The lack of clarity and harmonisation across European Economic Area (EEA) Member States of the data export rules under the European Union (‘EU’) Data Protection Directive gives rise to significant uncertainties relating to the use of cloud computing. The concepts of transfer and data location are especially problematic. An intense and narrow focus on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the internet and the ease of remote access to data, the concept of ‘location’ is increasingly meaningless as well as irrelevant to data protection.
The Directive’s focus on data location should not obscure the underlying purpose of the data export restriction, namely data protection. The specific objective of this restriction was, and remains, to protect personal data against access by unauthorised persons (and unauthorised use, which depends on access). Where data are strongly encrypted and the decryption keys securely managed, the data’s location should be irrelevant. Even if such encrypted data are stored outside the EEA, unauthorised persons would not be able to access the data in intelligible form without the key. Conversely, keeping data within the EEA does not guarantee better protection where data are stored unencrypted (or only weakly encrypted).
We argue that the focus should be on restricting unauthorised access to intelligible data, rather than restricting data export. We suggest that the data export restriction should be replaced by requirements regarding accountability, transparency and security.
The current paper by Kuan Hon and Prof Christopher Millard reporting on this research is available via SSRN: 'Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the EEA? The Cloud of Unknowing, Part 4'.
An earlier version of this paper is available via SSRN here.
This research has also been published as Data Export Cloud Computing - How can Personal Data be Transferred Outside the EEA? by Scripted
A version of this paper has also been featured on ComputerWorld UK