Data Localization Laws and Policy The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens W. Kuan Hon, kuan0.com http://www.e-elgar.com/shop/data-localization-laws-policy http://www.e-elgar.com/data-localization-laws-and-policy- companion-site References As at 1 May 2017 1 451 Research, 2014. Hosting and Cloud Study 2014: Hosting and Cloud Go Mainstream – Survey Results. Available at: https://news.microsoft.com/download/presskits/cloud/docs/HostingStudy2014.pdf [accessed 26 October 2016]. Abelson, H. et al., 2015. Keys under doormats: mandating insecurity by requiring government access to all data and communications. DSpace@MIT. Available at: http://dspace.mit.edu/handle/1721.1/97690 [accessed 26 October 2016]. ACCA, 2012. Asia Cloud Computing Association, Cloud Readiness Index. Available at: http://www.asiacloudcomputing.org/images/stories/contents/files/CRI_2012.pdf [accessed 26 October 2016]. ACCA, 2014. Asia Cloud Computing Association, The Impact of Data Sovereignty on Cloud Computing in Asia. Available at: http://www.asiacloudcomputing.org/images/research/ACCA- DS2013_FULL.REPORT.pdf [accessed 26 October 2016]. AEPD, 2013. Agencia Española de Protección de Datos, Guía para clientes que contraten servicios de Cloud Computing. Available at: http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/GUIA _Cloud.pdf [accessed 26 October 2016]. Ahmed, M. and Waters, R., 2015. Microsoft unveils German data plan to tackle US internet spying. Financial Times. Available at: https://www.ft.com/content/540a296e-87ff-11e5-9f8c- a8d619fa707c [accessed 26 October 2016]. Air Berlin, 2011. Comments on the European Commission’s Communication on a Comprehensive Approach on Data Protection in the European Union (Brussels, 4.11.2010 – COM(2010) 609 final). Available at: http://ec.europa.eu/justice/news/consulting_public/0006/contributions/organisations/air_berlin _en.pdf [accessed 26 October 2016]. Alcatel-Lucent, 2009. The European Commission’s Consultation on the Legal Framework for the Fundamental Right to Protection of Personal Data. Available at: http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations_not_regis tered/alcatel_lucent_en.pdf#10 [accessed 26 October 2016]. Allen & Overy, 2013. Binding Corporate Rules. Available at: http://www.allenovery.com/sitecollectiondocuments/bcrs.pdf [accessed 26 October 2016]. AmCham, 2010. AmCham EU Response to the Commission Consultation on Protection of Personal Data. Available at: http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations/american _chamber_commerce_to_eu_en.pdf [accessed 26 October 2016]. AmCham EU, 2016. Adoption of the EU-US Privacy Shield Restores Trust to Transatlantic Data Flows. Available at: http://www.amchameu.eu/sites/default/files/press_releases/press_- _adoption_of_the_eu- us_privacy_shield_restores_trust_to_transatlantic_data_flows.pdf?platform=hootsuite [accessed 26 October 2016]. Anderson, R., 2005. The crypto wars are over! Computer and Telecommunications Law Review, 11(6), pp.183–4. Anderson, R.J., 2008. Security Engineering: A Guide to Building Dependable Distributed Systems 2nd edition. Tokyo, New York: John Wiley & Sons. 2 Angulo, J. et al., 2013. D37.1 General HCI principles and guidelines. A4Cloud. Available at: http://www.a4cloud.eu/sites/default/files/D37.1%20General%20HCI%20principles%20and%2 0guidelines.pdf [accessed 26 October 2016]. Anon, 2015. TISA Annex on Electronic Commerce. Available at: https://wikileaks.org/tisa/document/20151001_Annex-on-Electronic- Commerce/20151001_Annex-on-Electronic-Commerce.pdf [accessed 26 October 2016]. ANSI/TIA, 2005. American National Standards Institute/Telecommunications Industry Association, Telecommunications Infrastructure Standard for Data Centers ANSI/TIA-942-2005. Available at: https://global.ihs.com/doc_detail.cfm?&rid=TIA&input_doc_number=942&item_s_key=004148 11&item_key_date=860905&input_doc_number=942&input_doc_title=&org_code=TIA [accessed 26 October 2016]. AP, 2005. Associated Press, New Nuclear Sub Is Said to Have Special Eavesdropping Ability. Available at: http://www.nytimes.com/2005/02/20/politics/20submarine.html [accessed 26 October 2016]. AP, 2013. Associated Press, Snowden Says US Targets Included China Cell Phones. Available at: http://www.scmp.com/news/hong-kong/article/1267265/snowden-says-us-targets-included- china-cell-phones [accessed 26 October 2016]. AP, 2014a. Associated Press, Brazil: Google Fined in Petrobras Probe. Available at: http://news.yahoo.com/brazil-google-fined-petrobras-probe-183507202.html [accessed 26 October 2016]. AP, 2014b. Associated Press, Microsoft Corporation Loses Ruling by New York Judge on Ireland Emails. Available at: http://www.cbsnews.com/news/microsoft-corporation-loses-ruling-by- new-york-judge-on-ireland-emails/ [accessed 26 October 2016]. APEC, n.d. APEC Cross-Border Privacy Enforcement Arrangement (CPEA). Available at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce- Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx [accessed 26 October 2016]. APEC, 2005. APEC Privacy Framework. Available at: http://www.apec.org/Groups/Committee-on- Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx [accessed 26 October 2016]. APEC, 2009. APEC Cooperation Arrangement for Cross-Border Privacy Enforcement. Available at: http://www.apec.org/~/media/Files/Groups/ECSG/CBPR/CBPR- CrossBorderPrivacyEnforcement.pdf [accessed 26 October 2016]. APEC, 2011. APEC Cross-Border Privacy Rules System: Policies, Rules and Guidelines. Available at: http://www.apec.org/groups/committee-on-trade-and- investment/~/media/files/groups/ecsg/cbpr/cbpr-policiesrulesguidelines.ashx [accessed 26 October 2016]. Appelbaum, J., Horchert, J. and Stöcker, C., 2013. Catalog reveals NSA has back doors for numerous devices. Spiegel Online. Available at: http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous- devices-a-940994.html [accessed 26 October 2016]. Arbeit der DSB, 2016. Zur Ungültigerklärung der Safe Harbor-Entscheidung der Europäischen Kommission durch den EuGH: Österreichische Datenschutzbehörde. Available at: http://web.archive.org/web/20160508033524/https://www.dsb.gv.at/site/6218/default.aspx [accessed 26 October 2016]. 3 Archer, Q., Maxwell, W. and Wolf, C., 2012. A global reality: government access to data in the cloud – a comparative analysis of ten international jurisdictions. Chronicle of Data Protection. Available at: http://www.hldataprotection.com/uploads/file/Revised%20Government%20Access%20to%20 Cloud%20Data%20Paper%20(18%20July%2012).pdf [accessed 26 October 2016]. Archer, Q., Maxwell, W. and Wolf, C., 2013. A global reality: governmental access to data in the cloud. SCL. Available at: http://www.scl.org/site.aspx?i=ed32952 [accessed 26 October 2016]. Austrian Bar, 2009. Consultation on the Legal Framework for the Fundamental Right to Protection of Personal Data. Available at: http://ec.europa.eu/justice/news/consulting_public/0003/contributions/public_authorities/austri an_bar_en.pdf [accessed 26 October 2016]. Autoriteit Persoonsgegevens (formerly CBP), 2012. Written Opinion on the Application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the Case of a Contract for Cloud Computing Services from an American Provider. Unofficial translation. Available at: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/dutch-dpa-written-opinion- cloud-computing-unofficial-translation.pdf [accessed 26 October 2016]. AWS, 2014a. Amazon Web Services: Overview of Security Processes. Available at: https://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf [accessed 26 October 2016]. AWS, 2014b. Announcing the AWS EU (Frankfurt) Region. Available at: http://aws.amazon.com/about-aws/whats-new/2014/10/23/announcing-the-aws-eu-frankfurt- region/ [accessed 26 October 2016]. AWS, 2015. AWS Customer Agreement. Available at: http://aws.amazon.com/agreement/ [accessed 26 October 2016]. AWS, 2016. AWS Customer Agreement. Available at: http://aws.amazon.com/agreement/ [accessed 26 October 2016]. Ax, J., 2014. RPT-UPDATE 2-U.S. judge orders Microsoft to submit customer’s emails from abroad. Reuters. Available at: http://www.reuters.com/article/2014/07/31/usa-tech-warrants- idUSL2N0Q61WN20140731 [accessed 26 October 2016]. Axciom, 2009. Response to the European Commission Consultation on European Data Protection Legal Framework. Available at: http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations/acxiom_e n.pdf [accessed 26 October 2016]. Babcock, C., 2015. VMware shows off new live migration: OpenStack options. InformationWeek. Available at: http://www.informationweek.com/cloud/infrastructure-as-a-service/vmware- shows-off-new-live-migration-openstack-options/d/d-id/1318890 [accessed 26 October 2016]. Baesman, R., 2015. Building the best place to get work done. Dropbox for Business Blog. Available at: https://blogs.dropbox.com/business/2015/06/dropbox-for-business-updates/ [accessed 26 October 2016]. Baker, J., 2016a. Privacy Shield approved by EU member states, but 4 nations abstain. Ars Technica UK. Available at: http://arstechnica.co.uk/tech-policy/2016/07/privacy-shield-approved-eu- member-states-4-nations-abstain/ [accessed 26 October 2016]. Baker, J., 2016b. Catching up with Max Schrems. IAPP. Available at: https://iapp.org/news/a/catching-up-with-max-schrems/ [accessed 17 February 2017]. 4 Baker,