Communications of the ACM, Vol. 56, January 2013
3 Pages Posted: 24 Mar 2013 Last revised: 28 Oct 2015
Date Written: December 3, 2012
The continued attention to data protection and the growth of cloud computing highlight tensions among data protection regulators, businesses, and the computer science communities. As new data protection laws are proposed, these groups have the chance to share insights and achieve their respective goals; but right now, with respect to data security, they may be passing by each other. Going forward, governments, companies, and computer scientists must work together to fashion security for the 21st century.
In this short piece, I argue that data protection goals that focus on where data is located as a way to exert jurisdiction clash with best practices in security and networking. From a security perspective, location-based rules falter in a large area such as the EU; they fail in smaller markets.
Uncoupling jurisdiction and data location will allow data protection to move forward. Jurisdictional interests are real. Governments want to be able to reach out and touch our data. They also want to enforce laws to protect their citizens and their data. At the same time the proposed General Data Protection Regulation (GDPR) seeks to prevent unauthorized access to and, by extension, use of data. It mandates using measures “to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.” Those responsible for data must also “protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data.” Meeting these interests requires embracing the latest in security, networking, and cloud computing practices. Many of the best systems rely on continual movement of data to achieve the specific goals the GDPR sets. Thus location-based security is a failing strategy.
At the same time, the era when a company could stick its data-head in the sand of one country and reject other countries’ laws may be over precisely because of government needs, global computing services, and advances in data security and networking. If companies wish to have the flexibility to employ different data management methods and especially ones that involve continual movement of data, they cannot simultaneously argue that no law or method covers how and when a government may gain access to data. As such, I offer thoughts on how treaties, processes for access to data, improved data breach laws, and an increased ability for companies to challenge government requests for data could work together to improve data security in the future.
Keywords: data security, privacy, Data Protection Directive, General Data Protection Regulation, cloud computing, data breach, jurisdiction, distributed computing, computer science
Suggested Citation: Suggested Citation
Desai, Deven R., Beyond Location: Data Security in the 21st Century (December 3, 2012). Communications of the ACM, Vol. 56, January 2013. Available at SSRN: https://ssrn.com/abstract=2237712