In this paper, we analyse the results of a detailed survey of the privacy policies, and data protection terms more broadly, of 40 major cloud computing services, including Amazon Web Services, Google Cloud, and Microsoft Azure. We review terms relating to controller and processor designations;...

Effective protection of individuals under the EU’s General Data Protection Regulation (‘GDPR’) depends mainly on the ‘accountability’ of one or more persons, usually organizations, for ensuring compliance with relevant obligations. As we will see, identifying the ‘controllers’,...

In this paper we explore the rights that individuals have under the EU’s General Data Protection Regulation (‘GDPR’) when their data are processed in clouds, and the remedies that might be available to them if those rights are breached. The complex nature of cloud ecosystems can make it...

Where data centres located in the European Economic Area ('EEA') are utilised for cloud computing services, the customers, and in some circumstances even cloud service providers, could become subject to the EU Data Protection Directive on the basis that the data centre may be an...

Cloud computing service providers, even those based outside Europe, may become subject to the EU Data Protection Directive's extensive and complex regime purely through their customers' choices, of which they may have no knowledge or control. We consider the definition and application of the EU...

In part one of this series, we considered what information is regulated as 'personal data' in the cloud. In this part two, we develop further the argument made in part one that it is not appropriate for infrastructure cloud providers, many of which are based outside Europe, to become subject...

The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data...

Data intermediaries serve as a mediator between those who wish to make their data available, and those who seek to leverage that data. The intermediary works to govern the data in specific ways, and provides some degree of confidence regarding how the data will be used.

Personal information management systems (PIMS) aka personal data stores (PDSs) represent an emerging class of technology that seeks to empower individuals regarding their data. Presented as an alternative to current ‘centralised’ data processing approaches, whereby user data is (rather...

While discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting-edge' – pushing the boundaries of technologies that typically lack established...