I Soggetti Coinvolti nel Trattamento dei Dati Personali nel Cloud Computing: la Rottura del Dualismo Controller-Processor- Conference "Getting around the cloud(s) - Technical and legal issues on Cloud services”

Authors: Gianclaudio Malgieri


The current data protection directive is inadequate to cope with the complexity of the technology of cloud computing. However, the Proposed General Data Protection Regulation seems to offer a suitable solution to this problem.
The main issue is to establish who is the controller, and who is the processor in the cloud computing data processing, even considering all intermediate or subordinate positions and the two different kinds of data: user- related personal information and cloud-processed personal information.

Several asymmetries complicate this qualification: a contractual and a structural asymmetry does not allow the “user” to be defined a data-controller, in fact, although he determines “scope” and “means” of the treatment, he is a mere “cloud consumer” (users ignore individuals involved in the treatment, the location of the servers where data are collected, and their displacement; he can neither determine autonomously technical or security means of the processing and he just accepts a standard contract). On the other side, an information asymmetry does not allow the “provider” to be defined a data-processor (providers accesses to data just incidentally and just for technical purposes and usually fragments data so that they are not intelligible as personal data). Moreover, if the user is proved to be the “controller” he would be covered by the “household exemption”, with the paradox that the only subject which would be legally liable is the provider-processor (whose role depends on the decisions of the controller).

This context is further complicated by the more and more diffused practice to outsource the cloud providing service to sub-contractors (“sub-processors”).
Fortunately, the Proposed Regulation can provide a general solution to these problems by the new figure of the “joint-controller” (art. 24) and the more onerous figure of the processor (with precise requirements for the “sub- processor”).

This paper proposes to break the dualism controller/processor and espouse a multi-level, transverse and functionalist approach: so for cloud-processed data, the user would be a “subject/joint-controller”, the provider a “processor/joint-controller”. In fact, the purposes of the processing are mainly determined by the users; while conditions and technical means are determined by the provider and the choice of security means is shared. It is also interesting to underlined that the Proposed Regulation specifies that processors who processes data beyond the controller’s instructions is to be considered as a joint controller (art. 26).

Obviously, the breach of dualism controller/processor requires precise and accurate Terms of Use. From a general review of the terms of use of several popular cloud services, none of them defines precisely the role of provider. The most desirable solution would be the development of a European standard for privacy terms clarifying the different functions, responsibilities, rights and duties for all different subjects involved in a cloud service.

Keywords: joint controller - data controller - data processor - sub-processor - cloud computing – privacy - Data Protection Regulation - cloud provider - cloud consumer - cloud user