Our Privacy and Data Security Depend Upon Contracts Between Organizations

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and other third-party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider.

In many cases, these contracts fail to contain key protections of data. For example, a study conducted by Fordham School of Law's Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data. I blogged about this study previously here.

Because people are not direct parties to these contracts and often cannot even have access to these contracts, they are often powerless, and their interests are often not adequately represented. Professor Woodrow Hartzog and I recently developed a theory of how Section 5 of the Federal Trade Commission (FTC) Act can be interpreted to impose duties upon both parties to these contracts that protect consumers. The FTC Act prohibits unfair and deceptive trade practices and is enforced by the FTC. Since the 1990s, the FTC has been using its enforcement power under the FTC Act to regulate companies in privacy and security matters.

In our short essay, The FTC and Privacy and Security Duties for the Cloud, we argued that certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.

For example, , the FTC concluded that a company’s failure to adequately choose, contract with and oversee a data service provider constituted an unfair and deceptive trade practice. Next, consider , where the FTC brought an action against a company that violated another company's privacy policies. The FTC didn't see this situation as involving merely an arrangement between two companies. Consumers were caught in the middle, and the FTC ensured that their interests would not be lost in the shuffle. Consumers need not have a direct relationship to companies that cause them harm. Combining Vision I with GMR suggests that consumers can be harmed when the appropriate contractual protections are not included in agreements involving the sharing of personal data. For more details about our theory, please read our essay.

Some implications of this theory:

1. Although the FTC lacks enforcement power against most schools, government organizations, and non-profits when these entities have deficient contracts with businesses that handle personal data, the FTC can still go after the businesses that are operating under that contract. With schools in particular, some businesses are taking advantage of the fact that many schools lack the knowledge and resources to include the appropriate controls over data in their contracts. The FTC can step in and stop these practices.

2. Since so much of people's data is transferred between different organizations to perform different functions, they depend upon the contracts these organizations have with third party data vendors for the protection of their privacy. People often have little knowledge and choice when it comes to these third parties. They don't get to see the contracts. So, for example, your child's personal data at school might very well be in the hands of a cloud service provider that the school has contracted with. Have you seen the contract? Does it provide the appropriate protections? You can see the school's privacy policies, but you often won't see these contracts.

3. The FTC can likely enforce even without a data incident. The GMR case was sparked by an incident, but unfairness and deception do not turn on the existence of an incident. An inadequate contract alone might be sufficient for the FTC to find a violation of the FTC Act.

* * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is the author of 9 books (including Understanding Privacy and Nothing to Hide: The False Tradeoff Between Privacy and Security) and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.

All this is nice and clear but the reality is different: people with connexions just make a phone call to know (almost) everything about you. If needed they hire a private detective... instead of nicely asking you relevant questions in a great restaurant :). Really depends who you are and what people want from you!


Great article as these are just a few of the reasons companies and individuals are moving their data storage to Switzerland as it has shifted from banking to digital and data storage. Revelations of N.S.A. Spying Cost U.S. Tech Companies https://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html?_r=0 “Issues like privacy are more important than finding the cheapest price,” said Matthias Kunisch, a German software executive who spurned United States cloud computing providers for Deutsche Telekom. “Because of Snowden, our customers have the perception that American companies have connections to the N.S.A.” “It’s clear to every single tech company that this is affecting their bottom line,” said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016. Money is replaceable but data is not. www.americansrighttoprivacy.com
