Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. Information stored with a third party (including a cloud computing provider) may have fewer or weaker privacy protections than information in the possession of the creator of the information. Government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. The expanded ability of the government and others to obtain information from a third party affects both businesses and individuals.

Several other aspects of cloud computing affect privacy and confidentiality interests. The most important of these are the terms of service and privacy policy established by a cloud provider. The location of data, ownership of the cloud provider, use of transactional information, and other issues are considered here.

Cloud computing is well underway and appears to be expanding rapidly. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it. Debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace. The findings set out at the beginning of this document are a contribution to the debate, as are the following policy observations.

Report Author:
Robert Gellman, Privacy and Information Policy Consultant, .

Contributor:
Pam Dixon, Executive director, World Privacy Forum, read and commented on the report drafts and also edited the document.

Medical privacy | HIPAA | FTC — According to a legal complaint, CVS pharmacies — the largest pharmacy chain in the United States — did not take appropriate steps to protect its customers’ and employees’ sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver’s license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.