ART :: Schwartz, Paul M., Information Privacy in the Cloud (May 1, 2013). University of Pennsylvania Law Review

Schwartz, Paul M., Information Privacy in the Cloud (May 1, 2013). University of Pennsylvania Law Review, Vol. 161, No. 1623 (2013). Available at SSRN: http://ssrn.com/abstract=2290303

Abstract:  Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions – and on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are sensitive to technological changes.

This Article examines three areas of change in personal data processing due to the cloud. The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing.

A second legal issue concerns the multi-directional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of “personal information” and the meaning of “automated processing” have become problematic. There is also no international harmonization of these concepts. As a result, European Union and U.S. officials may differ on whether certain activities in the cloud implicate privacy law.

A final change relates to a shift to a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in “The Nature of the Firm.” New technologies and accompanying business models now allow firms to approach “make or buy” decisions in innovative ways. Yet, privacy law’s approach to liability for privacy violations and data losses in the new “make or buy” world of the cloud may not create adequate incentives for the multiple parties who handle personal data.