Data protection and data privacy are significant challenges in cloud computing for multinational corporations. There are no standard laws to protect data across borders. The institutional and regulatory constraints and governance differ across countries. This article explores the challenges of institutional constraints faced by cloud computing service providers in regard to data privacy issues across borders. Through a qualitative case study methodology, this research compares the institutional structure of a few host countries, with regard to data privacy in cloud computing and delineates a relative case study. This article will also review the cloud computing legal frameworks and the history of cloud computing to make the concept more comprehensible to a layman.
Agency Digital Italy (2012). Features of electronic systems for cloud in public administration. Retrieved from http://www.agid.gov.it/sites/default/files/linee_guida/sistemi_cloud_pa.pdf
2.
AlSudiariM. A., & VasistaT. (2012). Cloud computing and privacy regulations: An exploratory study on issues and implications. Advanced Computing, 3(2), 159–169.
3.
ArrowK. (1962). Economic welfare and the allocation of resources for invention. In NelsonR. (Ed.), The rate and direction of inventive activity: Economic and social factors (pp. 609–625). Princeton, NJ: Princeton University Press.
4.
Berners-LeeT., & FischettiM. (2001). Weaving the web: The original design and ultimate destiny of the World Wide Web by its inventor. Darby, PA: Diane Publishing Company.
5.
BlagovS. (2015). Russia pledges more data localization audits. Retrieved from http://www.bna.com/russia-pledges-data-n57982063580
6.
BoehmF. (2015). A comparison between US and EU data protection legislation for law enforcement purposes. Retrieved from https://legalresearchplus.files.wordpress.com/2015/11/ipol_stu2015536459_en.pdf
7.
BortJ. (2015). Everyone is talking about how Microsoft Office 365 is suddenly beating Google apps. Retrieved from https://www.businessinsider.com.au/how-office-365-is-beating-google-apps-2015-3.
8.
BrattonB. H. (2016). The stack: On software and sovereignty. Cambridge, MA: MIT Press.
9.
BrownI., & LaurieB. (2000). Security against compelled disclosure. In Computer Security Applications, 2000. ACSAC’00. 16th Annual Conference (pp. 2–10). IEEE.
10.
ChahabadiD. (2016). Internationalization of firms: Antecedents, speed, and performance implications: Evidence from the German renewable-energy industry (Doctoral dissertation). Macquarie University, Sydney, Australia.
11.
CLOUD Act, House of Representatives Bill 4943, 115th Cong (2018). Retrieved from https://www.congress.gov/bill/115th-congress/house-bill/4943/text
12.
DebusscheJ., & AsbroeckB. (2014). Cloud computing and privacy series: The general legal framework. Retrieved from https://www.twobirds.com/en/news/articles/2014/global/cloud-computing-and-privacy-series-the-general-legal-framework-1
13.
Department of Communications and Arts of Australian Government (2014). Cloud computing and privacy: Consumer factsheet. Retrieved from https://www.communications.gov.au/sites/g/files/net301/f/2014-112101-CLOUD-Consumer-factsheet.pdf
14.
Department of Defence of Australian Government (Defence) (2012). Cloud computing security considerations. Retrieved from https://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm
15.
Department of Finance of Australian Government (2013). Australian government ICT expenditure report 2008–09 to 2011–12. Retrieved from https://www.finance.gov.au/files/2012/04/Australian-Government-ICT-Expenditure-Report-2008-09-to-2011-12.pdf
16.
Department of Finance of Australian Government (2014). Australian government cloud computing policy. Retrieved from https://www.finance.gov.au/sites/default/files/australian-government-cloud-computing-policy-3.pdf
17.
EisenhardtK. M., & GraebnerM. E. (2007). Theory building from cases: Opportunities and challenges. Academy of Management Journal, 50(1), 25–32.
18.
European Commission (2012). Unleashing the potential of cloud computing in Europe. Retrieved from http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF
19.
European Parliament (2013). European Parliament resolution of 10 December 2013 on unleashing the potential of cloud computing in Europe. Retrieved from http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-0535
20.
Federal Office for Information Security (2011). Security recommendations for cloud computing providers. Retrieved from https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CloudComputing/SecurityRecommendationsCloudComputingProviders.html
21.
FehrmanJ. (2012). Who has legal jurisdiction in the cloud? Retrieved from http://eddblogonline.blogspot.com.au/2010/08/who-has-legal-jurisdiction-in-cloud.html
22.
GellmanR. (2012). Privacy in the clouds: Risks to privacy and confidentiality from cloud computing. InProceedings of the World Privacy Forum. Retrieved from https://www.worldprivacyforum.org/2009/02/report-privacy-in-the-clouds
23.
GordonM., & MarchesiniK. (2010). Legal issues and developments in cloud computing privacy. Retrieved from https://www.unc.edu/courses/2010spring/law/357c/001/cloudcomputing/privacy_legal_US.html
24.
GrollE. (2016). Microsoft vs. the Feds, cloud computing edition. Retrieved from https://foreignpolicy.com/2016/01/21/microsoft-vs-the-feds-cloud-computing-edition
25.
HaskelJ. E., PereiraS. C., & SlaughterM. J. (2007). Does inward foreign direct investment boost the productivity of domestic firms?The Review of Economics and Statistics, 89(3), 482–496.
26.
HeniszW. J. (2003). The power of the Buckley and Casson thesis: The ability to manage institutional idiosyncrasies. Journal of International Business Studies, 34(1), 173–184.
27.
Hogan Lovells (2010). Cloud computing: A primer on legal issues, including privacy and data security concerns. Retrieved from http://www.cisco.com/c/dam/en_us/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf
28.
HuT.-H. (2015). A prehistory of the cloud. Cambridge, MA: MIT Press.
29.
Information Shield (2016). United States Privacy Law. Retrieved from https://informationshield.com/free-security-policy-tools/us-data-privacy-laws
30.
IonascuD., MeyerK. E., & ErstinS. (2004). Institutional distance and international business strategies in emerging economies (William Davidson Institute Working Paper No. 728). Retrieved from https://deepblue.lib.umich.edu/bitstream/handle/2027.42/40114/wp728.pdf
31.
JansenW., & GranceT. (2011). Guidelines on security and privacy in public cloud computing (NIST, U. S. Department of Commerce, Special Publication 800-144). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
32.
KellerW. (2004). International technology diffusion. Journal of Economic Literature, 42(3), 752–782.
33.
KostovaT., & ZaheerS. (1999). Organizational legitimacy under conditions of complexity: The case of the multinational enterprise. Academy of Management Review, 24(1), 64–81.
34.
LuoY. (2001). Determinants of entry in an emerging economy: A multilevel approach. Journal of Management Studies, 38(3), 443–472.
35.
MarchiniM. (2013). Data transfers within a multinational group: Safely navigating ED data protection rule. Retrieved from http://documents.jdsupra.com/22cd8b20-2c2b-4282-a090-84cd66493b2d.pdf
36.
MariottoF. L., ZanniP. P., & MoraesG. H. S. (2014). What is the use of a single-case study in management research?Revista de Administracao de Empresas, 54(4), 358–369.
37.
McClennanJ., & SchickV. (2006). O, privacy-Canada’s importance in the development of the international data privacy regime. Georgetown Journal of International Law, 38, 669.
38.
MellP., & GranceT. (2010). The NIST definition of cloud computing. Communications of the ACM, 53(6), 50.
39.
MeyerK. E. (2001). Institutions, transaction costs and entry mode choice in Eastern Europe. Journal of International Business Studies, 32(2), 357–367.
40.
MeyerK. E., EstrinS., BhaumikS. K., & PengM. W. (2009). Institutions, resources, and entry strategies in emerging economies. Strategic Management Journal, 30(1), 61–80.
41.
Ministry of the Presidency (2010). Spanish national interoperability framework. Retrieved from https://administracionelectronica.gob.es/ctt/resources/Soluciones/145/Descargas/Spain-National-Interoperability-Framework-NIF-English-version.pdf
42.
Network and Information Security Agency (ANSSI) (2010). Risk management of information. Retrieved from http://www.ssi.gouv.fr/IMG/pdf/2010-12-03_Guide_externalisation.pdf
43.
NovackJ. (2014). Memorandum of law in support of Verizon Communications Inc.’s motion to participate as Amicus Curiae and Microsoft Inc.’s motion to vacate search warrant. Retrieved from https://www.verizon.com/about/sites/default/files/Verizon_Amicus_Final1.pdf
44.
Office of Australian Information Commissioner (OAIC) (2014). Data breach notification—A guide to handling personal information security breaches. Retrieved from https://www.oaic.gov.au/privacy-law/privacy-archive/privacy-resources-archive/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
45.
Office of Australian Information Commissioner (OAIC) (2015). Privacy business resource 8: Sending personal information overseas. Retrieved from https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-8
46.
Office of Australian Information Commissioner (OAIC) (2017). Privacy business resource 23: Handling personal information in the my health record system. Retrieved from https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-23-handling-personal-information-in-the-my-health-record-system
47.
Office of Australian Information Commissioner (OAIC) (2018a). Australian businesses and the EU General Data Protection Regulation. Retrieved from https://www.oaic.gov.au/resources/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation.pdf
48.
Office of Australian Information Commissioner (OAIC) (2018b). Australian Privacy Principles. Retrieved from https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles
49.
Office of Australian Information Commissioner (OAIC) (2018c). Privacy Act. Retrieved from https://www.oaic.gov.au/privacy-law/privacy-act/
50.
Office of Australian Information Commissioner (OAIC) (2018d). Data breach preparation and response. Retrieved from https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response
51.
PengM. W., WangD. Y., & JiangY. (2008). An institution-based view of international business strategy: A focus on emerging economies. Journal of International Business Studies, 39(5), 920–936.
52.
RuiterJ., & WarnierM. (2011). Privacy regulations for cloud computing: Compliance and implementation in theory and practice computers, privacy and data protection: An element of choice (pp. 361–376). London: Springer.
53.
SarrafS. (2018). Australia ranked among top five IT economies for cloud policies. Retrieved from https://www.arnnet.com.au/article/634361/australia-ranked-among-top-five-it-economies-cloud-policies
54.
SchwensC., EicheJ., & KabstR. (2011). The moderating impact of informal institutional distance and formal institutional risk on SME entry mode choice. Journal of Management Studies, 48(2), 330–351.
55.
ScottW. R. (1995). Institutions and organizations (1st ed.). Thousand Oaks, CA: SAGE Publications.
56.
ScottW. R. (2001). Institutions and organizations (2nd ed.). Thousand Oaks, CA: SAGE Publications.
57.
ScottW. R. (2013). Institutions and organizations: Ideas, interests, and identities. Thousand Oaks, CA: SAGE Publications.
58.
SinghB. N. (2010). In absence of dedicated privacy law & data protection law: Is India ready for cloud computing? Retrieved from https://www.techno-pulse.com/2010/12/privacy-data-protection-law-india-cloud.html
59.
SmithP. (2017). Cloud leads the way as Australian tech spending set to rise to A$84.8b in 2018. Retrieved from http://www.afr.com/technology/cloud-leads-the-way-as-australian-tech-spending-set-to-rise-to-848b-in-2018-20171029-gzalqq
60.
SofkaW., ShehuE., & de FariaP. (2014). Multinational subsidiary knowledge protection Do mandates and clusters matter?Research Policy, 43(8), 1320–1333.
61.
SultanN. (2010). Cloud computing for education: A new dawn?International Journal of Information Management, 30(2), 109–116.
62.
The United States Court of Appeals for the Second Circuit (2d Cir.) (2015). In the matter of a warrant to search a certain e-mail account controlled and maintained by Microsoft Corporation. Retrieved from https://assets.documentcloud.org/documents/2997030/Microsoft-Ireland-2d-Cir-Opinion-20160714.pdf
63.
TranE., & AtkinsonM. (2002). Security of personal data across national borders. Information Management & Computer Security, 10(5), 237–241.
64.
TsoukasH. (2009). Craving for generality and small-n studies: The Wittgensteinian approach towards the epistemology of the particular in organization and management studies. In BuchananD. A. & BrymanA. (Eds.), Organizational research methods (pp. 285–301). London: SAGE Publications.
65.
U.S. Department of Justice (2013). Electronic Communications Privacy Act of 1986 (ECPA). Retrieved from https://it.ojp.gov/privacyliberty/authorities/statutes/1285
66.
WeinsteinJ. (2013). United States: Cloud computing—The US versus the EU. Retrieved from http://www.mondaq.com/unitedstates/x/254522/Data+Protection+Privacy/Cloud+Computing+The+US+versus+The+EU
67.
Whisper Systems (2016). Open Whisper Systems. Retrieved from https://whispersystems.org
68.
XuD., & ShenkarO. (2002). Note: Institutional distance and the multinational enterprise. Academy of Management Review, 27(4), 608–618.
69.
YinR. K. (2009). Doing case study research (4th ed.). Thousand Oaks, CA: SAGE Publications.
