SOME KEY QUESTIONS REGARDING CLOUD DATA PROTECTION. TOWARDS A "NEBULOUS" REGULATION

This article points out some of the deficiencies in the old, and now superseded, national and European data protection regulations applicable to cloud computing, and the action of data protection institutions to correct these deficiencies. It also analyses the awaited European data protection regulation on cloud services, in particular regarding the duties of the cloud service provider as "processor" and the cloud customer as "controller". Likewise, the article details demands regarding the contracts and outsourcing of cloud services. As regards the requirements for international transfers of data to third countries, the article looks at standard contractual clauses and Binding Corporate Rules as ways of relaxing the need for prior authorisation. Finally, the article discusses the role of private technical standards on cloud services (such as ISO standards or self-regulation rules), as well as the future technical regulations of public origin (by the European Commission or by each state, depending on the final version of the European data protection regulation). This co-regulatory complex implies, in the author's view, a "nebulous" legal system.