Regulation of Transborder Data Flows under ... - Tilburg University
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 21

organisations or countries to which the personal data travels subsequently’. 54 The APEC framework foresees that organisations (such as companies) may adopt Cross-Border Privacy Rules (CBPRs) as a way to apply protections across the organisation no matter where the data are processed. 55

Some APEC member economies have implemented the accountability approach in their own data protection legislation. For example, accountability is used under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the concept is also contained in the Australian Government’s draft Privacy Principles that were released for consultation in June 2010. 56 Accountability does not specifically restrict transborder data flows, but imposes compliance responsibilities on parties that transfer personal data internationally. As the Office of the Privacy Commissioner of Canada has explained, ‘PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement’. 57 On a practical level, accountability may require organisations to take steps such as implementing appropriate privacy policies which are approved by senior management and implemented by a sufficient number of staff; training employees to comply with these policies; adopting internal oversight and external verification programs; providing transparency to individuals as to the policies and compliance with them; and adopting mechanisms to enforce compliance. 58

However, the APEC Privacy Framework is far from being a monolithic or uniform approach. Because it is so new, there is little experience of how it will work in practice, besides the experience in those countries that have already implemented a similar system of privacy protection. Since the Framework is voluntary, it is also unclear how many members will implement it; in fact, at present APEC members have their own approaches to privacy protection, which cover a wide range of positions. Implementation of the Framework may not necessarily require legislation, but can also be accomplished through mechanisms such as industry self-regulation, 59 meaning that divergence is likely to continue even between those countries that have implemented it. In addition, the APEC Framework does not have binding legal effect as would result, for example, from conclusion of an international treaty, and its provisions are subject to derogation by

54 Malcolm Crompton, Christine Cowper and Christopher Jefferis, ‘The Australian Dodo Case: An Insight for Data Protection Regulation’ (26 January 2009) BNA Privacy & Security Law Report 180, at 181.
55 See APEC Data Privacy Pathfinder Projects Implementation Work Plan (Revised), APEC document 2009/SOM1/ECSG/SEM/027.
56 Australian Government, ‘Australian Privacy Principles, Exposure Draft’ (24 June 2010), at 15-17; and Australian Government, ‘Australian Privacy Principles, Companion Guide’ (June 2010), at 13.
57 Office of the Privacy Commissioner of Canada, ‘Guidelines for Processing Personal Data across Borders’ (2009), at 5.
58 Galway Project and Centre for Information Policy Leadership, ‘Data Protection Accountability: The Essential Elements, A Document for Discussion’ (2009), at 11-14.
59 APEC Privacy Framework (n 2), at 31.