A right too far? Requiring cloud service providers to deliver adequate data security to consumers

Abstract

The European consumer has substantial rights when contracting for goods or servicesonline. Nevertheless, unlike European data protection law, specific requirements foradequate data security practices are largely absent from European legislation governingBusiness-to-Consumer (B2C) transactions. The following article evaluates the applicationof current EU consumer protection requirements and appraises the extent towhich they oblige service providers to include data security or information regardingdata security practices in contract terms. In addition to considering the core Europeanconsumer protection instruments currently in place, the article evaluates proposed legislationfor digital goods and assesses its potential application to contract termscommonly offered by cloud service providers (CSPs). Furthermore, the article providessome comparative analysis of data security requirements from the USA.