44 Pages Posted: 9 Sep 2011 Last revised: 5 Jul 2015
Date Written: February 9, 2012
Where data centres located in the European Economic Area ('EEA') are utilised for cloud computing services, the customers, and in some circumstances even cloud service providers, could become subject to the EU Data Protection Directive on the basis that the data centre may be an ‘establishment’ of theirs, or involves their ‘making use’ of equipment in the EEA. This may be the case whether the utilisation is direct or indirect through ‘layers’, for example where a non-EEA cloud user uses the services of an EEA provider, or indeed of a non-EEA provider who happens to use an EEA cloud provider or a data centre situated in the EEA. Software as a Service providers may similarly find themselves subject to the Directive if they save or retrieve cookies or the like on their end users’ equipment, as EU data protection regulators have asserted, not without controversy. Even within the EEA, national implementations diverge.
The current legal uncertainties are unsatisfactory, and may discourage the use of EEA data centres or EEA providers for cloud computing. This paper argues that Data Protection Directive obligations should be applied to entities based on country of origin, within the EEA, and targeting or directing, for non-EEA entities, with clear tests for both concepts.
While the draft Data Protection Regulation would introduce approaches based on country of origin and targeting, the concepts it uses in that regard fail to address many of the current problems. The concepts of ‘establishment’, 'context of activities' and 'main establishment', if retained, need to be further clarified and harmonised, and the new concepts of 'occasionally offering' and 'monitoring' further explained. The status of providers of physical and software infrastructure, as well as intermediate providers, would also benefit from further clarification, in particular as regards in what circumstances EU data protection laws apply to processors, and which rules apply to cloud providers as processors.
Keywords: Cloud Computing, Data Privacy, Data Protection, EEA, EU, European Economic Area, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Privacy
JEL Classification: K2, K20
Suggested Citation: Suggested Citation
Hon, W. Kuan and Hörnle, Julia and Millard, Christopher, Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3 (February 9, 2012). International Review of Law, Computers & Technology, Vol. 26, No. 2-3, 2012; Queen Mary School of Law Legal Studies Research Paper No. 84/2011. Available at SSRN: https://ssrn.com/abstract=1924240 or http://dx.doi.org/10.2139/ssrn.1924240
By Ian Walden
By Chris Reed