Regulation and standardization of data protection in cloud computing

Standards are often considered as an alternative form of regulation to legislative rule setting. However, standards also complement legislative acts, supporting their effective implementation and providing precise definitions for sometimes vague legal concepts. As we demonstrate, standards are not mere technical regulations but relate to sensitive political issues. The genesis and contents of ISO/IEC 27018 illustrate the interaction between both forms of regulation in the case of data protection in cloud computing. While the standard has been written with intensive consideration of the legal framework, we argue that the standard could reciprocally influence legal rule-making in the same domain.