The subtitle to this detailed look at ‘data localization’ is
‘The EU Data Protection International Transfers Restriction Through a Cloud
Computing Lens’. To turn such subject-matter into a readable text of almost 500
pages is quite an achievement, but I promise you that Kuan Hon has achieved
precisely that. It’s so readable that I actually read (almost all) the book
when my aim was to read the minimum number of pages possible in order to write
a respectable review.
As Rosemary Jay states in a foreword, the book addresses issues
which seem to be academic in nature but which impact on every facet of our
commercial and social environment. The impact of ‘the Restriction’ is felt more
widely than one might initially expect – there is a lot more to this than concerns
about Safe Harbor/Privacy Shield and the impact is ongoing – it won’t be an
issue that dies as GDPR bites. Indeed, one of the strengths of the book is the
balance which is found in dealing with the (old) Data Protection Directive
(which is not dead yet and will have a considerable after-life) and the
incoming GDPR.
This book begins by stating its principal argument very
clearly – it aims to ‘show the fallacies underlying restrictions on cross-border
transfer of digital data’. It goes on quickly to defining and explaining cloud computing
and the restriction on transfers. Given that the restriction is based on a
cocktail of politics and law, Chapter 2 on ‘Legislative history and objectives’
is, I suppose, a necessary evil – I found it the least engaging chapter. The
ensuing chapters on ‘The transfer concept’ and ‘Assumptions’ offer compelling
arguments that swung my view on the attractiveness of the abolition of ‘the
Restriction’ and she makes constructive suggestions for a softening of its
application through interpretation and the encouragement of mechanisms for enabling
sensible and securely protected transfers. She makes the case that the law has
been based on unstated assumptions that no longer fit the reality of Internet
usage and has undermined the original objective; ‘the Restriction’ puts too
high a value on location and discounts other factors, such as encryption, which
have more real value.
Chapters 5 and 6 give a detailed account of the various
mechanisms for permitting transfers and review compliance and enforcement. It
is less than surprising that the author finds those mechanisms overly complex
and notes that they are often ignored by all but large-scale operatives in the field
and that enforcement is below the minimum level necessary to engender
compliance (possibly good news for the UK post-Brexit). Chapter 7 on ‘Access
and security’ does what it says on the tin.
The closing chapter provides a series of recommendations – –
the lead recommendation being the abolition of ‘the Restriction’ because of its
essential impracticality. There is though an acknowledgement that, where impracticality
and politics clash, political convenience will win out so abolition is unlikely
and there is a very tight summary of the matters which Kuan Hon hopes will be
considered on a GDPR review.
While this book tells you all you need to know about data
localization, readers of this review will wonder how much they do actually need
to know to get by in practice. I think there is a bit more to it than that; it is more than a dissection of an important but limited area and looks at far-reaching matters. Borrowing
from the other foreword (from Christopher Kuner), the issues covered here reflect
‘a profound unease with increasing globalization, and a lack of certainty as to
whether we want national borders carried over into the online space.’ Data
Localization Laws and Policy ‘illuminates the choices that we face as a society
in deciding where we want those boundaries to be set’.
You can explore the book’s content via a preview here or for a range of links for purchase and content,
try http://www.kuan0.com/publications.html
Laurence Eastham is Editor of Computers & Law.