Kuan's publications
My first solo book: Data localization laws and policy - the EU data protection international transfers restriction through a cloud computing lens (Edward Elgar, 2017), with forewords by Rosemary Jay and Christopher Kuner, and including discussion of the EU General Data Protection Regulation and the EU-US Privacy Shield. Available as an ebook via e.g. Google Play (around £20), and in hardcover format (see the publisher's page for details of both).For my other publications, please scroll down.
![]()
|
‘It should be read by every data protection supervisory
authority and law-maker in Europe.’ ‘Displaying great originality and rigour, this book
makes the case that location-based personal data protection should have
that “Frankenrule” replaced by regulation based on enforcement of
security and encryption standards. With an interdisciplinary focus on
law, computer security and industrial organisation (in technological
and business value chains of data processing), this approach is to be
recommended to legal scholars of the Internet.’ Reviews Not a review as such, but I understand Roger
Bickerstaff kindly mentioned my book in his SCL
Annual Conference 2020 talk on data localization - thank you
Roger! '...W Kuan Hon’s Data
Localization Laws and Policy represents an excellent
example of how an academic title – which often goes at length on a
serious topic – may maintain the balance between a remarkable degree of
engagement and an objective, accurate, structural, and sometimes
technical narrative... Data
Localization Laws and Policy represents a significantly
well-researched and highly accessible monograph that provides important
and timely observations on the EU’s data localisation law and policy.
Researchers, policymakers, data protection authorities and officers,
and indeed anyone interested in the legal issues surrounding
cross-border data flows will find the comprehensive coverage and
in-depth analyses of the book significantly helpful in deciphering the
complex legal and political picture.' '...an essential guide... a fundamental resource... The
author smoothly guides the reader through intellectually challenging
problem areas in a way that is comprehensive without sacrificing
nuance, whilst at the same time incorporating academic, business, and
political issues in a manner that consistently incorporates them
throughout in the context of how personal data is transferred and
processed on a transnational basis... can be considered a practical
accomplishment that helps to create a vital interlinkage between the
legal and academic world that is not always obvious, but also, she has
done it in a way that provides vision in the often foggy landscape
occupied by substantive legal and technical issues that are at the
forefront of the constrained debate that is data localization ...an
unrivalled level of accessibility to the table, whereby explanations
are technical enough to satisfy those in academia and practice, but
also, are succinct enough to take it beyond the niche of specialists.
It is a text which exerts a key quality often missed in books of this
nature and it is refreshing to see that intellectual stimulation and
practical accessibility are two compatible concepts which can
coexist... It brings the most important matters to the forefront and
encourages users to think beyond the present and towards the future
implications of legal barriers to the free interchange of personal data
globally. This book should for essential reading to anyone interested
in data localization laws and policy generally, but also, those who
wish to explore the technical rules and regulations on how to protect
personal data that is transferred and processed on the global
Internet...' '...As Dr. W. Kuan Hon convincingly argues in her book
Data Localization Law and Policy, the “location fixation” is
fundamentally at odds with the complex web of relationships involved in
cloud computing technology... The author thus aptly calls the
Restriction a “Frankenrule”, evoking the idea of a monster that has
taken life on its own and may serve policy purposes going beyond that
for which it had been conceived (e.g., trade protectionism)... The
author should be given credit for starting a very important discussion
on the responsibilities of mere infrastructure providers, though the
solution offered – that those providers be qualified as neither
controllers nor processors- appears less convincing from an exegetical
perspective... this book provides food for thought with a valuable and
comprehensive picture of data protection law and policy issues in
relation to cross border data transfers.' First review in a French journal!: '...she has weaved together an informative narrative
that takes the reader on a journey from the legislative history behind
data protection through to mechanisms and derogations, and compliance
and enforcement. But it is not a heavy-going read and the advice is
practical and realistic, rather than legalistically prescriptive...
It's not just CIOs and the burgeoning army of data protection officers
who ought to have a copy of this book displayed prominently on their
shelves, but also that equally burgeoning army of lawyers working in
the field... we'd advise every CIO not just to get their hands on a
copy, but to make sure they get the hardback version...' '...provides a thorough analysis of the law and
highlights the absurdity of rules which use physical location as a
shorthand for data security, while ignoring the impact of encryption,
remote access, and cloud computing... Punchy, timely and opinionated.' '...Overall this volume represents an accessible,
comprehensively researched and thorough in-depth analysis which focuses
on what has become an extremely important, but perhaps to date
under-studied, aspect of the European data protection framework. It is
a title in an area of law that, at the time of writing, is lacking in
high-quality legal scholarship, which will be of course be highly
pertinent to both students and researchers of data protection law, but
is likely also to pique the curiosity of those interested in IT law,
international commercial law, computer science and regulation more
broadly.' '...To turn such subject-matter into a readable text of
almost 500 pages is quite an achievement, but I promise you that Kuan
Hon has achieved precisely that. It’s so readable that I actually read
(almost all) the book when my aim was to read the minimum number of
pages possible in order to write a respectable review...one of the
strengths of the book is the balance which is found in dealing with the
(old) Data Protection Directive (which is not dead yet and will have a
considerable after-life) and the incoming GDPR...' See full
review. '...This
book which is partly a legalistic discussion about terms and concepts
is however very useful for companies involved in cloud computing, as it
explains the challenges in practical terms and with many examples of
real cases. The arguments that the author makes are often not only
relevant in the cloud computing context, but also apply more generally
for cross-border transfers.' See full
review (PDF).
|
See: my list of GDPR transfers enforcement and other transfers-related links.
Also see my blogs/articles on LinkedIn) and my papers on SSRN. For my blog, please see Kuan0's blog; for books, see the right sidebar.
Selected recent or forthcoming publications are listed below:
- Do you make, import or distribute smart/IoT products in the UK? New security-related obligations and liability under the Product Security and Telecommunications Infrastructure Act 2022, Dentons Insights (with Antonis Patrikios), 24 Jan 2023
- EU Digital Services Act: key action points for February 2023 and later deadlines, Dentons Insights (with Antonis Patrikios), 1 Dec 2022
- Data transfers: A triangle with zero trust, not zero risk?, IAPP, 22 Nov 2022
- UK perspective – data transfers / data sharing in a global environment, Dentons Insights, 25 Oct 2022
- Reviewed/commented on Phil Lee's flyer "Digital Services Act: Key advertising rules for online platforms",Sept 2022
- The regulatory landscape surrounding the use of bot technologies, Dentons Insights, 21 Jul 2022 (first published on Lexis®PSL on 12 Jul 2022)
- UK BCRs: ICO to publish new guidance, Dentons Insights (with others), 4 July 2022
- Changes to UK Data Protection Laws: Key headlines, Dentons Insights (with others), 22 June 2022
- The AI trilogy series, Part 2: Our top five key takeaways, Dentons Insights (with others), 31 Mar 2022
- International transfers from the UK – new tools published, Dentons Insights (with others), 10 Feb 2022
- Transfers Takeaways from GDPR Enforcement in Cloud Computing & Beyond, SSRN, 24 Jan 2022
- Note: further links have been added in my update webpage on transfers, Google Analytics/Fonts & GDPR
- UK launches plan to develop leading AI Standards, Dentons Insights (with Simon Elliott), 24 Jan 2022
- The 2021 EU SCCs: practical issues... & some solutions?, Society for Computers & Law, 20 Jan 2022
- Cloud
computing & the EDPB: 2021 in retrospect, Society for
Computers & Law, 7 Jan 2022
- Letter: Amazon’s spy agency deal should leave no clues in the cloud, Financial Times, Nov 2021
- Contributed to Sweet & Maxwell's Encyclopedia of Data Protection & Privacy, Nov 2021 release:
- UK intelligence services and national security
processing
- New
C2P SCCs for controllers and processors in the EEA, LexisPSL
(subscription required), June 2021; also published on Fieldfisher
blog
- The
proposed DSA - Part 4 - Knowing your obligations under the DSA,
Fieldfisher blog (with Charley Guile), May 2021
- Cloud computing - more regulation, better regulation? - article on EU regulation affecting cloud computing, in CIO Applications Europe, May 2021
- Cloud Computing Law (OUP, 2nd edition 2021) book now published in a new edition! In the second edition of this book I remain as lead author of the first two chapters and the chapter on negotiating cloud contracts, and I also commented on drafts of several other chapters. The links on the right are still to the 1st edition but I plan to add links to the 2nd edition too
- Review by Darren Grayson Chng in Singapore's Law Gazette, Jan 2022
- Contributed to Tanya Álvarez's report, Maximising
the opportunities the P2B Regulation offers SMEs and platforms in Spain
and abroad, Digital Future Society, Apr 2021
- Quoted in Computing, regarding my blog on the security/identity theft risks of including birthdates & NHS numbers in Covid-19 test results emails, Apr 2021
- Cookie
consent tool spoof, 1 Apr 2021!
- Offering
cloud services/online marketplaces in the UK? NIS representative,
registration and fines, Fieldfisher blog, Mar 2021
- Will companies be prevented from using Irish law to govern their SCCs?, Fieldfisher blog (with Phil Lee), Feb 2021
- Proposed
Digital Services Act - Key Liability & Due Diligence Rules
- my infographic/cheatsheet published by Society for Computers
& Law, Feb 2021
- GDPR - Your questions answered on Data Protection Day, Computing, Jan 2021
- Contributed to Sweet & Maxwell's Encyclopedia of Data Protection & Privacy, Nov 2020 release:
- Enforcement of the GDPR
- Invited peer reviewer for the 5th edition of Rosemary Jay's
seminal book Data
Protection Law and Practice (Sweet & Maxwell, Nov
2020), research chapter
- Book
review, Cryptography: The Key to Digital Security, How It Works, and
Why It Matters, Society for Computers & Law, Oct 2020
- Raising
the bar: UK hospitality sector braces for stricter Covid data
collection and other obligations, Fieldfisher blog, Sept 2020
- Comment—EDPS
to EU institutions: revert to expensive 20th century outsourcing,
longer documents (cloud computing), Fieldfisher blog (first
published on LexisPSL),
Aug 2020
- The
Platform to Business Regulation is here! – non-compliant terms could be
void, Fieldfisher technology and outsourcing blog, July 2020
- Quoted in ComputerWeekly on UK NIS Regulations' 2-year review, June 2020
- Raise
a glass to 4th of July but don't forget the GDPR, Fieldfisher
blog on UK hospitality sector Covid-19 contact tracing guidance (with
Natalie Barnfield as lead author), June 2020
- Cloud / Hosting Providers Beware? An Unintended Consequence of the P2B Regulation, Society for Computers & Law, Mar 2020
- Cyber
security due diligence in M&A transactions,
Fieldfisher blog (with James Walsh), Nov 2019
- Quoted in Global Data Review on NIS Directive and essential services, Nov 2019
- GDPR - practical experiences - part 1 contracts, children etc, part 2 data subject rights, LinkedIn blogs, July 2019
- Security: lessons from GDPR fines (LinkedIn blog), also Fieldfisher privacy blog (although my name has been removed post-Dec 2021), July 2019
- Tweeted by @saqibali_ca
- Quoted in Global Data Review on new
EU P2B Regulation on promoting fairness and transparency for
business users of online intermediation services, June 2019
- Not a publication, but for those who like parodies - my Accountability Song (LinkedIn, YouTube) to mark the occasion of the first anniversary of the GDPR becoming applicable throughout the EU (with apologies to those behind the tune of the old spiritual "Down By the Riverside"!), May 2019
- More parodies: I-CO!
I-CO!, A
GDPR Carol, and Killing
Cloud Quickly with DP
- Contributed to Sweet & Maxwell's Encyclopedia of Data Protection & Privacy, April 2019 release:
- Codes of conduct and certifications under the GDPR
- Quoted in Global Data Review on
English data subject access request case, April 2019
- Quoted in Global Data Review on cybersecurity report, April 2019
- "Cookie law" vs. GDPR - EDPB regulatory views, LinkedIn blog, Mar 2019
- Double security breach notification - or not? GDPR vs. ePrivacy Directive, LinkedIn blog, Mar 2019
- GDPR
enforcement statistics - summary of new report, LinkedIn
blog, Mar 2019
- NCSC's 5 Cyber Ps for the Boardroom, LinkedIn blog, Nov 2018
- Quoted in Infosecurity Magazine on NIS Directive, Oct 2018
- Quoted in Computing on NIS
Directive, Oct 2018
- When to Conduct DPIAs?, Society for Computers & Law, Oct 2018 - analysing the European Data Protection Board's first 22 consistency opinions (on national lists of situations requiring data protection impact assessments under Art.35 GDPR)
- Tweeted by @Janet_LegReg
- Quoted in Computing on firmware and security by design, 3 Oct 2018
- Quoted in Computing "You
could be fined twice for the same breach under GDPR and NIS",
27 Sept 2018
- Product
Review: Gemini – the Psion 2.0!, Society for Computers
& Law, July 2018
- Cloud
and Other Digital Services Providers – Security & Incident
Notification Obligations under the UK NIS Regulations, and GDPR
comparison, Society for Computers & Law, July 2018
(summary of longer paper on
SSRN)
- Not an article, but I've updated
the GDPR's text to show the changes made by the 23 May corrigendum
- and you can link directly to an individual Article or Recital in my corrected GDPR text.
- Cloud
service providers under the NIS Directive – the UK’s implementation
(with GDPR comparisons), SSRN, June 2018
- I-CO, I-CO! - a GDPR song, May 2018
- Quoted in GDPR:
Compliance emails unnecessary and based on 'bad advice',
claims Dr Kuan Hon, Computing, May 2018
- Quoted on GDPR in "GDPR Compliance Countdown: Shops 'Just Not There' Yet", Beagan Wilcox Volz, IGNITES (Financial Times service) 23 May 2018
- Contributed to Sweet & Maxwell's Encyclopedia of Data Protection & Privacy, April 2018 release:
- Security and breach notification under the General Data Protection Regulation
- (Secondary contributor) Data processor obligations and
liability
- Personal Breach Notification Guidelines Analysed (overview/summary of draft regulatory GDPR guidelines), Society for Computers & Law, Dec 2017
- What's
wrong with WP29 guidelines on personal breach notification under GDPR?
(specific issues with draft regulatory GDPR guidelines), IAPP, Nov 2017
- Does
GDPR enable identity theft?, answering more questions put by
Computing, Nov 2017
- Could
cloud vendors dump big customers to avoid shared liability once GDPR is
enacted?, answering questions put by Computing, Nov 2017
- Data Protection: Controllers, Processors, Contracts, Liability – the ICO Draft Guidance, Society for Computers & Law, Oct 2017
- Shorter version (but with diagram) What's
wrong with the ICO's draft guidance on controller-processor contracts?,
IAPP, Oct 2017
- Contributed to Sweet & Maxwell's Encyclopedia of Data Protection & Privacy, April 2017 release: International transfers under the General Data Protection Regulation
- My articles in Out-Law:
- New
ePrivacy rules must not overload businesses and consumers with security
information they cannot apply, says expert; Planned
'cookie law' update will exacerbate problems of old law, says expert;
More
detail on workings of GDPR certification schemes necessary to prompt
business take-up, says expert; Update
E-Commerce Directive to address imbalance in GDPR liabilities for
infrastructure cloud providers, says expert; Data
protection and service providers - new obligations, liabilities and
contract changes loom; GDPR:
potential fines for data security breaches more severe for data
controllers than processors, says expert
- Also quoted in other Out-Law articles, including: New
GDPR guidance helps explain when businesses should carry out data
protection impact assessments; Organisations
fear lack of preparedness for GDPR could put them out of business;
New
guidance on incident reporting under EU cybersecurity laws issued for
digital service providers; Ransomware
fast becoming the top cyber risk facing organisations, says expert;
Managing
cybersecurity risk entails more than installing firewalls, say experts;
Cloud
industry body sets up new data protection code; EU-Canada
PNR deal is incompatible with rights, says advocate general; Amazon
taking 'belts and braces approach' to Privacy Shield certification,
says expert; Rail
network cyber attacks might have triggered notification threshold under
new network and information security laws, says expert;
BREXIT:
Minister admits the General Data Protection Regulation might not apply
in the UK; Business
costs of adapting to data protection reforms will increase the longer
companies wait, says expert; Companies
able to rely on Privacy Shield from August after EU-US data transfer
framework is finalised; Privacy
Shield wins endorsement from EU governments; New
EU data protection laws finalised after vote; EU
data protection reforms expected to be finalised on 14 April;
Watchdog
sets April date for issuing opinion on EU-US Privacy Shield; Privacy
principles published for new EU-US Privacy Shield; Companies
can be subject to multiple data protection regimes within the EU, says
watchdog; New
EU data protection laws could spark debate over liability for data
breaches, says expert; TalkTalk
data breach to cost company up to £`35m in one-off costs, CEO says
- Quoted in Banks
rush to protect against data breach fines, Alina
Haritonova, Risk.net, 29 Mar 2017
- Quoted in Cyber Security Practitioner Volume 3 issue 3, Mar 2017, on ENISA's incident notification guide for DSPs
- Quoted in Why
GDPR may inhibit privacy and security-enhancing technologies,
John Leonard, Computing, 2 Feb 2017
- I'm not an author as such but I commented on drafts, and my
contribution is acknowledged in EU security agency ENISA's paper Distributed
Ledger Technology & Cybersecurity - Improving information
security in the financial sector, Jan 2017
- Feature in Computing - Part 1: How GDPR and the Network and Information Systems Security Directive will complicate cloud computing, 5 Dec 2016; Part 2: How GDPR will weigh on cloud computing providers and impose new breach notification rules, 6 Dec 2016; Part 3: More than GDPR: Brexit, Safe Harbour and Privacy Shield, and the Network and Information Systems Security Directive, 7 Dec 2016
- This feature comprises the edited transcript of my
presentation at the Cloud & Infrastructure Summit 2016 in Sept
2016 - see Presentations
- Use by Banks of Cloud Computing: An Empirical Study (with Christopher Millard), SSRN, Oct 2016
- Updated version published in three parts in Computer Law
& Security Review, late 2017 and early 2018: Banking
in the cloud: Part 1 – banks' use of cloud services; Banking
in the cloud: Part 2 – regulation of cloud as ‘outsourcing’; Banking
in the cloud: Part 3 – contractual issues
- More
detail on workings of GDPR certification schemes necessary to prompt
business take-up, says expert, Out-Law, 27 Oct
2016
- Not publications as such, but in 2016 I was
quoted/mentioned in: Computing
(see Publications),
The
Register, BBC.
- International transfers under GDPR: Key changes, Privacy Laws & Business International Report issue 141, June 2016, p.7
- Times are changing: Navigating policy and getting to grips with data location, guest blog on VMWare's EMEA blog, April 2016
- GDPR’s extra-territoriality means trouble for cloud computing, Privacy Laws & Business International Report issue 140, April 2016, p. 25
- A question of trust, by Maxwell Cooter, writing in Diginomica, quotes me on cloud and GDPR, March 2016
- Killing Cloud Quickly, with GDPR...?, Society for Computers & Law, Feb 2016 (with bonus song lyrics, for those who like to sing!)
- Shorter version published in IAPP Privacy Perspective, Mar 2016, tweeted by @mdbeebe
- Twenty Legal Considerations for Clouds of Things (with Christopher Millard and Jatinder Singh), SSRN, Jan 2016
- Updated version published as Internet
of Things Ecosystems: Unpacking Legal Relationships and Liabilities,
2017 IEEE International Conference on Cloud Engineering (IC2E), Apr 2017
- Dark Clouds? (2016) 43(4) Intermedia (Journal of The International Institute of Communications (IIC)), Jan 2016
- Data security developments under the General Data Protection Regulation, LexisNexis World of IP and IT Law blog, Sep 2015
- Republished on Pinsent Masons website, Oct 2015
- Open Season on Cloud Providers? The General Data Protection Regulation Cometh..., Society for Computers & Law, Aug 2015
- Republished in LexisNexis World of IP and IT Law blog and IAPP Privacy Perspectives, Aug 2015; and, in different form, on Out-Law.com, Sep 2015
- Privacy in the Clouds: An Empirical Study of the Terms of Service and Privacy Policies of 20 Cloud Service Providers, Dimitra Kamarinou (lead author), Christopher Millard & W Kuan Hon, SSRN, Aug 2015
- Updated version published as Cloud privacy: an empirical
study of 20 cloud providers' terms and privacy policies, Dimitra
Kamarinou, Christopher Millard & W Kuan Hon, International Data
Privacy Law Part
I (2016) 6(2): 79-101 https://doi.org/10.1093/idpl/ipw003,
and Part
II (2016) 6(3): 170-194 https://doi.org/10.1093/idpl/ipw004
- Conference presentation reported in "Time
to get loud about the cloud", Science Node, Mar 2015
- Infographics comparing the legislative progress of the Data Protection Directive and draft General Data Protection Regulation, Jan 2015
- Mapping the cloud maturity curve - the fundamental five, briefing paper for The Economist Intelligence Unit by Stuart Lauchlan - quotes me on cloud (main webpage), 16 Dec 2014
- Policy, Legal and Regulatory Implications of a Europe-Only Cloud (with Christopher Millard, Chris Reed, Jatinder Singh, Ian Walden and Jon Crowcroft), SSRN, 21 Nov 2014
- Updated version published as Policy,
legal and regulatory implications of a Europe-only cloud, W
Kuan Hon; Christopher Millard; Jatinder Singh; Ian Walden; Jon
Crowcroft, Int J Law Info Tech (Autumn 2016) 24 (3): 251-278 2016; doi:
10.1093/ijlit/eaw006
- Regional clouds: technical considerations, Jatinder Singh (lead author), Jean Bacon, Jon Crowcroft, Anil Madhavapeddy, Thomas Pasquier, W. Kuan Hon, Christopher Millard, University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-863, Nov 2014
- My review of Google Glass on the Society for Computers & Law website (and hard copy magazine); and see the full review of Google Glass including all photos and graphics - termed "staggeringly thorough"!
- Not so much a publication, as an interview with me in Science Node, a publication that covers the real-world impact of advanced computing and networks, 11 June 2014 (cached version if their site is down)
- Deploying Medical Sensor Networks in the Cloud – Accountability Obligations from a European Perspective (lead author Karin Bernsmed; with Christopher Millard), SSRN, 22 Apr 2014 and 2014 IEEE 7th International Conference on Cloud Computing
- Cloud Accountability: The Likely Impact of the Proposed EU Data Protection Regulation (with Eleni Kosta, Christopher Millard and Dimitra Stefanatou), SSRN, 7 Mar 2014
- Produced for the EU A4Cloud project: A4Cloud version Feb 2014
- Cloud Computing: Geography or Technology - Virtualisation and Control, Society for Computers & Law, website 24 Jan 2014 and magazine Feb 2014 / Mar 2014 Vol 24, Iss 6
- Shorter version published on IAPP website as Cloud Computing: the Case for Logical Control over Physical Control, 16 Apr 2014
- Copyleft in the Cloud (with Jakub Menčl, who was the lead
author), chapter 9 in Shemtov and Walden (eds), Free
and Open Source Software: Policy, Law, and Practice
(OUP 2013)
- Chapters which I wrote (and co-authors reviewed) in Millard
(ed), Cloud
Computing Law
(OUP 2013), and see image links and reviews on the right:
- Cloud Technologies and Services (ch 1, with Christopher Millard)
- Control, Risk and Security in the Cloud (ch 2, with Christopher Millard)
- Negotiated Contracts for Cloud Services (ch 4, with Christopher Millard and Ian Walden)
- Public Sector Cloud Contracts (ch 5, with Christopher Millard and Ian Walden)
- What is Regulated as Personal Data in Clouds? (ch 7, with Christopher Millard and Ian Walden)
- Who is Responsible for Personal Data in Clouds? (ch 8, with Christopher Millard and Ian Walden)
- Which Law(s) Apply to Personal Data in Clouds? (ch 9, with Julia Hörnle and Christopher Millard)
- How Do Restrictions on International Data Transfers Work
in Clouds? (ch 10, with Christopher Millard)
(note: chapters 4-5 and 7-10 are updated versions of papers referred to below; I also commented on all but one of the remaining chapters in this book) - Book
Review: Data Protection Law & Practice, Society for
Computers & Law, 26 July 2013
- Negotiating Cloud Contracts - Looking at Clouds from Both Sides Now (with Christopher Millard and Ian Walden), Stanford Technology Law Review, 16 Stan Tech L Rev 81 (2012)
- This work has been reported eg by Forbes, Phys.org, Trend Micro and Seagate. It has also beeen cited e.g. in a a study on Potential and Impacts of Cloud Computing Services and Social Network Websites for the European Parliamentary Research Service's Science and Technology Options Assessment (STOA), a report by UNCTAD, The Cloud Economy and Developing Countries (2013), a report by the Australian Government's Department of Communications, Cloud Computing Regulatory Stock Take (2014), and Helix-Nebula - The Science Cloud: a catalyst for change in Europe
- UK G-Cloud v1 and the impact on cloud contracts (with Christopher Millard and Ian Walden) – Part I, Communications Law, (2012) Volume 17 Number 3 p 78; part II, Communications Law, (2012) Volume 17 Number 4 p 121 (paywalled) - the full working paper on UK G-Cloud v1 is freely downloadable
- This work has been cited eg in a study on Ubiquitous Developments of the Digital Single Market for the European Parliament's Committee on Internal Market and Consumer Protection (IMCO)
- Cloud Computing vs Traditional Outsourcing – Key Differences, Society for Computers & Law, Oct 2012 (with Christopher Millard) - the full working paper is available on SSRN
- 'Cookies and Law Firm Compliance', Society for Computers & Law, June 2012
- 'US PATRIOT Act - Can UK cloud customers use US cloud providers?' (a summary of Ian Walden's updated paper), ComputerWorldUK Cloud Vision blog, 29 May 2012
- 'Cloud computing and EU data protection law: Part Two - On international transfers of personal data', ComputerWorldUK Cloud Vision blog, 23 Apr 2012
- 'UK G-Cloud v1 and the Impact on Cloud Contracts', summarised in G-Cloud v1: Cloud Legal Project’s Analysis, Society for Computers & Law, Apr 2012 (with Christopher Millard and Ian Walden)
- 'The 12 Cs of Cloud Computing - a Culinary Confection', Society for Computers & Law, Apr 2012
- Data protection jurisdiction and cloud computing – when are cloud users and providers subject to EU data protection law? The cloud of unknowing (with Julia Hörnle and Christopher Millard) International Review of Law, Computers & Technology, Vol. 26, No. 2-3, 2012 (paywalled) - the full working paper on data protection jurisdiction in cloud computing is freely downloadable
- This work has been referenced eg in a study on Fighting Cyber Crime and Protecting Privacy in the Cloud for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE)
- 'Data Export in Cloud Computing – How can Personal Data be Transferred Outside the EEA? The Cloud of Unknowing, Part 4', (2012) 9:1 SCRIPTed 25 (with Christopher Millard)
- This work has been referenced eg in a study on Reforming the Data Protection Package for the European Parliament's Committee on Internal Market and Consumer Protection (IMCO), a study on Fighting Cyber Crime and Protecting Privacy in the Cloud for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), and a note for the European Parliament on The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights
- 'Defining 'Personal Data' in E-Social Science', (2012) 15(1) Information, Communication and Society 66 (with Christopher Millard who was the lead author)
- ‘Who is responsible for ‘personal data’ in cloud computing?—The cloud of unknowing, Part 2', (2012) 2(1) International Data Privacy Law 3 (with Christopher Millard and Ian Walden)
- This work has been referenced eg in a study on Cloud Computing for the European Parliament's Committee on Internal Market and Consumer Protection (IMCO), a study on Reforming the Data Protection Package for the European Parliament's Committee on Internal Market and Consumer Protection (IMCO), and a study on Fighting Cyber Crime and Protecting Privacy in the Cloud for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) and a study on Potential and Impacts of Cloud Computing Services and Social Network Websites for the European Parliamentary Research Service's Science and Technology Options Assessment (STOA)
- Cloud computing and EU data protection law, Part one: Understanding the international issues, ComputerWorldUK Cloud Vision blog, 28 Sep 2011
- 'The problem of ‘personal data’ in cloud computing: what information is regulated?—the cloud of unknowing', (2011) 1(4) International Data Privacy Law 211 (with Christopher Millard and Ian Walden)
- This work has been acknowledged eg by the UK Information Commissioner (p 11 text to fn 4), and referenced in the ICO's Anonymisation: Managing Data Protection Risk Code of Practice, a study on Cloud Computing for the European Parliament's Committee on Internal Market and Consumer Protection (IMCO), a study on Data Protection Review: Impact on EU Innovation and Competitiveness for the European Parliament's Committee on Industry, Research and Energy (ITRE), a study on Fighting Cyber Crime and Protecting Privacy in the Cloud for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) and a UNESCO Global Survey on Internet Privacy and Freedom of Expression (2012)
- Law enforcement agencies access rights to your cloud data (a summary of Ian Walden's paper), ComputerWorldUK Cloud Vision blog, 22 July 2011
- Who's responsible for personal data in cloud computing? You and your Saas, Paas and IaaS providers, ComputerWorldUK Cloud Vision blog, 23 May 2011
- Book review: Amazon SimpleDB Developer Guide, on a book regarding Amazon Web Services' SimpleDB NoSQL database API, Slashdot, 27 Apr 2011 (and see my unofficial errata for the Amazon SimpleDB Developer Guide)
- Data protection, the law and you - The cloud of unknowing, and the "personal data" problem, ComputerWorldUK Cloud Vision blog, 13 Apr 2011.