Book Review: Data Localization Laws and Policy

Laurence Eastham reviews this close examination of international transfers from W Kuan Hon (Edward Elgar Publishing, 479 pp, £110/£99, ISBN 978 1 78643 196 7; also available as an ebook).

The subtitle to this detailed look at ‘data localization’ is ‘The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens’. To turn such subject-matter into a readable text of almost 500 pages is quite an achievement, but I promise you that Kuan Hon has achieved precisely that. It’s so readable that I actually read (almost all) the book when my aim was to read the minimum number of pages possible in order to write a respectable review.

As Rosemary Jay states in a foreword, the book addresses issues which seem to be academic in nature but which impact on every facet of our commercial and social environment. The impact of ‘the Restriction’ is felt more widely than one might initially expect – there is a lot more to this than concerns about Safe Harbor/Privacy Shield and the impact is ongoing – it won’t be an issue that dies as GDPR bites. Indeed, one of the strengths of the book is the balance which is found in dealing with the (old) Data Protection Directive (which is not dead yet and will have a considerable after-life) and the incoming GDPR.

This book begins by stating its principal argument very clearly – it aims to ‘show the fallacies underlying restrictions on cross-border transfer of digital data’. It goes on quickly to defining and explaining cloud computing and the restriction on transfers. Given that the restriction is based on a cocktail of politics and law, Chapter 2 on ‘Legislative history and objectives’ is, I suppose, a necessary evil – I found it the least engaging chapter. The ensuing chapters on ‘The transfer concept’ and ‘Assumptions’ offer compelling arguments that swung my view on the attractiveness of the abolition of ‘the Restriction’ and she makes constructive suggestions for a softening of its application through interpretation and the encouragement of mechanisms for enabling sensible and securely protected transfers. She makes the case that the law has been based on unstated assumptions that no longer fit the reality of Internet usage and has undermined the original objective; ‘the Restriction’ puts too high a value on location and discounts other factors, such as encryption, which have more real value.

Chapters 5 and 6 give a detailed account of the various mechanisms for permitting transfers and review compliance and enforcement. It is less than surprising that the author finds those mechanisms overly complex and notes that they are often ignored by all but large-scale operatives in the field and that enforcement is below the minimum level necessary to engender compliance (possibly good news for the UK post-Brexit). Chapter 7 on ‘Access and security’ does what it says on the tin.

The closing chapter provides a series of recommendations - - the lead recommendation being the abolition of ‘the Restriction’ because of its essential impracticality. There is though an acknowledgement that, where impracticality and politics clash, political convenience will win out so abolition is unlikely and there is a very tight summary of the matters which Kuan Hon hopes will be considered on a GDPR review.

While this book tells you all you need to know about data localization, readers of this review will wonder how much they do actually need to know to get by in practice. I think there is a bit more to it than that; it is more than a dissection of an important but limited area and looks at far-reaching matters. Borrowing from the other foreword (from Christopher Kuner), the issues covered here reflect ‘a profound unease with increasing globalization, and a lack of certainty as to whether we want national borders carried over into the online space.’ Data Localization Laws and Policy ‘illuminates the choices that we face as a society in deciding where we want those boundaries to be set’.

You can explore the book’s content via a preview here or for a range of links for purchase and content, try

Laurence Eastham is Editor of Computers & Law.


      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...