Abstract

http://ssrn.com/abstract=1924240
 
 

Footnotes (101)



 


 



Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3


W. Kuan Hon


Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Julia Hörnle


Queen Mary University of London, School of Law

Christopher Millard


Queen Mary University of London, School of Law - Centre for Commercial Law Studies; Oxford Internet Institute

February 9, 2012

International Review of Law, Computers & Technology, Vol. 26, No. 2-3, 2012
Queen Mary School of Law Legal Studies Research Paper No. 84/2011

Abstract:     
Where data centres located in the European Economic Area ('EEA') are utilised for cloud computing services, the customers, and in some circumstances even cloud service providers, could become subject to the EU Data Protection Directive on the basis that the data centre may be an ‘establishment’ of theirs, or involves their ‘making use’ of equipment in the EEA. This may be the case whether the utilisation is direct or indirect through ‘layers’, for example where a non-EEA cloud user uses the services of an EEA provider, or indeed of a non-EEA provider who happens to use an EEA cloud provider or a data centre situated in the EEA. Software as a Service providers may similarly find themselves subject to the Directive if they save or retrieve cookies or the like on their end users’ equipment, as EU data protection regulators have asserted, not without controversy. Even within the EEA, national implementations diverge.

The current legal uncertainties are unsatisfactory, and may discourage the use of EEA data centres or EEA providers for cloud computing. This paper argues that Data Protection Directive obligations should be applied to entities based on country of origin, within the EEA, and targeting or directing, for non-EEA entities, with clear tests for both concepts.

While the draft Data Protection Regulation would introduce approaches based on country of origin and targeting, the concepts it uses in that regard fail to address many of the current problems. The concepts of ‘establishment’, 'context of activities' and 'main establishment', if retained, need to be further clarified and harmonised, and the new concepts of 'occasionally offering' and 'monitoring' further explained. The status of providers of physical and software infrastructure, as well as intermediate providers, would also benefit from further clarification, in particular as regards in what circumstances EU data protection laws apply to processors, and which rules apply to cloud providers as processors.

Number of Pages in PDF File: 44

Keywords: Cloud Computing, Data Privacy, Data Protection, EEA, EU, European Economic Area, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Privacy

JEL Classification: K2, K20

working papers series





Download This Paper

Date posted: September 9, 2011 ; Last revised: October 29, 2012

Suggested Citation

Hon, W. Kuan and Hörnle, Julia and Millard, Christopher, Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3 (February 9, 2012). International Review of Law, Computers & Technology, Vol. 26, No. 2-3, 2012; Queen Mary School of Law Legal Studies Research Paper No. 84/2011. Available at SSRN: http://ssrn.com/abstract=1924240 or http://dx.doi.org/10.2139/ssrn.1924240

Contact Information

W. Kuan Hon (Contact Author)
Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )
London
United Kingdom
HOME PAGE: http://www.law.qmul.ac.uk/people/academic/hon.html
Julia Hörnle
Queen Mary University of London, School of Law ( email )
London
United Kingdom
Christopher Millard
Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )
67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom
HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html
Oxford Internet Institute
1 St Giles
Oxford, OX1 3JS
United Kingdom
HOME PAGE: http://www.oii.ox.ac.uk/
Feedback to SSRN


Paper statistics
Abstract Views: 5,340
Downloads: 1,602
Download Rank: 5,367
Footnotes:  101

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo4 in 0.250 seconds