On December 2, 2010, Christopher Kuner, partner in Hunton & Williams’ Brussels office, presented his 90-page study entitled “Regulation of Transborder Data Flows Under Data Protection and Privacy Law: Past, Present, and Future” at a meeting of the OECD Working Party on Information Security and Privacy in Paris. The study was written in Mr. Kuner’s capacity as a Visiting Researcher at the Tilburg University Institute of Law, Technology, and Society (“TILT”) in the Netherlands. A revised version of the study will be annexed to the report to be prepared in 2011 by the Working Party on the 30th anniversary of the OECD Privacy Guidelines.
The study describes the historical development of regulation of transborder data flows and its present status in legal systems around the world; evaluates the policies underlying such regulation; and draws some conclusions for the future. The study also contains a comprehensive annex with excerpts from relevant provisions of data protection and privacy instruments and laws dealing with transborder data flows.
In addition to reviewing the regulation of transborder data flows in international instruments (such as the OECD Privacy Guidelines, the Council of Europe Convention 108, the EU Data Protection Directive and the APEC Framework), the study considers such restrictions under the laws of approximately 60 countries. As the study reveals, countries in nearly all regions of the world have adopted data protection or privacy laws regulating transborder data flows, including ones in North America (Canada) and Latin America (Argentina, Colombia, Mexico, Uruguay); the Caribbean (the Bahamas); all EU and EEA Member States and other European countries (Albania, Switzerland, etc.); Africa (Benin, Burkina Faso, Mauritius, Morocco, South Africa, etc.); the Near and Middle East (DIFC and Israel); Eurasia (Armenia); and Asia-Pacific (Australia, Macau, New Zealand, etc.). The study also considers regulation of transborder data flows in private-sector instruments.
Among the topics dealt with in the study are the history of transborder data flow regulation; the legal nature of the various regulatory approaches; compliance and enforcement of such regulation in practice; the benefits and risks of transborder data flows; the different regulatory “default positions” (i.e., either allowing transborder data flows unless regulators block them, or not allowing them unless a legal basis is present); the policies underlying such regulation; the role of legal harmonization; and issues of applicable law and jurisdiction. The study closes with some conclusions and recommendations for future work.