The FTC and Privacy and Security Duties for the Cloud
Daniel J. Solove
George Washington University Law School
Samford University - Cumberland School of Law; Stanford Law School Center for Internet and Society
April 14, 2014
13 BNA Privacy & Security Law Report 577 (2014)
GWU Law School Public Law Research Paper No. 2014-28
GWU Legal Studies Research Paper No. 2014-28
Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented.
In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.
Number of Pages in PDF File: 6
Keywords: privacy, data security, cloud, contract, FTC, Federal Trade Commission, consumer protection law
Date posted: April 15, 2014 ; Last revised: August 30, 2014