Regulation of Transborder Data Flows under ... - Tilburg University

More documents

Recommendations

Info

Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 16 personal data to countries without data protection laws and performing the processing there. 25 The restrictions contained in these early laws range from a requirement to obtain an explicit authorization from the data protection authority before transferring personal data outside the country (e.g., in Austrian and Swedish law); to adopting verbatim the provisions of Article 12 of Counsel of Europe Convention 108 (e.g., in Irish law); to a requirement that either the individual whose data were transferred had to consent to the transfer, or that the country of import had to have a data protection law with a similar level of protection (e.g., in Finnish law). However, despite these provisions, at the time the first data protection laws were drafted the transborder flow of personal data seems to have been regarded as the exception rather than the rule. 26 C. International instruments The OECD Privacy Guidelines represent the first attempt to deal with transborder data flows from a global perspective. Adopted in 1980, the Guidelines are a non-binding set of principles that member countries may enact, and have the dual aim of achieving acceptance of certain minimum standards of privacy and personal data protection, and of eliminating, as far as possible, factors which might induce countries to restrict transborder data flows for reasons associated with such flows. 27 The Guidelines contain the following main provisions dealing with transborder data flows: --Member countries are to consider in their legislation the implications for other member countries of domestic processing and the re-export of personal data (para. 15). --Member countries should take ‘all reasonable and appropriate steps’ to ensure that transborder flows of personal data (including transit of data) are uninterrupted and secure (para. 16). --Member countries should refrain from restricting transborder flows of personal data between themselves, except where the recipient country ‘does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation’. A member country is also allowed to impose restrictions ‘in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection’ (para. 17). 25 See Lee Bygrave, Data Protection Law: Approaching its Rationale, Logic and Limits (Kluwer Law International 2002), at 79-80, stating that the chief aim of restrictions on transborder data flows is ‘to hinder data controllers from avoiding the requirements of data protection laws by shifting their data-processing operations to countries with more lenient requirements’; European Commission, Amended Proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(92) 422 final, 15 October 1992, at 34, stating that without restrictions on international data transfers, ‘the Community’s efforts to guarantee a high level of protection for individuals could be nullified by transfers to other countries in which the protection provided is inadequate’. 26 See F. Hondius, ‘International Data Protection Action’, in: Policy Issues in Data Protection and Privacy (n 6), at 208, stating that ‘the vast majority of data processing operations take place within the limits of national frameworks, either in the private or in the public sector’. 27 OECD Guidelines, Explanatory Memorandum, para. 25.
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 17 --Member countries are to ‘avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection’ (para. 18). In 1990 the United Nations issued its Guidelines concerning Computerized Personal Files, which take the form of a non-binding guidance document. 28 The UN General Assembly has requested ‘governmental, intergovernmental and non-governmental organisations to respect those guidelines in carrying out the activities within their field of competence’. 29 The Guidelines state in paragraph 9 that ‘when the legislation of two or more countries concerned by a transborder data flow offers comparable safeguards for the protection of privacy, information should be able to circulate as freely as inside each of the territories concerned. If there are no reciprocal safeguards, limitations on such circulation may not be imposed unduly and only in so far as the protection of privacy demands’. Regulation of transborder data flows may restrict the provision of services across borders, which may give rise to questions under the General Agreement on Trade in Services (GATS), a treaty of the World Trade Organization (WTO) that entered into force in 1995. 30 Data protection regulation (including regulation of transborder data flows) is exempted from scrutiny under the GATS, but only as long as it does not represent a disguised restriction on trade. 31 Governments have also concluded international agreements providing privacy protections for personal data transferred between jurisdictions for law enforcement purposes. For example, such agreements have been concluded between the EU and the United States covering the transfer of passenger name record (PNR) data of airline passengers 32 and of financial messaging data. 33 The ‘High Level Contact Group’, which is comprised of officials from various entities of the EU and the United States government, has also 28 UN Guidelines concerning Computerized Personal Data Files of 14 December 1990, UN Doc E/CN.4/1990/72. 29 UN Doc A/RES/45/95, 14 December 1990. 30 See Peter P. Swire and Robert E. Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings Institution Press 1998), at 189-196. 31 GATS Article XIV(c)(ii), stating that ‘Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services, nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures…(c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to…(ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts…’ See also Maria Verónica Perez Asinari, ‘Is there any Room for Privacy and Data Protection within the WTO Rules?’, 9 Electronic Commerce Law Review 249 (2002). 32 Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), [2007] OJ L204/18. 33 Council of the European Union, Council Decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, 24 June 2010. See .
Page 1 and 2: TILT (TILBURG INSTITUTE FOR LAW, TE
Page 3 and 4: Kuner/Regulation of Transborder Dat
Page 15: Kuner/Regulation of Transborder Dat
Page 67 and 68:
Kuner/Regulation of Transborder Dat
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
show all

Regulation of Transborder Data Flows under ... - Tilburg University

Create successful ePaper yourself

Delete template?

Save as template?