38 Pages Posted: 10 Sep 2011 Last revised: 11 Mar 2014
Date Written: April 4, 2012
The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data location are especially problematic. An intense and narrow focus on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the internet and the ease of remote access to data, the concept of ‘location’ is increasingly meaningless as well as irrelevant to data protection.
The Directive’s focus on data location should not obscure the underlying purpose of the data export restriction, namely data protection. The specific objective of this restriction was, and remains, to protect personal data against access by unauthorised persons (and unauthorised use, which depends on access). Where data are strongly encrypted and the decryption keys securely managed, the data’s location should be irrelevant. Even if such encrypted data are stored outside the EEA, unauthorised persons would not be able to access the data in intelligible form without the key. Conversely, keeping data within the EEA does not guarantee better protection where data are stored unencrypted (or only weakly encrypted).
In this paper, we argue that the focus should be on restricting unauthorised access to intelligible data, rather than restricting data export. We suggest that the data export restriction should be replaced by requirements regarding accountability, transparency and security.
Keywords: Cloud Computing, Data Privacy, Data Protection, EU, European Union, Internet, Legal Issues, Liability, Outsourcing, Personal Data, Personal Identifying Information, Privacy
JEL Classification: K2, K20
Suggested Citation: Suggested Citation
Hon, W. Kuan and Millard, Christopher, Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4 (April 4, 2012). SCRIPT-ed, Vol. 9:1, No. 25; Queen Mary School of Law Legal Studies Research Paper No. 85/2011. Available at SSRN: https://ssrn.com/abstract=2034286 or http://dx.doi.org/10.2139/ssrn.1925066
By Ian Walden
By Chris Reed