The paper by Kuan Hon, Prof Christopher Millard and Prof Ian Walden reporting on this research is available via SSRN: 'Who is Responsible for 'Personal Data' in Cloud Computing? The Cloud of Unknowing, Part 2 '.
This research has been published as follows:
In part one of this series, we considered what information is regulated as 'personal data' in the cloud. In part two, we develop further the argument made in that it is not appropriate for infrastructure cloud providers, many of which are based outside Europe, to become subject arbitrarily to obligations under the EU Data Protection Directive due to choices made by their users.
EU data protection responsibilities and liabilities are imposed primarily on the 'controller', who may employ 'processors' to process data for it. We suggest, as with the concept of 'personal data', that the binary nature of the controller/processor distinction is no longer tenable. In today's environment of complex chains of actors, end to end accountability should replace the binary distinction. While cloud computing service providers are commonly considered processors or controllers, our paper further argues that many infrastructure cloud computing providers are not even 'processors', but simply provide facilities and/or tools for use by the controller/cloud user. Infrastructure as a Service and Platform as a Service providers, and certain Software as a Service providers, who offer no more than utility infrastructure services, will often not know whether information stored or processed through their services is 'personal data' or not – hence, the 'cloud of unknowing'. Infrastructure cloud providers are qualitatively distinct from services such as social networking websites.
We suggest that infrastructure cloud computing providers should be considered mere neutral intermediaries. Existing liability defences for certain service providers under the EU Electronic Commerce Directive, to help foster electronic commerce, are lost upon the provider having knowledge and control. Similarly, our proposed intermediary immunity from data protection obligations would be lost if the provider gains the requisite knowledge and/or the requisite access to such data. It may also behove cloud computing providers to develop appropriate common industry standards and best practices measures in order to help provide a clear boundary between this intermediary status and 'processor' (or even 'controller') status.