It appears that Congress is taking seriously the mandate from the Obama Administration regarding Internet privacy issues. In February, Senate Judiciary Committee Chairman Patrick Leahy announced the creation of a new subcommittee called Privacy, Technology and the Law, which will oversee laws and policies that govern the “collection, protection, use and dissemination of commercial information by the private sector.” In March, Senators John McCain and John Kerry introduced proposed legislation that would create an “online bill of rights.” The McCain-Kerry law is poised to become the first comprehensive federal privacy law governing data collection, storage, and transfer. While these actions are aimed at addressing privacy issues as they implicate individual consumer rights, there is no limit to the impact these laws could have in creating additional administrative and procedural requirements for the majority of cloud computing providers.
Traditionally, cloud service providers have attempted to disclaim any and all liability for violations of state or federal privacy laws. Whether addressed in an “applicable law” provision or hidden somewhere in a “limitation to liability” provision, cloud providers have put the onus of adherence to state or federal data privacy regulations squarely on their clients. Providers in effect were saying, “we can help you house and store your data, but we cannot be expected to account for laws associated with types of data you store on our servers. That expertise, and therefore liability, lies with you.” Congress’ likely response to cloud providers is that they can, in fact, expect to be held liable under data privacy regulations because the laws will specifically require them to be.
If the HITECH Act is any indicator of the direction the wind is blowing on Capitol Hill, cloud providers likely will be forced to enact policies designed to comply with these new privacy laws. Contractual limitations on liability and disclaimers of responsibility for compliance with applicable laws will give way to technical and administrative data security baseline requirements. It is important for software companies considering taking their services to the cloud and for businesses seeking a cloud provider to consider the ramifications these laws will have on their agreements. Careful risk balancing at the outset of a cloud-service relationship can protect both parties from impending developments in federal privacy laws and regulations.