Regulation of Transborder Data Flows under ... - Tilburg University

Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 27
III. Issues and Analysis
A. Legal nature of the various approaches
Regulation of transborder data flows derives from a number of distinct legal traditions
and cultures, depending on the originating country or region. For example, some regional
legal instruments (such as Council of Europe Convention 108, 83 the European
Convention on Human Rights, 84 and the Charter of Fundamental Rights of the European
Union 85 ), recognize data protection as a fundamental human right, so that laws regulating
transborder data flows may have the quality of legally-binding human rights instruments.
Other instruments may not be based on human rights law, and may not be legally
binding. For example, a scan of the APEC Privacy Framework reveals that the terms
‘fundamental right’ and ‘human right’ are not used at all in the document, and the
purpose of the Framework is defined in terms of realizing the benefits of electronic
commerce rather than of protecting human rights. 86
The characterization of data protection as a human right has important legal implications,
since it means that the law may be more difficult to change and a higher value may be
placed on the rights of individuals than in jurisdictions where the subject is seen more
from the point of view of economic efficiency. Differences in the legal nature of data
protection and privacy law between cultures and legal systems have made it more
difficult to reach an international consensus on the subject. 87
Even when data protection is considered to be a human right, the regulation of
transborder data flows is generally not considered to be a fundamental principle of data
protection and privacy law. For example, in the Madrid Resolution, regulation of
transborder data flows is not included in Part II, which lists ‘basic principles’ of data
protection (lawfulness and fairness, purpose specification, proportionality, data quality,
openness, and accountability), but is contained in a separate section (section 15).
Similarly, in the EU Directive, the provisions on transborder data flows are not included
in the section containing the core rules of data processing (‘Chapter II: General Rules on
the Lawfulness of the Processing of Personal Data’), but in a separate section (‘Chapter
IV: Transfer of Personal Data to Third Countries’).
Regulation of transborder data flows focuses on policies such as preventing
circumvention of the law and guarding against data processing risks where the data are
83
See Article 1, referring to the individual’s ‘right to privacy, with regard to automatic processing of
personal data relating to him’.
84
Article 8, together with case law interpreting it, such as Rotaru v Romania (App no 28341/95) ECHR
2000-V.
85
Article 8, [2000] 2000/C364/01.
86
See APEC Privacy Framework (n 2), at 3, stating that ‘APEC economies realize that a key part of efforts
to improve consumer confidence and ensure the growth of electronic commerce must be cooperation to
balance and promote both effective information privacy protection and the free flow of information in the
Asia Pacific region’.
87
See Michael Kirby, ‘The History, Achievement and Future of the 1980 OECD Guidelines on Privacy’, 1
International Data Privacy Law ___ (forthcoming in 2011) regarding the impact of such factors on the
drafting of the OECD Guidelines.