3.3.3 Issues Of No Choice (Purchaser Perspective)
Data Protection Law
There is much more to the term “data protection” than just regulation
relating to personally identifiable information. Protection of business secrets
etc. should also be discussed when referring to “data protection”.
It is the purchaser of Cloud services that remains responsible for ensuring
compliance with data protection laws for data migrated into the Cloud. The
purchaser can shift responsibility to the Cloud services provider, but even if
it does, its overall accountability remains.
When determining what data protection rules apply in cross‐border data
processing settings, the first question is that of which national data
protection law applies. Data protection issues are governed by the relevant
local data protection act, noting that data protection is subject to EU‐wide
harmonisation. Currently, the EU data protection directives provide for core
rules, leaving national data protection laws in force while the national laws
of member states implement these rules. However, in January 2012, the EU
Commission proposed to replace the national rules by one single regulation
on data protection. [42]
Within the EU framework of data protection, which distinguishes between data
controllers and data processors, two main principles determine which data
protection law applies:
State of Residence: Under the European Data Protection Directive
the "state of residence principle" applies. It states that European
data protection law is applicable if the purchaser resides in the EU.
Residence means having its registered offices or a (legally
independent) subsidiary in the EU or the EEA. The relevant factor is
thus always the purchaser and not the Cloud service provider.
Territoriality Principle: The state of residence principle is not used
without restriction. On the contrary, in some constitutions a
"territoriality principle" applies. It states
that the location of where data is processed is relevant to
determining the applicable jurisdiction. The territoriality principle
applies if the legal entity is not domiciled in an EU member state.
Accordingly, the national data protection law for the country in
which the data are actually processed then applies. German data
[42] An expanded version of this chapter can be found under