Learning Lessons from Cloud Investigations in Europe: Bargaining Enforcement and Multiple Centers of Regulation in Data Protection
journal contribution
posted on 2023-09-01, 13:57authored byAsma A. I. Vranaki
The race is on for businesses and consumers to join the cloud. From increased efficiency to low operational costs to scalability, reasons abound as to why we are adopting cloud solutions. However, unleashing the potential of cloud ecosystems for companies and individuals has not been without difficulties. Industry research has highlighted that data protection and privacy concerns, in particular, can often be one of the main inhibitors to the widespread adoption of cloud-based systems. Lately, some US-based cloud companies have been required to comply with European data protection laws through the regulatory process of investigation by European data protection authorities (“Cloud Investigations”).
In this article, I analyze selected empirical findings from my recent qualitative socio-legal research project where I have examined the investigations of cloud providers by European data protection authorities (“EU DPAs”) to reflect on the roles of data protection laws during such investigations.
I advance two arguments. Firstly, a decentralized perspective on Cloud Investigations sheds a more comprehensive light on the roles of data protection laws during Cloud Investigations without assuming a priority that such laws have a privileged and static role in the regulatory process.
Secondly, and relatedly, I argue that by “cutting off the King’s head”, we can understand more fully the dynamic and context-dependent roles of data protection laws during Cloud Investigations. From time to time, law can be deployed to achieve the aims of the law-makers or enforcers. At other times, law can also be used as bargaining chips by EU DPAs and Cloud Providers to obstruct or facilitate the negotiations during Cloud Investigations. At other times still, law can often retreat from the field of action as other actors carry out the “act of government” to determine if and to what extent Cloud Providers are “accountable in reality.”