25 June 2021

Clouds

'Privacy in the Clouds, Revisited: An Analysis of the Privacy Policies of 40 Cloud Computing Services' (Queen Mary Law Research Paper No. 354/2021) by Felicity Turton, Dimitra Kamarinou, Johan David Michels and Christopher Millard comments 

In this paper, we analyse the results of a detailed survey of the privacy policies, and data protection terms more broadly, of 40 major cloud computing services, including Amazon Web Services, Google Cloud, and Microsoft Azure. We review terms relating to controller and processor designations; purposes and legal bases for data processing; individuals’ rights of access, rectification, and erasure of personal data; the right to data portability; security and data breach notification; monitoring; transfers of personal data outside of the EEA; and appointment of a Data Protection Officer. Where relevant, we compare the results to those of previous surveys conducted in 2010, 2013, and 2015 to show how cloud privacy policies have developed over time, including changes that appear to have been made in response to the General Data Protection Regulation. 

 'Contracts for Clouds, Revisited: An Analysis of the Standard Contracts for 40 Cloud Computing Services' by Michels, Millard and Turton offered a related survey of the standard contracts of 40 cloud services: 

In this paper, we report the results of a detailed survey of the standard contracts for 40 major cloud computing services, including Amazon Web Services, Google Cloud, and Microsoft Azure. We cover a broad range of contractual issues, including clauses dealing with choice of law, termination, data retention, liability, and intellectual property. We compare the results to those of previous surveys conducted in 2010, 2013, and 2015 to show how cloud contracts have developed over time. In particular, we identify changes with regard to choice of law and of forum, and warranty and liability provisions. We conclude that over the past ten years, standard cloud contracts have become more tailored to customer location, for instance by having distinct terms for US and European customers, and more in line with European consumer protection law, including by having distinct terms for businesses and consumers.