34
harmonised areas, since the EU usually grants its member states a certain
leeway as far as the transposition of EU‐rules is concerned. However within
the community one at least profits from a common legal basis.
The location of the core IT servers can have a significant role in this context;
this is why it is usually considered an important criterion when selecting a
Cloud provider. Even if the general law of the country, in which the server is
located, may not be applicable, the location may nevertheless be relevant
for certain important fields of law, for instance for compliance, insolvency
law or tax law. The relevance of the location of the server may vary since it
depends on the national law, after which it is evaluated. However, despite
the lack of any generally applicable conclusions, certain tendencies
nevertheless exist. As an example, countries aim to make certain provisions
of public law, such as tax law, data protection and sometimes compliance
applicable solely on the basis of the location of the IT servers.
2.3.2
Data protection
In light of the transnational usage of common data, perhaps even typical, for
Cloud Computing, it is imperative to know the applicable national data
protection law. The reason for this is that data protection law does not
follow any contractual choice of law, that is the possibility to agree upon the
country whose law shall be applicable.
Within the EU, data protection law is partly harmonised by the Data
Protection Directive. The directive applies on the one hand, if the controller
is established in the EU, thus if it has its seat or a (legally independent)
establishment within the EU or the EEA, and is processing data there. On the
other hand EU law applies if the entity has no seat within an EU member
state but actually processes data within the EU. Following these principles,
the user of Cloud services is responsible for the usage of data to be
permissible and legal. Therefore the laws of his jurisdiction shall apply and
not those of the Cloud provider’s. The notable exceptions to this are
obligations deriving from public law (e.g. notification requirements). Over
time, technological advances have required member states to find solutions
for questions not addressed in the directive from 1995, thus further
reducing harmonization. The EU’s answer to this is the draft of a new and
modern Data Protection Regulation presented in 2012. As a regulation, it
will be directly applicable in all member states and, according to the plans of
the EU, shall enter into force rather sooner than later.