Abstract

http://ssrn.com/abstract=1925066
 
 

Footnotes (131)



 


 



Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4


W. Kuan Hon


Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Christopher Millard


Queen Mary University of London, School of Law - Centre for Commercial Law Studies; Oxford Internet Institute

April 4, 2012

SCRIPT-ed, Vol. 9:1, No. 25
Queen Mary School of Law Legal Studies Research Paper No. 85/2011

Abstract:     
The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data location are especially problematic. An intense and narrow focus on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the internet and the ease of remote access to data, the concept of ‘location’ is increasingly meaningless as well as irrelevant to data protection.

The Directive’s focus on data location should not obscure the underlying purpose of the data export restriction, namely data protection. The specific objective of this restriction was, and remains, to protect personal data against access by unauthorised persons (and unauthorised use, which depends on access). Where data are strongly encrypted and the decryption keys securely managed, the data’s location should be irrelevant. Even if such encrypted data are stored outside the EEA, unauthorised persons would not be able to access the data in intelligible form without the key. Conversely, keeping data within the EEA does not guarantee better protection where data are stored unencrypted (or only weakly encrypted).

In this paper, we argue that the focus should be on restricting unauthorised access to intelligible data, rather than restricting data export. We suggest that the data export restriction should be replaced by requirements regarding accountability, transparency and security.

Number of Pages in PDF File: 38

Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Personal Identifying Information, Privacy

JEL Classification: K2, K20

working papers series


Download This Paper

Date posted: September 10, 2011 ; Last revised: March 11, 2014

Suggested Citation

Hon, W. Kuan and Millard, Christopher, Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4 (April 4, 2012). SCRIPT-ed, Vol. 9:1, No. 25; Queen Mary School of Law Legal Studies Research Paper No. 85/2011. Available at SSRN: http://ssrn.com/abstract=2034286 or http://dx.doi.org/10.2139/ssrn.1925066

Contact Information

W. Kuan Hon (Contact Author)
Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )
London
United Kingdom
HOME PAGE: http://www.law.qmul.ac.uk/people/academic/hon.html
Christopher Millard
Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )
67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom
HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html
Oxford Internet Institute
1 St Giles
Oxford, OX1 3JS
United Kingdom
HOME PAGE: http://www.oii.ox.ac.uk/
Feedback to SSRN


Paper statistics
Abstract Views: 3,377
Downloads: 1,119
Download Rank: 5,781
Footnotes:  131

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo4 in 0.578 seconds