Christopher Millard Asks: Is Privacy the Real Driver of Forced Localization of Cloud Services?

By TAP Staff Blogger

Posted on June 26, 2015


Professor Christopher Millard, Centre for Commercial Law Studies at Queen Mary University of London, asks why governments, legislators and regulators are focusing so intensely on the physical location of data. In his recent Cloud Computing, IEEE article, “Forced Localization of Cloud Services: Is Privacy the Real Driver?,” Professor Millard states that “Mistrust has become commonplace in international debates regarding regulation of cloud and other online services, especially in relation to geographical and jurisdictional restrictions on data flows.”

Forced localization of cloud services refers to in-country data storage facilities that physically keeps the data stored on servers within a country’s borders, and also allows the data to be subject to country-specific regulation.

Below are a few excerpts from “Forced Localization of Cloud Services: Is Privacy the Real Driver?” (Cloud Computing, IEEE, Volume 2, Issue 2, March-April 2015, pages 10-14)

It is time to stop and ask whether the intense focus on data location is misplaced, or at least greatly exaggerated, from the perspective of assuring privacy. Control over data location may be a factor in the bigger picture of cloud security but it is neither a panacea nor, arguably, the most important factor. From a technical perspective, physical access to a server or other device containing data is neither a necessary, nor a sufficient, condition for access to information in an intelligible form. On the other hand, logical access is both necessary, and may be sufficient, to provide access to data in an intelligible form, regardless of geographic location. For example, if data are encrypted securely (with effective key management), physical access to the data, whether at rest or in transit, may not constitute a significant privacy risk, regardless of geography. Conversely, data that are located physically on a server in, say, Germany, but which are not managed securely, may turn out to be accessible from anywhere on the planet.

The Snowden revelations of systematic, mass government surveillance have led to widespread soul-searching about both the relevance of fundamental privacy concepts and the effectiveness of existing frameworks for ensuring protection of personal data. As with that surveillance controversy, however, arguments about Internet regionalization and data localization are often stymied by a fundamental lack of transparency. Mixed message and hypocrisy abound and privacy is increasingly invoked as a justification, or at least used as a smokescreen, for policies that are incoherent and, in many cases, far from privacy-enhancing.

Over-reliance on privacy as a simplistic mantra to justify complex jurisdictional policies and rules has already begun to produce unintended, and unhelpful, consequences. The widespread deployment of cloud services by businesses and governments provides a good opportunity for a re-evaluation of the risks associated with different delivery models for data processing services. Forced data localization is not the only, and arguably not the best, strategy for securing data sovereignty.

Read the full article: “Forced Localization of Cloud Services: Is Privacy the Real Driver?”


Christopher Millard is Professor of Privacy and Information Law and Director of the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary University of London. He is also a Research Associate at the Oxford Internet Institute and is Senior Counsel to the law firm Bristows. Professor Millard has over 30 years of experience in the technology law field in legal practice and academia. He is editor and coauthor of the book, Cloud Computing Law and is a founding editor of both the International Journal of Law and Information Technology and International Data Privacy Law.