Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Kuner/<strong>Regulation</strong> <strong>of</strong> <strong>Transborder</strong> <strong>Data</strong> <strong>Flows</strong> <strong>under</strong> <strong>Data</strong> Protection and Privacy Law 25<br />
Moreover, the very word ‘accountability’ seems to have no precise translation in many<br />
languages, so that its legal status in non Anglo-American legal systems remains<br />
uncertain. 77 But it seems that the concept <strong>of</strong> accountability may prove useful in helping to<br />
bridge the various approaches to the governance <strong>of</strong> transborder data flows.<br />
Because <strong>of</strong> the diversity <strong>of</strong> national data protection and privacy legislation, there have<br />
been growing calls for a global legal instrument on data protection, which has resulted in<br />
the drafting <strong>of</strong> proposed standards by a group <strong>of</strong> data protection authorities from around<br />
the world <strong>under</strong> the leadership <strong>of</strong> the Spanish <strong>Data</strong> Protection Authority. In November<br />
2009, the group published ‘The Madrid Resolution’, which is a set <strong>of</strong> international<br />
standards for data protection and privacy. 78 The Madrid Resolution contains a provision<br />
dealing with international data transfers, which provides that international data transfers<br />
may generally be carried out when the country <strong>of</strong> data import affords the level <strong>of</strong><br />
protection provided in the Resolution. 79 In addition, the document allows such level <strong>of</strong><br />
protection to be afforded by other means, such as contractual clauses or binding corporate<br />
rules. 80 The Resolution further allows countries to authorize data transfers in situations<br />
similar to those covered in the exceptions in Article 26(1) <strong>of</strong> the EU Directive (e.g., when<br />
the data subject consents, etc.). 81 Finally, national data protection authorities are<br />
empowered to make such data transfers subject to authorizations before being carried<br />
out. 82<br />
on allowing organisations discretion in determining appropriate measures to reach those goals’) with the<br />
description in Article 29 Working Party, ‘The Future <strong>of</strong> Privacy’ (WP 168, 1 December 2009) (at 20,<br />
stating ‘Pursuant to this principle, data controllers would be required to carry out the necessary measures to<br />
ensure that substantive principles and obligations <strong>of</strong> the current Directive are observed when processing<br />
personal data’).<br />
77<br />
See Article 29 Working Party, ‘Opinion 3/2010 on the principle <strong>of</strong> accountability’ (WP 173, 13 July<br />
2010), at 8.<br />
78<br />
The Madrid Resolution, ‘International Standards on the Protection <strong>of</strong> Personal <strong>Data</strong> and Privacy’ (2009).<br />
79 Ibid., para. 15(1).<br />
80 Ibid., para. 15(2).<br />
81 Ibid., para. 15(3).<br />
82 Ibid.