Re-thinking the allocation of roles under the GDPR in the context of cloud computing

Abstract

Abstract • Cloud computing is a well-established and flourishing phenomenon, whose key activity on personal data is the storage thereof. This study analyses the allocation of the controller–processor roles under the General Data Protection Regulation (GDPR) to the cloud computing actors in the context of the storage of personal data. It examines the current controller–processor model and suggests a joint controllership interpretation to the EU regulators, as a more appropriate allocation of roles in the context of cloud computing. • We argue that the prevailing controller–processor interpretation stems from the current primacy of the purpose criterion, as well as the recognition of consent as a criterion to allocate controllership. This article suggests that cloud providers control some of the essential means of the storage of personal data, thereby shifting part of the control from cloud customers to cloud providers. • If the joint controllership approach was to be followed by the EU regulators, this article argues that it would better reflect the economic and technical reality, and provide a more appropriate responsibility and liability framework for cloud providers and customers, which in turn would enhance the level of protection that data subjects should benefit from under the GDPR.