This paper is an empirical study of the Terms of Service and Privacy Policies of 20 cloud providers. Our study focuses on the ways these 20 cloud providers treat various key rights that individuals have under data protection law, either when they contract directly with a cloud provider or when they access cloud services through a business or institution, such as their employer, including the right to have their personal data processed fairly and lawfully, the right to be informed about the collection of data, the specific purposes of processing and the way their data may be shared with or disclosed to third parties, including law enforcement agencies.
We also look at the right to access, correct or erase personal data, the right to object to processing, the right to object to direct marketing, and the right to have personal data processed securely and be protected from accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to data. In addition, this paper discusses the providers’ approach to disputes arising out of the use of their cloud service and their approach to compensation and indemnification. This paper also uncovers common approaches adopted by providers and mismatches between their various legal documents, and highlights the advantages and disadvantages of various practices found in the study. Finally, we make some suggestions for more effective transparency and redress options for individuals, and conclude the paper with a number of practical findings arising from the review.
The paper is written by Dimitra Kamarinou, Christopher Millard & W Kuan Hon and it is available online at SSRN at: