Privacy Law and Policy Reporter
What could be done to avoid conflicts on international data transfers, especially between the EU and the US? Professor Joel Reidenberg of Fordham University suggests a new intergovernmental treaty on privacy, and urges data protection authorities to use technical solutions. Laura Linkomies analyses recent proposals by Professor Reidenberg.
International data transfers, particularly between the European Union (EU) and the US, are perhaps the most difficult problem that data protectors face at the moment. The explosive growth of the internet and emerging electronic commerce have multiplied the data transfers that take place every day between countries. At the same time, the data protection environment is rapidly changing, not least because of the new EU Data Protection Directive and its restrictions on transferring data to countries without adequate data protection.
Professor Joel Reidenberg, who addressed the international conference of Data Protection Authorities in Spain on 17 September 1998, made suggestions on how to avoid conflicts between different jurisdictions. He suggested a series of instruments for international co-operation, and proposed a set of strategies to achieve a high level of protection.
Professor Reidenberg started by looking at the trends in data transfers. A typical method of collecting data from ordinary internet users is the capture of clickstream data, left behind on a network by every click of the computer’s mouse. Professor Reidenberg explained that this type of data is increasingly sought — for example employers can now buy software to monitor employees’ clickstream data at the workplace. Another current trend is multinational sourcing. When on the network, the physical location of participants is irrelevant. Data collection may take place in one location, processing elsewhere, and storage on yet another site.
With the costs of processing and data storage diminishing all the time, ‘data warehousing’, the storage of millions of bits of personal information for future analysis, is also becoming popular. A phenomenon connected to this activity is the increased commercial use of the data for secondary purposes.
The current trends in data transfers, in particular the pressures for commercial use, fight against data protection rules and practices. According to Professor Reidenberg, a central problem is different data protection rules. Even in Europe, where the EU Data Protection Directive is being adopted, there are differences in the national laws that may cause problems for data controllers. For example, slight differences in the requirements to notify individuals prior to the collection of their data mean that data controllers cannot simply use the same wording in different jurisdictions. Professor Reidenberg predicted that this type of problem will be especially difficult in the field of electronic commerce.
Professor Reidenberg also pointed out that we may soon have a situation where non-EU countries are asked to comply with rules that even Europe-based companies are not complying with. He took the example of many European websites that capture information about the persons visiting the sites. Furthermore, he suspected that the number of transfer requests made to data protection authorities cannot reflect the actual situation. With this background in mind, he wondered whether there is a case of discrimination if data protection principles are only applied stringently to international data flows.
As the organiser of the conferences on electronic commerce in Finland in February and in Canada in October 1998, the OECD has taken an active role in privacy protection. Other actors, such as the World Trade Organisation (WTO), the World Intellectual Property Organisation (WIPO), the Council of Europe, the World Wide Web Consortium and the Internet Engineering Task Force, are each forming data protection policies. The EU, of course, already has a clear position of trying to stop data transfers to countries without adequate protection.
Professor Reidenberg sees that these organisations can serve different purposes. While the OECD focuses on the economic perspective of data protection, the Council of Europe looks after citizens’ rights. The WTO will hear complaints against any national restraint on transborder data flows and so on.
In order to enable a dialogue between governments, data protection authorities, experts and industry, Professor Reidenberg suggested that the OECD start organising multi-interest privacy summits. The summits, which could be organised every second year, would enable interest group participation and provide business with a channel to represent its views to governments.
Given all these different interests and the nature of the flows, Professor Reidenberg summed up by saying that international co-operation is imperative for effective data protection. International co-operation could facilitate international data flows in two ways. First, by promoting the co-existence and eventual harmonisation of standards of fair information practice, and second, by assuring the creation and implementation of a data protection infrastructure.
Professor Reidenberg believes that these objectives can be achieved with some new instruments for data protection. He suggested that a General Agreement on Information Privacy could be drafted. This agreement could also be signed by the US, which is unlikely to adopt a data protection law. Such an agreement would not only facilitate the co-existence of different data protection regimes, but would also contribute towards harmonising these regimes.
Professor Reidenberg proposed that a model similar to the 1947 GATT negotiations be used. The process would encourage countries without existing data protection authorities (DPAs) to designate counterparts for these discussions. In the US, there has not been just one government agency responsible for privacy issues, but several. Regular rounds of negotiations between established parties would eventually lead to a consensus, he said.
Professor Reidenberg thought that in addition to any legal instruments, international co-operation must focus on technical standards. He said that technical standards combined with their implementation offer a direct guarantee of protection in any transfers.
Technical standards should also be used to smooth the differences between national data protection laws. He urged the DPAs to treat technical standards as codes of conduct, and encouraged the EU DPAs to use the opportunity provided by the EU Data Protection Directive to approve industry codes of conduct. He also criticised the DPAs for not having been more actively involved in the technical discussion. Technical organisations and their clients are unlikely to implement standards in a manner that actively promotes data protection unless the authorities pressure them to do so. However, Professor Reidenberg recognised that some authorities may simply lack staff that is knowledgeable enough about the latest technical issues.
Professor Reidenberg mentioned the internet domain name systems as an example of an area in which the DPAs should be involved. Policy debates would have offered an opportunity to build data protection options into the internet’s architecture. He stressed that the authorities could use their position to insist, for example, that a certain standard become a prerequisite for the use of a technology.
DPAs have a vital role in Reidenberg’s model of solving international conflicts over transborder flows. He suggested that the authorities could issue more declarations which would build, over time, into a clear set of standards for international data flows. These declarations are already being made by the EU Data Protection Working Party and the Berlin Working Group on Data Protection in Telecommunications, but Reidenberg would like to see them being made after the authorities’ international conferences as well.
A more confrontational way of promoting data protection standards could be to use the threat of data flow restrictions. This approach has already been successfully used by the EU in negotiations with US business groups. Many companies have recently established data protection policies. The well known case of the German Citibank Bahncard, where exporting data to the US was only allowed when a contractual solution was in place, is another example of what can be achieved by confrontation (Privacy Laws & Business December 1996, pp 6-10).
Professor Reidenberg concluded by explaining that all these instruments and strategies must be used together. His recommendations for the DPAs for resolving international data transfer conflicts were as follows.
Laura Linkomies is the Editor of Privacy Laws & Business.
This report appeared in the November 1998 issue of Privacy Laws & Business and is reprinted with permission (http://www.privacylaws.co.uk). It is based on Professor Reidenberg’s presentation at the International Data Protection and Privacy Commissioners’ Conference 16-18 September 1998 in Santiago de Compostela, Spain. Joel Reidenberg is a Professor at the Fordham University School of Law, New York.