Following a recent ICO seminar on cloud computing, the ICO says that ‘under normal circumstances a cloud provider is the data processor on behalf of the cloud client who is the data controller’. However, cloud providers that are asked to release personal data under the US Patriot Act, and do so, will be regarded as the data controller in respect of that disclosure.
‘This is because it is making the decision to disclose based on a legal obligation it is under regardless of the client’s wishes. Regulatory action against the client is unnecessary because the client has not acted wrongly simply because it has chosen a provider which is subject to foreign law enforcement agency requests. Regulatory action against a provider, in its role as a data controller, is unlikely because it is responding to a request it is legally obliged to comply with. However if the request comes from a country which has questionable rule of law – then we would have to consider the issue on the facts of the matter’, the ICO says.
The ICO is planning to issue guidance on the cloud, and will seek stakeholders’ input once the first draft is ready.