Legal Issues and Developments in Cloud Computing Privacy

Legal rights and regulatory authority regarding privacy protection of cloud computing users are not well defined. Although the U.S. Supreme Court has not fully resolved the issue of unwarranted disclosure of consolidated private data, Whalen v. Roe serves as the foundational case for recognizing decisional and informational privacy. While an email address and password may give individuals control over access to their PHR, there is no guarantee that personal information is completely protected. “[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” In contrast, “what [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” Although recognized, this informational privacy right is not unlimited, and the Supreme Court has yet to clearly define the scope of such privacy protection.

Cloud computing services need to take into account the particular data protection laws of the countries in which their servers are located. However, unlike traditional data storage, clouds usually do not store a customer’s data on a single computer. 


U.S. Information Privacy Law

Currently, there is a patchwork of privacy laws and regulations at the federal and state level that applies to the transfer or sharing of personal information in the private markets of banking and financial services, entertainment, cable and telecommunications, education, and health. These regulations are not based on any uniform theory of rights and differ significantly in the scope of protection offered to an individual because they were adopted in response to specific violations. In addition, specific standards for securing customer data against unauthorized disclosures are a mixture of ad hoc requirements for specific data items.

Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501-6506; Pub. L. 105-277)
Applicable to data of children under 13 collected online.
Website operators must seek verifiable consent and provide specific information in privacy policies.

Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-2522; Pub. L. 99-508)
Applies to private entities.
The ECPA protects electronic communications while in transit. The law prohibits the intentional access or disclosure of the contents of an electronic communication by an online service provider.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191)
Applicable to health care providers and others dealing with health information and related entities.
Through its Privacy and Security Rules, HIPAA imposes significant restrictions on the disclosure of protected health information.

Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338, codified in relevant part at 15 U.S.C. §§ 6801-6809 and §§ 6821-6837)
Applicable to financial institutions.
Privacy and safeguards rules restrict financial institutions from disclosing consumers’ nonpublic personal information to non-affiliated third parties.

USA PATRIOT Act (Pub. L. 107–56)
May be applicable to foreign companies that work with cloud providers that allow data to reside in or flow through the US.
The Act permits the U.S. federal government to seek a court order for disclosure of electronic records.

Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681b(f))
Imposes limits on disclosure of credit reports by credit bureaus.

While these requirements do not restrict the geographic movement of a company’s personal information as the European Union does, they do place restrictions on the use of service providers regardless of where they or the data are located.

The Fourth Amendment & Warrants to Access Cloud Data

The Fourth Amendment protects an individual’s data when it is in his or her house and in other places where an individual has a “reasonable expectation of privacy.” More specifically, information stored on an individual’s personal computer is currently protected under the Fourth Amendment. However, the Fourth Amendment does not seem to cover an individual’s data stored by cloud service providers. For instance, an individual’s spreadsheet stored on a cloud computing service provider’s server does not seem to be fully protected by the Fourth Amendment. To learn more about possible solutions, read the Center for Democracy and Technology's suggested updates to the Electronic Communications Privacy Act (ECPA) in light of modern technologies such as cloud computing.

Recent Efforts at the Federal Level Impacting the Cloud

Federal Trade Commission (FTC)
In general, as the federal consumer protection agency, the FTC has jurisdiction over private sector uses of data. Recently, the FTC began looking into cloud computing’s impact on consumers. In particular, as an emerging business model, cloud computing is increasing the amount of consumer data available through the Internet. The FTC seeks to ensure that consumers understand how their data is used and that it is being stored in many different places. At a recent FTC privacy roundtable event, there was discussion regarding the need for companies to standardize data protection practices surrounding their use of cloud computing services.

The Electronic Privacy Information Center (EPIC) has informed the FTC of the ongoing privacy risks associated with cloud computing. In addition, EPIC’s 2009 complaint, pursuant to Section 5 of the FTC Act, noted Google’s unfair and deceptive business practices concerning the company’s cloud computing services.

Federal Communications Commission (FCC)
The FCC recently released its National Broadband Plan, which included discussion of consumers’ concerns about the lack of control over sensitive personal data on the Internet. Although EPIC has requested that the FCC develop a comprehensive strategy for online privacy, the Plan does not clearly address growing concerns about cloud computing.

Push for Federal Legislation & Reform
The challenge remains how best to balance privacy with new and emerging technologies, and federal electronic privacy laws are outdated. Recently, Microsoft asked Congress to pass new legislation to regulate cloud computing services. In particular, the company has proposed the Cloud Computing Advancement Act, which would change privacy law by updating the Electronic Communications Privacy Act (ECPA). The Act would strengthen privacy and security protections, deter cybercrime, enhance transparency, and clarify international rules and regulations.

In addition, Digital Due Process, a coalition of technology companies, civil rights organizations and academics, has called for reform of the ECPA. The coalition notes that the ECPA is outdated and no longer provides adequate protection of online personal data. In particular, the coalition wants law enforcement to obtain search warrants before accessing e-mail and documents stored in the cloud.

References

  • Video Privacy Protection Act (18 U.S.C. § 2710); Cable Communications Policy Act (47 U.S.C. § 551).
  • Lisa L. Dahm, et al., Privacy, E-HEALTH BUSINESS AND TRANSACTIONAL LAW 47, 53-54 (Barbara Bennett ed., 2002) (“The existing federal laws and regulations that relate to privacy of health information are each limited in some way – either they protect only a specific portion of health information (e.g., substance abuse and treatment records), or they protect the health information of only a portion of the population (e.g., children), or they address only information that is handled electronically (e.g., electronic signatures), or they apply to only particular segment of the health care industry (e.g., “covered entities”)”).
  • Tanya Forsheit, Legal Implications of Cloud Computing (Privacy and the Cloud), Information Law Group (Sept. 30, 2009) available at http://www.infolawgroup.com/2009/09/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-two-privacy-and-the-cloud/ (last visited Mar. 26, 2010).
  • The Electronic Communications Privacy Act (“ECPA”) applies to private entities. The ECPA protects electronic communications while in transit. See The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986), 18 U.S.C. § 2510 (ECPA prohibits the intentional access or disclosure of the contents of an electronic communication by an online service provider). The Children’s Online Privacy Protection Act (“COPPA”) may also apply to companies collecting and storing health information. See 15 U.S.C. 6502(b)(1)(D) (2000) (websites must protect the “confidentiality, security, and integrity of personal information collected from children”).
  • Vera Bergelson, It’s Personal But Is it Mine? Toward Property Rights in Personal Information 381 - 82 (Rutgers University (Newark) Legal Working Paper Series, Nov. 13, 2003) available at http://works.bepress.com/vera_bergelson/2. Congress has enacted piecemeal information privacy laws to deal with the technological assault on privacy in specific sectors, including the finance and health care industries. See, e.g., Fair Credit Reporting Act of 1971, 15 U.S.C. §1681 (2005); Gramm-Leach-Bliley Act, 15 U.S.C. § 2710 (2000); Pub. L.104-191, §§ 261 – 264, 110 Stat. 1936 (1996).
  • Microsoft, Press Release, Microsoft Urges Government and Industry to Work Together to Build Confidence in the Cloud (Jan. 20, 2010) available at http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx (last visited Mar. 26, 2010).