Regulation of International Data Transfers in Clouds: The Impact of the GDPR
Chapter 10, ‘Regulation of International Data Transfers in Clouds’, in C. Millard (ed.) Cloud Computing Law, (2nd edn, OUP 2021)
57 Pages. Posted: 25 Jan 2023. Last revised: 14 Apr 2023
Date Written: October 22, 2022
Abstract
The EU’s General Data Protection Regulation (‘GDPR’) has a ‘long-arm’ reach, or extraterritorial application, that extends well beyond Europe. The rules apply to processing that takes place anywhere in the world in the context of an establishment in the European Union (‘EU’). This means, for example, that a company based in France may need to comply with the GDPR when it is using cloud services in the United States. In addition, the GDPR regulates processing by organisations based outside the EU for purposes of offering goods or services to, or monitoring the behaviour of, individuals in the EU. So, for example, a Chinese company that targets its services to individual customers in Germany, or which monitors the activities of service users in Sweden, may also be subject to the GDPR. Where the provision and use of cloud services involve transfers of personal data out of the EU, the GDPR’s restrictions on transfers of data to countries without an ‘adequate’ level of protection will apply. The third country transfer restriction can be highly problematic in cloud environments, not least because of a lack of clarity as to whether, and how, specific legal and technical mechanisms may be used to demonstrate that transfers are compliant. We explore these issues in this paper.
Keywords: Cloud Computing, Cloud Services, Data Protection, Privacy, Data Transfers, Contracts, Privacy Policy, Terms of Service, Data Subject, European Union, General Data Protection Regulation, GDPR
JEL Classification: K1, K2, K12, K23, K33, L81, L86, M1, M15, M16, O3, O33