cross-border data flow [English]

Syndetic Relationships

InterPARES Definition

n. ~ Movement of data across international boundaries, especially as regards the impact of different juridical systems on the access and use of the data and the rights of entities represented in those records.

General Notes

Because jurisdiction is generally tied to territoriality, it may be difficult to determine the relevant jurisdiction or specific legal rights or obligations if records are stored internationally.


  • Bushey et al. 2016 (†755 ): · Will you be notified if the data location is moved outside your jurisdiction? · Is the issue of your stored data being subject to disclosure orders by national or foreign security authorities addressed? · Does the Provider clearly state the legal jurisdiction in which the agreement will be enforced and potential disputes will be resolved? (†1904)
  • Goh 2014 (†726 p.60): Although the cloud computing environment facilitates transborder data flow across countries, records-related legislation is still largely based on the principle of territoriality. The territoriality principle is one of the basic jurisdictional principles, and states that any act committed in the physical territory of a jurisdiction will be tried under the laws of that jurisdiction (Ryngaert, 2008). The recent changes to the licensing rules stipulated in the Broadcasting (Class Licence) Notification (c. 28. 2013) in Singapore is an example of how countries still subscribe to the principle of territoriality, which conflicts with the borderless nature of the cloud. (†1655)
  • Goh 2014 (†726 p.59): Transborder data flow is defined as the “movement across national boundaries of computerized, machine-readable data for processing, storage, or retrieval” (United Nations Center on Transnational Corporations, 1982, p. 8). Although this definition was used by the United Nations in 1982, well before the advent of cloud computing, it is still relevant in a cloud environment, as it conveys the continuous movement of data across national boundaries. In fact, Industry Canada’s Report on the Trilateral Committee on Transborder Data Flows (2010) highlighted that while the concept has not changed since the 1980s, “technological advances and ever-increasing efficiencies applied to existing technologies have expanded the scope of transborder data flows.” There are multiple juridical systems to be taken into consideration in a cloud computing environment: the legal system of the cloud service provider, the legal system of the cloud customer, the legal system of the place where the data centers storing the data/records are located, and the legal system of the individuals to which the data/records are related (McCullagh, 2012). This involvement of multiple juridical systems means that in case of litigation, it may be very difficult to establish the relevant jurisdiction because “nationality is not a quality attributable to data” but it is “an attribute to an individual person” (Poullet et al., 2010, p. 9). Claims of breaches in privacy, data protection, and copyright could be extremely difficult to resolve (Weber, 2013). (†1656)
  • Kuner 2011 (†727 p.21-22): The increasing complexity of regulation governing transborder data flows also creates difficulties for individuals. On the one hand, the Internet has given individuals a greater direct involvement in the transborder transfer of their personal data than ever before. On the other hand, regulation has become more complicated and less transparent, and thus less understandable for individuals. For example, many transborder data flows are conducted based on the consent of the individual, but there is growing concern that individuals may not understand what they are consenting to, and that they may not have a meaningful opportunity to refuse consent. The greater use of cloud computing technologies also means that it will become increasingly difficult for individuals to exercise their rights with regard to data stored in other countries. (†1657)
  • Kuner 2011 (†727 p.26): However, geography will continue to play a role in the regulation of transborder data flows, ... There will always be cases where individuals become concerned about the processing of their personal data outside the borders of their country, based, for example, on a perceived risk of access to the data by foreign law enforcement, the chance of a breach of data security, or some other potential danger. Data controllers may also prefer to keep data within a particular region, and some cloud computing service providers already grant customers the option of keeping data within a national or regional ‘cloud’. Thus, the market for data processing services, driven by demand from both data controllers and individuals, will increasingly allow them to choose whether to restrict the transborder transfer of their personal data. Geography will also remain important with regard to law enforcement access to data, since more and more governments are likely to demand that entities offering communications in their countries also maintain communications equipment there, in order to facilitate such access. (†1658)