
A Study of Regulatory Policy on Cross-Border Data Transfer in the Cloud


Regulating Cross-Border Data Flow in the

Era of Cloud Computing

109 1
(cloud computing)


GDPR


Abstract
Cloud computing is a technique for storing and processing massive volumes of data
over the Internet. With its high flexibility and scalability, cloud computing has
quickly become popular. It has changed the way people store and process data, moving
it from local storage into the cloud. To sustain computing at this scale, cloud
providers usually deploy several data centers in different countries around the
world. As a result, data is being transmitted almost every moment in cloud
computing. When personal data is stored or processed in the cloud, its privacy may
be put at risk.
The EU and some other countries restrict the transfer of data outside their
jurisdiction in order to protect the information privacy of data subjects. By
contrast, the Personal Data Protection Act in our nation adopts a fairly loose
principle of allowance. To find out how to maintain personal data protection in the
cloud, this paper sets out four scenarios of cloud computing. Each of the four
scenarios is examined under the GDPR and the Personal Data Protection Act to
determine which scenarios constitute a data transfer. Restricting data transfer has
its pros and cons, and it is hard to say that there exists a perfect legal policy
that fits every country. By analyzing two different policy approaches (whether to
restrict or not), this paper aims to find the best policy for our nation.
This thesis argues that our nation urgently needs to restrict personal data
transfer. Recently, some cloud providers have started to deploy their data centers
in countries that clearly lack data protection and privacy safeguards. If we do not
restrict the transfer of data to foreign countries, then once a data subject is
harmed by an unsafe transfer, he or she can hardly assert his or her rights.
Therefore, in order to protect data subjects, this paper suggests restricting data
transfer and sets out several ways of permitting transfer. With EU policy as a
reference, we can establish a data protection classification list for our nation and
restrict or ban data transmission to countries with low data protection levels.
While protecting individuals' privacy, the need to keep data flowing should also be
taken into account, so this paper proposes several methods that exceptionally allow
transfer.

2020 1 15

1
1.1


2

2》 Facebook Instagram
Google
3.5 》 2 DropBox
Google Drive
YouTube SoundCloud Google Docs
Grammarly Google
Analytics SAP HANA “ Salesforce
Amazon Web Services ○

“ (
) “

1

Schrems v. Data Prot. Commissioner1


Facebook

2017 “
2



“ “ Apple
iCloud
iCloud
3

1
Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.
2
37
3
iCloud “ 》
https://www.bnext.com.tw/article/47757/apple-will-begin-storing-chinese-customer-icloud-data-at-

2


4

Apple iCloud
iCloud “
iCloud
Amazon Evernote

“ 》


2

1.2
2 “

5

6

new-china-data-center-from-next-month ( 2019/07/15)
4
28
5
99 2011 28-36

“ 、
43 2014 53-106
6
、 :

3

1.3

1.4
:
1. “ “

46 2 2017 399-422

4
2.

3.

4.
5.

1.5

5
6
2
2.1

(cloud computing)

(cloud computing)
7

(NIST, National Institute of Standards and Technology)


( )

8


1960 2006
(Amazon Web Service, AWS)
Elastic Cloud Computing (EC2) Simple Storage Service (S3)9
2
AWS Microsoft Azure (Azure) IBM IBM Cloud SalesForce
SAP Google Google Cloud Platform (GCP)

7
See Gartner Inc., Cloud Computing, GARTNER.COM http://www.gartner.com/it-glossary/cloud-
computing/ (last visited Jun. 21, 2019).
8
See Peter Mell & Timothy Grance, The NIST Definition of Cloud Computing (2011), at 2.
9
See DAN MARINESCU, CLOUD COMPUTING: THEORY AND PRACTICE 2 (Morgan Kaufmann eds., 2d
ed. 2018).

7
“ “







7 “

“ 》

3
Facebook
Instagram Twitter Google Drive
DropBox Evernote Google Analytics SimilarWeb
Google Doc


》 。


10
2 “
“ 2
“ 4.0

10
2016 2

8
(Big Data) (Internet of Things) (Artificial
Intelligence)
2.1.1

(Infrastructure as a Service, IaaS) (Platform as a Service,


PaaS) (Software as a Service, SaaS)
(IaaS) (PaaS)
(SaaS)

2.1.1.1 (IaaS)

11

12


IP “
Web
2
“ Amazon EC2 Google Compute
13
Engine Microsoft Azure IBM Oracle
2.1.1.2 (PaaS)
(PaaS)

11
11
12
See DAN MARINESCU, supra note 9, at 3.
13
See Bob Evans, Top 5 Cloud Vendors in the World, CLOUD NEWS (Jan. 14, 2019),
https://cloudwars.co/worlds-top-5-cloud-vendors-cloud-wars/.

9

14
Python Java Ruby
(PaaS) 3 (IaaS) (SaaS)
Google App Engine Microsoft Windows Azure Heroku Force.com

2.1.1.3 (SaaS)
(SaaS) “

SaaS
“ SaaS Facebook Twitter
Instagram Reddit Gmail
Google Document SAP Salesforce “
15
(SaaS)
(
)

(PaaS) (SaaS) (IaaS)


Salesforce (SaaS)
AWS

2.1.2
2.1.2.1

14
10 12
15
See MICHAEL J. KAVIS, ARCHITECTING THE CLOUD: DESIGN DECISIONS FOR CLOUD COMPUTING
SERVICE MODELS 51 (Wiley. eds., 1st, 2014).

10
16

Google Dropbox Office 365 Facebook
Instagram YouTube Sound Cloud “
Salesforce Amazon Web Services
2.1.2.2

IBM Cloud “
( Network Attached Storage, NAS)
2.1.2.3

17
Oracle Cloud “

2.1.2.4

18



(SaaS) Gartner (
) 2019
17.3 2060 SaaS IaaS 736
19
408 (International Data Corporation,

16
See DAN MARINESCU, supra note 9, at 9.
17
See id.
18
10 13
19
See Gartner Inc., Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in
2019, GARTNER.COM (April. 2, 2019), https://www.gartner.com/en/newsroom/press-releases/2019-04-02-

11
IDC) IT

20
IDC 2020
2.1.3


( )

○ 、

gartner-forecasts-worldwide-public-cloud-revenue-to-g
20
See Framingham Mass, Cloud it Infrastructure Revenues Surpassed Traditional it Infrastructure
Revenues for the First Time in the Third Quarter of 2018, according to IDC, IDC (Jan. 1, 2019),
https://www.idc.com/getdoc.jsp?containerId=prUS44670519

12
《 「

Whitman

21

Schwartz (Rights Talk)


22

23

24

、 (Marketplace
Discourse)25

26 27

21
See generally James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty,
113 YALE L.J. 1151 (2004).
22
See Paul M. Schwartz & Karl Nikolaus Peifer, Transatlantic Data Privacy Law, 106 GEORGETOWN
L. J. 115, 122-23 (2017).
23
See id. at 131.
24
See id. at 127.
25
See id.
26
See id. at 121.
27
See id. at 132.

13

2000
(Safe Harbor) “
28
》 2013

》 2015
Schrems
(Privacy Shield)

2.2

28

14
2.2.1
“○

2.2.2

29

30

29
“ 32 2014
63
30
17

15
2.2.3


(McKinsey) 2016

10.1
31
GSM (Groupe Speciale Mobile Association, GSMA)


32

31
See JAMES MANYIKA, SUSAN LUND, JACQUES BUGHIN, JONATHAN WOETZEL, KALIN STAMENOV &
DHRUV DHINGRA, DIGITAL GLOBALIZATION: THE NEW ERA OF GLOBAL FLOWS 76 (2016).
32
See WICKHAM HEATH CONSULTING, CROSS-BORDER DATA FLOWS REALISING BENEFITS AND
REMOVING BARRIERS 4-9 (2018).

16


2.2.4

○ 、
、 “
33
Facebook

Amazon Google
Facebook Microsoft Yahoo Twitter IBM

33
See Carole Cadwalladr & Emma Graham-Harrison, Revealed: 50 Million Facebook Profiles
Harvested for Cambridge Analytica in Major Data Breach, THE GUARDIAN (2018),
https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

17

“ 7

“ 2
34

2013


“ Microsoft Yahoo Google Facebook YouTube
Skype Apple Inc. “

Sophie in 't Veld


35
Peter Schaar
○ 」
( Information Commissioner’s Office, ICO)

“ 7

34
See David Samuels, Is Big Tech Merging with Big Brother? Kinda Looks Like It, WIRED (2019),
https://www.wired.com/story/is-big-tech-merging-with-big-brother-kinda-looks-like-it/
35
See Kevin Collier, Does the NSA’s PRISM Spying Program Violate EU Law?, DAILY DOT (Dec. 11,
2015), https://www.dailydot.com/news/prism-nsa-government-surveillance-europe-law/. (“In principle
EU law does not allow for data to be transferred to the US. Companies often find themselves caught
between two jurisdictions. They usually prefer to comply with US law, rather than EU law. This way
US law effectively takes precedence over EU law, even on EU territory. So far the European
Commission has done preciously little to solve the issue of jurisdiction and protect the rights of EU
citizens. The Prism story is only one of many of massive US spying on people both inside and outside
the US.”)

18
“ ○ “ 7

Schrems Facebook
Facebook

“ “

36

2.3
2.3.1

36
(BEUC)

」 (Office of the Director of National Intelligence,


ODNI)
See Privacy Shield: Strong and Shiny or Porous
and Rusty?, BEUC (Feb. 5, 2016), https://www.beuc.eu/press-media/news-events/privacy-shield-
strong-and-shiny-or-porous-and-rusty. see also Emily Linn, A Look into the Data Privacy Crystal Ball:
A Survey of Possible Outcomes for the EU-U.S. Privacy Shield Agreement, 50 Vand. J. Transnat'l L.
1311, 1320-21 (2017).
238 2018

19
37

38

39 40




41

2.3.2

37
106

250
38

39

40
See Martina Ferracane, Restrictions on Cross-Border Data Flows (ECIPE, Working Paper No. 1,
2017), at 2.
41
21

20
42

“ 、

43

Facebook

42
See Schwartz & Peifer, supra note 22.
43
Facebook Instagram Reddit Twitter 2018
Twitter 21% See Marlene Greenfield,
Distribution of Twitter Users Worldwide from 2012 to 2018, by Region, STATISTA (May. 27, 2014),
https://www.statista.com/statistics/303684/regional-twitter-user-distribution/

21
、 1995
( )


“ “


44

44

22
45

21

2.4

45

23

(1)
(2) (3)

“ “
」 “





24

25
26
3
1995
(Directive 95/46/EC, DPD)46
(directive)

2016 (General Data


Protection Regulation, GDPR 2016/679 GDPR )47 2018 5
GDPR (regulation)
》 GDPR

DPD 2 GDPR
(European Economic Area, EEA)

”transmission” ” transfer”

(transmission )

(transfer) 》(transfer) 7

46
Council Directive 95/46/EC, of the European Parliament and of the Council of 24 Oct 1995 on the
Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of
Such Data, 1995 O.J. (L 281) 31. [hereinafter “Directive”]
47
Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016 on the
Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free
Movement of Such Data, 2016 O.J. (L 119) 1. [hereinafter “GDPR”]

27

( ) (transmission)
、 》 (transfer)

》 transfer” 》


GDPR GDPR

3.1
GDPR ( )
4

48


29 (Article 29 Working Party, A29WP)

48
GDPR art. 4(1), 2016 O.J. (L 119) 1, 33.; See Article 29 Working Party Document No. WP136:
"Opinion 4/2007 on the Concept of Personal Data," adopted on June. 20, 2007, at 12.

28
49

( )

3.1.1
(de-identification)

50

51

29 (retraceable)
(non-retraceable) (context)

( )
52

(pseudonymization)
(anonymization)
GDPR (recital) 26 》
53

49
See id. at 13.
50
See W Kuan Hon & Christopher Millard, The Problem of 'Personal Data' in Cloud Computing-
What Information is Regulated? The Cloud of Unknowing, Part 1, 4 INT. DATA PRIV. LAW. 211, 227
(2011).
51
43 71
52
See WP136, supra note 48, at 18-20.
53
See id. at 15-16.; recital 26 of GDPR.

29
29 WP216

( “single out” an individual) (link


records “relating” to an individual)
(can information be “inferred” concerning an individual)54


3.1.2
(encrypted) 》

55
○ “
56

57


58

3.1.3

54
See Article 29 Working Party Document No. WP216, Opinion 05/2014 on Anonymisation
Techniques, adopted on April. 10, 2014, at 3. [hereinafter WP216]
55
See Hon & Millard, supra note 50, at 218.
56
See id. at 218-219.
57
See WP136, supra note 48, at 18-19.
58
See Hon & Millard, supra note 50, at 220.

30
(data fragments / shards)

59


3.2


60

(OECD)

61
(The Convention for the Protection of Individuals
with Regard to Automatic Processing of Personal Data 108 )
3
62

59
See id. at 222.
60
See CHRISTOPHER KUNER, TRANSBORDER DATA FLOWS AND DATA PRIVACY LAW, 4 (Oxford Univ.
Press ed., 2013)
61
OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data,
OECD (2013), at 13. (“Transborder flows of personal data means movements of personal data across
national borders.”)
62
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
28 January 1981, art 12(1). [hereinafter “the Convention 108”].

31
DPD GDPR
63
GDPR (recital) (guideline)
GDPR GDPR 44

64
GDPR (recital) 101


65
ICO (guidance)
GDPR GDPR
” transfer”66
67

(transfer) 》
(third country)
3.3 “


(data controller) (data processor)

29

63
See W Kuan Hon & Christopher Millard, Data Export in Cloud Computing – How can Personal
Data be Transferred Outside the EEA? The Cloud of Unknowing, Part 4, 9 SCRIPT-ed. 25, 34 (2012).
GDPR 4 ”transfer”
64
GDPR art. 44, 2016 O.J. (L 119) 1, 60.
65
Recital 101 of GDPR.
66
See ICO, Guide to the General Data Protection Regulation (GDPR), https://ico.org.uk/for-
organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-
gdpr/international-transfers/
67
See Sveinbjarnardóttir and Þorgerður Jóhanna, The Concept of 'Transfer' of Data Under European
Data Protection Law: In the Context of Transborder Data Flows (Dec. 1, 2015) (B.A. thesis, University
of Oslo), at 7.

32
68

3.3.1 “
29 2010
69

70
GDPR 4 7

71

29
Facebook Twitter Reddit
Instagram (end-user) “

72




3.3.2 “

68
See Article 29 Working Party Document No. WP169, “Opinion 1/2010 on the Concepts of
“Controller” and “Processor” ”, adopted on Feb. 16, 2010, at 4-5. [hereinafter WP169]
69
See id. at 32.
70
See id.
71
GDPR art. 4(7), 2016 O.J. (L 119) 1, 33.
72
See WP169, supra note 68, at 21.

33
29

73
GDPR 4 8
74

75

( )

3.4
EEA EEA

SaaS PaaS IaaS


3.4.1
EEA EEA

3.2

ICO EEA

“ EEA

73
See W. K. Hon, C. Millard & I. Walden, Who is Responsible for “Personal Data” in Cloud
Computing?--The Cloud of Unknowing, Part 2, 2 INT. DATA PRIV. LAW. 3, 9 (2011).
74
GDPR art. 4(8), 2016 O.J. (L 119) 1, 33.
75
See WP169, supra note 68, at 25.

34
EEA
GDPR
EEA

“ EEA
EEA

“ EEA

“ 7

GDPR (recital) 48
76


EEA ( ) 》

“ EEA

(Datatilsynet) Odense
Google Apps Google
EEA
EEA

76
Recital 48 of GDPR.

35
77

Odense
ICO

78


3.4.2
EEA

EEA 」 (office) (branch) (subsidiary)
(no EEA connection)

DPD GDPR

○ DPD 4 1 c
(equipment)
79
○ (equipment) (
) 29

77
See Hon & Millard, supra note 73, at 11.
78
See id. at 35.
79
Directive, Art 4(1)(c), 1995 O.J. (L 281) 1, 39.

36
cookies
29 JavaScript
80
DPD 4 1 c
cookies
DPD ○
81

GDPR 3 2 b DPD 4 1 c
“ EEA
GDPR

82

cookies GDPR 3
2 b ○
GDPR 3 2 a EEA

( )

83
a
EEA “

80
See Article 29 Working Party Document No. WP56, “Working Document on Determining the
International Application of EU Data Protection Law to Personal Data Processing on the Internet by
Non-EU Based Web Sites”, adopted on May. 30, 2002, at 12. [hereinafter WP56]
81
See L. Moerel, The Long Arm of EU Data Protection Law: Does the Data Protection Directive
Apply to Processing of Personal Data of EU Citizens by Websites Worldwide?, 1 INT. DATA PRIV. LAW
28, 32 (2010).
82
Recital 24 of GDPR.
83
Recital 23 of GDPR.

37
GDPR GDPR 3 2
EEA

GDPR “

GDPR 3 2 a b ○

7

3.4.3
EEA EEA

EEA

“ EEA EEA

EEA
(transit) (transfer)84 (transit)

84
See Sveinbjarnardóttir & Jóhanna, supra note 67, at 6-7.; see ICO, The Eighth Data Protection
Principle and International Data Transfers v4.0 (2017), at 5-6. (“Transfer does not mean the same as
transit. If personal data is just electronically routed through a non-EEA country but the transfer is
actually from one EEA country to another EEA country, then it is not a restricted transfer.”). (”You are

38
(transfer) “ EEA
EEA EEA
85

“ EEA

2016
86
ICO

87

EEA

」 EEA


3.4.4
EEA EEA

making a restricted transfer if you collect information about individuals on paper, which is not ordered
or structured in any way, and you send this to a service company located outside of the EEA”).Transfer
transit 》

85
See Sveinbjarnardóttir & Jóhanna, supra note 67, at 7.
86
See Nicole Perlroth, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y. TIMES, Sep.
22, 2016, https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html
87
See DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE, https://ico.org.uk/media/action-weve-taken/mpns/2258898/yahoo-uk-
services-ltd-mpn-20180521.pdf.

39

EEA 」 (office) (branch)
(subsidiary)
EEA

GDPR 3 1
88

“ GDPR 3 1
(1) (establishment) (2)
(in the
context of the activities)
(establishment)
(in the context of the activities) DPD (recital)
19 (arrangements)
89


90

91

92

88
GDPR 3 1 Regulation applies to the processing of personal data in the context
of the activities of an establishment of a controller or a processor in the Union, regardless of whether
the processing takes place in the Union or not” ”in the context of the activities”

”in the context of the activities”


89
Recital 19 of Directive.
90
Id.
91
Id.
92
Id. recital 22 of GDPR. GDPR (recital) 22

40
(in the context of the
activities) 29 WP179 (1)
(2) (3)
93

94

95
Google Spain v AEPD and Mario Costeja González
Google (
)
Google
Google Spain
96
“ in the context of the
97
activities ( Google )


98

93
See Article 29 Working Party Document No. 179, “Opinion 8/2010 on Applicable Law”, adopted on
Dec. 16, 2010, at 14. [hereinafter WP179]
94
See id. at 15.
95
Case C-131/12 Google Spain SL and Google Inc. v. AEPD and Mario Costeja González,
ECLI:EU:C:2014:317.
96
See id. ¶ 55 (“In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it
must be held that the processing of personal data for the purposes of the service of a search engine such
as Google Search, which is operated by an undertaking that has its seat in a third State but has an
establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if
the latter is intended to promote and sell, in that Member State, advertising space offered by the search
engine which serves to make the service offered by that engine profitable.”); see Dan Jerker B
Svantesson, Extraterritoriality and Targeting in EU Data Privacy Law: The Weak Spot Undermining
the Regulation, 5 INT. DATA PRIV. LAW 226, 228-29 (2015).
97
See Google Spain SL, supra note 95, ¶ 53.
98
Id. ¶ 57.

41
EEA

99

100

101

(in the context of the activities)

102
in the context of the activities” ○
WP179 ○
“ 」
WP179

99
See W Kuan Hon, Julia Hörnle & Christopher Millard, Data Protection Jurisdiction and Cloud
Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of
Unknowing, Part 3, 25 INT REV LAW COMPUT TECHAT, 2, 18 (2012).
100
See id.
101
See id.
102
See id. at 19.

42
103
○ 」
EEA
EEA

GDPR 3 1
EEA “
GDPR 3 1
GDPR 3 1
2

“ 3 2
EEA

EEA “

“ GDPR 3 2

“ GDPR 3 1

GDPR 3 2 a b ○

103
See WP179, supra note 93, at 16-17.

43
EEA

EEA

EEA

EEA

EEA

EEA
EEA GDPR

GDPR

44
EEA

EEA
EEA
EEA


EEA GDPR

GDPR

45
3.4.5
2.1.1 SaaS PaaS IaaS
SaaS PaaS IaaS

SaaS PaaS IaaS


SaaS SaaS SaaS
PaaS IaaS PaaS
IaaS (sub-processor)

SaaS SaaS “
PaaS

SaaS PaaS

SaaS
SaaS IaaS
IaaS
104

3.4.6
(
) “

104
See Hon & Millard, supra note 63, at 4. Hon & Millard IaaS “

(sub-processor)

46

○ GDPR 3

(
○ )

105

(
)
○ ( ○ )

3 GDPR

3.5
GDPR 5 》 ○ 44

105

47
45 49

49
3.5.1 (Adequacy Decision)
GDPR 45 (adequacy)
106

107

(EDPB)
2
108

3.5.2 (Appropriate Safeguards)


GDPR 46

3.5.2.1 “ (Binding Corporate Rules, BCRs)

106
GDPR art. 45, 2016 O.J. (L 119) 1, 61.
107
Recital 104 of GDPR.
108
See European Comm’n, Adequacy Decisions-How the EU Determines if a Non-EU Country has an
Adequate Level of Data Protection, EUROPEAN COMM’N (2019), https://ec.europa.eu/info/law/law-
topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

48
29

》 BCRs
BCRs
109

3.5.2.2 (Standard Contractual Clauses, SCC)


GDPR

110
“ 2

(EU controller to non-EU or EEA controller)111
(EU controller to non-EU or EEA processor)112
3.5.2.3 (Code of Conduct, CoC)
GDPR 40 ”
“ “
113
“ “
3.5.2.4 GDPR 42 (Approved Certification Mechanism)
GDPR 42 1

3.5.3 (Derogations)

109
GDPR art. 46, 2016 O.J. (L 119) 1, 62-63.
110
Recital 109 of GDPR.
111
Decision 2004/915/EC EEA
EEA
112
Decision 2010/87/EU EEA EEA

113
GDPR art. 40, 2016 O.J. (L 119) 1, 56-58.

49
45 46 GDPR 49

114
45 46 49
GDPR 49
3.5.3.1
115
49 1 a
(explicit consent) GDPR 4 11
116
7
GDPR (Directive)
3.5.3.2
GDPR 49 1 b c

117

(occasional) (necessary)

118

3.5.3.3
49 1 d
119

120

114
, 3 (GDPR 233
2018 46
115
GDPR art. 49(1)(a), 2016 O.J. (L 119) 1, 64.
116
GDPR art. 7, 2016 O.J. (L 119) 1, 37.
117
GDPR art. 49(1)(b)(c), 2016 O.J. (L 119) 1, 64.
118
See Article 29 Working Party Document No. WP262, “Guidelines on Article 49 of Regulation
2016/679”, adopted on Feb. 6, 2018, at 10-11. [hereinafter WP262]
119
GDPR art. 49(1)(d), 2016 O.J. (L 119) 1, 64.
120
GDPR art. 49(4), 2016 O.J. (L 119) 1, 65.

50

121

3.5.3.4
GDPR 49 1 e
122


3.5.3.5
a

123
f

124

3.5.3.6
g
125

3.5.3.7
GDPR 49 1

126

121
See WP262, supra note 118, at 12.
122
GDPR art. 49(1)(e), 2016 O.J. (L 119) 1, 64.
123
GDPR art. 49(1)(f), 2016 O.J. (L 119) 1, 64.
124
114 50
125
GDPR art. 49(1)(g), 2016 O.J. (L 119) 1, 64.
126
GDPR art. 49(1)(b), 2016 O.J. (L 119) 1, 64.

51
52
4
4.1


1996 GDPR

3

4.1.1

127




128
2 ”

127
See Ferracane, supra note 40, at 2.
128
See id. ECIPE ”

( “)

53

129

130

131

4.1.2
4.1.2.1

129

“ 、

130
」 8
“ “ 」 18
131
2

54
132

(EGKS) (EWG) (EAG) 1958


133

1993
2
28

134

135

○ 1989
11 ○
136

137

132
3
133
Matthias Herdegen, 14
134

135
See Paul M Schwartz, European Data Protection Law and Restrictions on International Data
Flows, 80 IOWA LAW REV. 471, 481(1995).
136
See id. at 480-81.
137
132 97

55
1995 (DPD) (harmonization)

138

139

(Working Party on
the Protection of Individuals with Regard to the Processing of Personal Data,
)

140 141

138
See Schwartz, supra note 135, at 482.
139
See id.
140
See id. Schwartz (equivalency)

141
See id.

56
(adequate level of protection)

142
Eric Howe 1993
(Community)

143
GDPR

2

142
See id. at 482.; see A Commentary by the UK Data Protection Registrar, in Ninth Annual Report of
the Data Protection Registrar 66-75 (1993).
143
See Nikolaos I. Theodorakis, Cross Border Data Transfers Under the GDPR: The Example of
Transferring Data from the EU to the US (Stanford-Vienna TTLF, Working Papers No. 39, 2018), at 4.

57
2

》 、

2 2

144

145
、 “

144
27 8 7
145

58
AB B A A
○B A
146
B A B
147

“ “

146

147

59
4.1.2.2

2 “


148
“ 2016
GDP 3.5 2.8 2025
149
11
150
10 1.9 (
151
) 0.6
(ECIPE)

GDP
-0.2 -1.1 -0.1 - 0.5 -0.4 -
152
1.7 -0.4

148
See Nikolaos I. Theodorakis, supra note 143, at 3.
149
See MANYIKA et al., supra note 31, at 13-15.
150
See Shawn W. Tan & Alberto Osnago, Disaggregating the Impact of the Internet on International
Trade (World Bank Grp., Working Papers No. 7785, 2016), at 3-4.
151
See id.
152
See Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel, & Bert Verschelde, The Costs of
Data Localisation: Friendly Fire on Economic Recovery, (ECIPE Occasional Paper, No. 3, 2014), at 2.
Bauer

60
2

(Data Localization)

(multidimensional)
》 /

153

154
1987
Facebook

(Internet Fragmentation)
155

(Technical Fragmentation) (Governmental Fragmentation)


“ (Commercial Fragmentation)156 (The World
Economic Forum, WEF.) ○

153
See id. at 41. (“[L]aws that limit the storage, movement, and/or processing of data to specific
geographies and jurisdictions, or that limit the companies that can manage data based upon the
company’s nation of incorporation or principal sites of operations and management.”)
154
See Martina F. Ferracane, supra note 40, at 9.
155
See generally William J. Drake, Vinton G. Cerf & Wolfgang Kleinwächter, Internet Fragmentation:
An Overview, (WEF, White Paper, 2016), at 18.
156
See id.

61

157

158

159

160

“ “
161


162

157
See id. at 48.
158
See generally Sarah Box, Internet Openness and Fragmentation: Toward Measuring the Economic
Effects, (CENTR. FOR INT. GOV. INNOV., Paper Series No. 36, 2016).
159
See Drake et al., supra note 155, at 42.
160
See id. at 44.
161
See id. at 42.
162
See Hon & Millard, supra note 63, at 27.
(“The DPD's assumption that data can be accessed by persons in a third country, simply because data
are stored in that country, is undermined not only by the internet but by cloud computing. Depending
on the setup of the system, if authorities in the third country where a data centre is located should seize
one server or even all equipment in the data centre, that may not necessarily result in their being able to

62
(access)
163


164

“ “
165

4.1.2.3

166

Peter Dippoldsmann

read any personal data in intelligible form, due to the use in cloud computing of data fragmentation,
proprietary file systems, and perhaps even distribution of parts of the relevant data across different data
centres. However, if third country authorities obtain the co-operation of the provider, they will
generally be able to access unencrypted or weakly encrypted data, whether held in EEA or non-EEA
data centres.”)
163
See id. at 28.
164
See id.
165
See id.
166
See ICO, supra note 66.

63

167

EEA

EEA


GDPR 4 1


168

169

167
See Paul M Schwartz, supra note 135, at 485. (” Peter Dippoldsmann has pointed out that it is
incongruous to require equivalent protection within the European Union and merely adequate
protection for transfers to third nations.”) Schwartz Peter Dippoldsmann


168
See Article 29 Working Party Document No. WP29, “Opinion 4/2007 on the Concept of Personal
Data”, adopted on June. 20, 2007. [hereinafter WP29] ;
2018 224
169
Recital 26 of Directive.; 168 225

64
(pseudonymisation) GDPR 4 5

(anonymisation)

GDPR 6 4

( ) GDPR

GDPR

65
2

170

GDP
(ECIPE)
GDP 0.4 “


170
GDPR
(PPC)
See Věra Jourová, EU Japan Adequacy Decision, Fact Sheet (Jan. 2019),
https://ec.europa.eu/info/sites/info/files/research_and_innovation/law_and_regulations/documents/adequacy-japan-factsheet_en_2019_1.pdf

66


“ 、
4.2

4.2.1 ( )
DPD GDPR (adequate level of protection)
DPD
25 》

67
171
GDPR DPD 45 1 》

172

DPD

173
GDPR 45 2 a

174

29 WP 12
175

1.

2.

3.

4.

5.

6.

171
Directive, art 25(1). (“The Member States shall provide that the transfer to a third country of
personal data…only if…the third country in question ensures an adequate level of protection.”)
172
GDPR, art 45(1), 2016 O.J. (L 119) 1, 61.
173
Directive, art 25(2), 1995 O.J. (L 281) 1, 45-46.
174
GDPR, art 45(2)(a), 2016 O.J. (L 119) 1, 61.
175
See Article 29 Working Party Document No. 12, “Transfers of Personal Data to Third Countries:
Applying Articles 25 and 26 of the EU Data Protection Directive”, adopted on July 24, 1998, at 6.
[hereinafter WP12]

68

○176

177

178

Schrems
8
179


7
8
180

Schrems
GDPR 29
WP254 WP12

WP254
Schrems
181

176

196 2016 13-14


177

178

179
See Julian Wagner, The Transfer of Personal Data to Third Countries under the GDPR: When does
a Recipient Country Provide an Adequate Level of Protection?, 8 INT. DATA PRIV. LAW 318, 323
(2018).
180
GDPR 2018
2
181
See Article 29 Working Party Document No. WP254, “Adequacy Referential (updated)”, adopted
on Nov. 28, 2017, at 9. [hereinafter WP254]

69
WP12 WP254 25 GDPR 45

2 ( “ )
182
( )
4.2.2
GDPR
46

(standard contractual clauses, SCC) “


( binding corporate rules, BCRs) (code of conduct, CoC)

183
(1) (2)
184


182
See European Comm’n, supra note 108.
183
See Commission Decision 2004/915/EC, of 27 December 2004 Amending Decision 2001/497/EC
as Regards the Introduction of an Alternative Set of Standard Contractual Clauses for the Transfer of
Personal Data to Third Countries, O. J. (L 385) 74.
184
See Commission Decision 2010/87/EU, of 5 February 2010 on Standard Contractual Clauses for
the Transfer of Personal Data to Processors Established in Third Countries under Directive 95/46/EC of
the European Parliament and of the Council, O. J. (L 39) 5.

70
185

186
》 (onward transfers)

187

》 (controller-processor)


188

189



Schrems
Max Schrems Facebook
PRISM
》3 (CJEU)
(C 362/14) 2015
Schrems Facebook 2013

Schrems
Facebook
Schrems Facebook

185
See WP254, supra note 181, at 77-81.
186
Id. at 82.
187
See Lokke Moerel, Binding Corporate Rules, GDPR.BE.BLOG,
https://gdpr.be/english/binding-corporate-rules/ (last visited Dec. 21, 2019).
188
See Hon & Millard, supra note 73, at 24.
189
See id.

71
》 (C-311/18) 11 2019
7
IAPP(International Association of Privacy Professionals)2016
“ 81
190

“ ( binding corporate rules, BCRs)


191

GDPR
192
63
193
EDPB (European Data
Protection Board) EDPB
194

、 “ “ 、

190
(International Association of Privacy Professionals, IAPP)
“ 2016


2018 “ 2016 “
See J. TREVOR HUGHES & SAGI LEIZEROV, IAPP-EY:
ANNUAL PRIVACY GOVERNANCE REPORT 20 (2016).
191
See European Comm’n, Binding Corporate Rules-Corporate Rules for Data Transfers Within
Multinational Companies,
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en
(last visited Jun. 19, 2019).
192
See id.
193
See id.
194
See id.

72
○ “ 》

195

196


197

“ 、 BCRs


198
“ “

199

“ 、 “ 、
、 5000
8 “ 75,000
200
53 、 36%
75,000 19%201 “

195
See Olivier Proust, Why BCR are the Future of Global Data Flows - Privacy, Security and
Information Law, FIELDFISHER,
https://privacylawblog.fieldfisher.com/2017/why-bcr-are-the-future-of-global-data-flows
(last visited Jun. 19, 2019).
196
See id.
197
See HUGHES & LEIZEROV, supra note 190. IAPP
(Federal Trade Commission, FTC) “ 73%
42% “


198
See Olivier Proust, supra note 195.
199
See id.
200
See HUGHES & LEIZEROV, supra note 190, at 21.
201
See id.

73
“ 、

4.2.3
GDPR 49 45 46

49 1
、 “
GDPR
202 203
4 11 7

204

205
GDPR
GDPR

49 1 b d e
206


c 》

202
GDPR art. 4(11), 2016 O.J. (L 119) 1, 34.
203
GDPR art. 7, 2016 O.J. (L 119) 1, 37.
204
( )

205
See McKay Cunningham, Complying with International Data Protection Law, 84 UNIV.
CINCINNATI LAW REV. 421, 437 (2016).
206
See WP262, supra note 118, at 12.

74
“ “

4.3
GDPR

3.2 3.4

EEA

》 7

EEA
》 (
)
Facebook
Facebook

75
Odense Google App
Google

Hon & Millard DPD

DPD


EEA

Hon&Millard
Hon Millard
DPD DPD

Odense 3.2

Hon & Millard

Facebook ○

7

76
Hon & Millard

( “)

( )
?

77
78
5
GDPR
EEA

、 GDPR
、 、
7

5.1
5.1.1
2 ( ) ( )

5.1.2 “
GDPR

GDPR

79

5.1.2.1
2


207

208

5.1.2.2
8
1 4
209
3

210

211


5.1.2.3

207
8 1
208
51 78-79
209
8 1 4
210
8 3
211
51 80

80


5.2
5.2.1


7 94
0940029553
212

( )

19 24

212
94 8 26 0940029553
( ) 19 24

○ ( )

81


?
?
?

51 2

51 2
○ “



(
》)

82
“(
) “

“ “

5.2.2

○ ○
( )
51
2

51 2

83
213

214

215

○216
51 2
1995
217
○ GDPR


51 2

213
“ 1.0 2012 12
50-52
214
2012 8 173
2013 1 33
215
, 51 67
216

217

4 1 c (equipment) ○

84
GDPR
“ 3

“( )

5.2.3


○ “
51
2


5.2.4

85


DPD 4


218


219

○ ○

218
51 69
219

86




51 2






87

“ “

88
5.3
5.3.1




“ ( )
51 2 ○

2 ( ) ( )

5.3.2
21

NCC 24 (
) “
220

21
15 18 ○

220
10141050780

89
5.4
21

5.4.1

5.2

221
2019 12

( )
Apple iCloud
Microsoft Azure Facebook
Reddit Twitter

Google Line

221

」 “

90

」 “ “
4.3 “
》 “

Microsoft Microsoft

Facebook

5.4.2


NCC
24 ( )
222

222
10141050780

91
Comparitech 1000
10 8
223

224

28

“ “

Apple Apple iCloud


iCloud
Apple
225

Apple

226


7

223
See Paul Bischoff, The World’s Most Surveilled Cities, Comparitech (2019),
https://www.comparitech.com/vpn-privacy/the-worlds-most-surveilled-cities/
224
See In Your Face: China’s All Seeing State, BBC NEWS. (Dec. 10, 2017),
https://www.bbc.com/news/av/world-asia-china-42248056/in-your-face-china-s-all-seeing-state
225

https://www.storm.mg/article/384340 ( 2019 12 14 )
226
iCloud 。

( )

92
Apple iCloud
Apple iCloud


227

“ “
“ “


21

228
21

227
37
228

93
229
(
)
5.5

GDPR

5.5.1
28

“ 、
“ “
230
” “
“ Google
Facebook AWS IBM Cloud Oracle 、

(Tik Tok) “

https://www.taiwannews.com.tw/ch/news/3682192 ( 2019 12 14 )

3
229

230
2018 “ http://ghginfo.moeasmea.gov.tw/files/6274/642D55FF-7B20-456E-B8E6-3D4C58E30DDD ( 2019 12 14 ) “
2018 “ “ “ 97.7%

94
《 「

5.5.2

231 232 233


vTaiwan

5.5.2.1
” ○

231
(2018)
https://www.tahr.org.tw/news/2268 ( 2019 11 12 )
232
DPA https://talk.vtaiwan.tw/t/topic/1442 ( 2019
12 14 )
233
37

95

2 6
( )

5.5.2.2
5.5.2.2.1
GDPR 45

( )

234

234
5

96
235

236

5.5.2.2.2 “
GDPR
“ (SCC) “
(BCRs) 4.2.2 SCC

BCRs 、 、 “

BCRs
SCC BCRs “
“ “ “

BCRs “ BCRs

235
3 8 9
236
Artmotion BestVPN (CNIL)
Graham Greenleaf
See Graham Greenleaf, Global Tables of Data Privacy Laws and Bills, 157
PRIV. LAWS & BUS. INT'L REP. 16, 29-31 (2019).

97
BCRs


“ “




5.5.2.2.3

5.4.2


5.5.2.3

○ 21

98
、 、

99
100
6


2

GDPR

GDPR

“ EEA

101
“ EEA

GDPR 3 2

EEA

EEA

DPD 2018 GDPR

“ “ 、

102
21

“ “


“ 、
2

21

、 、

103
21 GDPR

237
1570 22621 23196

104
( )

(2008)

32
61-105 (2014)

238 15-20 (2018)

196 12-22 (2016)

, (GDPR)
233 43-52 (2018)

1.0 (2012)

27 8
28-55 (2015).

99 28-36
(2011)

43 53-106
(2014)

105
---
106 54 40 185-257 (2018)

2018 “ (2019)

106
( ndc106020, 2018)

GDPR
(2018)

:
46 2 339-422 (2017)

(2016)

63 17-27
(2001)

:
4 3 137-161 (2002)

(2012)

,
43 53-106 (2014)

(2013)

Matthias Herdegen, (2006)

106
iCloud
2018 2 26 https://www.bnext.com.tw/article/48286/apple-is-moving-icloud-encryption-keys-for-chinese-users-to-china.

, 2018 6 12
https://www.tahr.org.tw/news/2268.

2018 1 1 https://www.storm.mg/article/384340

2019 4 17
https://www.taiwannews.com.tw/ch/news/3682192

DPA 2017 9 https://talk.vtaiwan.tw/t/topic/1442

107
Books
KUNER, CHRISTOPHER, TRANSBORDER DATA FLOWS AND DATA PRIVACY LAW, 4
(Oxford Univ. Press ed., 2013).

KAVIS, MICHAEL J., ARCHITECTING THE CLOUD: DESIGN DECISIONS FOR CLOUD
COMPUTING SERVICE MODELS 51 (Wiley. eds., 1st, 2014).

MARINESCU, DAN, CLOUD COMPUTING: THEORY AND PRACTICE 2 (Morgan
Kaufmann eds., 2d ed. 2018).

Cases
Case C-362/14, Maximillian Schrems v Data Protection Commissioner,
ECLI:EU:C:2015:650.

Case C-131/12 Google Spain SL and Google Inc v. AEPD and Mario Costeja
González, ECLI:EU:C:2014:317.

Journal Articles, Book Chapters and Reports


Article 29 Working Party Document No. WP262, “Guidelines on Article 49 of
Regulation 2016/679”, adopted on Feb. 6, 2018.

Article 29 Working Party Document No. WP254, “Adequacy Referential (Updated)”,
adopted on Nov. 28, 2017.

Article 29 Working Party Document No. WP216, “Opinion 05/2014 on Anonymisation
Techniques”, adopted on Apr. 10, 2014.

Article 29 Working Party Document No. WP179, “Opinion 8/2010 on Applicable
Law”, adopted on Dec. 16, 2010.

Article 29 Working Party Document No. WP169, “Opinion 1/2010 on the Concepts
of “Controller” and “Processor””, adopted on Feb. 16, 2010.

Article 29 Working Party Document No. WP136, “Opinion 4/2007 on the Concept of
Personal Data”, adopted on June 20, 2007.

108
Article 29 Working Party Document No. WP56, “Working Document on Determining
the International Application of EU Data Protection Law to Personal Data
Processing on the Internet by Non-EU Based Web Sites”, adopted on May 30,
2002.

Article 29 Working Party Document No. WP29, “Opinion 4/2007 on the Concept of
Personal Data”, adopted on June 20, 2007.

Article 29 Working Party Document No. WP12, “Transfers of Personal Data to Third
Countries: Applying Articles 25 and 26 of the EU Data Protection Directive”,
adopted on July 24, 1998.

A Commentary by the UK Data Protection Registrar, in Ninth Annual Report of the
Data Protection Registrar 66-75 (1993).

Box, Sarah, Internet Openness and Fragmentation: Toward Measuring the Economic
Effects, (Centr. for Int. Gov. Innov., Paper Series No. 36, 2016).

Bauer, Matthias, Hosuk Lee-Makiyama, Erik van der Marel, & Bert Verschelde, The
Costs of Data Localisation: Friendly Fire on Economic Recovery, (ECIPE
Occasional Paper, No. 3, 2014)

Commission Decision 2010/87/EU, of 5 February 2010 on Standard Contractual
Clauses for the Transfer of Personal Data to Processors Established in Third
Countries Under Directive 95/46/EC of the European Parliament and of the
Council, O. J. (L 39) 5.

Commission Decision 2004/915/EC, of 27 December 2004 Amending Decision
2001/497/EC as Regards the Introduction of an Alternative Set of Standard
Contractual Clauses for the Transfer of Personal Data to Third Countries, O. J. (L
385) 74.

Council Directive 95/46/EC, of the European Parliament and of the Council of 24 Oct
1995 on the Protection of Individuals with Regard to the Processing of Personal
Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

Convention for the Protection of Individuals with Regard to Automatic Processing of
Personal Data 28 January 1981.

109
Cunningham, McKay, Complying with International Data Protection Law, 84 UNIV.
CINCINNATI LAW REV. 421-450 (2016).

Drake, William J., Vinton G. Cerf & Wolfgang Kleinwächter, Internet
Fragmentation: An Overview, (WEF, White Paper, 2016).

Ferracane, Martina, Restrictions on Cross-Border Data Flows (ECIPE, Working
Paper No. 1, 2017)

Graham Greenleaf, Global Tables of Data Privacy Laws and Bills, 157 PRIV. LAWS &
BUS. INT'L REP. 16-31 (2019)

Hon, W. Kuan & Christopher Millard, Data Export in Cloud Computing – How can
Personal Data be Transferred Outside the EEA? The Cloud of Unknowing, Part
4, 9 SCRIPT-ed. 25-63 (2012).

Hon, W. Kuan, Julia Hörnle & Christopher Millard, Data Protection Jurisdiction and
Cloud Computing – When are Cloud Users and Providers Subject to EU Data
Protection Law? The Cloud of Unknowing, Part 3, 25 INT REV LAW COMPUT
TECHNOL. 129-164 (2012).

Hon, W. Kuan, Christopher Millard & Ian Walden, Who is Responsible for “Personal
Data” in Cloud Computing?--The Cloud of Unknowing, Part 2, 2 INT. DATA
PRIV. LAW. 3-18 (2011).

Hon, W. Kuan, & Christopher Millard, The Problem of 'Personal Data' in Cloud
Computing- What Information is Regulated? The Cloud of Unknowing, Part 1, 4
INT. DATA PRIV. LAW. 211-228 (2011).

Hughes, J. Trevor & Sagi Leizerov, IAPP-EY: Annual Privacy Governance Report
2016,
https://iapp.org/media/pdf/resource_center/IAPP%202016%20GOVERNANCE%20SURVEY-FINAL3.pdf.

ICO, The Eighth Data Protection Principle and International Data Transfers v4.0
(2017).

110
Jourová, Věra, EU Japan Adequacy Decision, Fact Sheet (Jan. 2019),
https://ec.europa.eu/info/sites/info/files/research_and_innovation/law_and_regulations/documents/adequacy-japan-factsheet_en_2019_1.pdf

Linn, Emily, A Look Into the Data Privacy Crystal Ball: A Survey of Possible
Outcomes for the EU-U.S. Privacy Shield Agreement, 50 Vand. J. Transnat'l L.
1311-1358 (2017).

MANYIKA JAMES, SUSAN LUND, JACQUES BUGHIN, JONATHAN WOETZEL, KALIN
STAMENOV & DHRUV DHINGRA, DIGITAL GLOBALIZATION: THE NEW ERA OF
GLOBAL FLOWS 1-156 (2016).

Moerel, L., The Long Arm of EU Data Protection Law: Does the Data Protection
Directive Apply to Processing of Personal Data of EU Citizens by Websites
Worldwide?, 1 INT. DATA PRIV. LAW 28-46 (2010).

Mell, Peter & Timothy Grance, The NIST Definition of Cloud Computing (Sep. 28,
2011), http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909616.

OECD Guidelines Governing the Protection of Privacy and Transborder Flows of
Personal Data, OECD (2013)

Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April
2016 on the Protection of Natural Persons with Regard to the Processing of
Personal Data and on the Free Movement of Such Data, 2016 O.J. (L 119) 1.

Schwartz, Paul M. & Karl Nikolaus Peifer, Transatlantic Data Privacy Law, 106
GEORGETOWN LAW J. 115-179 (2017).

Sveinbjarnardóttir & Þorgerður Jóhanna, The Concept of 'Transfer' of Data under
European Data Protection Law: In the Context of Transborder Data Flows (Dec.
1, 2015) (B.A. thesis, University of Oslo)

Svantesson, Dan Jerker B., Extraterritoriality and Targeting in EU Data Privacy
Law: The Weak Spot Undermining the Regulation, 5 INT. DATA PRIV. LAW
226-234 (2015).

111
Schwartz, Paul M, European Data Protection Law and Restrictions on International
Data Flows, 80 IOWA LAW REV. 471-496 (1995).

Theodorakis, Nikolaos I., Cross Border Data Transfers Under the GDPR: The
Example of Transferring Data from the EU to the US (Stanford-Vienna TTLF,
Working Papers No. 39, 2018).

Tan, Shawn W. & Alberto Osnago, Disaggregating the Impact of the Internet on
International Trade (World Bank Grp., Working Papers No. 7785, 2016).

Wagner, Julian, The Transfer of Personal Data to Third Countries under the GDPR:
When does a Recipient Country Provide an Adequate Level of Protection?, 8 INT.
DATA PRIV. LAW 318-337 (2018).

Whitman, James Q., The Two Western Cultures of Privacy: Dignity Versus Liberty,
113 YALE L.J. 1151-1221 (2004).

WICKHAM HEATH CONSULTING, CROSS-BORDER DATA FLOWS REALISING
BENEFITS AND REMOVING BARRIERS, 1-28 (2018).

Web Resources
Bischoff, Paul, The World’s Most Surveilled Cities, COMPARITECH (2019),
https://www.comparitech.com/vpn-privacy/the-worlds-most-surveilled-cities/

BEUC, Privacy Shield: Strong and Shiny or Porous and Rusty?, BEUC (Feb. 5,
2016),
https://www.beuc.eu/press-media/news-events/privacy-shield-strong-and-shiny-or-porous-and-rusty.

Cadwalladr, Carole & Emma Graham-Harrison, Revealed: 50 Million Facebook
Profiles Harvested for Cambridge Analytica in Major Data Breach, THE
GUARDIAN (2018),
https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

Collier, Kevin, Does the NSA’s PRISM Spying Program Violate EU Law?, DAILY
DOT (Dec. 11, 2015),
https://www.dailydot.com/news/prism-nsa-government-surveillance-europe-law/.

112
Evans, Bob, Top 5 Cloud Vendors in the World, CLOUD NEWS (Jan. 14, 2019),
https://cloudwars.co/worlds-top-5-cloud-vendors-cloud-wars/.

European Comm’n, Adequacy Decisions-How the EU Determines if a Non-EU
Country has an Adequate Level of Data Protection, EUROPEAN COMM’N (2019),
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

Gartner Inc., Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5
Percent in 2019, GARTNER.COM (Apr. 2, 2019),
https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g

Gartner Inc., Cloud Computing, GARTNER.COM,
http://www.gartner.com/it-glossary/cloud-computing/

Greenfield, Marlene, Distribution of Twitter Users Worldwide from 2012 to 2018, by
Region, STATISTA (May 27, 2014),
https://www.statista.com/statistics/303684/regional-twitter-user-distribution/

In Your Face: China’s All Seeing State, BBC NEWS (Dec. 10, 2017),
https://www.bbc.com/news/av/world-asia-china-42248056/in-your-face-china-s-all-seeing-state

ICO, Guide to the General Data Protection Regulation (GDPR),
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

Mass, Framingham, Cloud IT Infrastructure Revenues Surpassed Traditional IT
Infrastructure Revenues for the First Time in the Third Quarter of 2018,
According to IDC, IDC (Jan. 1, 2019),
https://www.idc.com/getdoc.jsp?containerId=prUS44670519

Moerel, Lokke, Binding Corporate Rules, GDPR.BE.BLOG,
https://gdpr.be/english/binding-corporate-rules/.

113
Perlroth, Nicole, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y.
Times, Sept. 22, 2016,
https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html

Proust, Olivier, Why BCR are the Future of Global Data Flows - Privacy, Security
and Information Law, FIELDFISHER,
https://privacylawblog.fieldfisher.com/2017/why-bcr-are-the-future-of-global-data-flows.

Samuels, David, Is Big Tech Merging with Big Brother? Kinda Looks Like It, WIRED
(2019),
https://www.wired.com/story/is-big-tech-merging-with-big-brother-kinda-looks-like-it/

114
