Regulation of Transborder Data Flows under ... - Tilburg University

More documents

Recommendations

Info

Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 42 Thus, either of the default positions can work, but only if it is accompanied by measures to avoid its inherent disadvantages, otherwise the first position will tend to be too reactive, and the second one will be excessively bureaucratic. C. Evaluating underlying policies Regulation of transborder data flows was originally designed to prevent the circumvention of national data protection law. As the volume of transborder data flows has dramatically increased, the policies behind such regulation have shifted. When the first regulations were enacted, few countries had data protection laws, whereas now many do. Informal cooperation between regulatory authorities is increasing, so that concerns about individuals not being able to exercise their rights outside their own countries may be lessening. As data protection and privacy laws become more harmonised, the rationale for restrictions on transborder data flows may also diminish. 145 On the other hand, there may be greater concern at present about data access by foreign governments than there was when the first transborder data flow regulation was enacted. Policymakers need to consider the rationales behind regulation of transborder data flows more closely. For example, there has never been a detailed explanation of what is considered to be ‘circumvention’ of national data protection laws in the context of transborder data flows. Preventing circumvention of the law is a policy that is recognised in other areas of the law as well (for example, in German conflict of laws doctrine 146 and the German Civil Code 147 ), and examples from other areas of law could be useful in determining the scope of the policy against circumvention in the context of transborder data flows, and in deciding the extent to which it is a policy still worth pursuing. Transborder data flows should also be seen as a phenomenon that may bring both risks and benefits. While the transfer of personal data to countries with lower standards of protection may produce risks for the processing of personal data, the transfer to countries with higher standards may bring benefits. D. Reconciling applicable law and data transfer issues There is often a close connection between regulation of transborder data flows and rules dealing with applicable law and jurisdiction, and applicable law rules are sometimes used to protect data processed abroad in situations where the use of transborder data flow regulation is unavailable. Insufficient attention has been given to the interface between these two sets of issues; expert bodies (such as the Hague Conference on Privacy International Law) could help by clarifying issues of applicable law and jurisdiction as 145 See Spiros Simitis (ed.), Bundesdatenschutzgesetz 123 (Nomos 6 th ed. 2006), remarking that the acceptance of minimum legal standards for data processing can pave the way for increased transborder data flows. 146 See Gerhard Kegel, Internationales Privatrecht (6th ed. Verlag C.H. Beck 1987), at 303, explaining that the fact that actions were taken with the intent to circumvent otherwise applicable law may be taken into account when determining which law to apply to a dispute. 147 § 306a BGB. See Hanns Prütting, Gerhard Wegen, and Gerd Weinreich, BGB Kommentar (Luchterhand 2006), at 457, stating that a prohibition on circumventing the law concerning the application of general terms and conditions of business applies whether or not there is an intent to circumvent.
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 43 they relate to transborder data flows. 148 Further clarity would also benefit individuals by increasing transparency as to which law governs the processing of their data and which regulatory authorities have jurisdiction. Taking EU law as an example, it seems redundant and inefficient to use two sets of legal provisions (namely those concerning applicable law and transborder data flows) to fulfil the same purpose, namely protecting personal data processed outside the geographic boundaries of the EU. There is also an increasing trend (expressed for example in the APEC Privacy Framework) to apply local law to data processing in other countries, which may lead to conflicts with mandatory legal provisions of the country of import, and will make it necessary to ‘tag’ the data and indicate which ‘home’ data protection regime attaches to it. 149 Countries seem to be using a combination of applicable law rules and transborder data flow regulation to strive for a watertight legal framework under which personal data processing can be protected no matter where the data are transferred. However, they should be careful not to over-extend the jurisdictional reach of their data protection and privacy laws, in order to avoid creating international friction. Countries have in the past refused opportunities to enact global legal instruments protecting consumers in electronic commerce, 150 and it is unrealistic to expect that seamless legal protection around the world can be achieved under data protection and privacy law when this has not been realised in any other area of consumer protection law. E. Furthering regulatory efficiency Technology and data transfer practices will become increasingly complex as time goes by. In particular, the growing popularity of phenomena such as cloud computing will put increasing pressure on regulatory systems for transborder data flows, and make it imperative that they bring about a good level of compliance at a reasonable cost. Thus, it is crucial that efficiency be given priority in the design of regulation for transborder data flows. Since regulators are likely to have limited resources, this means that labourintensive mechanisms such as regulatory approvals and the filing of application and registration forms should be disfavoured; mechanisms such as codes of practice and targeted audits should be encouraged; and regulators should be given enhanced enforcement powers. Certain compliance functions (such as the operation of codes of practice and privacy seal programs) could also in effect be ‘outsourced’ to private parties, with proper regulatory oversight. This is the only way that the regulation of transborder data flows has a chance of keeping up with advances in technology and business processes. The governance of transborder data flows seems to have become increasingly bureaucratised, and it is important that compliance requirements actually serve the purpose of protecting personal data, rather than being enacted for their own sake. 148 See Hague Conference on Private International Law, ‘Cross-Border Data Flows and Protection of Privacy’ (13 March 2010), . 149 See Paula J. Bruening and K. Krasnow Waterman, ‘Data tagging for new models of information governance’ (2010, forthcoming). 150 See, e.g., United Nations Commission on International Trade Law (UNCITRAL), Report of the Working Group IV (Electronic Commerce) on the work of its fortieth session, Vienna, 14-18 October 2002, UN Document A/CN.9/527, at 20, in which countries decided against including consumer matters in the scope of the 2005 United Nations Convention on the Use of Electronic Communications in International Contracts.
Page 1 and 2: TILT (TILBURG INSTITUTE FOR LAW, TE
Page 3 and 4: Kuner/Regulation of Transborder Dat
Page 41: Kuner/Regulation of Transborder Dat

Regulation of Transborder Data Flows under ... - Tilburg University

Create successful ePaper yourself

Delete template?

Save as template?