THE PROTECTION OF PERSONAL DATA PROCESSED IN CLOUD SERVICES
DOI:
https://doi.org/10.15407/econlaw.2025.03.064
Keywords:
business-to-government data sharing, data protection, service provider, security protocols, confidential information
Abstract
The research on the regulation of cloud services aims to address the issue of cloud technologies law, as well as the issue of the responsibility of business and government agencies for the processing and use of business-to-government (B2G) data in the digital environment.
In particular, the entry into force of the Law of Ukraine "On Cloud Services" on September 16, 2022 and the adoption by the Cabinet of Ministers of Ukraine on February 11, 2025 of the Resolution "Some Issues of the Provision and Use of Cloud Services and/or Data Center Services" significantly affect legal practice, especially practice related to the exchange of B2G data. These innovations create new legal requirements and obligations that must be taken into account when providing and using cloud services and data center services. In the context of Ukraine's integration into the European legal environment, it is important to consider these issues through the prism of European Union law, such as the GDPR.
This paper analyzes the Azure (2021) and FisconetPlus (2020) cases to highlight key data protection challenges in public sector cloud adoption. It reveals issues such as a lack of transparency, excessive data processing, insufficient safeguards, and unclear responsibilities between authorities and cloud providers. The cases underscore the importance of applying GDPR principles like data minimization and privacy by design at all stages, including testing. Lessons from these cases inform recommendations for secure and compliant cloud implementation in Ukraine's public administration.
Given that many enterprises and government agencies are now actively implementing cloud services, law practitioners must be prepared to provide legal assistance in matters of data protection, compliance with regulatory requirements, and the safeguarding of clients' rights and interests in the context of new technological challenges. Thus, the proposed outcome of the research is necessary for professionals so that they can effectively respond to legal challenges arising in the process of integrating new technologies within the framework of national and European legislation, and provide proper legal support to businesses and government agencies working with cloud technologies.
References
Fosch-Villaronga, E., & Millard, C. (2019). Cloud robotics law and regulation. Robotics and Autonomous Systems, 119, 77–91. https://doi.org/10.1016/j.robot.2019.06.003
Sharma, P., Sharma, M., & Elhoseny, M. (Eds.). (2021). Applications of cloud computing : approaches and practices (First edition.). Chapman & Hall/CRC. https://doi.org/10.1201/9781003025696
Calder, A. (2021). EU Code of Conduct for Cloud Service Providers - A compliance guide. IT Governance Publishing.
Bulgakova, D., & Stupnik, V. (2023). THE SHARING OF BUSINESS-TO-GOVERNMENT DATA. Administrative Law and Process, 2(41), 18-37. https://doi.org/10.17721/2227-796X.2023.2.02
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88.
Bulgakova, Daria (2025). THE DATATILSYNET CASE ON A PERSONAL DATA LEAK AT THE NORWEGIAN SPORTS FEDERATION DURING TESTING OF THE AZURE CLOUD SERVICE. Cyber Scotland week, the International Scientific and Practical Conference "Social Justice and Digital Economy. 2025". Conference paper. [in Ukrainian].
Case on the Azure Cloud Service: (1) Case number 20/01626; (2) Country: Norway (EU); (3) Dispute body: Datatilsynet vs Norges idrettsforbund og olympiske og paralympiske komité (NIF), the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF); (4) Source of law: Articles 5(1)(a)(c)(f), 6, 32 GDPR; (5) Date of decision: May 05, 2021; (6) Source: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/; See more at: https://www.edpb.europa.eu/news/national-news/2021/norwegian-dpa-norwegian-confederation-sport-fined-inadequate-testing_en
Bulgakova, Daria (2025). GDPR REQUIREMENTS FOR THE INTEGRATION OF CLOUD SOLUTIONS ON THE EXAMPLE OF THE CASE ABOUT FISCONETPLUS. XI LEGAL MOHYLA READINGS – 2025. Conference paper, pp. 22-26 https://dspace.chmnu.edu.ua/jspui/bitstream/123456789/2794/1/%d0%a5%d0%86%20%d0%ae%d1%80%d0%b8%d0%b4%d0%b8%d1%87%d0%bd%d1%96%20%d0%9c%d0%be%d0%b3%d0%b8%d0%bb%d1%8f%d0%bd%d1%81%d1%8c%d0%ba%d1%96%20%d1%87%d0%b8%d1%82%d0%b0%d0%bd%d0%bd%d1%8f.pdf
Case on FisconetPlus: (1) Case Number: 82/2020; (2) Country: Belgium (EU); (3) Dispute body: Data Protection Authority (DPA) vs FPS Finance; (4) Source of law: Articles 6(1), 25(1), 35 GDPR; (5) Date of decision: December 23, 2020; (6) Source: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-82-2020.pdf
Millard, C. J. (Ed.). (2021). Cloud computing law (Second edition.). Oxford University Press.
Johan David Michels, Christopher Millard, and Felicity Turton, Standard Contracts for Cloud Services. In: Cloud Computing Law. Second Edition. Edited by Christopher Millard, Oxford University Press (2021), p. 61.
Georgiopoulou, Z., Makri, E.-L., & Lambrinoudakis, C. (2020). GDPR compliance: proposed technical and organizational measures for cloud provider. Information and Computer Security, 28(5), 665–680. https://doi.org/10.1108/ICS-01-2020-0009
Casalicchio, E., Cardellini, V., Interino, G., & Palmirani, M. (2018). Research challenges in legal-rule and QoS-aware cloud service brokerage. Future Generation Computer Systems, 78 (Part 1), 211–223. https://doi.org/10.1016/j.future.2016.11.025
Law of Ukraine "On Cloud Services". Available at: https://zakon.rada.gov.ua/laws/show/2075-20#Text
Resolution of the Cabinet of Ministers of Ukraine of 11th of February 2025 "Some issues of the provision and use of cloud services and/or data center services" No. 154.
Law of Ukraine “On Personal Data Protection”. Available at: https://zakon.rada.gov.ua/laws/show/2297-17#Text
Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), OJ L 177, 4.7.2008, p. 6–16.
Zandesh, Z., Ghazisaeedi, M., Devarakonda, M. V., & Haghighi, M. S. (2019). Legal framework for health cloud: A systematic review. International Journal of Medical Informatics (Shannon, Ireland), 132, 103953–103953. https://doi.org/10.1016/j.ijmedinf.2019.103953
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (Text with EEA relevance), PE/49/2023/REV/1, OJ L, 2023/2854, 22.12.2023, ELI: http://data.europa.eu/eli/reg/2023/2854/oj
Suver, C., Thorogood, A., Doerr, M., Wilbanks, J., & Knoppers, B. (2020). Bringing Code to Data: Do Not Forget Governance. Journal of Medical Internet Research, 22(7), e18087–e18087. https://doi.org/10.2196/18087
Trubiani, F. (2023). Cloud Computing Services: Towards a Digital Sustainability under EU Digital Law. European Journal of Privacy Law & Technologies, 2, 143–154. https://doi.org/10.57230/ejplt232TF