Cloud computing technology offers many advantages for both end-users and service providers. It is expected that an increasing number of services would be using cloud computing technology. If end-users or service providers use cloud service, user data will be stored in data centres operated by cloud service providers. This is a significant change compared to the conventional manner of storing one’s data on a device controlled by end-users or service providers themselves (rather than cloud service providers). The cloud computing makes geographical or physical location of the storage facilities technically irrelevant. This paper examines issues relating cloud computing by distinguishing ‘personal cloud’ and ‘service cloud’. Personal cloud is a service which enables end-users to store private data in the cloud storage and to access, retrieve, edit or play them. Service cloud enables service providers to obtain computing resources ‘as a service’ so that they can provide service to their customers using the computing resources which are extensible or scalable depending on the level of demand. In the case of personal cloud, the issues relating to protection of personal data are not different from conventional service models. Users’ private data must be distinguished from users’ personal data. ‘Private data’ would include all sorts of information (not necessarily personal data) which is under the user’s control. Personal cloud provider should not be required to sift through users’ ‘private data’ stored in the personal cloud to determine which of those data are ‘personal data’. The protection of ‘personal data’ would be applicable only to the ‘subscriber information’. Service cloud, on the other hand, poses complex issues relating to ‘overseas transfer’ of personal data. This paper proposes a distinction between ‘supplying personal data to a third party located overseas’ and ‘transfer of personal data overseas’. ‘Supplying personal data to a third party’ means that the recipient (whether located within the country or out of the country) is provided with the data so that it can use them for a given purpose. ‘Overseas transfer’ of personal data, on the other hand, means not only ‘supply of personal data to an overseas recipient’ but also storing personal data at overseas data centres operated by cloud service provider who has no right to ‘use’ such personal data. Where a service provider stores personal data of domestic users at overseas data centres operated by a cloud provider (such as Amazon), it is true that domestic users’ personal data are ‘transferred overseas’. But it is wrong to say that those data are ‘supplied to a third party’ as the cloud provider is not allowed to use such data. Nor is it possible to argue that the overseas cloud provider is ‘entrusted with the processing of personal data’ by the service cloud users (service providers who use service cloud to obtain computing resources to do their business vis-a-vis end-users).However, increasing popularity of cloud computing and storage of ‘private data’ in data centres operated by cloud providers would tend to increase the likelihood of ‘voluntary cooperation’ of cloud providers to the demand of law enforcement agencies even if the demand is not adequately supported by proper judicial mandate. A more careful study is needed to ensure more robust protection of individual’s freedom and privacy in connection with the use of cloud service.