The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1

International Data Privacy Law (2011) 1 (4): 211-228

Queen Mary School of Law Legal Studies Research Paper No. 75/2011

47 Pages Posted: 15 Mar 2011 Last revised: 11 Mar 2014

See all articles by W. Kuan Hon

W. Kuan Hon

Imperial College London

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS)

Date Written: March 10, 2011

Abstract

Cloud computing service providers, even those based outside Europe, may become subject to the EU Data Protection Directive's extensive and complex regime purely through their customers' choices, of which they may have no knowledge or control. We consider the definition and application of the EU 'personal data' concept in the context of anonymisation/pseudonymisation, encryption and data fragmentation in cloud computing, arguing that the definition should be based on the realistic risk of identification, and that the applicability of data protection rules should be based on the risk of harm and its likely severity. In particular, the status of encryption and anonymisation/pseudonymisation procedures should be clarified to promote their use as privacy-enhancing techniques; data encrypted and secured to recognised standards should not be considered 'personal data' in the hands of those without access to the decryption key, such as many cloud computing providers; and finally, unlike, for example, social networking sites, Infrastructure as a Service and Platform as a Service providers (and certain Software as a Service providers) offer no more than utility infrastructure services, and may not even know if information processed using their services is 'personal data' (hence, the 'cloud of unknowing'), so it seems inappropriate for such cloud infrastructure providers to become arbitrarily subject to EU data protection regulation due to their customers' choices.

Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Outsourcing, Personal Data, Personal Identifying Information, Privacy

JEL Classification: K2, K20

Suggested Citation

Hon, W. Kuan and Millard, Christopher and Walden, Ian, The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1 (March 10, 2011). International Data Privacy Law (2011) 1 (4): 211-228, Queen Mary School of Law Legal Studies Research Paper No. 75/2011, Available at SSRN: https://ssrn.com/abstract=1783577 or http://dx.doi.org/10.2139/ssrn.1783577

W. Kuan Hon (Contact Author)

Imperial College London ( email )

South Kensington Campus
Exhibition Road
London, Greater London SW7 2AZ
United Kingdom

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS) ( email )

67-69 Lincoln's Inn Fields
London, WC2A 3JB
United Kingdom

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
4,741
Abstract Views
20,138
Rank
3,671
PlumX Metrics