Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease. With Robert Musil’s 2,000-page tome in German in one hand and a marked-up draft of binding corporate rules in the other hand, Kuner breezes from Palo Alto, CA, through Washington, DC, and Brussels all the way to the ivory towers of Cambridge. His three academic degrees in the U.S. as well as a doctorate in Tilburg, and current role as a Brussels-based senior of counsel at Silicon Valley powerhouse Wilson Sonsini Goodrich & Rosati are a testament to his cultural and professional versatility.

Kuner’s life work, thus far, is no doubt the study of the emergent and constantly evolving regulatory framework governing international data flows. That’s why his latest work, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013), is a must-have item not only in any privacy lawyer’s library but also on his or her desk.

As one might expect from Kuner’s background, his book is as useful and practical as it is deep and thought-provoking. It recognizes that as much as data protection is considered to be a field of market regulation, it also impacts fundamental, indeed philosophical, dilemmas in human rights law, globalization and our response to the shape-shifting chimera of the Internet. It is a foray into private international law, where Kuner explores the challenges and practical intricacies of national regulation in a globalized environment. As Peter Hustinx writes in the book’s foreword, it is “an inconvenient truth that national borders still play a key role in legal regulations, although data flows may cross those same borders a million times every second.”

The book neatly transitions from Kuner’s previous works, both staple volumes in a privacy law library, European Data Privacy Law and Online Business (Oxford University Press, 2003) and European Data Protection Law: Corporate Compliance and Regulation (Oxford University Press, 2007, also published in Chinese). It reflects the struggle of the law to keep up with the cutthroat pace of developments in technology and business, including the emergence of cloud computing, Big Data and social networks.

The book comprises eight chapters covering different aspects of transborder data flows. It provides both a detailed exposition as well as pointed critique of current regulatory models ranging from the OECD Privacy Guidelines to the APEC Privacy Framework. It suggests useful typologies for forms of regulation, including national, international, self-regulatory and technological approaches (Chapter Four). It distinguishes, for example, between “geographic-based approaches,” such as the European adequacy model, and “organizational-based approaches,” such as the Canadian “accountability” model (p. 64-76). It delves behind the scenes of policymaking to unearth the logic and rationales underlying both existing and emergent regulation (p. 107-20). It is this deep dive that distinguishes Kuner’s work from most other practitioners’ resources. Many lawyers know the requisite details to consult clients on a regulatory framework, yet only a select few can navigate the policymaking discussion to actually shape the frameworks that govern their clients’ activities.

Kuner clearly has a soft spot for private international law. Chapter Six of the book, titled “Applicable Law, Extraterritoriality and Transborder Data Flows” addresses this topic, featuring some of the thorniest legal questions in play today, including conflicts of laws and online personal jurisdiction. Kuner, a seasoned diplomat who has helped his clients weather the storm in circumstances ranging from conflicts between EU data protection law and U.S. law enforcement requirements to the negotiation of a reasonable, practical set of “model” data transfer clauses, adds texture and practical context to foundational texts such as Peter Swire’s 1998 “Of Elephants, Mice, and Privacy: International Choice of Law and the Internet” and Michael Geist’s 2001 classic “Is There a There There? Toward Greater Certainty for Internet Jurisdiction.” His conclusion that “transborder data flow regulation performs much the same function as applicable law rules, namely extending the protection of national law extraterritorially” (at p. 141) has profound implications for the emerging global privacy framework and particularly the currently heated trans-Atlantic debate. Kuner states that “transborder data flow regulation is still often viewed as a way to protect the rights and interests of a state’s own citizens.” This can help explain some of the shrill tones in the current discussions around the FISA, which distinguishes between “U.S.-persons” and “non-U.S. persons.”

The book goes on to discuss compliance and enforcement (Chapter Seven), stating that, “the level of [data protection] compliance is low in proportion to the amount of data being transferred and that enforcement is highly selective” (p. 146). It recognizes the well-documented, deep deficit in enforcement of data protection law, positing that, ironically, the companies most likely to comply are large, U.S.-based technology vendors. These companies internalize data protection obligations not because of risk of regulatory enforcement in Europe but rather as a result of multiple U.S. regulations, such as the Sarbanes-Oxley Act or the Federal Sentencing Guidelines. In this vein, other commentators have pointed out that, paradoxically, those most likely to be protected by the EU framework are European consumers of U.S. corporations.

Taking a step back from a narrow regulatory focus, Kuner explains that the risks posed by transborder data flows have come to overshadow the benefits they can bring, particularly their role in facilitating freedom of expression and economic development in previously authoritarian regimes. Pushing back against protectionist sentiment, he argues that the goal of transborder data flow regulation should be to promote the universality of fundamental rights, not just to ensure the application of local values outside national borders. To this end, he suggests principles for a new approach to transborder data flow regulation based on theories of legal pluralism. If anything, the Snowden revelations and ensuing crisis of trust have proven that, absent collaborative efforts, the online economy risks splintering and balkanization.

As one reviewer writes, “this study will be one of the starting points for any student or professional researcher of data privacy and will be well-appreciated for its detail and referenced documentation by anyone genuinely interested in the subject.” I dare add that it will no doubt constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.

Written By

Omer Tene


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»