Regulation of International Data Transfers in Clouds: The Impact of the GDPR

Chapter 10, ‘Regulation of International Data Transfers in Clouds’, in C. Millard (ed.) Cloud Computing Law, (2nd edn, OUP 2021)

57 Pages Posted: 25 Jan 2023 Last revised: 14 Apr 2023

See all articles by Ulrich Wuermeling

Ulrich Wuermeling

Queen Mary University of London, School of Law

Isabella Oldani

Queen Mary University of London, School of Law

Date Written: October 22, 2022

Abstract

The EU’s General Data Protection Regulation (‘GDPR’) has a ‘long-arm’ reach, or extraterritorial application, that extends well beyond Europe. The rules apply to processing that takes place anywhere in the world in the context of an establishment in the European Union ('EU’). This means, for example, that a company based in France may need to comply with the GDPR when it is using cloud services in the United States. In addition, the GDPR regulates processing by organisations based outside the EU for purposes of offering goods or services to, or monitoring the behaviour of, individuals in the EU. So, for example, a Chinese company that targets its services to individual customers in Germany, or which monitors the activities of service users in Sweden, may also be subject to the GDPR. Where the provision and use of cloud services involve transfers of personal data out of the EU, the GDPR’s restrictions on transfers of data to countries without an ‘adequate’ level of protection will apply. The third country transfer restriction can be highly problematic in cloud environments, not least because of a lack of clarity as to whether, and how, specific legal and technical mechanisms may be used to demonstrate that transfers are compliant. We explore these issues in this paper.

Keywords: Cloud Computing, Cloud Services, Data Protection, Privacy, Data Transfers, Contracts, Privacy Policy, Terms of Service, Data Subject, European Union, General Data Protection Regulation, GDPR

JEL Classification: K1, K2, K12, K23, K33, L81, L86, M1, M15, M16, O3, O33

Suggested Citation

Wuermeling, Ulrich and Oldani, Isabella, Regulation of International Data Transfers in Clouds: The Impact of the GDPR (October 22, 2022). Chapter 10, ‘Regulation of International Data Transfers in Clouds’, in C. Millard (ed.) Cloud Computing Law, (2nd edn, OUP 2021), Available at SSRN: https://ssrn.com/abstract=4255861 or http://dx.doi.org/10.2139/ssrn.4255861

Ulrich Wuermeling

Queen Mary University of London, School of Law ( email )

Mile End Road
Lincoln's Inn Fields
London, London E1 4NS
United Kingdom
07572603863 (Phone)

Isabella Oldani (Contact Author)

Queen Mary University of London, School of Law ( email )

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
763
Abstract Views
1,210
Rank
60,658
PlumX Metrics