Viewpoints
DOI: 10.1145/2398356.2398368
Law and Technology
Beyond Location: Data Security in the 21st Century
The continued attention to data protection and the growth of cloud computing highlight tensions among data protection regulators,
businesses, and the computer science
communities. As new data protection laws are proposed, these groups
have the chance to share insights and
achieve their respective goals; but right
now, with respect to data security, they
may be passing by each other.
Data protection laws seek to protect
user rights and rely in part on a certain
view of data location and related security
practices to ensure those rights
are maintained. In simplified terms,
data protection laws tend to focus on
data not leaving a country or region as
part of a given data protection regime.
Businesses apply cloud techniques for
a range of purposes. Some ends are
internal such as improved network
operations; some are external such as
selling storage and services to other
businesses. In either case, advances
in, and the future of, cloud computing
rely on moving data on an almost continuous
basis. Thus, the political and
business interests seem to be set to collide.
That collision is not, however, inevitable.
Does data protection require
keeping data in one place? Is data security
enhanced or harmed by such an approach?
Does jurisdiction have to turn
on data location? By parsing what is at
stake for location and jurisdiction and
what cloud computing may offer for
security, we should be able to fashion
laws that respect the political interests
in data protection and that draw on the
best insights of computer science to
achieve heightened data security.
Possibly Competing Interests
Governments and businesses have legitimate, competing interests in data
management. For example, they disagree about what to do with cloud computing. Sometimes the debates devolve
into accusations that the other side
“doesn’t get it.” Yet, if we start by stating what those interests are, we should
be able to see where the interests intersect or diverge. Once that is done, we
can see whether there is a way to bridge
remaining gaps.
Although there are many different
data protection laws, the European
Union’s approach provides a way to
understand government interests and
possible mistakes on the horizon. Unfortunately,
mandated data location
serves two, conflicting purposes. On
the one hand, it allows for an exercise
of jurisdiction based on the idea that
data stored in a particular jurisdiction
is subject to the laws of that place. The
need for jurisdiction is real. Governments
want to be able to reach out and
touch our data. They also want to enforce
laws to protect their citizens and
their data. On the other hand, the EU’s
previous Data Protection Directive
(DPD) and current, proposed General
Data Protection Regulation (GDPR)
seek to prevent unauthorized access
to and, by extension, use of data. For
example, Article 30 of the GDPR requires
that those responsible for data
processing take “appropriate technical
and organizational measures to
ensure a level of security appropriate
to the risks represented by the processing
and the nature of the personal data
to be protected.” It also requires those
responsible for data “protect personal
data against accidental or unlawful
destruction or accidental loss and to
prevent any unlawful forms of processing,
in particular any unauthorized
disclosure, dissemination or access, or
alteration of personal data.”
The location problem arises because
the current and proposed approaches
employ complicated rules about data
location, storage, and movement to
achieve the protection goals. In addition,
the laudable goals of Article 30
inadvertently run into the realities of
the latest security advances in cloud
computing. For example, in a recent decision
in the EU, data location requirements
interfered with a city’s ability to
use modern cloud computing services.[a]

[a] See Notification of decision—New email solution
within Narvik local authority (Narvik
kommune)—Google Apps, Norwegian Data
Inspectorate, reference number 11/00593-7/SEV,
January 16, 2012 (denying a request to
use Google Apps for email and other service
based in part on location of data and methods
for data storage concerns).

What then is cloud computing and
how does it relate to data security?
First, one can think of the security
problem as the ways in which someone could gain unauthorized access to
data. That view comports with Article
30. A perhaps somewhat misunder-