
Foreword - Rosemary Jay

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Foreword - Christopher Kuner

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Preface

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Abbreviations/glossary

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Table of cases

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Table of legislation

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Background

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Scope and aim: analysing the restriction under Arts.25–6, EU Data Protection Directive (Directive 95/46/EC) on ‘transfer’ of personal data ‘to’ ‘third countries’ outside the European Economic Area (Restriction), as a barrier to EEA controllers’ processing of digital personal data using public cloud computing.
• Physical ‘data localization’ approach of EEA data protection authorities and others.
• Basic concepts and terminology regarding cloud computing (service and deployment models, characteristics of infrastructure cloud and layered cloud services). Cloud use in the EU.
• Overview of EU data protection laws under the Data Protection Directive, objectives, data controllers, processors, processing, exemptions, national law implementations, supervision, and fundamental data protection principles.
• Key aspects of the Restriction. Mechanisms for allowing transfers: adequate protection, adequate safeguards. Derogations.
• GDPR’s version of the Restriction.

Keywords: cloud computing, Data Protection Directive, General Data Protection Regulation (GDPR), international transfers, third countries, data localization

Legislative history and objectives

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Historical national ‘border control’ data export legislation, policy objectives including anticircumvention, foreign country risk, ‘data sovereignty’, ‘data residency’.
• OECD Privacy Guidelines, Council of Europe Convention 108 on automatic processing of personal data, Data Protection Directive, General Data Protection Regulation (GDPR) and Data Protection Regulation for EU institutions.
• Other countries’/regions’ ‘accountability’ approach: Canada (PIPEDA) and APEC (CBPR).
• The Restriction’s original objective: preventing controllers from circumventing substantive data protection principles. How the Directive’s drafts and little-known contemporaneous Council documents show that restricting physical data location should have become irrelevant for anticircumvention purposes when the 1990 draft’s jurisdictional bases changed; the Restriction’s retention and treatment as a stand-alone ‘Frankenrule’ on data location diverts attention from substantive data protection.
• Legislative evolution regarding responsibility for data protection (countries, controllers, recipients) and how data should be protected (technical and/or legal means).
• Jurisdiction over transferors/recipients: a better basis than data location.

Keywords: policy, Data Protection Directive, data exports, OECD Privacy Guidelines, Convention 108, accountability

The ‘transfer’ concept

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• ‘Transfer to a third country’: meaning, data ‘movement’, physical location.
• Internet ‘transfers’ – ‘pull’/‘push’; multistage (websites, public cloud, modern outsourcing chains).
• ‘Transit’ for Internet routing; GDPR problems.
• Webhosting ‘transfers’, provider’s establishment, infrastructure location.
• Lindqvist. ‘Pull’, intention to provide access, providers’ status/establishment; server location; UK, the Netherlands, European Data Protection Supervisor (EDPS).
• Cloud computing ‘transfers’. Data location, jurisdiction, vs intelligible access to data.
• Cloud infrastructure’s location, vs EU regulators’ location-centricity (SWIFT, Safe Harbour, ‘model clauses’, cloud decisions in Denmark, Sweden; Article 29 Working Party (WP29)’s WP196; cf. Canada).
• US Microsoft warrant case, extraterritoriality, International Communications Privacy Act (ICPA).
• Cloud supply chains, intelligible access, jurisdiction. Legal responsibility for data protection. Many possible cloud ‘locations’ (storage, VMs, metadata, CDNs, ‘regions’); contractual location commitments.
• Location-centricity’s implications, e.g. no country’s jurisdiction. Cloud subcontractors.
• Data localization’s disadvantages: costs, resilience/business continuity, global trade/business, knowing/verifying locations.
• Policy recommendations.

Keywords: international transfers, interpretation, cloud computing, data location, WP196, Lindqvist

Assumptions

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Unspoken assumptions underlying policies driving data export restrictions and the Directive’s approach to transfers, dating from the 1970s, leading to its lack of technology-neutrality, which the GDPR perpetuates.
• Assumptions regarding how controllers use processors: ‘computer service bureaux’, cf. cloud’s direct self-service.
• Assumptions behind the Restriction:
  • data location (mainframe model vs modern Internet/cloud realities),
  • access (physical possession vs intelligible access including encryption, remote access, simultaneous access; data location as only one factor among others),
  • countries’ jurisdiction (data location vs effective jurisdiction and modern supply chains’ multi-intermediation and multiple locations),
  • who can protect data (power/responsibility of countries to protect data adequately, and controllers’ risk assessments).

Keywords: Internet, technology-neutrality, data location, cyberspace, jurisdiction, cloud computing