Anyone working in privacy and data protection law is familiar with the restrictions on transferring data outside the European Union contained in the EU Data Protection Directive. But did you know that non-EU countries as diverse as Israel, Mexico, Russia and South Korea have similar restrictions? And that since the 1970s, over 70 countries all over the world have enacted data protection and privacy laws regulating transborder data flows?
The regulation of data flows across national and regional borders under the data privacy laws of dozens of countries and international and regional regulatory instruments is the topic of my new book entitled Transborder Data Flows and Data Privacy Law, which will be published in May by Oxford University Press. European Data Protection Supervisor Peter Hustinx was kind enough to write a foreword to the book.
The subject is too complex to discuss in detail here, but I can share the gist of some of my conclusions:
- Regulation of transborder data flows has spread far beyond its original roots in Europe and now includes many countries in Africa, Asia and Latin America as well.
- The adequacy approach typified by the EU Directive has been and is likely to remain the most influential model, though other ones—such as the accountability approach—have emerged in recent years.
- Technological developments—particularly the growth of the Internet—and globalization raise important questions about transborder data flow regulation. For example, does it make sense anymore to distinguish between “transborder data flows” and any other kind of online data processing, given that data flows on the Internet without regard to national borders?
- The types of data transferred across borders have also changed over time. There is now much more data containing information about identifiable persons (i.e., personal data) being transferred than ever before as well as more sharing of personal data between governments—often for law enforcement purposes.
- Providing protection to personal data as they are accessed and transferred around the world has attained considerable economic importance and private-sector instruments—such as contractual clauses and internal corporate rules and policies—are increasingly used for this purpose.
- There is a need for greater transparency about how data are transferred internationally and for greater interoperability between regulatory approaches.
- Regulation tends to focus too much on applying local standards to personal data transferred outside national borders, rather than on the global implications of restricting transborder data flows.
- A major theme of the book is the tension between regulation of transborder data flows and other legal requirements. As such regulation has spread, it has increasingly led to conflicts with legal obligations in other areas. Moreover, other important interests—such as freedom of expression and ensuring the free flow of data—are sometimes not sufficiently taken into account.
- There is also a disproportionate relationship between the increasing flood of personal data now being transferred online and the limited possibility to enforce transborder data flow regulation by traditional legal means.
Where is the regulation of transborder data flows headed?
The number of countries enacting it will continue to grow and agreement on an international treaty dealing with the subject is highly unlikely, given the different approaches taken in different countries.
However, countries could take certain steps to produce an improved regulatory framework. For instance, if they are going to enact such regulation, then governments should themselves comply with it, which is often not the case. Transborder data flow regulation will continue to spread around the world and to create conflicts with other requirements, which companies and other organizations will have to come to terms with as a permanent feature of the global privacy landscape.