Cloudy opinions: Online activities are still in the Wild West of regulation
Illustration by Michael Morgenstern
Experts warned that cloud computing would trigger countless stormy disputes, and a body of case law is already beginning to emerge.
The verdict, according to a panel at LegalTech New York 2013? Laws, regulations and policies are being written to protect businesses, but the efficacy of those tools has been a crapshoot when tested in court.
Essentially, when it comes to any standardization of cloud regulations, attorneys are being forced to deal with a modern-day Wild West, according to Tim Carroll, a Chicago-based partner at Perkins Coie.
Retailers working in the cloud—under the impression that current international regulation allows them to do business in many countries without fear of taxation—are still being slapped by some judges who decide those laws and regulations carry no weight in their countries.
Meanwhile, nations that write privacy laws strictly prohibiting the release of personal data stored in the cloud are in many instances ignored in other jurisdictions. Instead, attorneys are being ordered to produce the data judges want, regardless of international consequences.
And opportunists seeking to shield questionable activities by hiding behind the varying privacy standards are in some cases slamming into judges who look beyond the letter of the law and enforce its spirit.
One international player smarting from cloud law vagaries is eBay. While international law seemed to indicate its sales between Canada and Swiss citizens were protected from taxation, a judge for our neighbors to the north decided otherwise. The Web giant argued its sales were exempt from taxation in part because its computer servers were located outside Canada. But because the sales transaction data was sometimes in Switzerland and sometimes in Canada, the judge found Canada had the right to tax the sale, according to Kenneth N. Rashbaum, principal of Rashbaum Associates in New York City.
“Political boundaries are being blurred because technological boundaries are being blurred,” Rashbaum said during the conference in January.
The storage, exchange and dispersability of personal data in the cloud can be even more unpredictable. European Union citizens, for example, are under the impression their privacy is being guarded more robustly than that of their U.S. cousins. But in reality, things can go south in a U.S. court. A judge sitting in California doesn’t really care where the data is, Carroll said. If an attorney has access to the data, he or she has to produce it.
U.S. PRESSURE
It’s not unheard of for a client to be pressured by a U.S. regulator to deliver personal data supposedly protected by EU privacy laws, said George Tziahanas, a senior vice president at HP Autonomy. In fact, U.S. regulators may threaten to secure the data directly from the company’s cloud service provider if the company balks.
Equally exacerbating: Attorneys are finding that getting standardization on cloud privacy laws is akin to a game of Whac-a-Mole. While privacy laws in the EU are generally migrating toward standardization, a state within Germany recently bolted in the opposite direction, decreeing that sending any data to cloud service providers outside its borders was a violation of German law, according to Rashbaum.
Fortunately, common sense seems to be prevailing. Operators of the movie-download site TorrentSpy.com, for example, attempted to distribute movies over the Web without compensating Columbia Studios. Their method: Offer films from computer servers based in the Netherlands and hide behind privacy laws.
The defendants argued that since EU privacy laws forbid involuntary release of any transaction data or content residing on the Dutch servers, they were in the clear. But the judge ruled they could not use privacy laws as a fig leaf to obscure blatantly illegal activity, Rashbaum said.
Regulations will probably standardize within the next five years, according to Carroll. In the meantime, attorneys need to be especially vigilant when handling their own data in the cloud, as well as the data of their clients.
Toward that end, job one is to establish a “good, strong governance information protocol,” Rashbaum advised. Otherwise, attorneys and their clients could face a situation in which employees are posting data all over the Web with no monitoring or tracking protocols. Equally precarious is storing client data in the cloud without taking reasonable security precautions. Attorneys could face sanctions from their state ethics board, he added.
“What I really would encourage you to do,” Carroll said, “is visit these issues before you get to regulatory investigation.”
