06 April 2011

Privacy in the cloud

'The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated?' (Queen Mary University of London, School of Law Legal Studies Research Paper No. 75/2011) by W Kuan Hon, Christopher Millard & Ian Walden argues that -
Cloud computing service providers, even those based outside Europe, may become subject to the EU Data Protection Directive's extensive and complex regime purely through their customers' choices, of which they may have no knowledge or control. We consider the definition and application of the EU 'personal data' concept in the context of anonymisation / pseudonymisation, encryption and data fragmentation in cloud computing, arguing that the definition should be based on the realistic risk of identification, and that the applicability of data protection rules should be based on the risk of harm and its likely severity. In particular, the status of encryption and anonymisation / pseudonymisation procedures should be clarified to promote their use as privacy-enhancing techniques; data encrypted and secured to recognised standards should not be considered 'personal data' in the hands of those without access to the decryption key, such as many cloud computing providers; and finally, unlike, for example, social networking sites, Infrastructure as a Service and Platform as a Service providers (and certain Software as a Service providers) offer no more than utility infrastructure services, and may not even know if information processed using their services is 'personal data' (hence, the 'cloud of unknowing'), so it seems inappropriate for such cloud infrastructure providers to become arbitrarily subject to EU data protection regulation due to their customers' choices.

The authors conclude -

We have advanced proposals which we suggest would enable data protection laws to cater for cloud computing and other technological developments in a clearer and more balanced way.

An accountability approach to data protection responsibilities should be taken by raising the threshold inherent in the 'personal data' definition, basing it instead on the realistic risk of identification and considering a continuum or spectrum of parties (depending on the circumstances) who may be processing personal data, each having varying degrees of obligations and liabilities under data protection law, with the risk of identification and risk of harm (and its likely severity) being the key factors. Such an approach should result in lighter, or even no, data protection regulation of passive utility infrastructure cloud providers, while reinforcing the obligation of cloud providers who knowingly and actively process personal data to handle such data appropriately.

More specifically, it is important to clarify the status of encrypted data and anonymised data to ensure that securely-encrypted data are not treated as 'personal data'. The legal status of the encryption or anonymisation procedure, i.e. converting personal data into an encrypted or anonymised state, also needs consideration and clarification.

As for the industry, cloud computing providers, especially infrastructure providers, may wish to consider developing and putting into place measures to minimise the likelihood of their cloud service being regulated inappropriately by EU data protection laws, such as encryption at the user end by default. They may also benefit from providing more transparency on their sharding and other operational procedures, and from continuing work on developing industry standards, such as on encryption of data to be stored in the cloud, including various elements of privacy by design. Such an emphasis on standards, while facilitating a more flexible and pragmatic approach to the regulation of the various actors in the cloud ecosystem, should also help to shift regulatory focus back to protecting the interests of individuals.
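The arrangement the authors recommend, encryption at the user end by default so that the provider holds ciphertext without the key, can be shown concretely. The following Go program is an added example written for this post; it is not code from the paper or from any provider. The customer seals each record with AES-256-GCM under a key generated and kept on the client, and a stand-in object store receives only the opaque blob. The names ClientKey, Seal, Open, ProviderStore and BlobRevealsPlaintext, and the sample record, are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientKey is a 256-bit AES key generated and held on the customer's side.
// In the arrangement modelled here it is never sent to the provider.
type ClientKey [32]byte

// NewClientKey draws a fresh key from the OS CSPRNG.
func NewClientKey() (ClientKey, error) {
	var k ClientKey
	if _, err := rand.Read(k[:]); err != nil {
		return ClientKey{}, err
	}
	return k, nil
}

func newGCM(key ClientKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM before it leaves the client.
// The record identifier is bound as associated data so a blob cannot be
// silently re-filed under another identifier. Layout: nonce || ciphertext || tag.
func Seal(key ClientKey, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It fails on a wrong key, a wrong record identifier or
// any modification of the blob, because GCM authenticates ciphertext and AAD.
func Open(key ClientKey, recordID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

// ProviderStore stands in for an IaaS/PaaS object store: it keeps opaque
// blobs by identifier and holds no key material at all.
type ProviderStore struct{ blobs map[string][]byte }

func NewProviderStore() *ProviderStore { return &ProviderStore{blobs: map[string][]byte{}} }
func (s *ProviderStore) Put(id string, blob []byte) { s.blobs[id] = blob }
func (s *ProviderStore) Get(id string) ([]byte, bool) { b, ok := s.blobs[id]; return b, ok }

// BlobRevealsPlaintext reports whether the stored blob contains the record in
// clear, i.e. whether what the provider holds is recognisable as the data.
func BlobRevealsPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the value is illustrative only.
	record := []byte("name=Alice Example;dob=1980-01-01")
	blob, err := Seal(key, "customer/42", record)
	if err != nil {
		panic(err)
	}
	store := NewProviderStore()
	store.Put("customer/42", blob)

	held, _ := store.Get("customer/42")
	fmt.Println("provider sees plaintext:", BlobRevealsPlaintext(held, record))
	if _, err := Open(ClientKey{}, "customer/42", held); err != nil {
		fmt.Println("provider-side decrypt without the key:", err)
	}
	back, err := Open(key, "customer/42", held)
	fmt.Println("client decrypt ok:", err == nil && bytes.Equal(back, record))
}
```

The point for the paper's argument is the division of knowledge: the store can copy, shard or replicate the blob but cannot read it, and any alteration is detected when the customer opens it. Whether such data then counts as 'personal data' in the provider's hands is the legal question the authors raise; the example only shows what the provider actually holds. Binding the record identifier as associated data is a design choice beyond the bare recommendation, added so that blobs cannot be swapped between identifiers without detection.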