Book Review: Cloud Computing Law
Edited by Christopher Millard
Oxford: Oxford University Press, 2013, 448 pp, £34.95 ISBN 978-0-19-967168-7
Cite as: Nuno Sousa e Silva, “Book review: Cloud Computing Law”, (2014) 11:3 SCRIPTed 337 http://script-ed.org/?p=1679
© Nuno Sousa e Silva 2014. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
The immediate association at the intersection of the Internet and the law is no longer intellectual property. Rather, the hot topic is – for a number of reasons – privacy and data protection. Considering that Internet users are (sometimes unconsciously) migrating their whole lives to the cloud, carrying huge amounts of information about themselves and their activities in their pockets, synching them to the cloud via a multitude of devices, we could think that cloud computing law is all about data protection. However, this technology poses a wider array of legal questions extending far beyond privacy. This book is a first chart of this largely unexplored territory.
As Christopher Millard explains in his preface, he has been facing scepticism concerning the need for innovative legal solutions driven by technological change ever since he started focusing on them. Like any good book dealing with technology, this one starts by explaining it. The first two chapters are devoted to the technical features involved in cloud computing.
After all, what is the cloud? In a remarkable book Andrew Blum highlights how the Internet is indeed very physical: a network of transoceanic cables linking the whole planet, covering thousands of miles underwater. Likewise there is nothing metaphysical about cloud computing. Data centres, often of very significant proportions, are the “home” of the cloud. The expression is meant to describe the technologies, which provide computing as a service, instead of as a product, via a network (chiefly the Internet). Computing can mean resources (such as processing power or storage), platforms for developing software, end-user applications (e.g. Facebook or Google apps) or a mixture of some of these (like Dropbox).
The first chapter of this book, written by W Kuan Hon and Christopher Millard, is very technical in nature explaining the details of the technologies at the root of cloud computing (usually a complex combination of hardware and software, capable of generating an apparent simplicity for the end user). This is important to understand both the functioning of the market and the underlying contractual arrangements. The next chapter, by the same authors, focuses on risk management in cloud environments (addressing confidentiality, integrity and availability concerns). The chapter is still very technical but manages to explain that users of cloud computing technology have a wide array of options with varying degrees of risk exposure.
Part II focuses on cloud computing transactions. Chapter 3 contains a thorough analysis of standard terms of service for cloud computing services and their evolution from 2010 to 2013. The authors looked at major types of cloud computing services (Facebook, Paypal, Dropbox) and present a very valuable summary of the contents of their terms of service in a critical and informative manner. Chapter 4 also follows an empirical research methodology (here qualitative whereas it was quantitative in Chapter 3) focusing on negotiated contracts, relying mainly on interviews. It is interesting to note that the most negotiated issues were liability and remedies, service levels and security, and privacy. The authors of the chapter conclude that there is a tendency to see more negotiated contracts, although these are still rare. Chapter 5 deals with public sector cloud contracts, relying mainly on a case study: the UK Government’s G-Cloud programme, and is a more descriptive piece.
Chris Reed and Alan Cunningham write about ownership of information in clouds in Chapter 6. This chapter concerns mainly the interface of intellectual property (including trade secrets) and cloud computing. Unsurprisingly, cloud computing service providers do not have too many claims regarding ownership of content created in the cloud environment. This chapter is quite interesting, but lacks an analysis of the role of licences and consent in this field.
Part III addresses the protection of personal data in cloud computing environments. Chapter 7 tries to draw the line between what is and is not personal data according to EU data protection regulation in order to determine the extent to which cloud computing operations come within the scope of such legislation. The main findings are that there is much uncertainty in this regard, and that there is a corresponding need for a more flexible and balanced approach. In brief, the data protection regulation in this field of law is not fit for purpose. The next chapter analyses the several entities that deal with data in the cloud i.e., data controllers, cloud users and cloud service providers, their liabilities and possible exclusion thereof (mainly pursuant to the E-Commerce Directive).
Chapter 8 similarly concludes that there is a need for reform and presents three main proposals in that regard: abolishing the distinction between data controllers and data processors and replacing it by a principle of end-to-end accountability; acknowledging the role of intermediaries who do not process personal data in a meaningful sense; and abolishing the instructions requirement. The thorny issue of jurisdiction over personal data in clouds is the topic of Chapter 9. This is a complex exercise in interpreting Article 4 of the Data Protection Directive 95/46/EC, an aspect which, according to the authors, also demands clearer rules. International data transfers (also known as data export) are finally considered by W Kuan Hon and Christopher Millard in Chapter 10. This is a very complex problem and the difficulties of guaranteeing effectiveness are considerable. In fact, the whole section of the book regarding privacy and data protection highlights both the inadequacy of the current EU data protection law and its (growing) detachment from reality. However, unlike other pessimists, the several authors of this section present practical and convincing suggestions for improvement.
Part IV deals with the relationship of other fields of law with cloud computing and the extent to which countries can enforce these laws, before concluding with a chapter that puts the governance of cloud computing in perspective. Chapter 11 peruses the possibilities and limits to law enforcement actions concerning data in clouds. The difficulties and challenges both at technical and legal level are clearly outlined by Ian Walden. Sovereignty over data is the defining issue here and without some concessions, tolerance and cooperation, law enforcement access is unlikely to even occur.
Chapter 12 approaches the field of cloud computing from a competition law perspective. The extent to which competition law can and should perform regulatory functions beyond pure market regulation is a classic (and much debated) question. Some authors have voiced the need for this regulatory thinking also in the field of privacy, e.g. the need to consider data protection effects in the case of mergers. Another aspect is the need to adjust competition law to some markets where network effects are strong and/or dynamic competition is paramount, as is often the case with new technologies. This chapter describes the cloud computing market by analysing specific practices – mainly standard-setting and interoperability – on the basis of Articles 101 and 102 of the Treaty on the Functioning of the European Union (deemed the supply-side of competition); and the operation of public procurement (seen as the demand-side of competition). Before the chapter concludes, other regulatory mechanisms are also briefly described. In the following chapter Alan Cunningham and Chris Reed address consumer protection rules, focusing on non-negotiated terms of service, approaching ex ante (i.e. rules that operate before or during the contracting process) and ex post (i.e. rules concerning the duration and termination of the contract) consumer protection rules. The chapter draws on the survey of terms of service (described in Chapter 3) to highlight twelve points of concern for the consumer.
Chapter 14 is the closing chapter. Chris Reed writes on governance, defined as “the system of rule-creation and enforcement which does not depend solely on state command-and-control, but instead involves participants from a wider community”. In fact, drawing from the conclusions of previous chapters, he shows the need for co-regulation and presents a way not only to build better rules, but also to achieve balanced and effective solutions.
To conclude, this book, edited by Christopher Millard (who also co-authors nine out of the fourteen chapters of the book) and written by several authors from different backgrounds, provides a picture of cloud computing that goes beyond the law and is a major contribution to the understanding of a hitherto opaque (albeit almost omnipresent) technology. It contains relevant empirical data, technical analysis and legal thinking. This book will be indispensable for anyone who aims at working in and understanding the field. Furthermore, this work is also extremely relevant at a normative level, putting forward serious and informed proposals to improve the legal framework of cloud computing. The uncertainties are tremendous and the authors are honest enough in highlighting them. The future is challenging and the authors were not only brave but also competent in trying to understand and frame it from a legal, social and technical perspective.
Nuno Sousa e Silva
Master of Laws, LLM IP (MIPLC), Assistant lecturer at UCP (Porto), Attorney-at-law.
A Blum, Tubes: Behind the Scenes at the Internet (Penguin 2013).
Cfr. EJ Koop, “The trouble with European data protection law” (2014) 4:4 International Data Privacy Law 250-261.
See O Odudu, “Editorial—Competition Efficiency and Other Things” (2010) 6 Competition Law Review.
C Kuner et al, “When two worlds collide: the interface between competition law and data protection” (2014) 4:4 International Data Privacy Law 247-248.