
Privacy Laws and Business International Report


New ways forward for international transfers [1998] PLBIRp 38; (1998) 46 Privacy Laws and Business International Report 14

New ways forward for international transfers

WHAT COULD BE DONE to avoid conflicts on international data transfers, especially between the European Union and the United States? Professor Joel Reidenberg from the United States suggests a new intergovernmental treaty on privacy, and urges data protection authorities to use technical solutions.

International data transfers, particularly between the EU and the United States, are perhaps the most difficult problem data protectors face at the moment. The explosive growth of the Internet, and emerging electronic commerce, have multiplied the number of data transfers that take place every day between countries. At the same time, the data protection environment is rapidly changing, not least because of the new EU Data Protection Directive and its restrictions on transferring data to countries without adequate data protection. Professor Joel Reidenberg of Fordham University, New York, who addressed the International Conference of Data Protection Authorities in Spain in September, made several suggestions on how to avoid conflicts between different jurisdictions. He suggested a series of legal instruments for international co-operation, and proposed several strategies to achieve a high level of protection.

CURRENT TRENDS IN DATA COLLECTION

Professor Reidenberg started by looking at the trends in data collection. A typical method of collecting data from Internet users is the capture of clickstream data, left behind on a network by every click of the computer’s mouse. Professor Reidenberg explained that this type of data is increasingly sought, for example, by employers, who can now buy software to monitor employees’ clickstream data at the workplace.

Another current trend is multinational sourcing. When on the network, the physical location of the computer user is irrelevant. Data collection may take place in one location, processing elsewhere, and storage on yet another site.

With the costs of processing and data storage diminishing all the time, data warehousing – the storage of millions of bits of personal information for future analysis – is also becoming popular. A phenomenon connected to this activity is the increase in the commercial use of data for secondary purposes.

TRENDS IN DIRECT CONFLICT WITH POLICIES

The current trends in data transfers, in particular the pressures for commercial use, run counter to data protection rules and practices. According to Professor Reidenberg, different data protection rules pose the central problem. Even in Europe, where the EU Data Protection Directive is being adopted, there are differences in the national laws that may cause problems for data controllers. For example, slight differences in the requirements to notify individuals prior to the collection of their data mean that data controllers cannot simply use the same wording in different jurisdictions. Professor Reidenberg predicted that this type of problem will be especially difficult in the field of electronic commerce.

Professor Reidenberg also pointed out that we may soon have a situation where non-EU countries are asked to comply with rules that are not being complied with even by companies based in Europe. He gave the example of many European websites that capture information about the persons visiting the sites. Furthermore, he suspected that the number of transfer requests made to data protection authorities cannot reflect the actual situation. With this background in mind, he wondered whether it could be considered discrimination, if data protection principles are only applied stringently to international data flows.

ROLE OF INTERNATIONAL ORGANISATIONS

As the organiser of two conferences on electronic commerce (Finland in February and Canada in October) the OECD has taken an active role in privacy protection. Other organisations, such as the World Trade Organisation (WTO), the World Intellectual Property Organisation (WIPO), the Council of Europe, the World Wide Web Consortium, and the Internet Engineering Task Force, are forming their own data protection policies. The EU, of course, has already taken a clear position of trying to stop data transfers to countries without adequate protection.

Professor Reidenberg sees that these organisations can serve different purposes. While the OECD focuses on the economic perspective of data protection, the Council of Europe looks after citizens’ rights. The WTO, on the other hand, will hear complaints against any national restraint on transborder data flows. In order to enable a dialogue between governments, data protection authorities, experts and industry, Professor Reidenberg suggested that the OECD start organising multi-interest privacy summits. The summits, which could be organised every second year, would enable interest group participation, and provide business with a channel to present its views to governments.

HARMONISATION NEEDED

Given all these different interests and the nature of data flows, Professor Reidenberg summarised that international co-operation is imperative for effective data protection. It could facilitate international data flows in two ways:

1. By promoting the co-existence and eventual harmonisation of standards of fair information practice, and

2. By confirming the creation and implementation of a data protection infrastructure.

Professor Reidenberg believes that these objectives can be achieved with a new instrument for data protection. He suggested that a General Agreement on Information Privacy (GAIP) be drafted. This agreement could also be signed by the United States, which is unlikely to adopt a data protection law. GAIP would not only facilitate the co-existence of different data protection regimes, but also contribute towards harmonising these regimes.

Professor Reidenberg proposed that a model similar to the 1947 GATT negotiations be used. The process would encourage countries without data protection authorities to designate counterparts for discussions. In the US, there has not been just one government agency responsible for privacy issues, but several. Regular rounds of negotiations between established parties would eventually lead to a consensus.

MORE EMPHASIS ON TECHNICAL STANDARDS

Professor Reidenberg thought that in addition to any legal instruments, international co-operation must focus on technical standards. He said that technical standards, when implemented, offer a direct guarantee of protection in any transfers.

Technical standards should also be used to smooth over the differences between national data protection laws. He urged the data protection authorities to treat technical standards as codes of conduct, and encouraged them to use the opportunity provided by the EU Data Protection Directive to approve industry codes of conduct (p.2). Professor Reidenberg also criticised the authorities for not having been more actively involved in technical discussions. Technical organisations and their clients are unlikely to implement standards in a manner that actively promotes data protection, unless the authorities pressurise them to do so. However, he recognised that some authorities may simply lack staff who are knowledgeable enough about the latest technical issues.

Professor Reidenberg mentioned the Internet domain name systems as an example of an area with which the data protection authorities should be involved. Policy debates would have offered an opportunity to build data protection options into the architecture of the Internet. He stressed that the authorities could use their position to insist, for example, that a certain standard become a prerequisite for the use of a technology.

DPAs PLAY A VITAL ROLE

Data protection authorities have a vital role in Professor Reidenberg’s model of solving international conflicts on transborder flows. He suggested that they issue more declarations which could be built, over time, into a clear set of standards for international data flows. These declarations are already being made by the EU Data Protection Working Party and the Berlin Working Group on Data Protection in Telecommunications, but Professor Reidenberg would like to see them being made after the authorities’ international conferences as well.

A more confrontational method of promoting data protection standards could be to use the threat of data flow restrictions. This approach has already been successfully used by the EU in negotiations with business groups in the United States. The well known case of the German Citibank Bahncard, where exporting data to the United States was only allowed when a contractual solution was in place, is an example of what can be achieved by confrontation (PL&B Dec ‘96 pp. 6-10).

RECOMMENDATIONS

Professor Reidenberg concluded by explaining that all these instruments and strategies must be used together. His recommendations to the data protection authorities for resolving international data transfer conflicts were:

1. Launch treaty negotiations for a general agreement on information privacy.

2. Participate in the development and approval of technical codes of conduct.

3. Promote biennial summits through an OECD process.

4. Pursue combined representation and advocacy strategies for the development of standards. In practice this means representing the data protection perspective in a variety of international contexts and actively promoting specific standards.

This report is based on Professor Joel Reidenberg’s presentation at the Data Protection Authorities International Conference on 16-18 September in Santiago de Compostela, Spain. Contact him at the Fordham University School of Law, 140 West 62nd Street, New York, NY 10023, United States, Tel: + 1 212 636 6843, Fax: + 1 212 636 6899


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/38.html