Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4

38 Pages Posted: 10 Sep 2011 Last revised: 11 Mar 2014

W. Kuan Hon

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies; Oxford Internet Institute

Date Written: April 4, 2012

Abstract

The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data location are especially problematic. An intense and narrow focus on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the internet and the ease of remote access to data, the concept of ‘location’ is increasingly meaningless as well as irrelevant to data protection.

The Directive’s focus on data location should not obscure the underlying purpose of the data export restriction, namely data protection. The specific objective of this restriction was, and remains, to protect personal data against access by unauthorised persons (and unauthorised use, which depends on access). Where data are strongly encrypted and the decryption keys securely managed, the data’s location should be irrelevant. Even if such encrypted data are stored outside the EEA, unauthorised persons would not be able to access the data in intelligible form without the key. Conversely, keeping data within the EEA does not guarantee better protection where data are stored unencrypted (or only weakly encrypted).

In this paper, we argue that the focus should be on restricting unauthorised access to intelligible data, rather than restricting data export. We suggest that the data export restriction should be replaced by requirements regarding accountability, transparency and security.

Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Personal Identifying Information, Privacy

JEL Classification: K2, K20

Suggested Citation

Hon, W. Kuan and Millard, Christopher, Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4 (April 4, 2012). SCRIPT-ed, Vol. 9:1, No. 25; Queen Mary School of Law Legal Studies Research Paper No. 85/2011. Available at SSRN: https://ssrn.com/abstract=2034286 or http://dx.doi.org/10.2139/ssrn.1925066

W. Kuan Hon (Contact Author)

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/people/academic/hon.html

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies ( email )

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Oxford Internet Institute

1 St Giles
Oxford, OX1 3JS
United Kingdom

HOME PAGE: http://www.oii.ox.ac.uk/

Paper statistics

Downloads
1,627
Rank
4,828
Abstract Views
5,881