Abstract

Cloud users could become subject to EU data protection laws where cloud computing services utilise European Economic Area (EEA' data centres, or even EEA service providers, because such data centres or providers may be their ‘establishment’, or involve their ‘making use’ of EEA equipment. This could occur directly or indirectly, e.g. non-EEA cloud users using EEA providers, or using non-EEA providers (who themselves use EEA providers or data centres). EU data protection regulators consider that Software as a Service providers may be subject to EU laws if saving or retrieving cookies on users' equipment. Even national implementations diverge. These uncertainties may discourage using EEA data centres or EEA providers for cloud computing. This paper argues that data protection obligations should be based on clear tests involving country of origin, for EEA entities, and targeting or directing, for non-EEA entities. While the draft Data Protection Regulation would introduce country of origin and targeting approaches, it fails to address many existing problems. Certain existing concepts, if retained, require further clarification and harmonisation; some new concepts need explication. The status of physical and software infrastructure providers and intermediate providers also needs clarification, particularly regarding when EU data protection laws apply to processors, and which rules.