The Bureau of National Affairs, Inc.
Third-party data service providers, especially providers of cloud computing services, present unique and difficult privacy and data security challenges. While many companies that directly collect data from consumers are bound by the promises they make to individuals in their privacy policies, cloud service providers are usually not a part of this arrangement. It is not entirely clear what, if any, obligations cloud service providers have to protect the data of individuals with whom they have no contractual relationship. This problem is especially acute because many institutions sharing personal data with cloud service providers fail to include significant privacy and security protections in the contracts that govern the exchanges. Individuals can thus be placed at the mercy of contracts that they did not negotiate and that offer insufficient protection of their data.
For example, a study conducted by Fordham School of Law’s Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data.1 Many of the agreements analyzed failed to give the school districts the right to audit and inspect the vendor’s practices with respect to the transferred data.2 The agreements also failed to prohibit or limit redisclosure of student data or other confidential information.3 No agreement ‘‘specifically prohibited the sale and marketing of children’s information.’’
In situations like the one above, students are caught in the crossfire, because their interests are often ignored in these contracts unless the schools fight for them, and it appears from the study that many schools lack the knowledge, expertise and resources to establish the appropriate contractual arrangements. In the context of schools, the Department of Education (DOE) under the Family Educational Rights and Privacy Act (FERPA) has very little ability to do much about it. Unlike the Department of Health and Human Services, which can enforce the Health Insurance Portability and Accountability Act directly against most entities that receive protected health information, the DOE has no direct authority under FERPA to regulate companies receiving education records.5
Daniel J. Solove,
The FTC and Privacy and Security Duties for the Cloud
BNA Privacy & Security Law Report
Available at: https://scholarship.law.bu.edu/faculty_scholarship/3380