Author(s): Paul M. Schwartz
Year: 2013
Abstract:
Cloud
computing is the locating of computing resources on the Internet in a
fashion that makes them highly dynamic and scalable. This kind of
distributed computing environment can quickly expand to handle a greater
system load or take on new tasks. Cloud computing thereby permits
dramatic flexibility in processing decisions – and on a global basis.
The rise of the cloud has also significantly challenged established
legal paradigms. This Article analyzes current shortcomings of
information privacy law in the context of the cloud. It also develops
normative proposals to allow the cloud to become a central part of the
evolving Internet. These proposals rest on strong and effective
protections for information privacy that are sensitive to technological
changes.
This Article examines three areas of change in
personal data processing due to the cloud. The first area of change
concerns the nature of information processing at companies. For many
organizations, data transmissions are no longer point-to-point
transactions within one country; they are now increasingly international
in nature. As a result of this development, the legal distinction
between national and international data processing is less meaningful
than in the past. Computing activities now shift from country to country
depending on load capacity, time of day, and a variety of other
concerns. The jurisdictional concepts of EU law do not fit well with
these changes in the scale and nature of international data processing.
A
second legal issue concerns the multi-directional nature of modern data
flows, which occur today as a networked series of processes made to
deliver a business result. Due to this development, established concepts
of privacy law, such as the definition of “personal information” and
the meaning of “automated processing” have become problematic. There is
also no international harmonization of these concepts. As a result,
European Union and U.S. officials may differ on whether certain
activities in the cloud implicate privacy law.
A final change
relates to a shift to a process-oriented management approach. Users no
longer need to own technology, whether software or hardware, that is
placed in the cloud. Rather, different parties in the cloud can
contribute inputs and outputs and execute other kinds of actions. In
short, technology has provided new answers to a question that Ronald
Coase first posed in “The Nature of the Firm.” New technologies and
accompanying business models now allow firms to approach “make or buy”
decisions in innovative ways. Yet, privacy law’s approach to liability
for privacy violations and data losses in the new “make or buy” world of
the cloud may not create adequate incentives for the multiple parties
who handle personal data.
Keywords: information privacy, data protection, European Union
Link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2290303