Review: 'Data Localization Laws and Policy', by Kuan Hon

It might cost £110, but that's cheap compared to the cost of consulting with the best data protection lawyers - or a fine under GDPR

Any CIO that has, no doubt reluctantly but with a sense of duty, turned their attention to GDPR will almost certainly have heard of Kuan Hon.

Kuan Hon is not just a director in the Privacy, Security and Information group at law firm Field Fisher, she's also editor of Sweet & Maxwell's Encyclopedia of Data Protection and Privacy, a Fellow of the Open Data Institute, a lifetime professional member of the Cloud Industry Forum, ran the world's first cloud computing law course at Queen Mary University and many, many other things besides.

And she combines this apparently boundless energy with degrees in both law and Computing Science (from Imperial College, no less - they don't take any old riff-raff at Imperial) and a real talent for communicating: both in terms of knowledge, concisely conveyed, and also enthusiasm for the subject.

Anyone who watched her presentation at Computing's Cloud & Infrastructure Summit in 2016 will know just what we mean - and will also have enjoyed an unfair headstart on their GDPR preparations. Kuan Hon has written for Computing in the past so, if you want any examples of her expertise, take a look here, here and here.

It may be fewer than 100 days until the GDPR regime kicks off in earnest, but the rush to hit that particular deadline shouldn't blind anyone to the ongoing issues around data, data protection, personal privacy and data transfers, which are set to become ever-more challenging.

In Data Localization Laws and Policy, Hon has taken in a colossal number of cases and legal decisions in the UK, across the EU, the US, Singapore, Australia, Canada, Germany and many other places. In the process, she has woven together an informative narrative that takes the reader on a journey from the legislative history behind data protection through to mechanisms and derogations, and compliance and enforcement.

But it is not a heavy-going read and the advice is practical and realistic, rather than legalistically prescriptive - and no doubt unrealistic given the high (and sometimes hypocritical) ideals underlying data protection and data transfer legislation.

Kuan Hon notes, for example, the weaknesses inherent in the US-EU Safe Harbour and Privacy Shield mechanisms: "Numerous breaches of the Restriction are probable, with little enforcement - partly because volumes involved far exceed DPAs' [data protection authorities] resources and many DPAs negotiate compliance for the future rather than imposing punishment, while penalties imposed may be low, so that risks of enforcement may lack deterrent effect."

Cross-border data transfers have become an especially thorny issue with the rise of cloud computing. It raises such questions as: can I legally consolidate human resources systems across Europe? If so, where will it be legal to store and/or process that data? What about customer data?

In the vast majority of instances, the questions will be perfectly innocent - organisations just seeking to maximise their efficiency and simplify their IT estates. But what does German law have to say about this? Where do pan-EU laws end and EU nation states' laws on data protection begin? And there are also manifold questions about Safe Harbour, Privacy Shield and global data transfers that only a long time with an expensive lawyer can explain.

Hence, the £100 or so invested on Data Localization Laws and Policy is not only a lot cheaper, but is packed with practical - as distinct from purely legal - analysis.

It's not just CIOs and the burgeoning army of data protection officers who ought to have a copy of this book displayed prominently on their shelves, but also that equally burgeoning army of lawyers working in the field. The legal points are comprehensively footnoted, so that every assertion can be traced back to its source.

Given how important data protection has become - and how much more important it will become after 25 May 2018 - we'd advise every CIO not just to get their hands on a copy, but to make sure they get the hardback version. That way, when someone does something irredeemably foolish with customer data, you'll have something robust to beat them with - metaphorically, of course.