Table of Contents  I.   Introduction  II.  Primary Privacy Law of Cloud Computing       A. Privacy Contracts       B. Privacy Policies  III. Secondary Privacy Law of Cloud Computing       A. Information Collection       B. Information Disclosure          1. Disclosure to Private Parties          2. Disclosure to the Government       C. Information Use       D. Information Management  IV. Concluding Remarks  I. Introduction 

This article surveys and evaluates the privacy law of web applications and cloud computing. The National Institute of Standards and Technology defines "cloud computing" as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (1) Depending on which services are provided, three categories of cloud computing can be distinguished: software-as-a-service (applications), platform-as-a-service (foundational elements to develop applications), and infrastructure-as-a-service (computational and storage infrastructure). (2) Therefore, cloud computing services also cover web applications, such as webmail services, web search services, and social networks. (3) They are subject to the same considerations as other cloud computing services and accordingly addressed in this article.

The privacy law of cloud computing can be separated into two tiers. The primary privacy law is created by privacy contracts, while the secondary privacy law follows from constitutional privacy rights, common law rules, statutes, and regulations. (4) By making use of privacy contracts, cloud service providers and users can shape their privacy relationship largely any way they want. Generally, they are subject to the secondary privacy law only to the extent they do not make use of privacy contracts. The reason for the supremacy of privacy contracts over the secondary privacy law is the constitutionally guaranteed freedom of contract. Thus, for example, a valid provision in a privacy contract can be understood as a user's consent to exclude an otherwise applicable privacy protection law. (5) The primary privacy law of cloud computing will be addressed in Part II. Part III will then describe the secondary privacy law. Lastly, Part IV will conclude with a few final remarks.

II. Primary Privacy Law of Cloud Computing

From a formal perspective, a privacy contract binds only the contract parties. (6) However, because court decisions and regulatory enforcement actions can establish precedents and approved practices, privacy contracts can become relevant for third parties as well. Generally, cloud service providers and users can agree to any privacy arrangement they want. Privacy contracts can be explicit or implicit and, in the area of cloud computing, will often take the form of service level agreements or be dependent on terms and conditions. The following section will discuss various aspects of privacy contracts between cloud service providers and users, in particular, contract formation, enforcement, and remedies. Thereafter, the next section will explore the extent to which privacy policies are equal to contracts, and how they can shape privacy relationships.

A. Privacy Contracts

Every enforceable contract requires valid contract formation, (7) which consists of an offer, acceptance, mutual assent, and consideration. (8) In many cases contract formation on the web happens through clickwrap and browsewrap mechanisms. A cloud service provider using a clickwrap or browsewrap mechanism would display the contract terms on its website for the user to accept by clicking on a button or browsing the website, respectively. For both mechanisms valid contract formation often hinges on mutual assent. ProCD v. Zeidenberg addressed a clickwrap mechanism and found the click on a button before software could be used sufficient to indicate assent to the terms of the software license. …