Regulation of Transborder Data Flows under ... - Tilburg University

More documents

Recommendations

Info

Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 20 adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question’. 47 Member State implementations of the Directive vary, and result in considerable differences in national legal approaches to international data transfers. 48 Member State data protection authorities have also authorised the use of mechanisms for the transborder transfer of personal data beyond those explicitly recognised in the Directive, such as intra-company compliance programs known as binding corporate rules (BCRs). 49 The EU Directive has been influential in inspiring a number of other countries around the world to adopt regulations on transborder data flows; examples include a number of African countries, Argentina, the Dubai International Financial Centre, and Russia. The EU has also enacted a decision to provide a common level of data protection in the processing of personal data by the police and judicial authorities. Under Article 13 of the Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, personal data may only be transferred from Member State law enforcement authorities to third countries or international bodies if certain conditions are fulfilled, including that such country or international body ensures an adequate level of protection for the data processing (though a number of exceptions to this requirement are provided). 50 In 2004, the twenty-one member economies of the Asia-Pacific Economic Cooperation (APEC) group agreed on the APEC Privacy Framework, which is a set of privacy principles that member economies may implement voluntarily. 51 The Framework protects personal data transferred outside the APEC Member State where they were collected by recourse to the principle of ‘accountability’ (the accountability principle applies to data protection compliance in general, though discussion of it in this study will be limited to transborder data flows). 52 The accountability approach, which was first mentioned in the context of data protection in the OECD Guidelines, 53 ‘ensures that the original collector of the personal information remains accountable for compliance with the original privacy framework that applied when and where the data was collected, regardless of the other 47 Article 29 Working Party, ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (WP 114, 25 November 2005), at 11. 48 nd See Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (2 ed. Oxford University Press 2007), at 162-166. 49 See, e.g., Article 29 Working Party, ‘Working document setting up a framework for the structure of binding corporate rules’ (WP 154, 24 June 2008). 50 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, [2008] OJ L350/60. 51 The APEC member economies include Australia; Brunei Darussalam; Canada; Chile; the People’s Republic of China; Hong Kong, China; Indonesia; Japan; the Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; the Republic of the Philippines; the Russian Federation; Singapore; Chinese Taipei; Thailand; the United States; and Vietnam. 52 See APEC Privacy Framework (n 2), Principle 9, providing that a personal information controller ‘should be accountable for complying with measures that give effect to the Principles…When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles’. 53 OECD Guidelines, Accountability Principle (Paragraph 14).
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 21 organisations or countries to which the personal data travels subsequently’. 54 The APEC framework foresees that organisations (such as companies) may adopt Cross-Border Privacy Rules (CBPRs) as a way to apply protections across the organisation no matter where the data are processed. 55 Some APEC member economies have implemented the accountability approach in their own data protection legislation. For example, accountability is used under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the concept is also contained in the Australian Government’s draft Privacy Principles that were released for consultation in June 2010. 56 Accountability does not specifically restrict transborder data flows, but imposes compliance responsibilities on parties that transfer personal data internationally. As the Office of the Privacy Commissioner of Canada has explained, ‘PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement’. 57 On a practical level, accountability may require organisations to take steps such as implementing appropriate privacy policies which are approved by senior management and implemented by a sufficient number of staff; training employees to comply with these policies; adopting internal oversight and external verification programs; providing transparency to individuals as to the policies and compliance with them; and adopting mechanisms to enforce compliance. 58 However, the APEC Privacy Framework is far from being a monolithic or uniform approach. Because it is so new, there is little experience of how it will work in practice, besides the experience in those countries that have already implemented a similar system of privacy protection. Since the Framework is voluntary, it is also unclear how many members will implement it; in fact, at present APEC members have their own approaches to privacy protection, which cover a wide range of positions. Implementation of the Framework may not necessarily require legislation, but can also be accomplished through mechanisms such as industry self-regulation, 59 meaning that divergence is likely to continue even between those countries that have implemented it. In addition, the APEC Framework does not have binding legal effect as would result, for example, from conclusion of an international treaty, and its provisions are subject to derogation by 54 Malcolm Crompton, Christine Cowper and Christopher Jefferis, ‘The Australian Dodo Case: An Insight for Data Protection Regulation’ (26 January 2009) BNA Privacy & Security Law Report 180, at 181. 55 See APEC Data Privacy Pathfinder Projects Implementation Work Plan (Revised), APEC document 2009/SOM1/ECSG/SEM/027, . 56 Australian Government, ‘Australian Privacy Principles, Exposure Draft’ (24 June 2010), at 15-17, ; and Australian Government, ‘Australian Privacy Principles, Companion Guide’ (June 2010), at 13, . 57 Office of the Privacy Commissioner of Canada, ‘Guidelines for Processing Personal Data across Borders’ (2009), at 5, . 58 Galway Project and Centre for Information Policy Leadership, ‘Data Protection Accountability: The Essential Elements, A Document for Discussion’ (2009), , at 11-14. 59 APEC Privacy Framework (n 2), at 31.
Page 1 and 2: TILT (TILBURG INSTITUTE FOR LAW, TE
Page 3 and 4: Kuner/Regulation of Transborder Dat
Page 19: Kuner/Regulation of Transborder Dat
Page 71 and 72:
Kuner/Regulation of Transborder Dat
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
show all

Regulation of Transborder Data Flows under ... - Tilburg University

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?