“Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions—on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are also sensitive to technological changes. This Article takes a comparative focus: it examines legal developments in the United States and the European Union. As the White House noted in its 2012 consumer privacy framework, the United States “is a world leader” in cloud computing. While leading cloud companies are U.S.-based, the European Union sets strong requirements for flows of personal data, and these obligations have already had a major impact on U.S. companies. The European Union’s significant role in international decisions around information privacy has been bolstered by the authority of EU member states to block data transfers from their country to third-party nations. Such nations include the United States, which the European Union generally considers to lack “adequate” privacy protections. Moreover, the European Commission’s release in late January 2012 of its “General Data Protection Regulation” provides a perfect juncture to assess the issue of privacy in the cloud.
This Article examines three areas of change in personal data processing due to the cloud. In doing so, it draws on an empirical study in which I analyzed the data processing of six major international companies. The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing. A second legal issue concerns the multidirectional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of “personal information” and the meaning of “automated processing” have become problematic. There is also no international harmonization of these concepts. As a result, EU and U.S. officials may differ on whether certain activities in the cloud implicate privacy law. A final change relates to the shift toward a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in The Nature of the Firm. In that classic essay, Coase sought to shed light on a fundamental question of corporate organization— when a firm will produce something for itself, and when it will procure from another.
New technologies and accompanying business models now allow firms to approach “make or buy” decisions in innovative ways. Different functions and operations can be packaged as modular units that can be pulled apart and reassembled. Yet information privacy law tends to assess legal responsibility in a static fashion. In particular, privacy law’s approach to liability for privacy violations and data losses in the new “make or buy” world of the cloud may not create adequate incentives for the multiple parties who handle personal data. Thus, this Article’s focus is a comparative one from which it explores significant changes in data processing due to the cloud and the resulting tension with contemporary information privacy law. This Article concentrates on issues relating to the private ordering of data processing. There are, therefore, important restrictions on its scope. It discusses neither national security nor criminal law issues. To be sure, the cloud changes the ability of intelligence agencies and law enforcement officials to access personal data, but these matters are conceptually different enough from those involving purely private parties as to merit separate analysis. This Article also does not analyze issues that arise when the government uses cloud services. Here, too, there are distinct policy and legal issues.”