Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Kuner/<strong>Regulation</strong> <strong>of</strong> <strong>Transborder</strong> <strong>Data</strong> <strong>Flows</strong> <strong>under</strong> <strong>Data</strong> Protection and Privacy Law 17<br />
--Member countries are to ‘avoid developing laws, policies and practices in the name <strong>of</strong><br />
the protection <strong>of</strong> privacy and individual liberties, which would create obstacles to<br />
transborder flows <strong>of</strong> personal data that would exceed requirements for such protection’<br />
(para. 18).<br />
In 1990 the United Nations issued its Guidelines concerning Computerized Personal<br />
Files, which take the form <strong>of</strong> a non-binding guidance document. 28 The UN General<br />
Assembly has requested ‘governmental, intergovernmental and non-governmental<br />
organisations to respect those guidelines in carrying out the activities within their field <strong>of</strong><br />
competence’. 29 The Guidelines state in paragraph 9 that ‘when the legislation <strong>of</strong> two or<br />
more countries concerned by a transborder data flow <strong>of</strong>fers comparable safeguards for the<br />
protection <strong>of</strong> privacy, information should be able to circulate as freely as inside each <strong>of</strong><br />
the territories concerned. If there are no reciprocal safeguards, limitations on such<br />
circulation may not be imposed unduly and only in so far as the protection <strong>of</strong> privacy<br />
demands’.<br />
<strong>Regulation</strong> <strong>of</strong> transborder data flows may restrict the provision <strong>of</strong> services across borders,<br />
which may give rise to questions <strong>under</strong> the General Agreement on Trade in Services<br />
(GATS), a treaty <strong>of</strong> the World Trade Organization (WTO) that entered into force in<br />
1995. 30 <strong>Data</strong> protection regulation (including regulation <strong>of</strong> transborder data flows) is<br />
exempted from scrutiny <strong>under</strong> the GATS, but only as long as it does not represent a<br />
disguised restriction on trade. 31<br />
Governments have also concluded international agreements providing privacy protections<br />
for personal data transferred between jurisdictions for law enforcement purposes. For<br />
example, such agreements have been concluded between the EU and the United States<br />
covering the transfer <strong>of</strong> passenger name record (PNR) data <strong>of</strong> airline passengers 32 and <strong>of</strong><br />
financial messaging data. 33 The ‘High Level Contact Group’, which is comprised <strong>of</strong><br />
<strong>of</strong>ficials from various entities <strong>of</strong> the EU and the United States government, has also<br />
28<br />
UN Guidelines concerning Computerized Personal <strong>Data</strong> Files <strong>of</strong> 14 December 1990, UN Doc<br />
E/CN.4/1990/72.<br />
29<br />
UN Doc A/RES/45/95, 14 December 1990.<br />
30<br />
See Peter P. Swire and Robert E. Litan, None <strong>of</strong> Your Business: World <strong>Data</strong> <strong>Flows</strong>, Electronic<br />
Commerce, and the European Privacy Directive (Brookings Institution Press 1998), at 189-196.<br />
31<br />
GATS Article XIV(c)(ii), stating that ‘Subject to the requirement that such measures are not applied in a<br />
manner which would constitute a means <strong>of</strong> arbitrary or unjustifiable discrimination between countries<br />
where like conditions prevail, or a disguised restriction on trade in services, nothing in this Agreement shall<br />
be construed to prevent the adoption or enforcement by any Member <strong>of</strong> measures…(c) necessary to secure<br />
compliance with laws or regulations which are not inconsistent with the provisions <strong>of</strong> this Agreement<br />
including those relating to…(ii) the protection <strong>of</strong> the privacy <strong>of</strong> individuals in relation to the processing and<br />
dissemination <strong>of</strong> personal data and the protection <strong>of</strong> confidentiality <strong>of</strong> individual records and accounts…’<br />
See also Maria Verónica Perez Asinari, ‘Is there any Room for Privacy and <strong>Data</strong> Protection within the<br />
WTO Rules?’, 9 Electronic Commerce Law Review 249 (2002).<br />
32<br />
Agreement between the European Union and the United States <strong>of</strong> America on the processing and transfer<br />
<strong>of</strong> Passenger Name Record (PNR) data by air carriers to the United States Department <strong>of</strong> Homeland<br />
Security (DHS) (2007 PNR Agreement), [2007] OJ L204/18.<br />
33<br />
Council <strong>of</strong> the European Union, Council Decision on the conclusion <strong>of</strong> the Agreement between the<br />
European Union and the United States <strong>of</strong> America on the processing and transfer <strong>of</strong> Financial Messaging<br />
<strong>Data</strong> from the European Union to the United States for purposes <strong>of</strong> the Terrorist Finance Tracking<br />
Program, 24 June 2010. See .