
Publication


Featured research published by Christopher Kuner.


International Journal of Law and Information Technology | 2010

Data Protection Law and International Jurisdiction on the Internet (Part 1)

Christopher Kuner

As the global economy has become interconnected and the Internet ubiquitous, jurisdictional conflicts involving States, private actors, and regulatory agencies are becoming increasingly common. States also frequently assert their jurisdiction over conduct occurring outside their own territory, particularly with regard to conduct on the Internet. During this time, data protection law has evolved from a niche area to one that has application to nearly any field. Data protection law gives rights to individuals in how data identifying them or pertaining to them are processed, and subjects such processing to a defined set of safeguards. Following enactment of the first data protection laws in Europe in the 1970s, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was adopted,


Archive | 2013

Transborder data flows and data privacy law

Christopher Kuner

1. Background and Introduction 2. International Regulation of Transborder Data Flows 3. Typology of Regulatory Approaches 4. National, Private-Sector, and Technological Approaches 5. Analysis of Underlying Policies 6. Applicable Law, Extraterritoriality, and Transborder Data Flows 7. Compliance and Enforcement 8. A Global Regulatory Framework for Transborder Data Flows Appendix: Data Protection and Privacy Law Instruments Regulating Transborder Data Flows


Archive | 2009

Developing an Adequate Legal Framework for International Data Transfers

Christopher Kuner

With the EU Data Protection Directive having been in force now for nearly ten years, it is wise to examine the basic concepts and assumptions on which the Directive is based, to determine whether it is functioning properly. It is the thesis of this paper that the present EU legal framework for “adequacy” decisions for the international transfer of personal data is inadequate, in both a procedural and substantive sense, and needs reform. The framework was created for a world in which the Internet was not widely used, and in which data did not flow as easily across national borders as they do now. The present system of adequacy decisions has been grievously overloaded by the great increase in data flows in the past few years, and also drains resources that could better be used in other areas of data protection. European policymakers should take a hard look at the current adequacy system and its present failings, and reform the system in a way that more effectively protects the interests of data controllers, individuals, and data protection supervisory authorities.


The Maastricht Journal of European and Comparative Law | 2015

Google Spain in the EU and international context

Christopher Kuner

The Google Spain judgment handed down by the Court of Justice of the European Union (CJEU or ‘the Court’) has caused a great deal of controversy, with nearly every interested constituency (academics, activists, companies, governments, politicians, regulators and others) having expressed an opinion about it. The editors thus made a timely choice in selecting the judgment to be the subject of a debate between Christopher Wolf, Hielke Hijmans, and Giovanni Sartor in volume 21, issue 3 of this journal. Each of the three contributors deals with a particular set of issues raised by the judgment. Wolf expresses concern about its impact on the internet and on the freedom of expression online. Hijmans focuses on its implications under EU law, and welcomes it as a further affirmation of the fundamental right of data protection under the Lisbon framework. Sartor deals with the CJEU’s classification of Google as a data controller, and criticizes the lack of consistency between the judgment’s liability regime and that of the E-Commerce Directive 2000/31. Without revisiting the detailed analysis that I have provided elsewhere, and keeping in mind the contributions of the three authors, I will focus on a few key issues illustrating the legal implications of the judgment at the EU and international levels. In particular, I believe that it exemplifies the clash between constitutional cultures on


Archive | 2013

Foreign Nationals and Privacy Protection: A Comparative Transatlantic Analysis

Christopher Kuner

Since the Internet has made it easier for governmental authorities in one State to access data of individuals who are citizens of another State, questions about whether the same privacy protections should apply to citizens and aliens are occurring with increasing frequency. This is evidenced by the controversy that erupted in the summer of 2013 regarding access to electronic communications data by intelligence agencies on both sides of the Atlantic. The law of the European Union and the United States demonstrate some important differences in the privacy protection they grant to non-citizens, though both of them tend to prioritize the protection of the privacy rights of citizens. As data processing becomes increasingly globalized, it is not justifiable to base privacy protection solely on an individual’s nationality. For the US, this means that constitutional protections should extend to governmental actions that affect the personal data of non-citizens, and that statutory gaps in protection that discriminate against foreigners should be closed. For the EU, it means that legislation at the national level should not undermine respect for the universality of data protection as contained in fundamental rights law. Legal protection for privacy should be based as much as possible on universal values; removing limits on privacy protection based on nationality would be an important step towards achieving this aim.


International Data Privacy Law | 2013

The business of privacy

Christopher Kuner; Fred H. Cate; Christopher Millard; Dan Jerker B. Svantesson

Over the last decade, privacy has become big business. Company executives hobnob with data protection regulators at conferences held all over the world; associations of privacy officers are experiencing exponential growth in membership; data protection has become a money-maker for consultancies and law firms (as well as for academics who provide consulting services); and lobbyists engage policy-makers in an effort to influence data protection and privacy regulation. In the past, data protection was seen mainly as a cost factor, but now it is increasingly becoming a way to make money, and to ensure the continued trust of customers, employees, and business partners. The economic importance of data processing makes it natural that the business of privacy would expand as well. Viewing privacy as a business opportunity can result in increased attention and resources being devoted to its protection. In recent years, governments and regulators have emphasized that respect for data protection and privacy should be seen as a way to strengthen confidence in online commerce, and have encouraged the growth of the professional side of privacy; indeed, there is evidence that viewing privacy as a business enabler can itself be a powerful factor to encourage respect for regulation. All of this has led more and more companies to take steps to protect privacy as a way to strengthen their brands and enhance customer confidence through measures such as appointing internal privacy compliance officers and taking the impact of business decisions on privacy into account before they are implemented, developments that are all to the good. At the same time, these developments raise questions. Most countries with data protection laws regard privacy as a fundamental right, and viewing the protection of a fundamental right as a money-making opportunity may seem distasteful. 
The number and cost of conferences and seminars covering privacy issues often seems excessive (not to mention the environmental implications of privacy experts travelling all over the world to attend them). The increasing number of professional firms offering consulting or legal services may have contributed to the emerging view of privacy compliance as a complex and costly exercise. And many small- and medium-sized companies struggle to afford the high cost of the privacy compliance industry, with the result that many simply ignore compliance altogether. It would be hypocritical for the editors to paint the ‘privacy industry’ in too negative a light, since each of us is involved in it in one way or another. On the contrary, we believe that creating economic incentives is one of the most effective ways to further privacy and data protection, and that the growth of privacy as a business area holds the potential to motivate compliance with privacy regulation and individual expectations not just as a matter of law, but for pragmatic economic reasons as well. We see nothing wrong per se with making money from data protection and privacy, as long as the monetary rewards are kept in proportion to the reasons that privacy is protected in the first place. Data protection is not purely a money-making activity like investment banking, but exists to protect fundamental values cherished by societies around the world. This means that everyone involved in the business of data privacy should ask not just how to make it more profitable for themselves, but also how they can use it to give something back to society. Making such contributions need not be a grandiose endeavour, and can include things such as writing articles to explain complicated legal issues to a wider audience; teaching data privacy law to students; and engaging in pro bono activities on behalf of individuals and small organizations. 
Indeed, we regard IDPL as a forum for discussing important issues of data protection and privacy law, and thus as a way to give something back to what we regard as one of the most fascinating and important areas of law.


International Data Privacy Law | 2012

The end of the beginning

Christopher Kuner; Fred H. Cate; Christopher Millard; Dan Jerker B. Svantesson

As readers of IDPL are no doubt aware, on 25 January 2012 the European Commission published a proposal to reform the EU legal framework for data protection that has captured the attention of the data protection and privacy community around the world as have few other legislative initiatives in recent decades. The attention given to the proposal began even before it was officially released, as a ‘leaked’ preliminary draft found its way onto the Internet in late 2011 and precipitated a veritable feeding frenzy of attention. Since then, there have been numerous conferences, articles, blog entries, etc. devoted to the proposal, which will no doubt only increase as it works its way through the EU legislative process over the next few years. The intense attention given to the European Commission proposal is certainly justified. With the possible exception of the relevant provisions of the Lisbon Treaty, it is the biggest development in EU data protection law since enactment of Directive 95/46 in 1995. It is not just a redraft of the existing Directive, but an attempt to radically remake the EU legal framework. While individuals faced with increasing difficulty in asserting their data protection rights, and companies frustrated with the difficulty of complying with 27 divergent member state laws, had long known that the EU legal framework for data protection was broken, the realization took longer to dawn on member state governments and EU bureaucrats in Brussels. The jury is still out as to whether the proposal meets its intended objectives, and it is too early for any sort of definitive opinion on the details, given that numerous details of it will no doubt change substantially over time (indeed, it is possible that political factors may even cause the entire proposal to fall apart). But no matter what one thinks of it, at least the Commission has recognized the necessity of a root-and-branch revision of the law. 
Beyond the obvious data protection implications, the proposal serves as a laboratory to illustrate the current political tensions in the EU, and the compromises that will have to be made if a more pan-European conception of data protection law is to arise. The Commission’s decision to aim for complete harmonization of data protection law applicable to public authorities and the private sector via a regulation means that some member states are now faced with the prospect of having, as they see it, their existing national standards ‘watered down’, while others are concerned that the standards are being raised too high. This debate is an inevitable consequence of the changes brought by the Lisbon Treaty leading to a greater harmonization of fundamental rights law; since the data protection proposal is one of the first and most visible manifestations of these changes, it is proving to be a catalyst that will force governments and citizens to decide how much harmonization they really want. For years, many in the data protection community had been calling for greater harmonization, but some of the same actors are now also expressing concern about the loss of the special characteristics of their national data protection law, thus proving the truth of the adage ‘be careful what you wish for’. The proposal has important implications not only for the EU, but also for actors in both the public and private sectors around the world. Among just a few groups outside the EU affected by the proposal are non-EU governments seeking to share data with their counterparts in Europe, companies selling goods and services via the Internet to Europeans, and countries planning to enact data protection legislation based on the EU model. This last group deserves special attention, since in the last few years EU Directive 95/46 has found increasing favour as a model for numerous countries in other regions to use in drafting their own data protection legislation. 
The Directive has had the great advantage that it is a single legislative text that has also been analysed and used in practice for several years, thus making it an easy choice for countries


International Data Privacy Law | 2011

Privacy—an elusive concept

Christopher Kuner; Fred H. Cate; Christopher Millard; Dan Jerker B. Svantesson

It is interesting to consider how difficult it is to describe what ‘privacy’ is. Attempts at defining privacy date back, at least, to Warren and Brandeis’ 1890’s description of it as the ‘right to be let alone’. Another, more recent, definition is that privacy is ‘The interest of a person in sheltering his or her life from unwanted interference or public scrutiny.’ Perhaps an even more sophisticated definition would be to say that privacy relates to ‘[m]aterial that so closely pertains to a person to his[/her] innermost thoughts, actions and relationships that he[/she] may legitimately claim the prerogative of deciding whether, with whom and under what circumstances he[she] will share it.’ None of these definitions could necessarily be said to be more correct than the others, but taken together they provide a useful composite view of what we mean when we talk about privacy. While it is notoriously difficult to define ‘privacy’, the other side of the coin is that virtually everyone thinks they know what privacy is, or instinctively has ideas as to what it entails. Privacy is also often described in terms of its tension with other objectives or interests, in particular the following three types of tension:


Data Protection in a Profiled World | 2010

The Role of Private Lawyers in the Data Protection World

Christopher Kuner

While much attention has been given to the role of data protection authorities (DPAs), other governmental authorities involved in data protection (such as the European Commission), and company privacy officers (CPOs), the role of data protection lawyers in law firms seems by comparison to be unappreciated. However, private lawyers do in fact play a crucial role in the data protection world. This chapter focusses on their role.


Archive | 2009

Global Data Transfers on the Internet: Lessons from the Ancient World

Christopher Kuner

The Internet’s global reach greatly complicates the task of determining which courts and regulators should have jurisdiction over acts of data processing, and under which legal standards such processing should be judged. Challenges to data protection law concerning jurisdiction and applicable law caused by the Internet may seem completely novel. In fact, legal systems have had to grapple with difficult issues of jurisdiction and applicable law for thousands of years, and interesting parallels to some of the issues that the Internet presents can be found in the law of the ancient world. These lessons in turn lead to reflection about whether there are not more similarities between various systems of data protection law (such as those in the EU and in APEC) than is often assumed.

Collaboration


Dive into Christopher Kuner's collaborations.

Top Co-Authors

Christopher Millard

Queen Mary University of London

N. van Eijk

University of Amsterdam
