Is a Picture Worth a Thousand Terms? Visualising Contract Terms and Data Protection Requirements for Cloud Computing Users

  • Samson Esayas
  • Tobias Mahler
  • Kevin McGillivray
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9881)


The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practises. Visualisation of contract terms and privacy policies has the potential to provide cloud consumers with an improved means of understanding the contract terms they are accepting when entering into an agreement with a Cloud Service Provider (CSP). The following paper examines two concrete proposals or models for the visualisation of contract terms and privacy practises as compliance tools in the European context. The article focuses primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be more effectively conveyed.


Visualisation of law Contract terms Consumer protection law Data protection law Cloud computing 



This work was partly supported by EU-funded (FP7/2007-2013) Coco Cloud project [grant no. 610853] and the SIGNAL project (Security in Internet Governance and Networks: Analysing the Law) funded by the Norwegian Research Council and UNINETT Norid AS.


  1. 1.
    Mell, P., Grance, T.: The NIST Definition of Cloud Computing (Special Publication 800-145 edn., Version 15 (2011)Google Scholar
  2. 2.
    Jansen, W., Grance, T.: NIST guidelines on security and privacy in public cloud computing. In: U.S. Department of Commerce (ed.) (Special Publication 800-144: National Institute of Standards and Technology (2011)Google Scholar
  3. 3.
    Reinecke, P., Seybert, H.: EuroSTAT Internet and cloud services - statistics on the use by individuals (2014)Google Scholar
  4. 4.
    Waelde, C., Edwards, L.: Law and the Internet, 3rd edn. Hart Publishing, Oxford (2009)Google Scholar
  5. 5.
    Matwyshyn, A.M.: Privacy the hacker way. Southern California Law Review, vol. 87(1) (2013)Google Scholar
  6. 6.
    Mahler, T.: Visualisation of legal norms. In: Jon Bing: En Hyllest/A Tribute. Gyldendal Norsk Forlag A/S, pp. 137–153 (2014). ISBN: 9788205468504Google Scholar
  7. 7.
    Barton, T.D., Berger-Walliser, G., Haapio, H.: Visualization: seeing contracts for what they are, and what they could become. J. Law Bus. Ethics 19, 47–64 (2013) Google Scholar
  8. 8.
    Lessig, L.: Code version 2.0 (Basic Books) (2006)Google Scholar
  9. 9.
    Rumbaugh, J., Booch, G., Jacobson, I.: The Unified Modeling Language Reference Manual, 2nd edn. Addison-Wesley, Boston (2004)Google Scholar
  10. 10.
    Chang, C.: Street Vendor Guide: Accessible City Regulations (2009)Google Scholar
  11. 11.
    Hilgendorf, E.: Beiträge zur Rechtsvisualisierung (Logos) (2005)Google Scholar
  12. 12.
    Röhl, K.F., Ulbrich, S.: Recht anschaulich: Visualisierung der Juristenausbildung. Halem, Köln (2007)Google Scholar
  13. 13.
    Hoogwater, S.: Beeld‘‘al voor juristen: Grafische modellen om juridische informatie toegankelijker te maken (Boom Juridische uitgevers) (2009)Google Scholar
  14. 14.
    Brunschwig, C.: Visualisierung von Rechtsnormen legal design (Schulthess) (2001)Google Scholar
  15. 15.
    Kohn, B.: Amicus Curiae, Brief to the United States District Court for the Southern District of New YorkGoogle Scholar
  16. 16.
    Brunschwig, C.: Tabuzone juristischer Reflexion, Zum Mangel an Bildern die geltendrechtliche Inhalte visualisieren. In: Schweighofer et al. (ed.), Zwischen Rechtstheorie und e-Government, Aktuelle Fragen der Rechtsinformatik (2003)Google Scholar
  17. 17.
    Wagner, A.: The rules of the road, a universal visual semiotics. Intl. J. Semiotics Law 19, 311–324 (2006)CrossRefGoogle Scholar
  18. 18.
    Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281/31Google Scholar
  19. 19.
    Posner, R.A.: Economic Analysis of Law, Aspen Casebook Series, 8th edn. Aspen Publishers, New York (2011)Google Scholar
  20. 20.
    Lynskey, O.: Deconstructing data protection: the “added-value” of a right to data protection in the EU legal order. Intl. Comp. Law Q. 63(03), 569–597 (2014)CrossRefGoogle Scholar
  21. 21.
    Edwards, L., Abel, W.: The use of privacy icons and standard contract terms for generating consumer trust and confidence in digital services. CREATe working paper series.  10.5281/zenodo.12506
  22. 22.
    Special Eurobarometer 431, Data Protection (European Commission, 2015) Catalogue Number DS-02-15-415-EN-NGoogle Scholar
  23. 23.
    World Economic Forum, Unlocking the Value of Personal Data: From Collection to Usage (2013)Google Scholar
  24. 24.
    McDonald, A., Cranor, L.: The cost of reading privacy policies. In: Proceedings of the Technology Policy Research Conference, 26–28 September 2008Google Scholar
  25. 25.
    Calo, R.: Digital market manipulation. Geo. Wash. L. Rev. 82, 995 (2013)Google Scholar
  26. 26.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive Directive 95/46/EC (General Data Protection Regulation, hereinafter GDPR) OJ L 119/1Google Scholar
  27. 27.
    De Hert, P., Papakonstantinou, V.: The proposed data protection Regulation replacing Directive 95/46/EC: a sound system for the protection of individuals. Comput. Law Secur. Rev. 28, 130–142 (2012)CrossRefGoogle Scholar
  28. 28.
    Sunstein, C.R.: Information regulation and information standing: akins and beyond. University of Pennsylvania L. Rev. 147, 613 (1999)CrossRefGoogle Scholar
  29. 29.
    Committee on Civil Liberties, Justice & Home Affairs, Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 21 November 2013. Available at (LINK) (Hereinafter Parliament Draft)Google Scholar
  30. 30.
    Consolidated Version of the Treaty on the Functioning of the European Union, Article 289(1) (2012) O.J (C 326)Google Scholar
  31. 31.
    Helton, A.: Privacy Commons Icon Set (2009).
  32. 32.
    Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts, OJ L 095, 21/04/1993, pp. 0029–0034 (Unfair Terms Directive)Google Scholar
  33. 33.
    Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98//27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council, OJ L 149, 11/06/2005, pp. 0022–0039 (Unfair Commercial Practices Directive)Google Scholar
  34. 34.
    Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council Text with EEA relevance (Consumer Rights Directive)Google Scholar
  35. 35.
    Regulation (EC) No. 593/2008 of 17 June 2008 on the law applicable to contractual obligations (Rome I)Google Scholar
  36. 36.
    Council Regulation (EC) No. 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels I)Google Scholar
  37. 37.
    Consumer Rights Directive Art. 3. See also Rec. 22. The ECD introduces concepts such as the ‘country of origin rule’ to harmonize the rules (licensing etc.) that online actors must comply with. Essentially, this requires that CSPs only have to follow the regulations of the country where they are established, not the rules of all member statesGoogle Scholar
  38. 38.
    Rustad, M.L., Onufrio, M.V.: Reconceptualizing consumer terms of use for a globalized knowledge economy. Univ. Pennsylvania J. Bus. Law 14, 1085 (2012)Google Scholar
  39. 39.
    Millard, C.J.: Cloud Computing Law. Oxford University Press, Oxford (2013)CrossRefGoogle Scholar
  40. 40.
    Loos, M.B.M.: Analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content contracts. University of Amsterdam (2011)Google Scholar
  41. 41.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Samson Esayas
    • 1
  • Tobias Mahler
    • 1
  • Kevin McGillivray
    • 1
  1. 1.Norwegian Research Center for Computers and LawUniversity of OsloOsloNorway

Personalised recommendations