Importance of the geographical localization of the commercial provider of cloud storage services with regard to the protection of consumer's rights through European Union rules

The article provides an outline of the issues raised by cloud storage from the perspective of consumer rights in the European Union. Cloud storage, whether of pictures, videos, text messages or other significant personal data involves the distributed storage of such information over a wide network of servers (i.e., "the cloud"), located geographically in several jurisdictions, both within and outside the European Union. While the location of data is dynamic and can even be partitioned (i.e., the information pertaining to one physical person can move from server A to server B and can be also split or shared between them), within the general "cloud", the view of each jurisdiction is static. Thus, each country claims jurisdiction over the information located on servers within that country from the point of view of various legislative enactments. This creates a wide gap between the fundamental assumptions of the legislator and reality. It is also a fact that the consumer does not and cannot know where the data are located at a particular point in time. When the consumer contracts a cloud storage agreement with a provider, he gives a general agreement regarding the privacy policy of the provider. However, just as usually, the provider does not make specific undertakings, and also contracts cloud storage services from a further, third provider, such as Google, Amazon (who are renowned for their server farms) or others. The norms of the European Union are established so as to be effective. One of the most problematic areas where personal rights are at stake is that of privacy and the dissemination of personal information. This is because, even though the European Union has very strong legislation on this topic, the fact that data moves outside the Union puts it within the reach of jurisdictions with diluted data protection laws, thus enabling third parties, or government authorities to use the data other than prescribed by the European Union norms. When such data moves "in the cloud" outside the Union, and maybe even on the servers of a third party "cloud" provider, this provider may, according to its own rules, diminish the level of protection afforded to such data, enabling vast hacking, such as what has happened with Sony Studios after the launch of the movie "The Interview", when millions of data points, including personal identification data and passwords of its users were stolen and exposed on the internet. The risk is such that, by passing into a lesser-protection jurisdiction, information 225 may be exposed on-line, creating a great image, economic and even personal danger to the consumer. One method to ensure that such risk is diminished is holding the provider responsible for ensuring the same, high, level of protection for private information as that provided by the European Union. This, in turn, raises a question of jurisdiction over the provider. In other words, whether any particular country in the European Union has jurisdiction to hold the provider to account so as to ensure the respect of the consumer's rights. The article discusses this issue and posits that the better view is to base jurisdiction on the provider's physical presence because only the consumer protection authorities from such a place have the means and effective contacts required to ensure an efficient communication with the provider, taking proactive steps to protect the consumer's data. The lesser option is for the consumer to appeal to his national courts in order to obtain the protection of his data. However, this option if wrought with obstacles, the most important of which is the dynamic nature of the internet, much unlike the slow-paced approach of the courts. Therefore, for a preventive approach, it is the responsibility of the consumer protection agency of the country where the cloud storage provider is located to ensure a high level of protection for all consumers contracting with that provider, wherever they are located.