The FTC and Privacy and Data Security Duties in the Cloud

Woodrow Hartzog Daniel J. Solove by Woodrow Hartzog, Samford University, Cumberland Law School
Daniel Solove, TeachPrivacy
Tuesday, April 15, 2014

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented. In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Paul SchwartzDaniel J. Solove by Paul Schwartz, Berkeley Law School
Daniel Solove, TeachPrivacy
Thursday, March 27, 2014

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

What is the Cost of a Snowden?

Paul Rosenzweig by Paul Rosenzweig, The Chertoff Group
Wednesday, March 26, 2014

In 2012, the American cybersecurity company, Mandiant (now owned by FireEye) released a report tracking an extensive, comprehensive cybersecurity threat from China. It gave the Chinese program the name “APT-1,” where APT stands for Advanced Persistent Threat. APT was as accurate a characterization as one could imagine – the techniques used by the Chinese where highly sophisticated and advanced, and they were determined and continuous.

Cyber Security: Finding the Balance

Scott Andersen by Scott Andersen, Lockheed Martin
Monday, March 17, 2014

Cyber Security is a tough situation. You have to protect your digital assets. It isn’t in your organization’s best interest to leave things open and at risk. On the other hand, your end users are pushing for more and more capabilities and access to more and more resources from more and more locations.

Is Ireland the First “Cloud Haven”?

H. Bryan Cunningham by Bryan Cunningham, Cunningham Levy LLP
Thursday, February 27, 2014

If you’re looking to launch a cloud-based venture, Ireland wants you to know it’s open for business. Very open. Not just a tax haven, mind you, Ireland wants to be very clear about that, given allegations to the contrary in the US Congress last year. In late 2013, Ireland’s Industrial Development Agency, chartered to attract foreign business to the island, pushed back hard on allegations that companies establish “headquarters” in Ireland in order to render themselves immune from corporate tax. The IDA stressed, in a Venture Beat Op-Ed, that, while it’s 12.5 percent corporate tax rate is attractive there is far more to recommend Ireland as a “cloud haven.”

SafeGov Launches

Jeff Gould by Jeff Gould,
Wednesday, February 26, 2014

SafeGov is pleased to announce a new portal to promote safe and secure cloud computing for educational institutions. is an online education resource focused on providing information and proposing ways in which parents, school officials and policymakers can take advantage of the latest cloud computing advances, while also safeguarding educational data and personal information. In today’s data-driven internet environment, knowing and fully understanding children’s online activities at home is not enough – it is equally important to ensure children’s personal information at school is kept private and used exclusively for academic purposes. We have built this site to ensure that parents, school officials and policymakers have accurate resources at their disposal. With the help of industry and education experts, our site provides guidance and proposes concrete actions that these three audiences can take to help protect student privacy.

Net Neutrality and the Cloud

Paul Rosenzweig by Paul Rosenzweig, The Chertoff Group
Tuesday, February 25, 2014

In a sweeping decision, the District of Columbia Circuit Court of Appeals in Washington struck down an order from the Federal Communications Commission (FCC) that the FCC said was intended to foster an open internet network and provide transparency and ease of access for consumers. In doing so, the DC Circuit dramatically affected the prospects for many current and future cloud applications – so dramatically, for example, that the value of Netflix stock initially dropped 5% in the wake of the decision. (Netflix is thought to be disadvantaged by the decision). The stock has rebounded since, but the incident makes it clear that some cloud providers are dependent on a particular pricing framework for internet transmission – a one size fits all model where broadband service providers cannot charge discriminatory prices to different content creators based on the nature and volume of their product. The current pricing framework is now likely to be reexamined. How that reexamination plays out will determine the security and efficacy of cloud services in the next few years.

Duties When Contracting With Data Service Providers

Daniel J. Solove by Daniel Solove, TeachPrivacy
Tuesday, February 18, 2014

In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.

Google admits data mining student emails in its free education apps

Jeff Gould by Jeff Gould,
Friday, January 31, 2014

When it introduced a new privacy policy designed to improve its ability to target users with ads based on data mining of their online activities, Google said the policy didn't apply to students using Google Apps for Education. But recent court filings by Google’s lawyers in a California class action lawsuit against Gmail data mining tell a different story: Google now admits that it does data mine student emails for ad-targeting purposes outside of school, even when ad serving in school is turned off, and its controversial consumer privacy policy does apply to Google Apps for Education.

New Year’s Resolution for EU: Don’t Kill Safe Harbor

H. Bryan Cunningham by Bryan Cunningham, Cunningham Levy LLP
Friday, January 24, 2014

As the year changes, everyone makes lists. Here’s mine: the top 5 reasons the EU would be wrong to kill Safe Harbor. I hope EU politicians will resolve to consider them before dropping lumps of coal into their citizens’ privacy stockings. Their threat to terminate the Safe Harbor program: is based on inaccurate information; would destroy one of the few effective US legal tools to protect EU citizens’ privacy; would heavily burden US companies and trans-Atlantic commerce; has no chance to stop NSA spying-- the professed goal; and is ill-timed given now that the US government now is starting to police itself.