Who is Responsible for 'Personal Data' in Cloud Computing? The Cloud of Unknowing, Part 2

International Data Privacy Law (2012) 2 (1): 3-18

Queen Mary School of Law Legal Studies Research Paper No. 77/2011

31 Pages. Posted: 26 Mar 2011. Last revised: 19 Jun 2014

W. Kuan Hon

Imperial College London

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS)

Date Written: March 21, 2011

Abstract

In part one of this series, we considered what information is regulated as 'personal data' in the cloud. In this part two, we develop further the argument made in part one that it is not appropriate for infrastructure cloud providers, many of which are based outside Europe, to become subject arbitrarily to obligations under the EU Data Protection Directive due to choices made by their users.

EU data protection responsibilities and liabilities are imposed primarily on the 'controller,' who may employ 'processors' to process data for it. We suggest that, as with the concept of 'personal data,' the binary nature of the controller/processor distinction is no longer tenable. In today's environment of complex chains of actors, end-to-end accountability should replace the binary distinction. While cloud computing service providers are commonly considered processors or controllers, this paper further argues that many infrastructure cloud computing providers are not even 'processors,' but simply provide facilities and/or tools for use by the controller/cloud user. Infrastructure as a Service and Platform as a Service providers, and certain Software as a Service providers, who offer no more than utility infrastructure services, will often not know whether information stored or processed through their services is 'personal data' or not – hence, the 'cloud of unknowing.' Infrastructure cloud providers are qualitatively distinct from services such as social networking websites.

We suggest that infrastructure cloud computing providers should be considered mere neutral intermediaries. Existing liability defences for certain service providers under the EU Electronic Commerce Directive, to help foster electronic commerce, are lost upon the provider having knowledge and control. Similarly, our proposed intermediary immunity from data protection obligations would be lost if the provider gains the requisite knowledge and/or the requisite access to such data. It may also behove cloud computing providers to develop appropriate common industry standards and best practices measures in order to help provide a clear boundary between this intermediary status and 'processor' (or even 'controller') status.

Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Personal Identifying Information, Privacy

JEL Classification: K2

Suggested Citation

Hon, W. Kuan and Millard, Christopher and Walden, Ian, Who is Responsible for 'Personal Data' in Cloud Computing? The Cloud of Unknowing, Part 2 (March 21, 2011). International Data Privacy Law (2012) 2 (1): 3-18, Queen Mary School of Law Legal Studies Research Paper No. 77/2011, Available at SSRN: https://ssrn.com/abstract=1794130

W. Kuan Hon (Contact Author)

Imperial College London

South Kensington Campus
Exhibition Road
London, Greater London SW7 2AZ
United Kingdom

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS)

67-69 Lincoln's Inn Fields
London, WC2A 3JB
United Kingdom

Paper statistics: Downloads 3,418; Abstract Views 15,658; Rank 6,350