Updated 9 February 2012 for the draft Data Protection Regulation - please see links towards the end of this page.
The paper by Kuan Hon, Dr Julia Hörnle and Prof Christopher Millard reporting on this research is available via SSRN: 'Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3' - updated 9 February 2012 for the draft Data Protection Regulation. For the redlined changes from the previous version, please see this document [PDF 537KB].
This research has also been published as follows:
Where data centres located in the EEA are utilised for cloud computing services, the customers, and in some circumstances even cloud service providers, could become subject to the EU Data Protection Directive on the basis that the data centre may be an ‘establishment’ of theirs, or involves their ‘making use’ of equipment in the EEA. This may be the case whether the utilisation is direct or indirect through ‘layers’, for example where a non-EEA cloud user uses the services of an EEA provider, or indeed of a non-EEA provider who happens to use an EEA cloud provider or a data centre situated in the EEA. Software as a Service providers may similarly find themselves subject to the Directive if they save or retrieve cookies or the like on their end users’ equipment, as EU data protection regulators have asserted, not without controversy. Even within the EEA, national implementations diverge.
The current legal uncertainties are unsatisfactory, and may discourage the use of EEA data centres or EEA providers for cloud computing. We argue that Data Protection Directive obligations should be applied to entities based on country of origin, within the EEA, and targeting, for non-EEA entities, with clear tests for both concepts. If the current concepts ‘establishment’ and ‘equipment’/‘means’ are to be retained, they should be clarified and harmonised. The status of providers of physical and software infrastructure, as well as intermediate providers, would also benefit from clarification, in particular as regards which country’s security requirements and other rules apply to a cloud provider.