Protecting digital identity in the cloud: Regulating cross border data disclosure

Widespread use of cloud computing and other off-shore hosting and processing arrangements make regulation of cross border data one of the most significant issues for regulators around the world. Cloud computing has made data storage and access cost effective but it has changed the nature of cross border data. Now data does not have to be stored or processed in another country or transferred across a national border in the traditional sense, to be what we consider to be cross border data. Nevertheless, the notion of physical borders and transfers still pervades thinking on this subject. The European Commission (“EC”) is proposing a new global standard for data transfer to ensure a level of protection for data transferred out of the EU similar to that within the EU. This paper examines the two major international schemes regulating cross-border data, the EU approach and the US approach, and the new EC and US proposals for a global standard. These approaches which are all based on data transfer are contrasted with the new Australian approach which regulates disclosure. The relative merits of the EU, US and Australian approaches are examined in the context of digital identity, rather than just data privacy which is the usual focus, because of the growing significance of digital identity, especially to an individual's ability to be recognized and to transact. The set of information required for transactions which invariably consists of full name, date of birth, gender and a piece of what is referred to as identifying information, has specific functions which transform it from mere information. As is explained in this article, as a set, it literally enables the system to transact. For this reason, it is the most important, and most vulnerable, part of digital identity. Yet while it is deserving of most protection, its significance has been largely under-appreciated. This article considers the issues posed by cross border data regulation in the context of cloud computing, with a focus on transaction identity and the other personal information which make up an individual's digital identity. The author argues that the growing commercial and legal importance of digital identity and its inherent vulnerabilities mandate the need for its more effective protection which is provided by regulation of disclosure, not just transfer.