Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4

38 Pages Posted: 10 Sep 2011 Last revised: 11 Mar 2014

See all articles by W. Kuan Hon

W. Kuan Hon

Imperial College London

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Date Written: April 4, 2012

Abstract

The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data location are especially problematic. An intense and narrow focus on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the internet and the ease of remote access to data, the concept of ‘location’ is increasingly meaningless as well as irrelevant to data protection.

The Directive’s focus on data location should not obscure the underlying purpose of the data export restriction, namely data protection. The specific objective of this restriction was, and remains, to protect personal data against access by unauthorised persons (and unauthorised use, which depends on access). Where data are strongly encrypted and the decryption keys securely managed, the data’s location should be irrelevant. Even if such encrypted data are stored outside the EEA, unauthorised persons would not be able to access the data in intelligible form without the key. Conversely, keeping data within the EEA does not guarantee better protection where data are stored unencrypted (or only weakly encrypted).

In this paper, we argue that the focus should be on restricting unauthorised access to intelligible data, rather than restricting data export. We suggest that the data export restriction should be replaced by requirements regarding accountability, transparency and security.

Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Personal Identifying Information, Privacy

JEL Classification: K2, K20

Suggested Citation

Hon, W. Kuan and Millard, Christopher, Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4 (April 4, 2012). SCRIPT-ed, Vol. 9:1, No. 25, Queen Mary School of Law Legal Studies Research Paper No. 85/2011, Available at SSRN: https://ssrn.com/abstract=2034286 or http://dx.doi.org/10.2139/ssrn.1925066

W. Kuan Hon (Contact Author)

Imperial College London ( email )

South Kensington Campus
Exhibition Road
London, Greater London SW7 2AZ
United Kingdom

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
2,066
Abstract Views
9,698
Rank
14,149
PlumX Metrics