Privacy in the Clouds, Revisited: An Analysis of the Privacy Policies of 40 Cloud Computing Services
77 Pages Posted: 9 Apr 2021 Last revised: 7 May 2021
Date Written: April 9, 2021
Abstract
In this paper, we analyse the results of a detailed survey of the privacy policies, and data protection terms more broadly, of 40 major cloud computing services, including Amazon Web Services, Google Cloud, and Microsoft Azure. We review terms relating to controller and processor designations; purposes and legal bases for data processing; individuals’ rights of access, rectification, and erasure of personal data; the right to data portability; security and data breach notification; monitoring; transfers of personal data outside of the EEA; and appointment of a Data Protection Officer. Where relevant, we compare the results to those of previous surveys conducted in 2010, 2013, and 2015 to show how cloud privacy policies have developed over time, including changes that appear to have been made in response to the General Data Protection Regulation.
For a related survey of the standard contracts of 40 cloud services, see “Contracts for Clouds, Revisited: An Analysis of the Standard Contracts for 40 Cloud Computing Services” on SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3624712
Keywords: Cloud computing, Data Protection, Privacy, Information Technology, Contracts, Privacy Policy, Terms of Service, Terms and Conditions, Data Subject, Rights, European Union, Localisation, GDPR
JEL Classification: K1, K12, K2, M15, L81, L86, K24, O33
Suggested Citation: Suggested Citation