Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3

44 Pages Posted: 9 Sep 2011 Last revised: 5 Jul 2015

W. Kuan Hon

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Julia Hörnle

Queen Mary University of London, School of Law

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies; Oxford Internet Institute

Date Written: February 9, 2012

Abstract

Where data centres located in the European Economic Area ('EEA') are utilised for cloud computing services, the customers, and in some circumstances even cloud service providers, could become subject to the EU Data Protection Directive on the basis that the data centre may be an ‘establishment’ of theirs, or involves their ‘making use’ of equipment in the EEA. This may be the case whether the utilisation is direct or indirect through ‘layers’, for example where a non-EEA cloud user uses the services of an EEA provider, or indeed of a non-EEA provider who happens to use an EEA cloud provider or a data centre situated in the EEA. Software as a Service providers may similarly find themselves subject to the Directive if they save or retrieve cookies or the like on their end users’ equipment, as EU data protection regulators have asserted, not without controversy. Even within the EEA, national implementations diverge.

The current legal uncertainties are unsatisfactory, and may discourage the use of EEA data centres or EEA providers for cloud computing. This paper argues that Data Protection Directive obligations should be applied to entities based on country of origin, within the EEA, and targeting or directing, for non-EEA entities, with clear tests for both concepts.

While the draft Data Protection Regulation would introduce approaches based on country of origin and targeting, the concepts it uses in that regard fail to address many of the current problems. The concepts of ‘establishment’, 'context of activities' and 'main establishment', if retained, need to be further clarified and harmonised, and the new concepts of 'occasionally offering' and 'monitoring' further explained. The status of providers of physical and software infrastructure, as well as intermediate providers, would also benefit from further clarification, in particular as regards in what circumstances EU data protection laws apply to processors, and which rules apply to cloud providers as processors.

Keywords: Cloud Computing, Data Privacy, Data Protection, EEA, EU, European Economic Area, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Privacy

JEL Classification: K2, K20

Suggested Citation

Hon, W. Kuan and Hörnle, Julia and Millard, Christopher, Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3 (February 9, 2012). International Review of Law, Computers & Technology, Vol. 26, No. 2-3, 2012; Queen Mary School of Law Legal Studies Research Paper No. 84/2011. Available at SSRN: https://ssrn.com/abstract=1924240 or http://dx.doi.org/10.2139/ssrn.1924240

W. Kuan Hon (Contact Author)

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/people/academic/hon.html

Julia Hörnle

Queen Mary University of London, School of Law ( email )

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Oxford Internet Institute

1 St Giles
Oxford, OX1 3JS
United Kingdom

HOME PAGE: http://www.oii.ox.ac.uk/

Paper statistics

Downloads
2,105
Rank
4,828
Abstract Views
7,909