| dc.description |
Part 1<sup>1</sup> considered what information is regulated as ‘personal data’ in the cloud. In part 2, we develop the argument that it is inappropriate for infrastructure cloud providers, many of which are based outside Europe, to become subject arbitrarily to EU Data Protection Directive obligations due to their users' choices.EU data protection responsibilities are imposed primarily on ‘controllers’, who may engage ‘processors’. We suggest that end-to-end accountability should replace the binary controller/processor distinction, given today's environment of complex chains of actors.While cloud computing providers are commonly considered processors or controllers, we further argue that many providers are not even ‘processors’, but simply provide resources for use by others. Infrastructure as a Service, Platform as a Service, and certain Software as a Service providers, who offer no more than utility infrastructure, will often not know whether information processed through their services is ‘personal data’—hence, the ‘cloud of unknowing’. They are qualitatively distinct from services like social networking websites.We suggest such providers should be considered mere neutral intermediaries. Existing liability defences for certain providers under the EU Electronic Commerce Directive, to help foster electronic commerce, cease upon the provider having knowledge and control. Similarly, our proposed intermediary immunity from data protection obligations would cease if the provider gains the requisite knowledge and/or requisite access to personal data.It may also behove cloud computing providers to develop appropriate industry standards/best practices to help provide a clear boundary between this intermediary status and ‘processor’ (or even ‘controller’) status. |
