Privacy Regulations for Cloud Computing: Compliance and Implementation in Theory and Practice

  • Joep Ruiter
  • Martijn Warnier


Cloud Computing is a new paradigm in the world of IT. In traditional IT environments, clients connected to a number of servers located on company premises. In Cloud Computing, users connect to the ’Cloud’, appearing as a single entity as opposed to multiple servers. Outsourcing data to the Cloud Service Provider (CSP), an external party involves giving the CSP some form of control over the data. Privacy regulations put requirements on organizations regarding storage, processing and transmission of data. Outsourcing this data to a CSP involves outsourcing partial control over the storage, processing and transmission of data and privacy regulations become relevant. This paper addresses the questions as to how existing regulations in the area of privacy affect the implementation of Cloud Computing technologies and how the implementation of Cloud Computing technologies affect compliance with these regulations.


Cloud Computing Cloud Service Provider Federal Trade Commission Public Cloud Privacy Regulation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors would like to thank Shay Uzery and Accenture for making this research possible. We also like to thank the anonymous reviewers for many suggestions that helped to improve the overall quality of the paper.


  1. Annecharico, D. “Notes & Comments: V. Privacy after GLBA: Online Transactions: Squaring the Gramm-Leach-Bliley Act Privacy Provisions With the FTC Fair Information Practice Principles.” North Carolina Banking Institute 6, (2002): 637–695.Google Scholar
  2. Armbrust, M., A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, et al. “Above the clouds: A berkeley view of cloud computing.” EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2009–28, 2009.Google Scholar
  3. Baase, S. A Gift of Fire: Social, Legal, and Ethical Issues for Computing and the Internet. Prentice Hall, 2007.Google Scholar
  4. Baumer, D., J. Earp, and J. Poindexter. “Internet Privacy Law: A Comparison Between the United States and the European Union.” Computers & Security 23, 5 (2004): 400–412.CrossRefGoogle Scholar
  5. Bender, D., and L. Ponemon. “Binding Corporate Rules for Cross-Border Data Transfer.” Rutgers Journal of Law & Public Policy, (2006)Google Scholar
  6. Birnhack, M. “The EU Data Protection Directive: An Engine of a Global Regime.” Computer Law & Security Report 24, 6 (2008): 508–520.CrossRefGoogle Scholar
  7. Bull, G. “Data Protection – Safe Harbor, Transferring Personal Data To The USA.” Computer Law & Security Report 17, 4 (2001): 239–243.CrossRefGoogle Scholar
  8. Eisenhauer, M. “Privacy and Security Law Issues in Off-shore Outsourcing Transactions.” Hunton & Williams, Atlanta Georgia 15, (2005).Google Scholar
  9. EU Directive. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (1995).Google Scholar
  10. Fromholz, J. “The European Union Data Privacy Directive.” Berkeley Technology Law Journal 15, (2000): 461.Google Scholar
  11. FTC. Federal Trade Commission, Fair Credit Reporting Act, (2009).Google Scholar
  12. Gellman, R. “WPF REPORT: Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” Released February 23, (2009).Google Scholar
  13. Gentry, C. A Fully Homomorphic Encryption Scheme, Phd Thesis, Standford University, (2009).Google Scholar
  14. Grossman, R. “The Case for Cloud Computing.” IT Professional 11, 2 (2009): 23–27.CrossRefGoogle Scholar
  15. Grossman, R., and Y. Gu. “On the Varieties of Clouds for Data Intensive Computing.” Data Engineering 44, (2009).Google Scholar
  16. HIPAA (1996). Health Insurance Portability and Accountability Act of 1996.Google Scholar
  17. Jaeger, P., J. Lin, and J. Grimes. “Cloud Computing and Information Policy: Computing in a Policy Cloud?” Journal of Information Technology & Politics 5, 3 (2008): 269–283.CrossRefGoogle Scholar
  18. Jaeger, P., J. Lin, J. Grimes, and S. Simmons. “Where is the Cloud? Geography, Economics, Environment, and Jurisdiction in Cloud Computing.” First Monday 14, 5–4, (2009).Google Scholar
  19. Jentzsch, N. “The regulation of financial privacy: the United States Vs Europe.” ECRI Research Report 5, (2003).Google Scholar
  20. Leavitt, N. “Is Cloud Computing Really Ready for Prime Time?” Computer 42, 1 (2009): 15–20.CrossRefGoogle Scholar
  21. Lederman, L., B. Suri, J. Houston, and S. Itchhaporia. The Next Stage of Computing. William Blair & Company, (2008).Google Scholar
  22. Lewis, S. “Cloud Computing Brings New Legal Challenges.” New York Law Journal, (2009).Google Scholar
  23. Lin, G., D. Fu, J. Zhu, and G. Dasmalchi. “Cloud Computing: IT as a Service.” IT Professional 11, 2 (2009): 10–13.CrossRefGoogle Scholar
  24. Movius, L. and N. Krup. “U.S. and EU Privacy Policy: Comparison of Regulatory Approaches.” International Journal of Communication, (2009):169–187.Google Scholar
  25. Mowbray, M. “The Fog over the Grimpen Mire: Cloud Computing and the Law.” Scripted Journal of Law, Technology and Society 6, 1 (2009).Google Scholar
  26. PCI (2009). PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard – Requirements and Security Assessment Procedures version 1.2.Google Scholar
  27. Regan, P. “Old Issues, New Context: Privacy, Information Collection, and Homeland Security.” Government Information Quarterly 21, 4 (2004): 481–497.CrossRefGoogle Scholar
  28. RIPA (2000). United Kingdom. Regulation of Investigatory Powers Act.Google Scholar
  29. Ruiter, J. The Relationship between Privacy and Information Security in Cloud Computing Technologies. Master’s thesis, Vrije Universiteit Amsterdam, (2009).Google Scholar
  30. Sarathy, R., and C. Robertson. “Strategic and ethical considerations in managing digital privacy.” Journal of Business ethics 46, 2 (2003): 111–126.CrossRefGoogle Scholar
  31. SAS70. American Institute of Certified Public Accountants, Statement on Auditing Standard 70.Google Scholar
  32. Soghoian, C. (2009). Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era.Google Scholar
  33. Steinke, G. “Data privacy approaches from US and EU perspectives.” Telematics and Informatics 19, 2 (2002): 193–200.CrossRefGoogle Scholar
  34. Strauss, J., and K. Rogerson. “Policies for online privacy in the United States and the European Union.” Telematics and Informatics 19, 2 (2002): 173–192.CrossRefGoogle Scholar
  35. Vaquero, L., J. Caceres, M. Lindner, and L. Rodero-Merino. “A Break in the Clouds: Towards a Cloud Definition.” ACM SIGCOMM Computer Communication Review, (2009): 50–55.Google Scholar
  36. VISA (2009). VISA Inc, Global List of PCI DSS Validated Service Providers.Google Scholar
  37. Wang, L., G. von Laszewski, M. Kunze, and J. Tao. “Cloud Computing: A Perspective Study.” Service Oriented Cyberinfrastruture Lab, Rochester Inst. of Tech–Dezembro de, (2008).Google Scholar
  38. Weinhardt, C., A. Anandasivam, B. Blau, and J. Stosser. “Business Models in the Service World.” IT Professional 11, 2 (2009): 28–33.CrossRefGoogle Scholar
  39. Wright, S. PCI DSS: A Practical Guide to Implementation. IT Governance Ltd., (2008).Google Scholar

Copyright information

© Springer Science+Business Media B.V. 2011

Authors and Affiliations

  1. 1.Faculty of SciencesVU University AmsterdamAmsterdamThe Netherlands
  2. 2.Faculty of TechnologyPolicy and Management Delft University of TechnologyDelftThe Netherlands

Personalised recommendations