Similar literature
Found 20 similar documents; search took 635 ms
1.
This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT). While IoT data ostensibly relates to things i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR. APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail. While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences.
This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard.

2.
The majority of the fear that exists about the cloud arises due to the lack of transparency in the cloud. Fears have persisted in relation to how the data are frequently transferred in a cloud for various purposes which includes storing and processing. This is because the level of protection differs between countries and cloud users who belong to countries which provide a high level of protection will be less in favour of transfers that reduce the protection that was originally accorded to their data. Hence, to avoid client dissatisfaction, the Data Protection Directive has stated that such transfers are generally prohibited unless the country that data is being transferred to is able to provide ‘appropriate safeguards’. This article will discuss the position of the Data Protection Directive and how the new General Data Protection Regulation differs from this Directive. This involves the discussion of the similarity as well as the differences of the Directive and Regulation. In summary, it appears that the major principles of the cross border transfer are retained in the new regulation. Furthermore, the article discusses the exceptions that are provided in the standard contractual clause and the reason behind the transition from Safe Harbor to the new US-EU Privacy Shield. This article subsequently embarks on the concept of Binding Corporate Rule which was introduced by the working party and how the new regulation has viewed this internal rule in terms of assisting cross border data transfer. All the issues that will be discussed in this article are relevant in the understanding of cross border data transfer.

3.
Editor’s Note     
In the context of today’s big data and cloud computing, the global flow of data has become a powerful driver for international economic and investment growth. The EU and the U.S. have created two different paths for the legal regulation of the cross-border flow of personal data due to their respective historical traditions and realistic demands. The requirements for data protection have shown significant differences. The EU advocates localization of data and firmly restricts cross-border flow of personal data. The U.S. tends to protect personal data through industry self-regulation and government law enforcement. At the same time, these two paths also merge and supplement with each other. Based on this, China needs to learn from the legal regulatory paths of the EU and the US, respectively, to establish a legal idea that places equal emphasis on personal data protection and the development of the information industry. In terms of domestic law, the Cybersecurity Law of the People’s Republic of China needs to be improved and supplemented by relevant supporting legislation to improve the operability of the law; the industry self-discipline guidelines should be established; and various types of cross-border data need to be classified and supervised. In terms of international law, it is necessary to participate in international cooperation based on the priority of data sovereignty and promote the signing of bilateral, multilateral agreements, and international treaties on the cross-border flow of personal data.

4.
The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. 
We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.

5.
Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.

6.
The regulation of the cross-border transfer of personal data is a major issue of globalization in the digital era. The key point for lawmakers is how to choose two of the following three elements in the trilemma: personal data protection, free transborder flow of information and the expansion of national jurisdiction. The EU, the U.S. and China adopt their own decisions, resulting in three inherently incompatible legislative paradigms, which has led to the restricted flow of personal data around the world as well as the free flow in three different regions, with the EU, the U.S. and China as the center of each region. In this way, the regulating paradigms of cross-border personal data transfer present a pattern of tripartition.

7.
For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts – including supranational ones – NGOs and the public. When implementing recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly-defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries. Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings.
Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law. The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.

8.
The EU and the United States signed the Terrorist Finance Tracking Program (also known as SWIFT Agreement) agreement giving the US authorities access to bulk data containing the millions of records in the EU to enable the US authorities to trace financial transactions related to suspected terrorist activity (or to put it bluntly, against US interest). The SWIFT Agreement added some data protection safeguards, but the United States has been found to circumvent the agreement with the aid of the Europol. The EU Commission and the Europol have classified all documents concerning the SWIFT Agreement as secret. EU citizens confront a dark future where unelected EU bureaucrats continue to betray the trust of the people handing out bulk data to “counter terrorism” but at the same time undermining cherished values and violating human right standards and principles.

9.
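Zhang Jianwen (张建文), Gao Yue (高悦). Hebei Law Science (《河北法学》), 2020, 38(1): 43-56
In the era of big data, anonymization rules are both a means of risk prevention in personal information protection and the legal foundation for data circulation in the development of China's data economy, yet the legal standard for anonymization has still to be made clear in Chinese law. The EU has set out a clear anonymization standard through the General Data Protection Regulation, but that standard, which is built on process, may be workable within the EU yet would appear overly strict if applied in China and would hinder the development of the digital economy. The reshaping of China's legal standards and rules for the anonymization of personal information should take into account the environment and the risk of re-identification, and functional anonymization is recommended. Applying the principle of proportionality to the reshaping of China's legal standards and rules on anonymization, and introducing it into the assessment of the risk level of recipients of anonymized information, helps to reduce the risk of personal information being re-identified and also benefits the formulation of legal standards and the construction of rules for anonymization.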

10.
Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.

11.
Modern identity is valuable, multi-functional and complex. Today we typically manage multiple versions of self, made visible in digital trails distributed widely across offline and online spaces. Yet, technology-mediated identity leads us into crisis. Enduring accessibility to greater and growing personal details online, alongside increases in both computing power and data linkage techniques, fuel fears of identity exploitation. Will it be stolen? Who controls it? Are others aggregating or analysing our identities to infer new data about us without our knowledge or consent? New challenges present themselves globally around these fears, as manifested by concerns over massive online data breaches and automated identification technologies, which also highlight the conundrum faced by governments about how to safeguard individuals' interests on the Web while striking a fair balance with wider public interests. This paper reflects upon some of these problems as part of the inter-disciplinary, transatlantic ‘SuperIdentity’ project investigating links between cyber and real-world identifiers. To meet the crisis, we explore the relationship between identity and digitisation from the perspective of policy and law. We conclude that traditional models of identity protection need supplementing with new ways of thinking, including pioneering ‘technical-legal’ initiatives that are sensitive to the different risks that threaten our digital identity integrity. Only by re-conceiving identity dynamically to appreciate the increasing capabilities for connectivity between different aspects of our identity across the cyber and the physical domains, will policy and law be able to keep up with and address the challenges that lie ahead in our progressively networked world.

12.
The European Union (EU) has firmly set its stall out to protect individuals' data and privacy and has demonstrated this through the rejection of the old opt-out regime and the introduction of the new opt-in rules. These require businesses to obtain individual's prior and informed consent before their data are collected, stored and used for the purposes of online behavioural advertising (OBA). Individuals in the EU are afforded protection from the apparent dangers relating to data privacy and misuse that is associated with OBA, which is beyond the expectation of most Internet users. However, there are some criticisms levelled at the law that the EU has produced. Is simply gaining informed consent sufficient for protecting all types of information? Do certain types of information require a higher level of consent than others? Does the law fulfil its aim of protecting data subject's privacy and data? Is the current law restrictive to business? Do individuals know or care that their information is being collected for the purposes of targeted advertising and is there a better way to ensure that they do? Finally, will proposed new law to be found in the EU Data Protection Regulation solve any of these problems? This article will assess whether, as a policy decision, the EU's current approach has been too cautious in its attempts to protect individuals or restrict business.

13.
The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.

14.
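Yang Fan (杨帆). Global Law Review (《环球法律评论》), 2022, 44(1): 178-192
The Schrems II case has had a major impact on the EU's system of rules for cross-border data flows, which is built around the right to privacy and data protection: it requires that, whichever cross-border data transfer tool is used, the third country must be able to provide a level of protection equivalent to that of the EU. Under the influence of this case, the status of the Charter of Fundamental Rights of the European Union in the field of data protection has risen further, the application of safeguards has become increasingly strict, the European Data Protection Board will play a more important role in the field of data protection, and the incompatibility between EU rules on cross-border data flows and international trade law has become increasingly prominent. Although the EU has improved its legal supervision of cross-border data in light of the Schrems II judgment, this has not reduced outside doubts about the reasonableness of that supervision. China's regulation of cross-border data flows suffers from problems such as incomplete supporting legislation, poor operability of the rules, an imbalance among plural values, and the lack of a "Chinese approach" that links the domestic and the international. In response, China should improve its relevant legislation, strengthen international cooperation between China and the EU, and jointly lead the construction of international rules for cross-border data flows.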

15.
This article critically examines the practice, methods, and regulation of cross‐border police cooperation between the Republic of Ireland and Northern Ireland. Despite legal and political divisions, police cooperation has survived and flourished in recent years especially among police officers on the ground. By comparison, the development of transparent regulatory and accountability structures and processes has been disappointing. While there have been domestic initiatives at the intergovernmental and legislative levels, these have tended to emphasize the centrality of direct engagement between the police chiefs and senior civil servants at the expense of formal transparent procedures. EU instruments have been marginalized as the police forces and their administrations prefer informal networks and force‐to‐force agreements which, it is argued, shield cross‐border police cooperation from standards of transparency, oversight, and accountability which are essential to its legitimacy. They also highlight the limitations of the current EU legislative approach to cross‐border police cooperation.

16.
Abstract: This article explores the tension between freedom of movement within the EC/EU and the principle of social solidarity, a tension which has increased in step with the progressive enlargement over the years of the circle of potential beneficiaries of the right to cross‐border access to the social and welfare benefits guaranteed by the social protection systems of the Member States. The article aims to re‐construct the system of Community rules regarding the free movement of persons within the EU from the point of view of the justifying criteria for the cross‐border access to national welfare systems of the different categories of ‘migrants’. The focus of the article is on the different degrees and models of solidarity which, at least at the present stage of the European integration process, justify correspondingly graduated and differentiated forms of cross‐border access to Member States' social and welfare benefits for the various categories of persons who move about within the EU.

17.
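The basic positioning of the relationship between open government data and government information disclosure is "inherit but not replace". Government information disclosure, which arose in the 1960s, established citizens' right to know and built the concept and institutions of open government, laying the foundation for open government data, which arose with the arrival of the big data era in the 21st century. While inheriting from government information disclosure, open government data responds to the basic requirements of open data, expands the meaning of open government, and forms an institutional system independent of government information disclosure. 政...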

18.
On 16 July 2020, the Grand Chamber of the European Court of Justice rendered its landmark judgment in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). The Grand Chamber invalidated the Commission decision on the adequacy of the data protection provided by the EU-US Privacy Shield. It however considered that the decision of the Commission on standard contractual clauses (“SCCs”) issued by the Commission for the transfer of personal data to processors established in third states was legally valid. The legal effects of the judgment should first be clarified. In addition, it has far-reaching implications for companies which transfer personal data from the EU to the US. The judgment of the Grand Chamber has also far-reaching implications for transfers of personal data from the EU to other third states. Last, it has far-reaching implications for the UK in the context of Brexit. © 2020 Published by Elsevier Ltd. All rights reserved.

19.
We are in the middle of a global identity crisis. New notions of identity are made possible in the online world where people eagerly share their personal data and leave ‘digital footprints’. Multiple, partial identities emerge distributed across cyberspace divorced from the physical person. The representation of personal characteristics in data sets, together with developing technologies and systems for identity management, in turn change how we are identified. Trustworthy means of electronic identification is now a key issue for business, governments and individuals in the fight against online identity crime. Yet, along with the increasing economic value of digital identity, there are also risks of identity misuse by organisations that mine large data sets for commercial purposes and in some cases by governments. Data proliferation and the non-transparency of processing practices make it impossible for the individual to track and police their use. Potential risks encompass not only threats to our privacy, but also knowledge-engineering that can falsify digital profiles attributed to us with harmful consequences. This panel session will address some of the big challenges around identity in the digital age and what they mean for policy and law (its regulation and protection). Questions for discussion include: What does identity mean today? What types of legal solutions are fit for purpose to protect modern identity interests? What rights, obligations and responsibilities should be associated with our digital identities? Should identity management be regulated and who should be held liable and for what? What should be the role of private and public sectors in identity assurance schemes? What are the global drivers of identity policies? How can due process be ensured where automated technologies affect the rights and concerns of citizens? How can individuals be more empowered to control their identity data and give informed consent to its use?
How are biometrics and location-tracking devices used in body surveillance changing the identity landscape?

20.
Privacy by Design is now enjoying widespread acceptance. The EU has recently expressly included it as one of the key principles in the revised data protection legal framework. But how does Privacy by design and data anonymisation work in practice? In this article the authors address this question from a practical point of view by analysing a case study on EU Financial Intelligence Units (“FIUs”) using the Ma3tch technology as additional feature to the existing exchange of information via FIU.NET decentralised computer network. They present, analyse, and evaluate Ma3tch technology from the perspective of personal data protection. The authors conclude that Ma3tch technology can be seen as a valuable example of Privacy by Design. It achieves data anonymisation and enhances data minimisation and data security, which are the fundamental elements of Privacy by Design. Therefore, it may not only improve the exchange of information among FIUs and allow for the data processing to be in line with applicable data protection requirements, but it may also substantially contribute to the protection of privacy of related data subjects. At the same time, the case study clearly shows that Privacy by Design needs to be supported and complemented by appropriate organisational and technical procedures to assure that the technology solutions devised to protect privacy would in fact do so.
