Academic journal article Chicago Journal of International Law

Regulation of Borderless High-Technolgoy Economies: Managing Spillover Effects

Academic journal article Chicago Journal of International Law

Regulation of Borderless High-Technolgoy Economies: Managing Spillover Effects

Article excerpt

In October of 1998, the European Union Data Privacy Directive ("Directive") became effective.1 Consistent with Europe's serious approach to consumer privacy, the Directive mandates that Member States adopt the most rigorous privacy legislation the world has seen. The specific requirements of the Directive are complex, and I have discussed them in some detail in another article.2 Very generally, the Directive places obligations on data collectors and provides rights to data subjects. The most significant of these protections from a global privacy perspective is the Directive's "opt-in" approach, which presumes an expectation of data privacy as the default position, and (with certain exceptions) allows the processing of personal information only if "the data subject has unambiguously given his consent."3

Beyond this substantive provision, which differs from the "opt-out" presumption that underlies US privacy policy, the Directive contains an interesting data-flow restriction. Because of its potential effect on other nations that interact with or do business in Europe, it may be the most controversial feature of the Directive.4 According to Article 25 of the Directive:

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.5

Section 2 of Article 25 enumerates circumstances that help determine whether adequate protection is provided by a given third country. These include

the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.6

Countries that fail to ensure adequate protection under the provisions of Article 25 may still receive personal data transfers under the following conditions:

1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:

(a) the data subject has given his consent unambiguously to the proposed transfer; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subjects request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary in order to protect the vital interests of the data subject; or

the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses. …

Author Advanced search

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.