Cloud computing, trans-border data flows and the European Directive 95/46/EC: applicable law and task distribution

1. Italian case law In order to define the fundamental issues concerning trans-border data flows and their consequences on applicable law, we consider three different cases decided by the Italian Data Protection Authority (Garante per laprotezione dei dati personali). In the first case a website located in the U.S. disseminated personal information and offensive opinions regarding some researchers criticized for their experiments conducted on animals. Leaving aside the aspects relating to freedom of expression, the Italian authority considered the case from the perspective of data protection and deemed that the violations were committed through websites not subject to Italian data protection law as they were located in countries outside the European Union. [2] The second lawsuit concerned a company (Google Inc.) based, like in the first case, outside E.U., but in this case the equipment used was situated in Italy. Under Article 4 of the Directive 95/45/EC the national provisions concerning data protection are applied by each Member State when the controller: '…is not established on Community territory and, for the purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community'. [3] In line with this, the Italian DPA considered that the processing of personal data made by Google Inc. was subject to the Italian data protection law, adopted pursuant to the above mentioned Directive, because 'done using tools located in the State'. [4] The DPA drew this conclusion analysing the way in which the images were acquired in Italy by Google's cars and sent automatically to the company's server in the U.S. [5] Finally we consider a typical case of outsourcing services involving trans-border data flows: Heinz Italia S.p.a. asked the Italian DPA for a preliminary evaluation concerning its new tool called 'Heinz 360 Feedback' which aims to introduce 'a new model of business skills' based on feedback provided 'by all stakeholders' who come into contact with the employees. This feedback was to be sent to an outsourcee, located in the United States of America, compliant with Safe Harbor and qualified as a processor. [6] The Italian DPA decided that this transfer of personal data was compliant with Italian law, adopted following the EU Directive, since the data processing was related to an employment contract and the consent of data subject had …