Missing Links in the Proposed EU Data Protection Regulation and Cloud Computing Scenarios: A Brief Overview

• Author: Iheanyi Samuel Nwankwo
• Position: LL.M, Research Assistant, Institute for Legal Informatics, Leibniz University Hannover
• Pages: 32-38

2014

Iheanyi Samuel Nwankwo

32

1

Missing Links in the Proposed EU

Data Protection Regulation and Cloud

Computing Scenarios: A Brief Overview

by Iheanyi Samuel Nwankwo*, LL.M, Research Assistant, Institute for Legal Informatics, Leibniz University

Hannover

© 2014 Iheanyi Samuel Nwankwo

Everybody may disseminate this ar ticle by electroni c means and make it available for downlo ad under the terms and

conditions of the Digita l Peer Publishing Licence (DPPL). A copy of the license text may be obtaine d at http://nbn-resolving.

de/urn:nbn:de:0009-dppl-v3-en8 .

Recommended citation: Iheany i Samuel Nwankwo, Missing Links in the Proposed EU Data Pr otection Regulation and Cloud

Computing Scenarios: A Brie f Overview, 5 (2014) JIPITEC 32, para 1.

Keywords: Cloud computing, Data Protection Regulation, Data Transfer, Controller, Processor Measures, DRM

when analyzed in cloud scenarios. This paper gives a

brief overview of the relevant provisions of the regu-

lation that will have an impact on cloud transactions

and addresses the missing links. It is hoped that

these loopholes will be reconsidered before the final

version of the law is passed in order to avoid unin-

tended consequences.

Abstract: Applying location-focused data pro-

tection law within the context of a location-agnostic

cloud computing framework is fraught with difficul-

ties. While the Proposed EU Data Protection Regu-

lation has introduced a lot of changes to the current

data protection framework, the complexities of data

processing in the cloud involve various layers and in-

termediaries of actors that have not been properly

addressed. This leaves some gaps in the regulation

A. Introduction

1

Although the concept of “cloud” is metaphorical,

cloud computing currently represents another big

innovation in the IT industry that tends to maxi-

mize the use of the Internet. This is not only seen in

its concentration of large computing power in a sin-

gle space, but also in its functionality as an always

available, unlimited tool to store and access data no

matter the location.1 However, like some other tech-

nical innovations before it, it has not been easy to



to the concept as well as to bring its uses within a

legal framework. This conundrum is easily appreci-

ated when analyzing data protection laws within the

context of cloud computing, for instance, because

data represents the main raw material upon which

cloud technology thrives. The fact that more data is

constantly linking to individual persons, of course,

plausibly triggers debates concerning data protec-

tion requirements in cloud transactions (require-

ments relating to privacy, security, transparency, ac-

cessibility, and rights and freedoms of data subjects).

Such requirements could, for example, restrict per-

sonal data from being transferred from one country

to another for jurisdictional purposes.2 Cloud com-

puting, on the other hand, depends on automated

data movement around several data centers located

in different parts of the world, and relies on the In-

ternet for access to such data. This location-agnostic

feature of cloud computing potentially has several

data protection implications because of the multi-

ple jurisdictions that may be involved.