Download this Paper Open PDF in Browser

The FTC and Privacy and Security Duties for the Cloud

6 Pages Posted: 15 Apr 2014 Last revised: 30 Aug 2014

Daniel J. Solove

George Washington University Law School

Woodrow Hartzog

Northeastern University School of Law and College of Computer and Information Science; Stanford Law School Center for Internet and Society

Date Written: April 14, 2014

Abstract

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented.

In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.

Keywords: privacy, data security, cloud, contract, FTC, Federal Trade Commission, consumer protection law

Suggested Citation

Solove, Daniel J. and Hartzog, Woodrow, The FTC and Privacy and Security Duties for the Cloud (April 14, 2014). 13 BNA Privacy & Security Law Report 577 (2014); GWU Law School Public Law Research Paper No. 2014-28; GWU Legal Studies Research Paper No. 2014-28. Available at SSRN: https://ssrn.com/abstract=2424998

Daniel J. Solove (Contact Author)

George Washington University Law School ( email )

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)

HOME PAGE: http://danielsolove.com

Woodrow Hartzog

Northeastern University School of Law and College of Computer and Information Science ( email )

416 Huntington Avenue
Boston, MA 02115
United States

HOME PAGE: http://https://www.northeastern.edu/law/faculty/directory/hartzog.html

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Paper statistics

Downloads
685
Rank
30,079
Abstract Views
3,084