks, perimeter controls and security monitoring. While companies are not required under any regulations to employ all measures available to them, they nevertheless should conduct a risk assessment in identifying the threat, vulnerability, and the expected loss in determining which measures should be taken and at what cost. Such an assessment and the resulting measures not only will serve to better protect the data entrusted to the Cloud provider, but it will also aid the Cloud provider in defending those measures in the event of a breach and, ultimately, to be a more accountable Cloud provider, the overriding goal of A4Cloud.
All of the foregoing takes hours of preparation, implementation, and ongoing monitoring and enforcement. Most Cloud providers should begin their compliance programs with the hiring and/or selection of a capable person as a privacy officer to oversee the entire program. This might not be a lawyer, but certainly a lawyer should be consulted to ensure that there is proper regulatory and contractual compliance and to ensure that contracts are properly negotiated and prepared. The lawyer will also be able to assist in an advisory role as to ongoing compliance, especially in tracking the evolving regulations and enforcement actions by various authorities. However, an effective policy, use of available tools, and consistent monitoring and enforcement of the policy will ensure accountability, especially when faced with a system failure and/or data breach.
Cloud customers will want to ensure that the contracts entered into with Cloud providers provide adequate protection for service levels, audit rights, redress and remediation, and other contractual provisions to ensure that the Cloud provider is fulfilling its contractual and regulatory requirements. Again, use of a lawyer will be the best first step in such protections, especially in regard to preparing or reviewing, negotiating and finalizing any contract. But of course, consumers and SMEs may not be able to afford lawyers, and will thus need to rely on tools such as COAT.
Finally, Cloud users, i.e. individual consumers, will want to ensure that the Cloud provider and/or any business with which the user is dealing with which are conducting some business through the Cloud and collect, use or otherwise process personal information, have proper policies in place and that such companies ensure, at least through their privacy notices, terms and conditions, and/or contract that such personal information is processed for only the stated purposes and that proper remedies are in place should the Cloud provider or business utilizing the Cloud fail in their obligations.
A4Cloud is undertaking more than three years of analysis and development of the current Cloud landscape in developing guidance and tools for all cloud actors in increasing accountability throughout the Cloud. A major part of that endeavor is the analysis of the regulatory and contractual issues that oftentimes dominate accountability. As seen herein, the legal landscape, especially as it relates to the Cloud, can be quite a quagmire of unclear and conflicting regulations, leaving Cloud providers oftentimes to guess and make what amounts to a best effort in complying. Nevertheless, by carful analysis and the consistent exercise of diligence, Cloud providers can be accountable, even when it comes to the regulatory compliance of the most relevant and controlling laws. Further, drafting of contracts and regular review of contractual terms and obligations can provide further protection to all Cloud actors. Finally, Cloud providers can increase their own accountability for the betterment of all Cloud actors by carefully considering and implementing policies and tools to increase transparency and responsibility. A4Cloud continues to research and provide guidance as to all these areas, as well as the development of tools to help automate many of the tasks necessary for Cloud providers to increase accountability. All research being conducted, all guidance being provided, and all tools being developed are scheduled to be completed by A4Cloud by the end of 2015 and we invite you to continue to follow such research and development.
- 1.Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119 (W.D. Pa. 1997)Google Scholar
- 2.Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281, 23/11/1995, pp. 31 – 50. (Hereafter referred to as the ‘Directive’ and/or the ‘DPD’)Google Scholar
- 3.Global Tables of Data Privacy Laws and Bills (3rd edn., June 2013), UNSW Law Research Paper No. 2013-39Google Scholar
- 4.Data protection law reform proposals published by the European Commission on 25 January 2012 are available at http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
- 5.WP169, Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’, WP 169 (2010)Google Scholar
- 6.Commission decisions on the adequacy of the protection of personal data in third countries published by the European Commission available at http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm
- 7.Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU0), [12 February 2010] OJ L39/5Google Scholar
- 8.European Commission working papers on Binding Corporate Rules at http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/tools/index_en.htm
- 9.EU Member State data protection authorities are listed on the European Commission website at http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm
- 10.Millard, et al.: Cloud Computing Law (2013, OUP Oxford) Part III Protection of Personal Data in Clouds, pp. 165–282Google Scholar
- 11.Hon, W., Millard, C., Walden, I.: What is regulated as personal data in clouds? In: Millard, C. (ed.) Cloud Computing Law, chap. 7, pp. 167–192. Oxford University Press, Oxford (2013)Google Scholar
- 12.Opinion 4/2007 on the Concept of Personal Data, WP 136 (2007)Google Scholar
- 13.Hon, W., Millard, C., Walden, I.: Who is responsible for personal data in the clouds? In: Millard, C. (ed.) Cloud Computing Law, chap. 8, pp. 193–219. Oxford University Press, Oxford (2013)Google Scholar
- 14.A29WP, Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’, WP169 (2010)Google Scholar
- 15.A29WP, Opinion 05/2012 on Cloud Computing, WP196 (2012)Google Scholar
- 16.Hon, W., Hörnle, J., Millard, C.: Which law(s) apply to personal data in clouds? In: Millard, C. (ed.) Cloud Computing Law, chap. 9. Oxford University Press, Oxford (2013)Google Scholar
- 17.Hon, W., Millard, C., Walden, I.: How do restrictions on international data transfers work in clouds? In: Millard, C. (ed.) Cloud Computing Law, chap. 10, pp. 254–282. Oxford University Press, Oxford (2013)Google Scholar
- 18.Decision and Order, In the Matter of GeoCities, Inc., FTC File No. 98203915, 12 February 1999. www.ftc.gov/os/1999/02/9823015.do.htm
- 19.Decision and Order, In the Matter of Eli Lilly & Co., FT File No. 012-3214, 10 May 2002. www.ftc.gov/os/1999/02/9823015.do.htm
- 20.Decision and Order, In the Matter of Gateway Learning Corp., FTC File No. 042-3047, 17 September 2004. www.ftc.gov/os/caselist/0423047/040917do0423047.pdf
- 21.Decision and Order, In the Matter of Google Inc., FTC File No. 102-3136, 30 March 2011. www.ftc.gov/os/caselist/1023136/110330googlebuzzagreeorder.pdf
- 22.Decision and Order, In the Matter of Facebook, Inc., FTC File No. 092-3184, 29 November 2011. http://ftc.gov/os/caselist/0923184/111129facebookagree.pdf
- 23.Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Case No. 2 :13-cv-1887 (ES-JAD), United States District Court, District of New Jersey, Doc. No. 181 filed April 7, 2014Google Scholar
- 24.US Government White House ‘Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy’ February 23, 2012 available at www.whitehouse.gov/sites/default/files/privacy-final.pdf
- 25.Federal Trade Commission report ‘Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers’ March 26, 2012 available at http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
- 26.Bradshaw, S., Millard, C., Walden, I.: Standard contracts for cloud services. In: Millard, C. (ed.) Cloud Computing Law, chap. 3, pp. 39–72. Oxford University Press, Oxford (2013)Google Scholar
- 27.Hon, W., Millard, C., Walden, I.: Negotiated contracts for cloud services. In: Millard, C. (ed.) Cloud Computing Law, chap. 4, pp. 73–107. Oxford University Press, Oxford (2013)Google Scholar
- 28.Gleeson, N., Walden, I.: It’s a jungle out there’?: Cloud computing, standards and the law. Eur. J. Law Technol. 5(2) (2014)Google Scholar
- 29.OFT (2012) “Price Comparison Websites. Trust, Choice and Consumer Empowerment in online markets” (November 2012, OFT 1467). European Commission ‘Comparison Tools – Report from the Multi-Stakeholder Dialogue, Providing consumers with transparent and reliable information’ (Report presented at the European Consumer Summit 18–19 March 2013)Google Scholar
- 30.Papers and updates on A4Cloud tools are available at the project website at www.a4cloud.eu