The Thesis focuses on the legal perspective of Transnational Data Protection. Here, the scope of the thesis is limited to the provisions and interdependencies of the European Union (EU). Matters of national legislation of EU Member States are implicitly mentioned or characterized but not within the scope of the thesis.
Within the current business as well as administrative environment the topic of data protection is a crucial factor for business, public reception and security. The Snowden incident, the Safe Harbor Ruling of the European Court of Justice and ultimately the introduction of the new European General Data Protection Regulation in May 2018 poses potential threat scenarios for businesses and require responsive actions on the respective management level. While the importance of data protections is now an omnipresent and a commonly known issue, it is still a rather neglected topic. It often bears the stigma of nuisance and implies costly implementation of measures and processes.
Nonetheless, corporations, companies, businesses and governmental agencies have to adhere to data protection regulations, the demands of the digitalization and social pressure. Therefore, the abidance by Data Protection Law has incrementally gained a more essential role within company’s and administration’s structures during the last years. This is especially true for transnational contexts. Here, Data Protection Management encompasses privacy compliance and organizational privacy management as part of the information security risk management. Essentially the objective and responsibility of Data Protection Management in the context of transnational data flows in the EU are based in its the legal framework.
Within the current business environment the topic of data protection is a crucial factor for business, public reception and security. Businesses and governmental agencies have to adhere to data protection regulations. Therefore, the abidance by Data Protection Law has gained a more essential role within company’s and administration’s structures. This is especially true for transnational contexts. Data Protection encompasses privacy compliance and management as part of the information security risk management.
Table of content
1. Introduction
2. The economic relevance of data protection
2.1 Economic Analysis
2.2 Digitalization and hyper-connectivity
2.3 Big Data and Data Analytics
2.4 Economics of Cyber Crime and the Counter-Market of Security
2.5 Future Scenarios of the Management Project
2.5.1 Scenario: Medical Data
2.5.2 Scenario: Financial Data
2.6 Implication for Businesses: Compliance with legal standards can be a unique selling point
3. Data Protection Traditions - protecting and securing data
3.1 Origin of Data Protection
3.2 Approaches to Data Protection
3.2.1 Comprehensive Laws
3.2.2 Sectoral Laws
3.2.3 Self-Regulation
3.2.4 Regulation through technology
3.3 Implication for Businesses: Clash of legislations and need for harmonization
4. Legal Grounds for processing and transfer – Data Protection in the European Union
4.1 Overview of the legal system in regard to Data Protection
4.1.1 The European Convention on Human Rights
4.1.2 Council of Europe Convention 108
4.1.3 Interim Conclusion: Direct impact of ECHR and Convention 108 on international data flow regulation
4.1.4 European Union data protection law
4.1.5 Implication for Businesses: Data protection framework influences the construction and development of the European Data Protection legislation
4.1.6 European Data Protection Directive
4.1.7 General Data Protection Regulation
4.2 Implication for Businesses: Transnational applicability and comprehensive framework of requirements
5. Applicable law and Conflict-of-law for data protection issues
5.1 Rome I
5.1.1 Territorial Scope
5.1.2 Conflict-of-Law
5.2 Rome II
5.2.1 Territorial Scope
5.2.2 Conflict-of-Law
5.3 Data Protection Directive and Rome I and II Regulations
5.3.1 Differentiation by nature and scope
5.3.2 Lex Specialis
5.4 General Data Protection Regulation and Rome I and II Regulations
5.5 Brussels I Regulation
5.5.1 Territorial Scope
5.5.2 Conflict-of-law
5.6 General Data Protection Regulation and Brussels I
5.7 Implication for Businesses: The Market Place Principle opens the world-wide applicability of European Data Protection
6. International transfer of personal identifiable data
6.1 Adequacy Decision and accepted treaty
6.2 Excursus: Transfer of personal identifiable data between the EU and the US
6.2.1 Safe Harbor
6.2.2 EU-U.S. Privacy Shield
6.2.3 Intermediary Results of the Analysis
6.3. Contractual Clauses
6.4. Binding Corporate Rules
6.6. Implication for Businesses: International transfer of customer data and employee data
7. Further practical implication of Transnational Data Protection
7.1. Transnational Negotiations – Always implied Data Protection issues?
7.2. Competencies necessary for Transnational Data Protection
8. Conclusion
Literature/References
Appendix I – STEP
Transnational Data Protection - The implication of the European General Data Protection Regulation for transnational business models and their data transfer
1. Introduction
Within the current business as well as administrative environment the topic of data protection is a crucial factor for business, public reception and security. The Snowden incident, the Safe Harbor Ruling of the European Court of Justice and ultimately the introduction of the new European General Data Protection Regulation in May 2018 poses potential threat scenarios for businesses and require responsive actions on the respective management level. While the importance of data protections is now an omnipresent and a commonly known issue, it is still a rather neglected topic. It often bears the stigma of nuisance and implies costly implementation of measures and processes.
Nonetheless, corporations, companies, businesses and governmental agencies have to adhere to data protection regulations, the demands of the digitalization and social pressure. Therefore, the abidance by Data Protection Law has incrementally gained a more essential role within company’s and administration’s structures during the last years. This is especially true for transnational contexts. Here, Data Protection Management encompasses privacy compliance and organizational privacy management as part of the information security risk management. Essentially the objective and responsibility of Data Protection Management in the context of transnational data flows in the EU are based in its the legal framework.
The Master Thesis focuses on the legal perspective of Transnational Data Protection. Here, the scope of the thesis is limited to the provisions and interdependencies of the European Union (EU). Matters of national legislation of EU Member States are implicitly mentioned or characterized but not within the scope of the thesis. The thesis is divided into eight chapters.
The first chapter encompasses the introduction and presentation of the research question for the Master Thesis.
The second chapter is concerned with the economic relevance of data protection. Here, the thesis will establish the economic value of data protection endeavors within organizations based upon an economic analysis. Furthermore, the impact of digitalization, hyper-connectivity, big data analytics as well as the cyber-crime market are indicated.
The third chapter introduces data protection traditions and different approaches to data protection.
The fourth chapter is concerned with the legal grounds for processing and transferring personal data. Here, an overview over the data protection system of the European Union is given and supplemented by an analysis of the different regulations, provisions and their implications for transnational data flows and subsequent business models.
The fifth chapter addresses the issue of applicable law and conflict-of-law. Here, the Rome I Regulation, Rome II Regulation and Brussels I Regulation are contextualized with the GDPR.
The sixth chapter is concerned with different methods of transferring personal data. Here, the role of adequacy decisions by the European Commission, contractual clauses as well as binding corporate rules is discussed.
The seventh chapter encompasses further practical implications of GDPR.
Finally, the eight chapter summarizes the findings and offers an conclusion.
Subsequently the Master Thesis aims to answer the Research Question:
“Transnational Data Protection – How does the European General Data Protection Regulation impact transnational business models and their data transfer?”
2. The economic relevance of data protection
While the regulatory nature of Data Protection Law is self-evident, these regulations have a direct impact on business environments. As such they exhibit an economic relevance and form business cases. In light of modern technology development, especially the digitalization and hyper connectivity of modern society, these business cases encompass transboarder, transnational as well as international data transfers.
2.1 Economic Analysis
To ensure a precise description of the existing or expected business cases and new business models the market can be analyzed through four categories: Sociological, technological, economic and political/legal variables. This approach follows the analysis framework of the STEP analysis (Antoo et. alt., 2015). An overview of the analysis is given in “Appendix I – STEP”.
Notwithstanding the macro-economic perspective of the STEP analysis, a micro-economic perspective focuses on identifying the inner structure of the market for data protection. The approach of Porter’s Five Forces is such a tool for a micro-analysis of a given market (Rice, 2010). An overview of the analysis is given in “Appendix II – Porter’s Five Forces”.
The preliminary findings and results of the abovementioned methods lead to the development of business cases. The demonstrated issues within a macro- as well as micro-economic perspective clearly indicate a growing economic value and impact of data protection and cyber-security for international data transfers. Subsequently, the two analyses indicate a strong business relevance of data protection. (For more elaborative information please refer to the Appendices I and II.)
The issue of personal identifiable data and its management seemingly developed into a key issue for modern society. As such, Data Protection legislation and management became a vital issue as well. Subsequently, the influencing factors for the management project are the digitalization with special focus on hyper-connectivity, big data and data analytics as well as the developing market for data protection and cyber-security.
2.2 Digitalization and hyper-connectivity
Due to the technical advancement, it is possible for individuals to create, access, transfer, and delete more and more amounts of data through various devices and platforms. This poses a challenge for the businesses.
The challenge and subsequent key issue arises, in part, through the introduction of hyper-connectivity. Hyper-connectivity is defined as the use of multiple means of communication (Wellmann, 2001). It is concerned with the accumulation and exchange of information via different media, encompassing but not limited to: email, instant messaging, phone, and Web 2.0 information services (ibid). This also encompasses traditional communication via face-to-face communication. In all instances, this might encompass international data transfers via modern means of communication.
Hyper-connectivity introduced new ways of communication, extended its reach through mobile technologies and in recent years through the introduction of the Internet of Things (ibid). Now it is possibility to communicate from person to person, person to machine, and machine to machine, resulting in an immense network of communication that harbors immense data capacities.
2.3 Big Data and Data Analytics
Thus, the digitalization created new capacities to accumulated and use data. These capacities for information are commonly called Big Data. The focus of Data Protection Management Systems (DPMS) in particular are on possible uses of Big Data. As such, the issue of Big Data and data analytics can be used both as a tool as well as being subject to the Data Protection Management.
The use of Big Data approaches, which use data analytics to extract valuable information from the accumulated data, is subject to complex algorithm development and application.
2.4 Economics of Cyber Crime and the Counter-Market of Security
The described tendencies allocate a high value to personal identifiable data. Subsequently, the accumulation and use of data are prone to missuses and even criminal actives. While crime is not considered something that is abstinent from the business world, it is also seldom realized as its own economy. Furthermore, it is – as a market – not necessarily associated with digitalization.
A criminal act is considered any behavior that deviates from societal norms, crosses the boundaries of ethical and lawful behavior, and is sanctioned by a governmental authority. As such criminal behavior is often associated with the aspect of punishment, fines, and imprisonment.
Any association to economics and business is often limited to crime happening in a certain business environment. However, crime in itself can be considered a market and thus bound to economic principles.
Within the “crime market” any individual player is motivated by the rational maximization of utility (Eide et alt., 2006). This assumption is based upon the principle of rational choice, meaning that any individual acts rationally to maximize expected utility and that this utility is “a positive function of income” (ibid). This leads to a very simplistic economic model: Any endeavor that has a greater income than zero after subtraction of costs is profitable (Segura & Lahuerta, 2010). It is a simple cost-benefit principle (Li et alteri, 2006). This model transfers the rational choice assumptions to criminal activity.
Thus, a criminal will commit a criminal act “if the expected utility is positive, and he will not if it is negative” (Eide et alteri, 2006).
A modern example of this economically efficient behavior can be found in the market of cybercrime. Cybercrime is a growing industry and byproduct of the digitalization. Internet based crime comes varies and evolved into a lucrative business (Li et alteri, 2006).
One of the prominent forms of cybercrime botnets (Li et alteri, 2006). Botnets are comprised of high-jacked computer systems, the so called “slaves” (ibid). These form a “net” that is controlled by an individual, called the “master” (Seguera & Lahuerta, 2010). The master offers the botnet to interested parties, the “attacker” (ibid). These use botnets to initiate attacks on websites or, and this is pertinent, to collect massive amounts of personal identifiable data. The attacker can generate profit through extortion (ibid) or the “ripple effects”, e.g. break-down in sales, damage to perception or image, and similar.
The first overall indicator that there is a market and thus economical motivation for botnets is provided by the study of Li et alteri (2006). The study has shown through “basic” market research that botnets are rentable on underground markets (ibid). The mere existence of such a rental market is an indicator as for the application of economic principles.
Within such a market economic principles dictate the existence of costs and benefits. These determine the profitability of any endeavor (Eide et al., 2006). Essentially, individuals will not allocate time and effort to an activity “until marginal benefits equal marginal costs” (ibid).
As in every market benefits and costs are individually decided. The costs to enter or exit a market (opportunity costs) must be considered. The same is true of criminal activities. In the case of cybercrime, the benefits encompass monetary gain through extortion as well as individual satisfaction. The costs, on the other hand, encompasses everything from equipment to individual feelings of anxiety or guilt (ibid). It is, however, important to realize, why the deviation from law-abiding behavior can be considered lucrative.
This deviation can only be considered favorable if the individual opportunity costs are low enough. The opportunity costs of criminal behavior can be calculated through the net benefit “of the legal activity forgone while planning, performing and concealing the criminal act” (ibid). This implies that any criminal activity that promises to be more profitable (gross benefits minus costs) than any lawful activity is economically more efficient. Additionally, it indicates that “[the] lower an individual’s level of income [is], the lower is his opportunity cost of engaging in illegal activity” (ibid).
It is often argued that cybercrime originated from political activism (Li et al., 2006). While this might be true, the indications of an existing market for – in particular botnets – is evident through media coverage as well as the study of Segura & Lahuerta. Thus, even if the origin of cybercrime was political activism, it is now a global market.
Consequently, cybercrime, and in particular botnets are part of an economic system governed by rational choice. Criminal behavior follows similar principles and provisions as the legal market. As a result, it was necessary to create models and approaches to encounter criminal behavior.
These models can disrupt the economic efficiency of botnets and render them virtually inefficient. Furthermore, they make a “counter-market” for data protection and cyber security necessary. Thus, while the digitalization leads to the emergent market for cybercrime, it subsequently led to the need for a market to protect from cyber criminality – encompassing data protection.
2.5 Future Scenarios of the Management Project
Resulting from the aforementioned technological developments and practical implication, data protection management is heavily impacted by the development in business environments.
Technological advancement, regulatory hurdles and innovative entrepreneurship are going to be the defining factors. For the sake of this analysis two scenarios for two different sectors will be illustrated briefly.
2.5.1 Scenario: Medical Data
Current projects concerned with medical data are often focused on storing medical data. Subsequently, data protection has to be guaranteed by establishing an effective Data Protection Management System.
The future of medical data and corresponding Data Protection Management Systems lie within the exchange of medical data between medical professionals and patients. While this might be called the future of medical data, respective projects are currently undertaken. Often by utilizing Cloud Computing solutions, i.e. National Health Cloud Systems in the UK.
These projects in question focus on utilizing medical data from different National Health Clouds. These medical data are evidently personal data in accordance with Art. 9 (2)(i) GDPR.
Solutions utilizing National Health Clouds are part of an eHealth approach. The abbreviation eHealth stands for electronic health. Essentially, it describes the use of information and communication technologies (ICT) within the scope of the health sector. This considers the different applications, functions and facets of the whole sector (Callens, 2010).
The idea behind these projects is to centralize all the relevant medical data accessible for the public use within a National Health Cloud of a country via an application. Thus, the targeted end users are medical professionals as well as patients. These users are able to upload medical data of their patients in the National Health Cloud. This data is uploaded via an application that ensures the anonymization of the personal data of the patient.
Additionally, it is ensured that the anonymized data can only be de-anonymized within the respective practice or clinic or through the transferal of the respective key through patient request.
The patient as a user will be able to utilize the application. He will be enabled to upload personal information regarding her physical or psychological data through the application.
Ideally, the application would push the following data to the cloud to be saved. The application will generate the information and services through different media in order to acquire the desired data sets.
The structural designs of such solutions often indicate a constant “push” and “pull” – essentially an exchange of personal data. This can only be ensured through an interface for data flow between the clinic’s native system and the application. Further, in depth technological description will be omitted here.
Furthermore, the cloud technology will open the door to an opportunity for private practices to have access the application without the need for a local host instance on-site. The patient as a user of the applications will be able to download the application from the online mobile stores, add their demographics and upload them to the National Health Cloud.
The medical professional as a user, then, can request an online portal access to access the application or to view details of her respective / participating patient.
The collected data will – at a later point in time – be available for the generation of reports and statistics of the individual patient file. Additionally, anonymized data sets can be used for statistical analysis or research and hence be shared.
Currently, these projects face concern regarding the type of data sets, their generation and their usage. These implications are directly linked to the legal implication and restrictions of data protection in the different National Health Clouds.
The use of such data is highly regulated and holds integral data protection implications. Additionally, legal authorities have to “provide a framework in which any failure to implement the duties that arise from those ethical principles may be addressed” (Callens, 2010). Essentially, the goal of legislation in healthcare is to ensure legal certainty and the provision and protection of public healthcare systems.
To achieve this goal, rules to ensure the protection of privacy and data protection are in place. The underlying concepts are universally applied, subsequently they are also utilized in the eHealth sector (WHO,2012).
2.5.2 Scenario: Financial Data
Another sector that is currently heavily impacted by digitalization and especially hyper-connectivity is the financial sector. A future scenario in this context could encompass the issue of blockchain and its intersections with data protection.
Blockchain utilizes the possibilities of network effects. While in many industries, e.g. In the trade, direct transactions between the business partners occur, the financial sector does not build upon the same principle. Here, financial processes often still run through several intermediaries before, for example, a payment can be concluded. The complexity increases in international context.
Commonly individual countries have their individual payment systems by means of which the clearing and settlement of the transactions is conducted. The EU, as a supranational body, differs in the regard that it already operates within a common system.
However, there is still the problem of financial transaction with third parties, i.e. financial institutions outside of the EU. Here, an intermediary bank that has a Correspondence Banking System – meaning that it can transfer processes from the European (named Target) to another banking System (e.g. the US system Fedwire) and vice versa.
To ensure the operability of an individual system, the financial institutions must heavily invest in security measures. They must secure the integrity, the confidentiality and the accessibility of the data. Therefore, an interface as the institution of a correspondence bank introduces operational risks. A centralized banking system, like Target or Fedwire, can be considered a single point of failure. Thus, the accumulation of these single points of failure in correspondence banks increases the risks exponentially, like a bottleneck if you will.
Thus, direct financial transactions between the business partners offers a more secure approach. The problem with these approaches however is the high risk of fraud through problems like the Double-Spending-problem. In a peer-to-peer network, new information is not always available to all junctions/access points at the same point in time. They must always be distributed in the network, since they are attached to the network at one point. This is a process that needs time.
The blockchain technology solves this problem by implementing a transaction book. This lists all the transactions that have ever taken place. Thus, it operates as collective, public ledger, which is accessible to all participants of the system but is not controlled by anyone. The ledger is not stored centrally. It is stored as a local copy.
This system made Bitcoin, a crypto-currency system, so popular. The blockchain technology is not only limited to the financial sector. While its benefits can be transferred to other sectors in regards to budgetary controlling, it can also be applied to IoT approaches. It is currently rather popular in the discussion for its possible application in the energy sector. Here, the regulation and servicing of microgrids or even transnational grids is envisioned to be conducted via blockchain technology.
Blockchain technology tries to balance flexibility and accountability. Thus, it has to work in congress with data protection regulations. It comes with costly investments (especially in regards to existing grid structures, and an overall change in the conducting of business. Essentially, Blockchain technology epitomizes consumer autonomy. The idea is not only to become independent from a corporate entity but to share and exchange suppliers in any regard without any intermediary, from peer to peer and in a data-secure manner.
Such an approach of peer-to-peer transaction must be met by changes in legislation and jurisdictions. Additionally, the introduction of blockchain technology does not only occur on a virtual level, like with bitcoin, but must be applied to a market of physical goods. Furthermore, there are various issues like transparency, data security and It security.
Nonetheless, there are various applications that are currently being developed based upon Blockchain technology in the Financial Sector. Transaction on a peer-to-peer basis with constant transparency is appealing to small businesses, the non-profit sector as well as administration.
2.6 Implication for Businesses: Compliance with legal standards can be a unique selling point
It is evident that the technological development of the digitalization, hyper-connectivity as well as subsequent tools put businesses under pressure to develop new business models. These business models naturally are concerned with transnational data transfer and personal (identifiable) information as modern businesses are acting within a globalized society and market.
A very prominent example might be the implementation of a new software or operating system. The German Federal Research Network (Deutsches Forschungsnetz) conducted a study on the data protection related implications of the implementation of operating systems (DFN, 2016). The study found significant problems within the functionality of an operating system, These problems directly linked to the compliance with data protection law in Germany (ibid).
This proves to show that data protection is a crucial part of (legal) compliance. Compliance on the other hand is like Bird & Park put it “a core concern for corporate governance” (Bird & Park, 2017). The compliance with normative and regulatory mandates focuses and binds resources in business environments.
While this compliance might increase spending, create barriers for implementation (ibid) or in product/service design and development, data protection and compliance also offer a unique opportunity for businesses to incorporate security as a feature in their product, services and processes. This is especially supported by the Art. 25 GDPR.
As explained in the following paragraphs, the GDPR offers potential for including data protection consideration deep within the business case itself. The obligation is thus also a unique selling point.
3. Data Protection Traditions - protecting and securing data
To build upon the evident need for (transnational) solutions in data protection and cyber-security, it is necessary to identify the legal structures, environments and processes of data protection.
3.1 Origin of Data Protection
The origin of data protection in its various appearances dates back more than a century. It was as early as 1890, that Warren and Brandeis already contextualized the advancing technological changes with the Right to Privacy or as they called it the right “to be let alone” (Warren/Brandeis, 1890:2).
The Right to Privacy is widely considered one of the cornerstones of democratic societies due to the safeguarding function regarding fundamental principles like honor and personal dignity. It encompasses all aspects of personal and family life as well as personal, religious, sexual, political and social preferences or beliefs. Furthermore, it protects personnel communication and data. Therefore, Data Protection is a fundamental part of the Right to Privacy.
On the level of International Public Law, this protection is codified in Art.12 United Nations Declaration of Human Rights of 1948 which states:
“No one shall be subjected to arbitrary interference with his privacy, family home or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Additionally, the Right to Privacy is reflected in Article 17 of the International Covenant on Social and Political Rights as well as Article 16 of the United Nations Convention on the Rights of the Child.
In a latest attempt to further the Right to Privacy the General Assembly passed a resolution for “The right to privacy in the digital age” (Human Rights Council, 2014). Within this resolution, the Member States reaffirm the right to privacy and deems it necessary of protection within a wider scope.
3.2 Approaches to Data Protection
While the Right to Privacy is already based in International Public Law as well as national laws, there are various approaches to data protection on the transnational and national level. In this regard, various models and approaches were developed.
The transformation of these methods into national legislation occurs in a variety of combinations – seldom a legislator solely relies on only one protective approach and often the approaches differ between national legislations. The design, chosen by the individual legislator, is greatly influenced by the perception and interpretation of privacy and data protection. This influences lead to the following four approaches to data protection.
3.2.1 Comprehensive Laws
First of all, there is the protection through comprehensive laws: Within this approach, laws are used to create a comprehensive legislative framework for collecting, processing, and using personnel data. Additionally, official institutions are bestowed with the purpose of enforcing the compliance with the set framework. It is considered a more proactive approach (Charlesworth, 2000; Linxweiler, 2012).
3.2.2 Sectoral Laws
The protection through comprehensive laws is fundamentally different from the protection through sectoral laws. While the first is to be considered a proactive one, protection through sectoral laws is more of a reactive approach. It deals with specialized or problematic singular aspects of privacy and data protection through individual legislative acts (Charlesworth, 2000; Linxweiler, 2012).
3.2.3 Self-Regulation
Another very prominent approach is the protection through industrial self-regulation. It is considered the most flexible and opportunistic approach. The reason for that is the self-imposition of rules by members of the economic system (Charlesworth, 2000; Linxweiler, 2012).
3.2.4 Regulation through technology
Finally, privacy-enhancing technologies are considered an approach for themselves. They encompass cryptographic encoding, digital currencies as well as similar technologies (Long/Pang Quek, 2002; Linxweiler, 2012).
3.3 Implication for Businesses: Clash of legislations and need for harmonization
It is evident that these approaches fundamentally differ from each other. Some are polar opposites. However, it is possible for a national legislator to harmonize different approaches within a singular framework. The resulting national legislations naturally is influenced by its own perception of data protection and privacy as well as the influence of technology and business on the legislative process.
In general, businesses might both benefit and are pressured by the individual approaches. While comprehensive laws offer a very clear frame of regulatory reference and regulatory zeal of authorities, they also restrict the development and implementation of products and solutions through the provisions of their laws. This approach increases the complexity while providing transparency.
Sectoral laws on the other hand provide businesses with a lot of maneuverability regarding product and service provision. The complexity decreases in comparison with comprehensive laws. However, sectoral laws offer transparency only through the addressed provisions. Legal certainty is not always granted, especially if the new development of a business deviates from the precedent.
Self-regulation and regulation through technology offers by far the most flexibility regarding product and service development or provision. However, while these approaches are often industry standards or accredited standards of technology, this approach does not offer legal certainty and is mostly regulated through ex-post-facto sanctioning.
Ultimately, an international or transnational data transfer will be addressed by very different legislative regimes. As a result, the harmonization of data protection standards seems a logical necessity. Nonetheless, such a harmonization is far from a reality in the international legal environment. Therefore, the current differences in the data protection regimes strongly impact international data transfers and connected business models.
Subsequently, any individual, business or organization seeking to transfer data across boarders has to determine
- legal grounds for data processing;
- legal grounds for data transfer; and
- the applicable law.
4. Legal Grounds for processing and transfer – Data Protection in the European Union
Within the European Union, the issue of harmonization of data protection is already addressed. The typology of different approaches allows for a comprehensive analysis of the legal framework of the European Union regarding data protection and transnational data flows.
4.1 Overview of the legal system in regard to Data Protection
It becomes evident that the EU framework for Data Protection heavily relies upon the construct provided by the aforementioned United Nation Declaration on Human Rights (UDHR). The Art.12 UDHR constitutes the “right to protection of an individual’s private sphere against intrusion from others” (Council of Europe, 2014). As previously indicated, this Right to Privacy is a fundamental influence for the construction of data protection laws.
Building upon this foundation, the EU comprised the following legal framework.
4.1.1 The European Convention on Human Rights
The first pillar of the data protection framework within the European Union is Article 8 of the European Convention on Human Rights (ECHR).
The ECHR was adopted by the Council of Europe and since has been joined by various partnering state. The general purpose of the ECHR – and the founding principle of the Council of Europe – is the promotion of “the rule of law, democracy, human rights and social development” (Council of Europe, 2014). It entered into force in 1953.
Any Member State to the ECHR is bound by its content and obligated to follow it (Council of Europe, 2014). The provisions of the ECHR have to be transformed or incorporated into the national law of the Member States. The enforcing authority of these provisions is not the European Court of Justice (CJEU) but the European Court of Human Rights (ECtHR). The differentiated jurisdiction is based upon the fact that the Council of Europe is not part of the European Union.
Additionally, the European Union is not part of the ECHR and subsequently does not fall under the jurisdiction of the ECHR.
Currently the Council of Europe is comprised of 47 Member States – 28 of these are EU Member States (Council of Europe, 2014). These 47 Member States are bound by the provision of the ECHR. Any violation of the ECHR can be brought to the attention of the ECtHR by an individual, a group of individuals or a Member State (Council of Europe, 2014). Additionally, an applicant claiming a violation of the ECHR before the ECtHR does not have to be a citizen of a Member States. Thus, the ECHR offers universal protection within its jurisdiction.
Within this scope, Article 8 of the ECHR is concerned with “right to protection of personal data”. It offers protection regarding the right to respect for private and family life, home and correspondence, and conditions for restricting the rights granted under Article 8 ECHR.
Subsequent decisions of the ECtHR focused upon on data protection issues that were concerned with
- interception of communication (ECHR, Copland v. the United Kingdom, No. 62617/00, 3 April 2007),
- communication surveillance (ECHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978) and
- storage of data (ECHR, S. and Marper v. the United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008).
4.1.2 Council of Europe Convention 108
Another instrument of Data Protection that not originated within the EU legal framework but was subsequently included, is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, CETS No. 108, 1981). Commonly called Convention 108, it was adopted by the Council of Europe in 1981.
While being based upon Article 8 of the ECHR, Convention 108 focuses on the “protection of individuals with regard to the automatic processing of personal data” (Convention 108). Its material scope encompasses “all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities” (Council of Europe, 2014). Thus, it focuses on the protection regarding the automated data collection, processing, transferal and storage.
The Convention 108 introduced common principles of Data Protection, the definition of sensitive data, the right to self-information, and the principle of free flow of data.
In accordance with the convention personal data is only allowed to be collected, processed and stored for a specific legitimate purpose. For the duration of the purpose and within its scope the data is allowed to be collected, processed and even transferred. Additionally, the Convention introduced the prospect of adequate, relevant, proportional and accurate data collection.
Furthermore, the Convention identified data “on a person’s race, politics, health, religion, sexual life or criminal record” as “sensitive data” (Convention 108; Council of Europe, 2014). These kinds of data set are only allowed to be collected and processed in the presence of legitimate purpose and sufficient safeguards.
The Convention 108 implemented the right to self-information. In accordance with this right, any individual, that is objected to his/her personal data being processed, has the right to be informed on the extend, the duration and the accuracy of the data in question.
Finally, the Convention also introduces the principle of free flow of data “between State Parties to the convention” (Council of Europe, 2014).
These provisions were amended in 2001. The Additional Protocol to Convention 108 is concerned with third countries. These third countries are defined as not being party to the Convention. It also obliges the Member States to establishment national data protection supervisory authorities.
4.1.3 Interim Conclusion: Direct impact of ECHR and Convention 108 on international data flow regulation
The provisions of the ECHR and the Convention 108 subsequently have an impact on the regulation of data protection and transnational data flows. Both sources of law provide the foundation for subsequent legislation and have to be considered in a transnational and national legislation of their member states.
Specifically, the principles introduced in the ECHR and the Convention 108 are to be transferred and introduced into the legislation of the EU and other member states.
4.1.4 European Union data protection law
While the aforementioned provisions are not originally based in the law of the European Union, the following provisions are. However, it is pertinent to understand the framework of European Union Law before focusing on the data protection legislation.
4.1.4.1 Principles of European Union Law
As a basic principle, European Union Law is to be considered its own legal order. As such it is not part of National Law but rather autonomous from it. Therefore, it cannot be considered contradictory to any national constitution or be set aside by any national body (cf. Article 267 (3) TFEU).
The European Court of Justice holds the monopoly to any assessment of standards or binding interpretation of the EU law (cf. Article 267 (1) TFEU).
[...]
- Quote paper
- Jan Alexander Linxweiler (Author), 2017, Transnational Data Protection, Munich, GRIN Verlag, https://www.grin.com/document/988690
-
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X. -
Upload your own papers! Earn money and win an iPhone X.