Data Localization Laws and Policy
Show Less

Data Localization Laws and Policy

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Countries are increasingly introducing data localization laws, threatening digital globalization and inhibiting cloud computing adoption despite its acknowledged benefits. This multi-disciplinary book analyzes the EU restriction (including the Privacy Shield and General Data Protection Regulation) through a cloud computing lens, covering historical objectives and practical problems, showing why the focus should move from physical data location to effective jurisdiction over those controlling access to intelligible data, and control of access to data through security.
Buy Book in Print
Show Summary Details
You do not have access to this content

Chapter 7: Access and security

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon


• Data protection laws’ objectives. • Control access to control use/disclosure/condition. Security: confidentiality, integrity, availability (CIA), intelligible access; Directive Arts.16–17, GDPR. • Backups, authentication/authorization, physical access. Cloud’s shared responsibility. • Logical/physical security for compliance: relevance, risks, mitigation. • Encryption (at rest, in transmission), key management. Intelligible access, legal obligations (processors/subprocessors). Tokenization. Cloud encryption/tokenization gateways. • Encryption: costs/performance, operations, ‘snake oil’ (security expertise), breakability, implementations, nation-states’ decryption/cracking, alternatives e.g. IFC. Integrity, availability. • Unauthorized intelligible access: co-tenants, hackers, insiders (controllers/processors). Mitigation through contract, structure e.g. ‘data trustee’. Processor obligations: use/disclosure, security (cf. ‘instructions’). • Deletion – degrees; contractual constraints, risk-based approach. Define ‘deletion’. • Providers’ compliance: physical datacentre inspections/audits: logical vs physical security, logs. • Authorities’ access. Effective jurisdiction to compel disclosures, cf. The Pirate Bay (cloud, encryption). Interception without providers’ knowledge/cooperation – communications links; data location. Mass/bulk data collection/surveillance by states/governments. Jurisdictional conflicts, GDPR’s ‘anti-FISA’ Art.48. International agreement on surveillance’s limits/oversight. Keywords: information security, confidentiality, integrity, availability, encryption, mass state surveillance

You are not authenticated to view the full text of this chapter or article.

Elgaronline requires a subscription or purchase to access the full text of books or journals. Please login through your library system or with your personal username and password on the homepage.

Non-subscribers can freely search the site, view abstracts/ extracts and download selected front matter and introductory chapters for personal use.

Your library may not have purchased all subject areas. If you are authenticated and think you should have access to this title, please contact your librarian.

Further information

or login to access all content.