I’ve been working an awful lot on security and privacy in the cloud lately, surprise surprise ;-), and the thing that is really an interesting problem when it comes to the privacy of data being held, is precisely where the data is physically? This presents some challenges, for example not many countries outside of the EU have equivalent privacy legislation implemented, so if personal data from the EU is stored in the cloud, the hosting country needs to have equivalent legislation or some workaround to protect data both physically and legally. ComputerWeekly.com have a pretty good high level article on this. Also to get a feel of how privacy legislation is working worldwide. The article (p.17) published by ISSA (December 2009, and reprinted later by IAPP July 2010) may be a worthwhile background read. Be aware that there has been an update to this directive since, e.g. the “cookie directive”. I will publish more on this later.