This anthology reads as a desktop companion for practising lawyers on the legal technical issues concerning cloud computing and related privacy concerns. It is an authoritative guide for anyone seeking an in-depth compendium on the myriad legal pitfalls associated with security, licensing agreements, cross-jurisdictional data flows, and personal information in cloud computing. What it does not do, however, is explore the ideological and normative backdrop to the challenges arising in a rapidly evolving field. Although thorough and comprehensive, the book risks losing some of its relevancy with anticipated changes in the technological and related legal environment.
In her opening remarks, editor Anne S.Y. Cheung describes a new age of cloud computing, citing an impressive array of facts and figures. The prevalence of this new technology is staggering when considering that it was hardly known only a few years ago. Thus, the collection's analysis of both the technical issues and their legal implications is a timely contribution to the literature. Privacy and legal issues in cloud computing belong to an increasingly complex field that easily merits the book's 290 pages authored by experts.
Yet this may not be the easiest collection to digest for readers who come to Internet and data-protection law for the first time. Most of the chapters focus on highly technical investigations of the relationship between cloud computing and specific legal rules. They include cross-jurisdictional data transfers, encryption, sector regulation, and licensing schemes. Following the intricacies of these juridical webs may be a daunting task for someone without a firm grasp of the legal landscape.
That noted, there are attempts to broaden the access to the materials. We are introduced to especially helpful analogies taken from real estate that explain the multiple layers of responsibilities, ownership, and access, which are defining features in the cloud computing environment. The chapters have been carefully edited to build our understanding from one to the next, lessening the need to repeat technical information. Steadily mapping the technical landscape acquaints an unfamiliar reader with its varied hills and valleys. Having laid the groundwork for a technical and contextual understanding of cloud computing, the remaining chapters examine, in depth, specific aspects – such as intellectual property, ownership, data mining, and health care. This sectoral approach is useful when using the book as a guide in a specific case or context.
There is no doubt that cloud computing is a complex and fast-moving area in law. Therefore, it is not surprising that the volume, with all its studiousness, has not quite managed to capture all the facets of this emerging field. The collection aims to address the fact that legal issues in cloud computing by definition arise in an international context, and its authors contribute a multiple of jurisdictional viewpoints. On the whole, however, the focus of the book is slanted towards a common law perspective, with more than two-thirds of the contributors based in Hong Kong. Yet, this slant, albeit giving the book perhaps some of its originality, is somewhat puzzling when considering that there is not a single chapter solely dedicated to the legal architecture surrounding cloud computing in the US. After all, cloud computing was born and continues to develop predominantly in Silicon Valley.
Privacy issues crop up in multiple chapters, yet it is difficult to see why privacy is specifically mentioned in the title when it appears to be just one of several issues discussed in the book's 12 chapters. Cheung's chapter on the issues of anonymisation and personal data certainly demonstrates persuasive expertise, but her call for a reconceptualisation of the definition of personal information is hardly novel. As such, it seems that most of the privacy issues raised are simply an amplification of the concerns that are already prevalent in current data-protection discourse. Similarly, Dominic N. Staiger's essay on the cross-border flow of data illustrates the dangers of a collection that offers a purely doctrinal analysis of a rapidly changing field. Staiger takes great pains to explain the various legal regimes that allow for the trans-border flow of data. Yet, with the Court of Justice of the European Union's ruling on 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, invalidating the Safe Harbour Agreement between the European Union and the US, substantial sections of his chapter no longer represent good law.
Further, the somewhat narrow approach begs the question of why so few of the chapters explore the wider implications of cloud computing beyond narrow legal technicalities. For example, the sectoral approach does not address the fundamental tension between the US server companies (Google, Amazon, et al.) and an often incompatible European data-protection regime beyond a pure doctrinal analysis. Indeed, the US legal notion of privacy greatly diverges from the European conception of data protection. Regrettably, the authors leave a number of salient questions unanswered. The limited length of the volume may naturally restrict the collection from being too ambitious in scope, and some of the broader normative implications have yet to emerge. Nevertheless, a wider conceptual approach might have given the volume greater longevity.
Several of the chapters are reminiscent of early writing on the Internet in the 1990s that overflowed with complex, technical expositions that few people except computer science students truly understood. Today, thankfully, we seldom encounter detailed explications of Internet code in academic legal analysis. I suspect that, a decade from now, this book will be an early illustration of how we attempted to grapple with the innovative cloud computing architecture. The real value of this book is therefore not its lasting legacy, but its practical use within the next few years.
