Regulation of Transborder Data Flows under ... - Tilburg University
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 41
In the meantime, increased cooperation between data protection and privacy regulators
can help minimize the problems caused by differences in the approaches to transborder
data flow regulation. Such cooperation already exists, but could be increased to provide
enhanced possibilities for cross-border enforcement of the law. In some cases this may
require governments to amend their laws in order to allow the cross-border sharing of
information between regulatory authorities. 143
B. Determining the default regulatory position
The two default positions either presume that data flows should be allowed, but leave the
possibility for regulators to block or limit them, or presume that such flows should not
take place unless a legal basis for the transfer is present. The OECD Guidelines allow
countries to regulate transborder data flows, but only if this is designed to protect privacy
and is not used as an excuse to restrict data flows for some other reason. However,
deciding whether transborder data flow regulation is designed mainly to protect privacy,
or is being used as a pretext for some other purpose, would seem to be fraught with
difficulty. 144
Neither of the two default positions seems inherently better than the other; each one has
inherent advantages and disadvantages, and which one a country selects will largely
depend on its own culture, history, and legal tradition. The first position (allowing
transborder data flows unless specific risks are present) may prove too reactive and allow
enforcement only after data misuse has already occurred, whereas the second one
(requiring a legal basis before transfers take place) may unduly restrict data flows and
prove increasingly futile in light of developments such as cloud computing. In order to
minimize these disadvantages, if the first position is adopted, it should be accompanied
by the following measures:
--steps to encourage pro-active compliance with the law (such as the promotion of
trustmarks and privacy audits);
--granting sufficient resources and enhanced enforcement powers to regulators;
--enactment of rules to ensure the legal accountability of parties transferring personal
data.
If the second position is adopted, it should be accompanied by measures such as the
following:
--minimization of bureaucratic restrictions (such as requiring regulatory filings or
approvals for individual data transfers);
--encouragement of organisationally-based data transfer mechanisms (such as binding
corporate rules or cross-border privacy rules);
--prioritization of enforcement to focus on those transborder data flows that carry the
greatest risks for individuals.
143 See Law Commission of New Zealand, ‘Review of the Privacy Act 1993’ (n 130), at 398-399.
144 See David Wright, Paul De Hert, and Serge Gutwirth, ‘Showing their age? The OECD Guidelines on
transborder data flows are three decades old’, Communications of the ACM ___ (forthcoming),
.