In addition to intellectual property, another important legal issue for cloud computing is data protection. Most cloud computing services will involve some kind of processing of personal data. In this case, the service will need to meet the requirements of the Data Protection Directive if the customer is established, or the data is processed, in one of the 27 EU member states. In the UK the Data Protection Directive has been implemented by the Data Protection Act 1998.

Data protection obligations

In general, data protection obligations apply to data controllers, in other words the person who determines the purpose and the manner in which any data is to be processed. By contrast, a data processor (someone who processes data on behalf of the controller) only has to comply with security obligations.

Cloud computing service providers generally have little or no control over the nature of the data processed on their servers. Accordingly, they will argue that they are not able to accept liability for data quality or for obtaining individual consent to the processing of personal data. In other words, they will argue that they act as processors while their clients act as data controllers. From the customer's point of view, however, this approach puts the risk and burden of data protection compliance on the customer, who has little or no control over matters such as security and data transfers.

Data security

The Data Protection Directive and Data Protection Act require that "appropriate technical and organisational measures" are taken to protect personal data. Where a third party (a data processor) is appointed to process data, then the controller must select a cloud computing service provider who can:

· Offer appropriate levels of security.
· Evidenced in a written contract.
· Ensure compliance.
As customers will be liable under data protection legislation for any breaches of security caused by a data processor, they require audit rights for data processors. This may compromise confidentiality and security for service providers, who may use shared infrastructure for many customers and who would find multiple audit requests from clients disruptive. Furthermore, cloud computing often involves chains of sub-processors. However, in some member states, data protection law requires the controller to independently authorise all subcontracts and to enter into direct contracts with all processors.

In most member states, it is left to data controllers or processors to determine what amounts to appropriate technical and organisational measures. However, some countries (for example, Spain, Italy and Poland) have prescriptive requirements for security set out in their legislation. If a customer that operates in one of these countries wishes to put data into the cloud, then it will need the cloud computing service provider to confirm that its security arrangements meet these particular countries' laws.

Data transfer

The Data Protection Directive prohibits the transfer of personal data to third countries (non-EEA countries) that do not offer adequate protection. There are a limited number of exceptions to this rule. The main exceptions relevant to cloud computing are:

· White-listed countries.
· US-EU Safe Harbor.
· Use of EU-approved data export agreements.

The European Commission has found that the following countries provide adequate safeguards for the purposes of transferring data: Andorra, Argentina, Canada (if the relevant data controller is subject to the Personal Information Protection and Electronic Documents Act), Guernsey, The Faeroe Islands, The Isle of Man, Israel, Jersey, Switzerland.

The Safe Harbor scheme was negotiated between the EU Commission and the US government in 2000.
It consists of a set of principles and FAQs (which set out broadly equivalent rules for processing of personal data to those in the Data Protection Directive). Organisations publicly declare their participation in the scheme by registering with the Department of Commerce. Failure to comply with its principles is then actionable by the Federal Trade Commission as a deceptive or misleading trade practice. Members of the scheme select the categories of data to which they will apply the Safe Harbor principles (for example, this could be on-line data, customer data or human resources data) and must renew their participation annually. Accordingly, it is not sufficient to transfer data to a service provider with no further due diligence: a cloud customer must check the Safe Harbor list (maintained by the Department of Commerce) to see if the service provider's certification is up to date and to check that it covers the type of data the customer intends to use the service provider for.

If Safe Harbor is not available (because the service provider is not a member of the scheme or because the data are not being transferred to the US), then the next alternative is to use the export agreement. There are two types of EU-approved data export agreements: (i) for use when data are transferred to a controller and (ii) when data are transferred to a processor.

First, in the majority of the EU member states, the cloud customer will need to register its use of such agreements with the local data protection authority, or even seek prior authorisation for the transfer of the data. In some countries, this is quick and straightforward; however, in others this can be complex and time-consuming, thus detracting from the benefit of cloud computing as a low-cost, easy-to-use offering.
Second, many service providers will subcontract elements of the service, and use of subcontracting requires customer approval for all subcontractors and requires the processor to flow down specific provisions from the agreements to its subcontractors and to provide copies of the sub-processing data protection agreements to its customers.

All articles are for general purposes and guidance only and do not constitute legal or professional advice. Copyright 2010 Anassutzi & Co Limited. All rights reserved. Information may be shared or reproduced only if accompanied by the author's name and bio.