Data Localization Laws and Policy
Show Less

Data Localization Laws and Policy

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Countries are increasingly introducing data localization laws, threatening digital globalization and inhibiting cloud computing adoption despite its acknowledged benefits. This multi-disciplinary book analyzes the EU restriction (including the Privacy Shield and General Data Protection Regulation) through a cloud computing lens, covering historical objectives and practical problems, showing why the focus should move from physical data location to effective jurisdiction over those controlling access to intelligible data, and control of access to data through security.
Buy Book in Print
Show Summary Details
You do not have access to this content

Chapter 2: Legislative history and objectives

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon


• Historical national ‘border control’ data export legislation, policy objectives including anticircumvention, foreign country risk, ‘data sovereignty’, ‘data residency’. • OECD Privacy Guidelines, Council of Europe Convention 108 on automatic processing of personal data, Data Protection Directive, General Data Protection Regulation (GDPR) and Data Protection Regulation for EU institutions. • Other countries’/regions’ ‘accountability’ approach: Canada (PIPEDA) and APEC (CBPR). • The Restriction’s original objective: preventing controllers from circumventing substantive data protection principles. How the Directive’s drafts and little-known contemporaneous Council documents show that restricting physical data location should have become irrelevant for anticircumvention purposes when the 1990 draft’s jurisdictional bases changed; the Restriction’s retention and treatment as a stand-alone ‘Frankenrule’ on data location diverts attention from substantive data protection. • Legislative evolution regarding responsibility for data protection (countries, controllers, recipients) and how data should be protected (technical and/or legal means). • Jurisdiction over transferors/recipients: a better basis than data location. Keywords: policy, Data Protection Directive, data exports, OECD Privacy Guidelines, Convention 108, accountability

You are not authenticated to view the full text of this chapter or article.

Elgaronline requires a subscription or purchase to access the full text of books or journals. Please login through your library system or with your personal username and password on the homepage.

Non-subscribers can freely search the site, view abstracts/ extracts and download selected front matter and introductory chapters for personal use.

Your library may not have purchased all subject areas. If you are authenticated and think you should have access to this title, please contact your librarian.

Further information

or login to access all content.