What information is regulated and who is responsible for 'personal data' in cloud computing? At present cloud computing service providers may become subject to the EU Data Protection Directive's regime purely through their users' choices. It is argued that the realistic risk of identification and the risk of harm and its likely severity should be the basis of the application of the data protection legislation. Data encrypted and secured to recognised standards should not be considered 'personal data' in the hands of those without access to the decryption key, such as many cloud computing providers it is claimed. These are the conclusions of a series of research papers by the Centre for Commercial Law Studies (CCLS) at Queen Mary, University of London. The papers are titled - "'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1" and "Who is Responsible for 'Personal Data' in Cloud Computing? The Cloud of Unknowing, Part 2" andcan be accessed online at - http://www.cloudlegal.ccls.qmul.ac.uk/Research/index.html.