![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Abstract
Cloud users could become subject to EU data protection laws where cloud computing services utilise European Economic Area (EEA' data centres, or even EEA service providers, because such data centres or providers may be their ‘establishment’, or involve their ‘making use’ of EEA equipment. This could occur directly or indirectly, e.g. non-EEA cloud users using EEA providers, or using non-EEA providers (who themselves use EEA providers or data centres). EU data protection regulators consider that Software as a Service providers may be subject to EU laws if saving or retrieving cookies on users' equipment. Even national implementations diverge. These uncertainties may discourage using EEA data centres or EEA providers for cloud computing. This paper argues that data protection obligations should be based on clear tests involving country of origin, for EEA entities, and targeting or directing, for non-EEA entities. While the draft Data Protection Regulation would introduce country of origin and targeting approaches, it fails to address many existing problems. Certain existing concepts, if retained, require further clarification and harmonisation; some new concepts need explication. The status of physical and software infrastructure providers and intermediate providers also needs clarification, particularly regarding when EU data protection laws apply to processors, and which rules.
Acknowledgements
This article forms part of the QMUL Cloud Legal Project (‘CLP’) http://cloudlegalproject.org, Centre for Commercial Law Studies, Queen Mary, University of London (‘CCLS’). Specifically, this paper forms part 3 of a 4-part series of related CLP papers on key foundational data protection issues relevant to cloud computing, namely: what information is regulated under the DPD; who is regulated; which country's laws apply and which authorities are competent to regulate; and how can restrictions on transferring personal data outside the EEA be addressed? The first two papers covered personal data (W.K. Hon, Millard, C., and Walden, I. 2011. The problem of ‘personal data’ in cloud computing: what information is regulated?—the cloud of unknowing. International Data Privacy Law 1, no. 4: 211–228. doi: 10.1093/idpl/ipr018 (‘CLP Personal Data Paper’)) and responsibility for personal data in the cloud (W.K. Hon, Millard, C., and Walden, I. 2012. Who is responsible for ‘personal data’ in cloud computing?—the cloud of unknowing, Part 2. International Data Privacy Law 2, no. 1: 3–18. doi: 10.1093/idpl/ipr025 (‘CLP Controllers/Processors Paper’)). The fourth paper covered the DPD's data export provisions (W.K Hon, and Millard, C., 2011. Data export in cloud computing – how can personal data be transferred outside the EEA? The cloud of unknowing, part 4. Queen Mary School of Law Legal Studies Research Paper No 85/2011 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1925066> last accessed 9 February 2012).
The authors are grateful to Microsoft for generous financial support making this project possible. Views herein, however, are solely the authors'.
Notes
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281/31, 23 November 1995. The DPD extends to non-EU countries within the EEA, namely Iceland, Liechtenstein or Norway, by virtue of Joint Committee Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 amending Protocol 37 and Annex XI (Telecommunication services) to the EEA Agreement OJ L 296/41, 23 November 2000. Hence, this paper generally uses the broader ‘EEA’ instead of ‘EU’ in this paper. Unless otherwise stated, references in this paper to articles and recitals will be to articles and recitals of the DPD.
See work mentioned in Acknowledgement.
Bradshaw, S., Millard, C., and Walden, I. 2011. Contracts for clouds: comparison and analysis of the Terms and Conditions of cloud computing services. International Journal of Law and Technology 19, no. 3: 187 doi:10.1093/ijlit/ear005 (‘CLP Contracts Paper’).
See further CLP Personal Data Paper (in Acknowledgement):
| • | IaaS – computing resources such as processing power and/or storage; | ||||
| • | PaaS tools for constructing (and usually deploying) custom applications; | ||||
| • | SaaS – end-user application functionality, e.g. webmail services such as Yahoo! Mail, social networking sites such as Facebook, Salesforce's online customer relationship management service (enterprise SaaS). | ||||
CLP Contracts Paper (note 3), s 3, 8.
Heroku, ‘Can I connect to services outside of Heroku?’ <http://devcenter.heroku.com/articles/external-services> last accessed 9 February 2012. Heroku's acquisition by SaaS (and, increasingly, PaaS) provider Salesforce.com was completed in January 2011. Salesforce.com. 2011. Salesforce.com Completes Acquisition of Heroku.
Mell, P., and Grance, T. 2011. The NIST definition of cloud computing. Special Publication 800-145. US National Institute of Standards and Technology.
A separate paper discusses transferring personal data outside the EEA – see Note 2.
For example, national security, defence – art 3(2).
Kuner, C. 2007. European data protection law: corporate compliance and regulation, 2nd edn, ch 1 pt G. Oxford: Oxford University Press.
European Commission. 2012. Data protection reform: frequently asked questions. 25 January 2012. MEMO/12/41. The draft Regulation is ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final 2012/0011 (COD).
LRDP Kantor Ltd in association with Centre for Public Reform, New Challenges to Data Protection- Final Report (European Commission, 2010) [36]-[44].
Established under art 29 DPD, comprising national EU data protection regulators and the European Data Protection Supervisor (who supervises compliance by EU institutions with data protection requirements).
Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, WP 179 (2010) (‘WP179’).
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market OJ L 178/1, 17.7.2000.
See note 11.
See also Bygrave, L.A. 2001. Determining applicable law pursuant to European data protection legislation. In Ecommerce law and practice in Europe, eds. J. Hörnle, and I. Walden, 1-11, 4. Cambridge: Woodhead Publishing; however the location of equipment or means of processing is relevant, discussed at 2.3 below.
WP179; Wuermeling, U. 2000. Handelshemmnis Datenschutz, 76. Carl Heymanns Verlag.
For a detailed discussion of art 4, see Moerel, Lokke. 2011. Back to basics: when does EU data protection law apply? International Data Privacy Law 1, no. 2: 92.
For example, in the incident relating to Belgian entity SWIFT - Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), WP 128 (2006). However, the final decision of the Belgian authority was that Belgian law did not apply on US territory – Belgian Privacy Commission, Decision of 9 December 2008, Control and recommendation procedure initiated with respect to the company SWIFT scrl, [167].
Art 4(1)(a), second sentence.
Note 14.
Case C-168/84 Bergholz ECR [1985] 2251 [14]; Case C-390/96 Lease Plan Luxembourg ECR [1998] I-2553.
WP179, text to fn 19: ‘A server or a computer is not likely to qualify as an establishment as it is simply a technical facility or instrument for the processing of information’.
Note 14.
WP179 (ibid), 14.
WP179, 30.
Tribunal of Milan, Sentenza n.1972/2010.
Sartor, G., and de Azevedo, M.V. 2010. Cunha ‘The Italian Google case: privacy, freedom of speech and responsibilities of providers for user-generated contents. International Journal of Law and Information Technology 18, no. 4: 356–378, 363.
Ibid.
The Italian version of the DPD also refers to ‘context’, contesto.
Article 29 Working Party, Opinion 1/2008 on data protection issues related to search engines, WP 148 (2008) (‘WP148’), 10.
WP179, 15.
Ibid.
Draft Regulation arts 3(1), 4(13) and 51(2); see also recitals 19, 27, 63-64, 97-98, art 34(5).
See Greenleaf, Graham. 2012. Global data privacy laws: 89 countries and accelerating. Queen Mary School of Law Legal Studies Research Paper No 98/2012 <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2000034> last accessed 9 February 2012.
Ships could be moored in territorial waters, or outside territorial waters. If outside EU territorial waters, EU laws may not apply, but the laws of the flag state – which could be non-EU – could.
See Dignan, Larry. 2009. Google wins floating data center patent (Between the Lines, ZDNet 2009) <http://www.zdnet.com/blog/btl/google-wins-floating-data-center-patent/17266> last accessed 9 February 2012.
Although other factors may influence server location, e.g. tax.
Art 4(2) DPD.
WP179, 23.
WP179, 19 – it nevertheless calls for a clarification of the issue in the revision of the DPD, ibid 30.
Bygrave (note 17) 7.
‘moyen’.
‘Mittel’.
WP179, 20.
Ibid.
WP148 (n 36) 10-11.
WP179, 20.
Wuermeling, U. 2000. Handelshemmnis Datenschutz, 78. Berlin: Carl Heymanns Verlag.
Wuermeling, U. 2000. Handelshemmnis Datenschutz, 78, 20. Berlin: Carl Heymanns Verlag.
(CA) [2003] EWCA Civ 139 [45]-[47].
See s 5(1)(b) Data Protection Act 1998, implementing art 4(1)(c) of the DPD.
European Commission. 2003. First Report on the Implementation of Directive 95/46/EC COM(2003)265 final, 17; Bygrave (note 17), 9.
WP179, 21, 32.
Draft Regulation arts 3(2), 25(2)(d), 25(3); see also recitals 20-21, 63-64, 105. Recital 21 expands on what is considered ‘monitoring’ – ‘whether individuals are tracked on the internet with data processing techniques which consist of applying a “profile” to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes’. Such a controller must also appoint an EEA representative – in only one of the Member States concerned, rather than all of them – who interacts with EEA supervisory authorities (and is liable in the EEA for penalties – art 78(2)) – unless the controller is established in a third country ensuring an adequate level of protection, is a small or medium sized enterprise or public authority or body, or is ‘only occasionally’ offering goods or services to EEA residents – art 25, recitals 63-64. Such a controller (and indeed, processors) must also appoint an independent data protection officer to assist it internally on compliance, if it is in the public sector, is a large enterprise, or (whatever its size) if its ‘core activities’ ‘involve’ processing operations which ‘require’ ‘regular and systematic monitoring’ – art 35(1), recital 75. A large enterprise is one that has at least 250 employees.
Cookies are text files which are ‘set’, i.e. saved onto a user's computing equipment by the user's web browser, when the user visits a webpage with the browser and the browser automatically follows instructions sent by the web server to save the cookie. Cookies may be retrieved from the user's equipment and ‘read’ by the website on subsequent browser visits to the site. Cookies may also be set by Javascript or other scripts run by the browser, e.g. after automatically downloading the script from a visited webpage. Information saved in a cookie may be used for authentication, identifying a user session, saving user's preferences or shopping cart contents, or other purposes – A Barth, Internet Engineering Task Force (IETF), ‘Request for Comments 6265 HTTP State Management Mechanism’ (2011) ISSN: 2070-1721.
See the discussion above.
WP148 (n 36), 10-11; Article 29 Working Party, Opinion 5/2009 on online social networking WP 163 (2009), 5, and WP179, 21.
That is, setting.
WP179, 22.
CLP Controllers/Processors Paper (see Acknowledgement).
Unless and until they access the data – ibid.
Although in some circumstances the PaaS or IaaS provider might become a controller – ibid.
For example, the Dutch data protection authority seems to interpret ‘established’ in art 4(1)(a) to require incorporation under Netherlands law, thus applying Dutch data protection laws on the ‘establishment’ ground only to Dutch corporations, see Moerel (note 19). For an outline of several different national implementations of ‘establishment’, see Korff, Douwe. 2010. New Challenges to Data Protection Working Paper No 2 - Data protection laws in the EU: The difficulties in meeting the challenges posed by global social and technical developments, 27–29. European Commission.
WP179, 12.
In one case on freedom of establishment, an English bookmaker Stanley had commercial agreements with Italian operators or intermediaries relating to the creation of data transmission centres to make electronic means of communication available to Italian users, collect and register users' intentions to bet, and forward them to Stanley in the UK. The ECJ considered that these arrangements involved Stanley having a presence, indeed ‘agencies’, in Italy, and that: ‘Where a company established in a Member State (such as Stanley) pursues the activity of collecting bets through the intermediary of an organisation of agencies established in another Member State (such as the defendants in the main proceedings), any restrictions on the activities of those agencies constitute obstacles to the freedom of establishment’. Case C-243/01 Gambelli e.a. [2003] ECR I-13031 [14], [46].
There is no requirement for ‘context’ in the laws of Finland, Greece and Sweden, while Austria's law applies simply to ‘processing of personal data in Austria’ – European Commission. 2003. Analysis and impact study on the implementation of Directive EC 95/46 in Member States, 6 and Mitrou, Lilian. 2010. New challenges to data protection country study A.5 – Greece, 6–7. European Commission. Italy's law applies to ‘processing of personal data, by anyone, carried out on the territory of [Italy]’, Denmark's law to activities by a Denmark-based controller, but only if those activities ‘are carried out within the territory of the European Community’. Korff (note 65) 28.
If Austrian and German laws conflict, however, German law would apply as regards the security requirements – see section 4 below.
16–17.
See 3.2.3 below on ‘relevant’ establishment.
Ibid.
WP179, 12. Korff (note 65) 25 considers ‘An agent used on an ad hoc basis is not an establishment of the controller but merely a “processor” (although if the arrangements between the controller and the agent become quasi-permanent, this could change)’.
note 32.
See recital 19, text after note 23, above.
That is, a dedicated managed private cloud, but this analysis could apply equally to a traditional IT outsourcing involving dedicated managed hosting using an EEA data centre.
While acknowledging that ‘it is not clear whether this and subsequent interpretations by the ECJ as regards the freedom of establishment under art 50 TFEU could be fully applied to the situations covered by art 4 of the Data Protection Directive’ – WP179, 11. Moerel (note 19) suggests that it would be more appropriate to consider the jurisprudence on ‘establishment’ under the EU legislation on e-commerce and broadcasting.
WP179, 12.
Section 5 UK Data Protection Act 1998 is in almost identical terms.
Art 5(1) Loi du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés: ‘a controller is deemed to be established [in France] if he carries out an activity on French territory in the context of an establishment [installation], whatever the legal form [of that establishment]’. Translation from Korff, Douwe. 2010. New challenges to data protection country study A.3 – Greece. European Commission.
Kuner, C. 2007. European data protection law: corporate compliance and regulation, 2nd edn, 122 (d). Oxford: Oxford University Press. The DPD contains no concept of piercing the corporate veil.
This paper considers further below the ‘transit through’ exception and the condition that the ‘controller is not established on Community territory’.
WP148 (note 32) 11.
See text to note 101.
Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, WP 56 (2001) (‘WP56’) 9.
24.
25. Kuner (note 81) 4.33 discusses a view that if an EEA Member State's law applies to a non-EEA person by virtue of art 4, the data export restriction should not apply, as the purpose of the restriction is to ensure that substantive data protection law requirements apply to the data, and that person will be bound by those substantive laws under art 4 so transfer of the data to it should not be restricted.
Again this discussion could apply equally to a traditional IT outsourcing.
Indeed, the CNIL considers that if a controller established outside the EU sends a paper form to a data subject in France, the form constitutes a ‘means’ used to process data. Korff (note 65), 30.
CNIL, ‘CNIL facilitates the use of outsourcing services performed in France on behalf of non-European companies’ (CNIL, 2011).
Délibération no. 2011-023 du 20 janvier 2011 dispensant des traitements automatisés effectués sur le territoire français par des prestataires agissant pour le compte de responsables de traitement établis hors de l'Union européenne et concernant des données personnelles collectées hors de l'Union européenne (dispense no. 15) (2011) – i.e. the processing of personal data relating to employees, clients and prospects, for the purposes of managing payroll, employees, clients and prospects, is exempt from obligations of: notification, authorisation by the CNIL of data transfer back outside the EU, and (if it would involve disproportionate effort) informing the data subjects about that processing.
Whether, if Provider is incorporated in another EEA Member State, that State's laws also apply (on the ‘establishment’ or ‘equipment’ ground), is another matter, depending on that State's national implementation of the DPD.
WP56 (note 85), 9.
See the CLP Controllers/Processors Paper (see Acknowledgement).
Even if Provider were considered a controller, that would not exclude the possibility of Customer (who remains a controller) still being considered to use equipment in the EEA through Provider.
Assuming that Customer has no establishment in the EEA in the context of which such personal data processing is taking place. Or in the words of WP179, 20, ‘provided they are not acting in the context of the activities of an establishment of the controller in the EEA – in which case art 4(1)(a) would apply.’
WP179, 31.
Ibid 20.
WP56 (note 85), WP148 (note 32) 10–11, WP179.
Moerel (note 19), paragraph containing fn 78.
24.
WP179, 32.
Moving data processing to data centres which have the most available energy (e.g. solar power when the sun is shining, or a wind powered data centre when it is windy there), or to certain regions during working hours for those regions when employees are most likely to need to use the data –<http://en.wikipedia.org/wiki/Follow-the-sun> last accessed 9 February 2012.
Korff (note 65) 30.
European Commission. 2003. Analysis and impact study on the implementation of Directive EC 95/46 in Member States, 7.
Even so, there still remains the difficult issue of what ‘context’ means and whether, if a data centre is an establishment, personal data processing taking place within its servers should be considered ‘in the context’ of its activities.
WP179, 25.
Kuner (note 81), 5.137.
WP179, 25.
European Commission. 2010. A comprehensive approach on personal data protection in the European Union. (Communication) COM. 609 final (November 2010), 17.
LRDP Kantor Ltd (note 12), [44].
Ibid.
WP179, 31. See also LRDP Kantor Ltd (note 12), 26. On the draft Regulation see note 11.
Ibid.
Ibid.
Joined Cases C-585/08 and C-144/09, Peter Pammer v Reederei Karl Schlüter GmbH & Co. KG (C-585/08) and Hotel Alpenhof GesmbH v Oliver Heller (C-144/09), judgment 7 December 2010 (not yet reported in ECR).
[75].
[82].
[93].
WP179, 31.
Ibid.
Ibid, see also Bygrave (note 17) 10–11.
Asahi Metal Industry Co v Superior Court 480 US 102 (1987) – this case turned on whether there were sufficient minimum contacts, rather than knowledge as such and it concerned goods rather than services, but the rationale can be applied by analogy.
For a similar argument see MacDonald, A. 2009. Youtubing Down the Stream of Commerce. Albany Law Journal of Science and Technology 19: 519–556, 552–556.
Reding, Viviane. 2011. Your data, your rights: safeguarding your privacy in a connected world. (Privacy Platform ‘The Review of the EU Data Protection Framework’ Brussels, 16 March 2011) SPEECH/11/183.
For example, Reding, Viviane. 2011. The reform of the EU Data Protection Directive: the impact on businesses. (European Business Summit Brussels, 18 May 2011) SPEECH/11/349.