'Personal Data' in Cloud Computing
A paper by Kuan Hon, Prof Christopher Millard and Prof Ian Walden reporting on this research is available via SSRN: "The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1".
This research has also been published as follows:
- Data protection, the law and you - The cloud of unknowing, and the "personal data" problem, ComputerWorldUK Cloud Vision blog, 13 Apr 2011
- The problem of 'personal data' in cloud computing: what information is regulated? The cloud of unknowing, W Kuan Hon, Christopher Millard and Ian Walden, International Data Privacy Law (2011) 1 (4): 211-228. doi: 10.1093/idpl/ipr018, published online 14 Sept 2011 (full text free to access)
Cloud computing service providers, even those based outside Europe, may become subject to the EU Data Protection Directive's extensive and complex regime purely through their customers' choices, of which they may have no knowledge and over which they may have no control. This research considers the definition and application of the EU 'personal data' concept in the context of anonymisation / pseudonymisation, encryption and data fragmentation in cloud computing. It argues that the definition should be based on the realistic risk of identification, and that the applicability of data protection rules should be based on the risk of harm and its likely severity.
In particular, the status of encryption and anonymisation / pseudonymisation procedures should be clarified to promote their use as privacy-enhancing techniques, and data encrypted and secured to recognised standards should not be considered 'personal data' in the hands of those without access to the decryption key, such as many cloud computing providers.
Finally, unlike social networking sites, for example, Infrastructure as a Service and Platform as a Service providers (and certain Software as a Service providers) offer no more than utility infrastructure services, and may not even know whether information processed using their services is 'personal data' (hence the 'cloud of unknowing'). It therefore seems inappropriate for such cloud infrastructure providers to become subject to EU data protection regulation arbitrarily, as a result of their customers' choices.
