1992
Transborder Data Flows A Discussion of Their Regulation
Tom Ogaranko, BA, LLB 1/1/1992
TRANSBORDER DATA FLOWS: A DISCUSSION OF THEIR REGULATION
CONTENTS

Chapter 1: Introduction
1.1 The current technology
1.1.1 Informatics Technology (IT)
1.1.2 Communications Technology
1.1.3 Effects of Converging Technologies
1.2 The technology stakeholders
1.2.1 National Governments
1.2.2 Multinational Corporations
1.2.3 Less Developed Countries (LDCs)

Chapter 2: What is Transborder Data Flow?
2.1 Issues of definition
2.1.1 What is information? Is it a service or commodity?
2.1.1 The Definition of Transborder Data Flows
2.2 What type of data is collected and transmitted?
2.2.1 Personal Data
2.2.2 Business Data
2.3 What type of data flows occur?
2.3.1 One-Way Flows
2.3.1 Two-Way Flows
2.4 Main characteristics of transborder data flows

Chapter 3: Regulation of Transborder Data Flows
3.1 Reasons for regulation
3.1.1. Privacy
3.1.2 Security
3.1.3 Sovereignty
3.1.4 Economics
3.2 Types of regulation possible
3.2.1 Regulation of Data or Flows
3.2.2 Regulation of Communications Technology
3.3 Methods of regulation
3.3.1 National Legislation
3.3.2 International Agreements

Chapter 4: Regulating Principles and Stakeholder Interests
4.1 Regulating Principles
4.1.1 Principles governing personal data
3.1.2 Principles governing non-personal data
3.2 Impact on stakeholders
3.2.1 Multinational Corporations
3.2.2 Governments of Developed Countries
3.2.3 Governments of Less Developed Countries

Bibliography
Notes
CHAPTER 1: INTRODUCTION

Since distance, time of day, and the crossing of national boundaries are no longer issues for today's advanced technology, it is apparent that access to and dissemination, collection and control of information can become a major national and international policy issue.[1]

When defined in the broadest possible sense, the subject of international data flows, although not yet widely recognized as such, could be one of the paramount issues in the closing years of the 20th century. Technology transfer, cultural dominance, industrial strength, full employment, mass education are only a few of the issues lying beneath the surface.[2]
As these two quotes imply, computer technology and its recent union with telecommunications technology have sent societies reeling from their effects on thought and action. This is demonstrated in the way in which we relate to space and time.[3] The space required for engineers to simulate reality, or for business and government to store and keep records is physically reduced to a series of electronic bits and their manipulation on computers can drastically increase processing time to attain the desired results. Through such technology we are extending space and time into dimensions of our own creation. We talk of extracting a file or document, sharing files over a network and performing simulations or searches on overseas computers. The new telecommunications and network technologies extend our immediate space and time to other places around the globe.

Consequently, computer and telecommunications technologies have little regard for governments and their laws. Effective regulation of transnational communication between computers and the storage, processing, and sharing of information has been a problematic area in the international legal community for the last twenty years. There have been numerous attempts to establish common regulatory principles and to harmonize national laws and regulatory schemes. But these efforts have had limited success.

There are many reasons why these efforts have proved fruitless. The constant changes in technology and the uses for which it has been employed are not fully understood by regulators and policymakers. They never shall be, as there is a lag between the introduction of a technology, the discovery of uses for which it can be usefully employed, the realization that regulation is needed and the formation of guiding principles and policies.

Two themes become apparent when exploring this phenomenon in relation to transborder data flows (TBDF or TDF). First, multinational corporations control the bulk of the information and the technology required for TBDFs. They rely on their national governments to defend their interests in national and international forums of regulation. The governments of developing countries[4] rely on the multinationals to provide them with the needed technology for national economic development and see regulation as central to this goal. The second theme concerns the influence of multinational corporations on the regulatory debate. They have successfully moved the negotiations away from privacy protection and economic protectionism to trade in services, and in so doing, have moved the forum of discussion out of traditional international agencies like the ITU and UNCTAD to trade forums like GATT.

To demonstrate these themes, this paper is written in five parts. Part I explores the current technology and owners and stakeholders of that technology, while Part II searches for a definition of transborder data flow by exploring the different types of data and flows. Part III asks why governments regulate TBDFs, how they regulate effectively, and by what authority they regulate. Part IV examines the main principles of international agreements and how the opinions of the stakeholders have shaped their application. Part V concludes the paper by looking at who benefits most from TBDF and whether the international policymaking framework is adequate to deal with issues like TBDF.
1.1 THE CURRENT TECHNOLOGY

Transborder flows of information are not a recent phenomenon. Only with the application of computer technology have they come to the attention of policymakers. This did not occur overnight, however. Both computer technology and telecommunications technology had to evolve before they could be united to allow for effective transnational sharing of information. Once achieved, this technology was soon applied to aid in economic, social, and political development. This phenomenon has become known as 'telematics.'[5]
1.1.1 INFORMATICS TECHNOLOGY (IT)

Informatics Technology includes advances in both hardware and software that have increased the processing speed, storage capacity and data entry method of today's computers. IT developments over the last 25-30 years may be simplified into a three-step progression.[6]

The first generation systems were simple databases of information, such as social insurance, health insurance and tax records. These remain the most widely used systems. At this stage though, users filled out paper forms, the information from which was punched onto cards and read into the computer for storage and processing. Computing occurred in the "background".

The second generation of IT was on-line information processing. Using terminals, people began to communicate with the system. Forms and punch cards were by-passed. Built-in mechanisms confirmed consistency and guarded against duplication. Rules were introduced as programs in the system were executed automatically.

The most recent generation emphasizes knowledge-based technology. This development coincides with the introduction of the personal computer. These systems move an increased amount of decision making from people to the machines. For example, electronic data interchange (EDI) technology can conduct simultaneous inventory and accounting functions while automatically invoicing suppliers, taking into account shipping time and the current rate of sales of the item.
1.1.2 COMMUNICATIONS TECHNOLOGY

The most recent generation of computers would not have been possible without communications technology. Though initially data was transmitted through conventional telephone systems, large users began demanding a variety of telecommunications services that would facilitate fast and easy transfer and processing of data. Telecommunications companies have responded by offering a wide assortment of services besides regular telephone and telex, such as facsimile (fax), call waiting, call forwarding, conference calling, video conferencing, automatic calling, data transmission, dedicated digital circuits, integrated services digital networks (ISDN) and packet-switched data transmission.[7] Transmission now occurs over landline (coaxial cable, fiber optics), microwave, radio, satellite data links, remote sensing satellite, private processing and data transmission networks.[8] Services such as these are offered also through banks and multinational corporations (MNCs) as part of the services they provide their clients and customers.
1.1.3 EFFECTS OF CONVERGING TECHNOLOGIES

In a recent UNESCO report it was asserted that "the merger of computer and telecommunications technologies is, in fact, the precondition for the emergence of transborder data flows."[9] TBDF created the opportunity to share information across vast distances to provide instant access to information or information processing facilities. Everyone and everything have become affected by TBDFs. The integration of the two industries has created several products not widely available until recently, such as on-line electronic databases and information systems, processing services such as airline reservation systems, inter-banking systems and electronic fund transfers and messaging services such as electronic mail and electronic data interchange (EDI).[10] Now there is a burgeoning international trade in information and data processing services that include several traditional products and many new ones. For example, news, health services, education, agriculture, manufacturing, transportation, marketing, credit, banking and finance, accounting, insurance, law enforcement, and every government function from security to weather prediction and disaster relief are now available through on-line networks.[11]

In August of 1991, VAN vendors agreed to a uniform international standard for Value Added Networks (VANs) that provide easy, transparent, efficient exchange of information. ANSI X12 Mailbag is now "the" transparent global switch between all network systems.[12] With this development EDI will become more feasible and useful for business. EDI is the standards-based computer-to-computer exchange of inter-company business documents and information.[13] In a recent Globe and Mail supplement, it was stated that "[t]he world is moving toward EDI. Like it or not, if Canada is to remain competitive, we have to move too."[14] Trade in technologically advanced nations has moved to a transparent, instant marketplace and has left other nations behind in traditional market mechanisms.

1.2 THE TECHNOLOGY STAKEHOLDERS

There are several people involved in the rapidly evolving and changing field of telematics. Nation states, intergovernmental (for example, ITU, IBI, INTELSAT, Council of Europe, OECD) and nongovernmental organizations such as private communication carriers, data processing service bureaux, MNCs, and transnational associations all have a stake in the development and direction this technology takes.[15] The battles and alliances between these stakeholders are played out in national and international arenas. In this article, I wish to focus on national governments of developed and developing countries, MNCs, and their involvement in the ownership or regulation of the technology and TBDFs. At the risk of overgeneralization, I exclude intergovernmental associations as they are collections of national governments acting in concert.[16] Private communications carriers and service bureaux are included in MNCs as many are owned in whole or in part by MNCs. Moreover, many of their corporate interests are similar.
1.2.1 NATIONAL GOVERNMENTS

National governments are involved in the telematics industry in several ways. Much of the administration of governments today is done extensively with computer technology. Data is often shared between departments, different levels of government, and between the governments of different countries. That data may be personal records or technical and scientific information. In many countries, computer communications networks are operated by government-owned Post, Telegraph and Telephone (PTT) authorities. Many international systems are cooperative efforts of governments and are organized as a service, such as the GEISCO EDI service, UN Secretariat systems, and most academic research networks like INTERNET.[17] Governments often back new ventures and later sell the technology to private industry, such as is currently happening in the USA with remote-sensing satellite technology.
1.2.2 MULTINATIONAL CORPORATIONS

Though it is obvious why governments are stakeholders in the regulation of information, it is not so obvious in the case of MNCs. Economists such as Galbraith and Drucker argue that as a society grows and becomes more technologically advanced, it furthers its goals and values through institutions. "In a pluralist society, all institutions are of necessity political institutions"[18] for they all must justify themselves in terms of their impacts on society and the satisfaction of all their respective "constituencies". Thus, corporations have become activists in politics, setting goals and creating visions rather than merely cooperating, responding and reacting.[19] They want to create a vision in which they are free to prosper and grow as well as aid their domestic support industries. However, they must not act in ways that lead national governments to reject and oppose them. In short, they must "satisfice"[20] their constituents, balancing their business needs with the interests of various national governments.[21]

In the private sector, those most involved with computerization are the most important information industries, namely, those involved with the acquisition, transfer and protection of property. Thus, banking and credit, brokerage, insurance, accounting, legal services, and advertising together account for the bulk of informational services.[22] In fact, MNCs in their endless "search for new markets, raw materials, and maximum profitability [are] the engine[s] powering the international transformation now proceeding."[23] To maintain profitability, MNCs have come to require information in the following areas:[24]

• Information about competitors' behaviour, which becomes increasingly complex as the degree of transnationalization increases. A key area of information here is technological (product) development related.
• Consumer behaviour in the market sectors where the corporation operates is essential.
• Technical/scientific information that relates to the specific products the company produces.
• Information about the economic, fiscal, legal and political environments in which the corporation operates.
To obtain this information, modern MNCs have made TBDF a basic requirement of their operations and of those that service them.[25] In fact, the infrastructure of MNCs has created most of the transnational computing systems through which seventy percent of world trade is conducted.[26] Business has come to require TBDFs in several areas of their operations. A 1983 OECD survey revealed that:

• Crucial to managing international operations is the availability of accurate and timely information with the flow of information paralleling the increasing flow of goods and services.
• From basic design and research, through production, marketing and distribution to after sales-service, TDF have been used to reduce costs and increase productivity.
• In some cases the improvements in performance allowed by TDF is so great as to make it possible for the firm to reorganize its operating structure in a more efficient way.
• TDF allow firms to offer entirely new products.
• The improved information flows made possible by TDF broaden and deepen the world market and make it increasingly interdependent. The communications network takes on the aspect of a nervous system, both for international firms and for the world economy in general.
• Telecommunications policy is going to have to have an increasing impact on the behaviour of MNEs and therefore the development of world trade and foreign investment.[27]
Essentially, MNCs use IT for coordinating activities between parent and subsidiary, providing corporate intelligence, internalizing market transactions, increasing processing efficiency, providing technology based firm-specific advantages, and simplifying the bargaining relationship between host countries and MNCs.[28]
1.2.3 LESS DEVELOPED COUNTRIES (LDCS)

Many host countries with which MNCs deal are developing or less developed nations (LDCs). LDCs rely largely, through licensing arrangements for transfers of technology, on MNCs to supply the required technology for TBDFs. This endeavour is supported by the Draft Code of Conduct on Transnational Corporations,[29] which will require the MNC to aid the development of the scientific and technological capacity of the developing nation with which it is dealing.

Currently, LDCs are not able to effectively use TBDFs or the information to which they would gain access. MNCs and the governments of developed nations can raise the needed funds for the required hardware and software and transmission costs, and can mobilize the required skills and industrial networks through which data can be most effectively used, whereas most LDCs cannot. Thus, TBDFs "add yet another component to the large discrepancies in the information capacities, and by implication in the trading capacities, of developed and developing countries."[30]

This information and trade gap, exacerbated by dependency on MNCs for the technology required for TBDF, has left developing countries' ability for self-reliant development hampered. Self-reliant development connotes the ability to make autonomous allocative decisions. Independent development creates unique information requirements. Currently, TBDFs do not meet such requirements. According to one UNESCO study, "[t]hey are oriented towards the needs of the transnational corporations and do not provide the developing countries with their needs and priorities. They weaken, in fact, the developing countries' national capacity for decision making about their own resources."[31]

Throughout this paper, I shall refer to the impact the regulation of TBDF has on these three stakeholders. It shall become evident how the definition of TBDF is instrumental to determining the ultimate beneficiaries of the technology and the data flows.
CHAPTER 2: WHAT IS TRANSBORDER DATA FLOW?

2.1 ISSUES OF DEFINITION

Defining TBDF is not as easy as one might assume. There is a division in the literature between two possible definitions. Adherence to one or the other of these definitions will expand or contract the reach of TBDF legislation.

2.1.1 WHAT IS INFORMATION? IS IT A SERVICE OR COMMODITY?

Some scholars question whether information and data are synonyms. Some argue that data constitute the raw material for information; that processing is required to transform one to the other. Olga Estadella-Yuste questions whether there is a difference between data and information. She asserts that 'data' is a term from the computer era and 'information' is a term from the pre-computer era. I agree, as all raw data is itself processed from machine-readable format to appear as written text on the screen. Maintaining two separate terms complicates the debate unnecessarily.[32] Accordingly, the terms information and data are used interchangeably in this paper.

Is the information accessible through network systems a service or a commodity? The answer determines the nature of the rules that apply to the regulation of information trade or exchange. It will determine the nature of the legal obligations and duties of the parties involved. For example, if information is a commodity then it can be expropriated, whereas an information service cannot be appropriated.[33] More specifically, this determination will be crucial in determining the need to regulate certain TBDFs and the type of regulation used.

2.1.1 THE DEFINITION OF TRANSBORDER DATA FLOWS

TRANSFER AND STORAGE OF DATA.

Transborder data flow "may be broadly defined as the transfer of computerized data across national borders."[34] This definition requires that data not only be transmitted across national borders, but that it also be stored outside the originating jurisdiction.[35]

STORAGE OR TRANSFER AND PROCESSING OF DATA.

This second definition, proposed by Novotny, requires a transborder data flow to both store and process data outside the originating jurisdiction.[36] Traditional telephony allows for transmission, but not storage or processing. Storage facilitates the manipulation through forms and orders of databases of information. This excludes all mass diffusion products such as media, and conventional (basic) telecommunications products. Millard criticizes this as being too narrow, "as much of the concern about transborder data flow arises where data is simply stored in a foreign jurisdiction, out of reach of an interested individual, corporation or government."[37] However, if all that Novotny requires is the processing to convert data into digital signals, and convert it back into machine-readable format and human-readable format, then Millard's concern may be misplaced. However, if Novotny requires more extensive processing than this, Millard's point is valid. It would exclude one-way transfers of data across borders and only be applicable to transnational and multinational flows (discussed below). Before settling on a definition, the type of data sent and the manner in which it is sent must be examined.
2.2 WHAT TYPE OF DATA IS COLLECTED AND TRANSMITTED?

There is a wide assortment of data kept around the world. It can be broken down into four basic categories: personal data, business data, technical data, and organizational data. These groupings are not discrete. One kind of data may be included as part of any one of the other three. This classification is used to elucidate the issues involved in TBDF regulation of different data, as the nature of the information sent abroad becomes important when determining the rules applied to the TBDF.[38]

2.2.1 PERSONAL DATA

Personal data is the most sensitive type of data. It includes data such as plane reservations, medical or criminal records, and credit card billings.[39] Most countries have recognized or are recognizing the need to provide some protection against unauthorized processing of sensitive personal data. The main international instruments for regulation of TBDF are concerned with personal data, even though it makes up only ten percent of all TBDFs.[40]

2.2.2 BUSINESS DATA

Business data is that by which financial and business transactions are conducted and contracts are executed. For example, the banking community has created the Society for Worldwide Interbank Financial Telecommunications (SWIFT) whereby they provide electronic fund transfer (EFT) services through a steadily expanding network of systems.[41] With the automation of the financial and corporate sectors "the computerized supply of financial and commercial information has become a major and growing source of profit."[42] Hence, governments are beginning to regulate them. They wish either to tax these profits or protect domestic industries.[43]

2.2.3 TECHNICAL DATA

Technical or scientific data includes weather forecasting, geological exploration, market research, product specifications and experimental results. This information is usually of considerable economic and strategic importance, and is usually central to any transfer of technology arrangement.[44] Some of this information is now gathered by remote sensing satellites.

2.2.4 ORGANIZATIONAL DATA

Organizational data is sometimes called "operational data" as it relates to the administrative functions or decisions of transnational organizations, usually between a corporation and its subsidiaries, foreign distributors, or licensees. These are regulated for not only the protection of personnel records and their personal information, but also for political or economic reasons.[45]

2.3 WHAT TYPE OF DATA FLOWS OCCUR?

All data types are used generally within four major contexts: intracompany information, inter-company information, governmental information needs, and transnational pursuit of information resources, i.e., use of remote databases.[46] For all the applications of telematics technology, there are two different types of flows: one way and two way flows. These are shown in Diagram 1.
2.3.1 ONE-WAY FLOWS

One-way flows either consolidate or distribute information from sources in other countries. Hence, there are two types of one-way flows.

CONSOLIDATION FLOWS

Consolidation flows demonstrate a simple subsidiary reporting relationship. For example, the headquarters in country B gathers all information from subsidiary offices such as that in country A. This includes such information flows as operational management and credit transactions.[47]

DISTRIBUTION FLOWS

Where a centralized operation distributes data to several subsidiary organizations there is a distribution flow. Examples include sending information updates to local files and databases, and distributing organizational instructions, financial reports, product orders,[48] and meteorological information to several countries.[49]

2.3.1 TWO-WAY FLOWS

Two-way transfers of data occur for two reasons: lack of processing capacity in the home country; or, where databases are shared internationally (such as a credit reporting agency).[50] There are also two types of subflows: transnational and multinational.

TRANSNATIONAL NETWORK FLOWS

Transnational network flows exist where users in one country connect to a host computer in another to use either the host computer's facilities or databases. These are exemplified by a shortage of information or computational facilities on behalf of the user, such as in service bureau arrangements.[51]

MULTINATIONAL NETWORK FLOWS

Multinational network flows are characterized by multiple users and hosts where data storage and processing may be centralized, decentralized, or both. Large service bureau and time sharing networks operate in such fashion.[52]

DIAGRAM 1: Patterns of Transborder Data Flow Movements

2.4 MAIN CHARACTERISTICS OF TRANSBORDER DATA FLOWS

By way of summary, the main characteristics of a TBDF can be demonstrated by an example. If data from country A is transported through country B without processing or usage occurring en route, it does not count as a TBDF. However, if the data is stored in country B while awaiting retransmission, then a TBDF has occurred.[54] The act of storing the data requires the data be processed, which qualifies it even under the more strict definition of TBDF required by Novotny. Information transmitted may be of a personal, business, organizational, or technical nature and may be transmitted in one- or two-way flows. TBDFs are usually based on contractual relationships and are proprietary in nature.[55]

Although there have been few attempts to measure the aggregate volume and direction of TBDFs, heavy concentration of satellite and submarine cable in the North Atlantic and between the USA and Japan indicate the predominance of TBDF within the industrialized west. Yet smaller industrialized countries, such as Canada, Sweden, and France, feel threatened by their growing dependency on the American collection and dissemination of information. The direction of the flow is reinforced by the uneven distribution of computer processing and communication technologies among nations. "Computer poor" countries, especially those in the developing world, often have to export raw data for processing and re-import the processed data. With the data outflows go data processing related jobs, revenues, and business. This, however, is not new. It is analogous to trade in other industries where LDCs export raw materials to purchase finished goods at higher cost. Noticeably lacking is the exchange of information among developing nations to integrate and represent their interests. This further exacerbates their dependency on the developed world.[53]
CHAPTER 3: REGULATION OF TRANSBORDER DATA FLOWS 3.1 REASONS FOR REGULATION When governments and international bodies regulate TBDFs, it is often stated that it is done for the protection of personal privacy, national security, or national sovereignty. Seldom will it be admitted that the rationale behind regulation is national economic welfare. Often those
Transborder Data Flows
13
subjected to regulation accuse regulators of using privacy, security or sovereignty to hide protectionist motives. They are often correct in making such accusations.
3.1.1 PRIVACY
Computers have facilitated the amassing of information about individuals for a large number of purposes. Communications technology has allowed the rapid and easy transfer of information within and between countries. This has caused concern over the reasons for which personal information is collected, how it is stored, and its possible applications that may be adverse to individual interests. This has led many countries to pass privacy legislation to protect a person's[56] privacy. However, most legislation is plagued by technical issues of enforcement.[57] Moreover, there still exists a fear that protective provisions will be undermined if there are no restrictions on the removal of data to other jurisdictions for processing or storage. Just as money tends to gravitate toward tax havens, so sensitive personal data will be transferred to countries with the most lax, or no, data protection standards. There is thus a possibility that some jurisdictions will become 'data havens' or 'data sanctuaries' for the processing or 'data vaults' for the storage of sensitive information.[58] Some countries have dealt with this fear by restricting outflows of data. For example, Sweden does not allow TBDF of personal information unless expressly authorized by their Data Inspection Board. The rationale is that the Swedish government does not trust the Data Acts in other countries and feels unprotected. Brazil does not allow information to leave the country unless the government approves the purposes for its transmission.
"Thus, on an ad hoc basis, privacy conscious countries are effectively censoring the data processing regulations of other, less protective states."[59]
3.1.2 SECURITY
Some countries may feel their national security is threatened by excessive reliance on and use of TBDFs. They may introduce legislation to ensure that the critical mass of national data is not held outside the state, fearing that data stored and processed in another state may become inaccessible in a time of political confrontation.
Such interference did occur when President Reagan, over a dispute regarding the Siberian gas pipeline, ordered Dallas-based Dresser Industries to halt technical communications with its French subsidiary, a compressor manufacturer. Since the French company no longer had access to important technical databases, they lost an Australian contract worth $3.5 million.[60] There is also a fear that nationally sensitive information may be removed from the country without permission. This is why the US National Security Agency (NSA) regulates all encryption techniques and develops encryption standards with International Business Machines (IBM). The NSA asserts that unrestrained data encryption threatens national security, but more than likely it also hampers their own international communications monitoring activities.[61] International organizations have sanctioned such interception and interference practices. For example, the International Telecommunications Union's (ITU) International Telecommunications Convention of Malaga-Torremolinos sanctions the interception, monitoring and ceasing of international communications in the name of national security.[62]
3.1.3 SOVEREIGNTY
Loosely defined, "sovereignty" seems to concern a nation's ability to protect its political autonomy and cultural integrity. The Canadian Clyne Committee defined sovereignty as "The ability of Canadians (both in government and in the private sector) to exercise control over the direction of economic, social, cultural, and political change."[63] Telematics has altered the concept of economic, social, cultural and political sovereignty from geographic terms to information terms. As information expands its role in management, it is something over which states feel they must exert control, but to date, any attempts have met with limited success.[64] There are several areas in which states are feeling threats to their sovereignty. First, a specific fear of Europeans is that data moved via communications technology outside the state could become the target of espionage. This fear may motivate a government to regulate outflows of such sensitive data as sanctioned by the ITU, even though such regulation may not prevent espionage.[65] Second, a state's sovereignty is threatened by MNCs, the most powerful non-state actors involved in TBDF. A primary threat is international currency speculation. Empowered with an automated global banking system, MNCs can now bypass national fiscal and monetary policies. A French government study reported nations have lost control of international cash flow and credit as distributed through specialized networks. It concluded that "it was impossible to implement 'a coherent financial policy' because worldwide electronic currency transfer makes exchange systems 'volatile'."[66]
Third, the dependence of developing nations on foreign data processing services is seen as a threat to a nation's sovereign control over natural resources, security considerations, and culture.[67] For example, the United States government has installed a series of remote sensing satellites that it may one day privatize. These satellites can survey the natural resources and land formations of countries without obtaining their permission. This has increased the fear of developing nations that they might be disadvantaged by the ability of developed countries to exploit the natural resources of developing countries. This has motivated many developing countries to assert sovereignty over information and data concerning natural resources that is in the hands of others. The Americans refuse to acknowledge the position put forward by developing nations. Hence, technologically advanced countries assume rights over information obtained by remote sensing, while denying the rights of those countries whose territories have been surveyed to claim sovereignty over their natural information.[68] To protect national sovereignty over information and control dependency on other nations for technology and information, some countries have developed telematics policies that regulate the collection, use and dissemination of information. For instance, Brazil, perhaps more than any other nation, has developed a coherent policy framework to manage the new technologies and with them TBDFs.[69] This has been done to maximize national control over the technologies and their employment, access to information, and to control the impact on Brazil's cultural and political environment.[70] It must be emphasized that even though LDCs fear that the information revolution may serve to widen the gap between rich and poor nations, TBDFs have become a crucial part of an LDC's development. TBDFs are seen as "bridging the gap between nations by contributing to a transfer of such data resources as computer hardware, databases and information
jobs."[71] Louis Joinet, French Magistrate of Justice, extracted the real issue in the regulation of TBDFs when he said that [i]nformation is power, and economic information is economic power. Information has an economic value and the ability to store and process certain types of data may well give one country political and technological advantages over other countries. This in turn may lead to a loss of national sovereignty through supranational data flow.[72] Even though a country's telematics policies have overlapping political and economic concerns, there can be a theoretical distinction drawn between a state's security or sovereignty and that state's policies for economic advantage.[73]
3.1.4 ECONOMICS
The status of data-processing operations can have significant economic consequences for nations, since it creates high paying technical jobs in data-processing countries, leaving low paying jobs and key punch operations in data exporting countries. TBDFs are becoming national economic indicators, as important as balance of trade and employment.[74] It is not surprising then, that the pursuit of economic advantage has become the driving force in the erection of barriers to TBDFs. American MNCs, heavily dependent on free information flows, have been complaining that "other countries are using privacy concerns as a smokescreen for what are essentially protectionist economic policies."[75] However, it is interesting that countries place restrictions on TBDFs for different reasons. More technologically advanced countries place
restrictions on flows to protect their own industries, whereas developing countries regulate data flows as part of a larger development strategy. This warrants more extensive examination, as this is crucial to understanding the reasons behind the shift in direction of the TBDF debate.
ECONOMICS AS USED BY DEVELOPED COUNTRIES
The political and economic mechanism of late-twentieth century capitalism shows the paramount role of government in developing, maintaining, and assuring the profitmaking interests of the corporate sector in new economic developments.[76] The regulation of TBDFs by advanced industrial nations is done for political and economic reasons. Within a state, the advanced technology industries and associated and dependent industries are strong lobbies, especially if they are large multinational corporations. Their desire to ensure stable economic growth and profit leads them to demand that their governments place restrictions on other MNCs or technology importers. Often, the means used to restrict foreign business is to prevent easy access to information about the activities of subsidiaries, licensees, or clients. One of the restrictive means employed against these businesses is the regulation of TBDF in the guise of privacy protection or national sovereignty.[77] The real economic motive is not disclosed. It has only recently been understood in economic theory. The pervasive use of technology in a country has led to a drastic rethinking of economic theory. The standard understanding of economics typified by the neoclassical supply and demand curves (Diagram 2) becomes fallacious. A new understanding of supply and demand has emerged in the high-technology industry (Diagram 3). As a new technology is developed, a great deal of capital must be invested in R & D. Consequently, cost-per-unit
production is high as compared with the neoclassical view of low costs. However, as improvements are made in production techniques and product design, the cost per unit production decreases. The slight plateau in the supply curve in diagram 3 is due to the cost of investing in mass production of the technology; the final drop in the curve exists at a point where investment allows for the development of a new technology, making this technology outdated. This notion is foreign to neoclassic economic theory. Moreover, in the high-technology model, "undersupply lowers prices and oversupply raises prices (precisely the opposite of the classical conclusion)."[78] This is a result of increased production in a time of undersupply, increasing the rate at which a firm moves down the supply curve. Oversupply evokes the opposite response, thereby slowing technological progress.
DIAGRAM 2: Classical picture of the supply-demand equilibrium
It is not surprising that these two models lead to very different policy considerations. Note the points of equilibrium on both diagrams. The neoclassic model has only one smooth point of equilibrium that wipes out a record of all prior history of market activity. The high-technology model has several points of equilibrium, bringing in prior market history as a basic determinant: a society can find itself in one or the other of two possible competitive states, either competitive or entirely overwhelmed, depending on the prior economic history of itself and its competitors. Furthermore, a small shift in either the supply or the demand curve can move crucial parts of one of the curves entirely out of contact with the other. This represents the total collapse of an industry overwhelmed by an initially small but persistent price or other advantage accruing to or seized by a competitor.[79]
DIAGRAM 3: High-Technology revision of classical supply-demand equilibrium
The rightmost equilibrium (B) is a healthy industrial sector, the leftmost equilibrium (A) represents an industry that, having lost its mass market, can maintain only enough R&D to keep itself surviving at a minimal level. When it comes to regulation of TBDFs, countries with high technology sectors at equilibrium B will impose regulation to prevent foreign competitors from developing a strong presence in the domestic market, thereby threatening domestic producers and MNCs who rely on a strong
domestic market to fund foreign ventures. Countries with technology sectors at equilibrium A will regulate TBDF to protect infant industries while they move down the supply curve to equilibrium B, or if they wish to save a technology industry on the brink of being overtaken by foreign competition. LDCs, if they have a high-technology industry, often regulate to protect their infant industries from foreign competition. Brazil is a case in point. However, this is not the only economic rationale for TBDF regulation by LDCs.
ECONOMICS AS USED BY DEVELOPING COUNTRIES
Developing nations see telematics as essential to development. The technology facilitates both the acquisition and use of technical and scientific data which can improve developmental policymaking. LDCs can use the databases of advanced countries to save on the costs of doing extensive research on their own, while still formulating their own economic and technological policies. Likewise, the education required to implement and utilize the technology fosters social and political development.[80] However, the ability of developing countries to achieve self-reliant development in a highly technological world has meant increasing dependency upon their ability to obtain and utilize telematics technology. As a result, many LDCs have implemented national telematics policies which reflect their desire to gain access to the economic and technical information required for development. Consequently, these policies create restrictions on the international flow of data that may hamper or deter MNCs attempting to enter LDC markets.[81]
LDCs lack informatics infrastructure for several reasons. They lack the required technology for local R & D and innovation. LDCs lack the institutional framework to effectively amass, analyze, and disseminate information to its users. Lastly, as the technology is always changing, LDCs often lack the financial resources and trained personnel to keep pace with developments and changing requirements.[82] In an effort to develop telematic resources, LDCs have created a series of initiatives, policies and regulations which have partly led to the development of barriers on unrestricted TBDF. These restrictions are aimed at reducing the dependency on foreign technology, data-processing facilities, and information. As technology often enters developing nations as MNC foreign direct investment, the degree to which developing nations wish to regulate TBDF often depends on their relationships with MNCs.[83]
3.2 TYPES OF REGULATION POSSIBLE
Legislative and administrative restrictive practices that influence TBDF are many. Effective regulation is done in one of two ways: one is regulation of the nature of the data, and the other is regulation of access to telecommunications technology to engage in TBDF.[84]
3.2.1 REGULATION OF DATA OR FLOWS
Legislative and administrative restrictive practices that influence TBDF are many. Some countries impose requirements that 'domestic' information and transactions be processed in the home country. For example, Germany requires that private leased lines with international access carry out 'substantial' local processing before transmission. The 1980 Canada Bank Act requires all 'basic' financial data to be processed and maintained in Canada. Measures like these restrict business
opportunities for foreign data processing service firms.[85] Other countries place restrictions on data content. For example, the Swedish Data Inspectorate in 1988 refused to allow a company to send potential customer files to the US for direct marketing purposes. They also require that all data bases be registered with the Inspectorate.[86] Other countries require proper security measures[87] and national control over data while abroad. France, too, affects the ability of TNCs to obtain information they need for their foreign operations by restricting the flow of information through their data protection laws.[88] Nigeria requires forty percent local ownership in data-processing service companies and communications equipment manufacturers. This discriminates against foreign investment.[89] The USA's National Security Agency worked closely "with IBM on the development of computer encryption equipment and, in particular, the creation of the Data Encryption Standard (DES), designed by IBM and certified for use by the National Bureau of Standards. Moreover, the DES is standard for all exported equipment,"[90] which aids in international industrial espionage efforts, already alluded to.
3.2.2 REGULATION OF COMMUNICATIONS TECHNOLOGY
Within the telecommunications area there are presently two competing plans for development. On the one side, a postal-industrial coalition of companies defines the issue as one of monopoly control over services versus market integration. The coalition argues that monopoly service provision will provide users with equal access to services, standardized protocols, procedures, and technologies, and economies of scale with lower overall investment cost.
Conversely, the telematics coalition of companies and service providers wants to see market segmentation and greater competition. This would facilitate faster technological progress, customized networks, and lower costs for larger users.[91] The number of initial commitments for liberalization of telecommunications regulation by many GATT member countries indicates the telecommunications sector is in a state of transition, from a state of monopoly control to a more competitive environment.[92] This does not, however, mean that countries do not regulate TBDFs through their telecommunications policies; many do. For example, Japan increases the cost to large users of data communications, thereby making data communications unfeasible. This is done by discouraging or denying the leasing of private circuits. Germany refuses to connect international leased lines to public networks unless the connection is made via a computer which carries out at least some processing. This increases the cost to users, especially smaller users.[93] At one time, Germany required companies to lease a minimum of four lines if they wished to conduct TBDFs. Other restrictive practices that influence TBDF have also been employed. The imposition of narrow or inconsistent technical standards on both telecommunications service providers and users makes technical connection to appropriate VANs and network facilities impossible. The threat of taxing value-added data processing has reduced the willingness of business to engage in TBDFs. The French government has studied the feasibility of measuring TBDF to apply such measures.[94]
3.3 METHODS OF REGULATION
The various types of flows and data already discussed will influence regulatory conditions, as the location of the user, the direction of the flow, and the geographic location of storage and processing functions will determine the effectiveness of regulation.[95] This is true whether the regulatory instrument is of a national or international character.
3.3.1 NATIONAL LEGISLATION
Currently fifteen countries have data protection legislation on their statute books, and bills are proposed in eight more states. All were passed within the past twenty years, Sweden being the first in 1974. Most of the laws have been passed in Europe, and have not produced a uniform standard of regulation.[96] States have focused on two issues: the sending of personal data across national borders and the protection of individual rights. Thus, the laws passed cover personal data only. Some legislation includes personal data held by legal persons,[97] though most states have excluded legal persons from their legislation because of the strong lobby of the business community and their criticism of any regulation.[98]
ISSUE: DOES THE LEGISLATION HAVE AN EXTRA-TERRITORIAL EFFECT?
Whether national legislation can apply extra-territorially depends on its wording. There are two cases where the wording may create compliance problems. First, where data is collected in country A and transferred to country B, a citizen of country B has no protection under country A's laws, unless country A's domestic laws extend to country B's citizens. Second, where data is collected in country A, then transferred for storage or processing to country B, country A's transborder transfer restrictions will apply, and country B's domestic laws may apply to protect a citizen of country A while that data is in country B.[99]
Even with this confusing state of affairs, compliance is simple to determine in one-way flows. Compliance with the home country's laws is all that is needed. The situation becomes more difficult with two-directional flows. Where the processing is a transnational or multi-national flow, the location of the user is crucial to enforcement.[100] "The criterion of the application of the national regulation is thus the location of the user and no more the location of the system."[101] This criterion extends the scope of regulation in an important way. As most systems located abroad are accessible from another country via telecommunication systems, they would be subjected to at least two national regulations, "the regulation available in the country where the system is located and those available in the country where the system is used."[102] To overcome the possible restrictive nature of such regulation, the European Community's (EC) Council of Europe has drafted the European Draft Privacy Directive, which spells out that the laws of a jurisdiction control records only within that jurisdiction but do not have extraterritorial effect.[103]
3.3.2 INTERNATIONAL AGREEMENTS
The international community has tried to reconcile the two requirements of respect for personal information and encouragement of free and open trade between nations in a number of international agreements.[104]
ISSUE: ARE INTERNATIONAL AGREEMENTS LEGALLY ENFORCEABLE?
A controversy has developed over whether international agreements on TBDF are legally enforceable. None of the agreements created to date is a
treaty, except for the COE Convention. Thus, the only area of international law that these agreements may be binding under is international customary law. Customary international law contains two requirements: first, a consistent and general international practice must exist amongst states, and second, the international community must accept the practice as law. "This subjective element of acceptance as law is often known as opinio juris."[105] This was formulated in the North Sea Continental Shelf Cases, Federal Republic of Germany v. Denmark v. Netherlands [1969] I.C.J. Rep. 3.[106] Judge ad hoc Sorenson (dissenting) commented that the majority has reserved the possibility of recognizing the rapid emergence of a new rule of customary law based on the recent practices of States. This is particularly important in view of the extremely dynamic process of evolution in which the international community is engaged at the present stage of history. Whether the mainspring of this evolution is to be found in the development of ideas, in social and economic factors, or in new technology, it is characteristic of our time that new problems and circumstances incessantly arise and imperatively call for legal regulation. In situations of this nature, a convention adopted as part of the combined process of codification and progressive development of international law may well constitute, or come to constitute, the decisive evidence of generally accepted new rules of international law. [Emphasis added.][107] The issue of codification of existing international law or progressive development of it through the activities of international associations and organizations was also addressed by Judge ad hoc Sorenson, supra, at 242-43. He said that the two notions, though theoretically distinct, are in practice overlapping.
The very act of formulating or restating an existing customary rule in an international agreement may define its contents more precisely than previously understood, while at the same time the rule may be adapted to contemporary circumstances, factual or legal, in the international community. However, he also states that a treaty may be based on state practice and doctrinal opinion which has not yet crystallized
into international customary law.[108] With this framework in mind, what is the legal status of the existing international agreements? These documents shall be discussed with reference to the time they came into force, their structure, their objective and scope, and their legal effect as international law.
OECD GUIDELINES[109]
The Guidelines were developed by government experts under the direction of The Hon. Justice M.D. Kirby, Chairman of the Australian Law Reform Commission. A Recommendation was made to the Council of the OECD which was adopted and became applicable on 23 September, 1980.[110] In total, there are 24 signatories to the Guidelines.[111] The Guidelines are in five parts and are followed by an Explanatory Memorandum that is to guide interpretation and application of the Guidelines. Part Three deals specifically with TBDF under the heading "Basic Principles of International Application: Free Flow and Legitimate Restrictions". The objective of the Guidelines is to remove any unjustified obstacle to TBDF, allowing only the principles of privacy protection and individual rights to be taken into account in national legislation. The scope of the document encompasses personal data that is processed or that which may be used and therefore poses a threat to privacy in both the private and public sectors.[112] The most fundamental limitation of the Guidelines is that they are not legally enforceable. Though they may represent a broad and significant consensus on TBDFs and may influence the direction of domestic lawmaking, the open-textured language means they can only serve as a loose framework for regulatory harmonization. Both the Guidelines and the accompanying Memorandum leave a lot unspecified and unresolved,
such as the conflict of laws problem, specific parameters limiting regulation in the name of privacy, sovereignty, or security, trade relations, tariff policies, employment and internal data traffic conditions.[113] According to Estadella-Yuste, the guidelines are neither legally binding nor a source of international law per se, but that "does not preclude the possibility that they may have legal implications" as other signatory states will rely on other signatories to fulfill the obligations in the agreement.[114] The Guidelines are not international law as they took the form of a Recommendation by the Council, which is of a non-binding nature in contrast with decisions or declarations.[115]
OECD DECLARATION
The Guidelines on MNCs formed part of a Declaration, passed in 1985 by the Council of the OECD. They stress the economic issues, rather than the technical ones, raised by the internationalization of modern telecommunications, data processing, and information services.[116] This was the first international instrument to deal with TBDFs of non-personal data[117] and was a reaction to the strong lobby of business communities in member nations to allow free flow and access of information across borders.[118] The Declaration has three sections. The first states general facts about computerized data and TBDFs. The second section states the intentions of the parties; namely, to promote accessibility to data, make regulation transparent, find common policies and solutions, and consider the international impact of national policies. The last section states the projects to be undertaken by the OECD members. There is a strong emphasis on commercial and economic concerns, such as data flows accompanying international trade, computer services and information, and
organizational flows. As the form of a Declaration is not included within the decisional process of the OECD, but has developed through practice, its effect is considered the same as Decisions of the Council of the OECD. The Declaration expresses the willingness of states to be bound by certain practices, but because it contains the wishes of several countries and is not a unilateral declaration, it lacks the subjective element required to constitute a valid opinio juris.[119] As the Declaration is not a declaration of international customary law, it can be viewed as a means by which rules of law may be detected to resolve disputes. In the absence of express rules, the Declaration provides the means to determine fair and equitable solutions.[120] It can be characterized as establishing a minimum framework for developed countries on the negotiation of trade in services.[121]
COUNCIL OF EUROPE CONVENTION
The Council of Europe's Committee of Ministers adopted the final text of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data,[122] on 28 January 1981. To become binding, it needed ratification by five member states. On 1 October, 1985, the United Kingdom became the fifth state in the EC to ratify the Convention.[123] The purpose of the COE Convention is to ensure respect for individual rights and freedoms of everyone within the COE with respect to automatic personal data. Thus, the scope of the convention is limited to automated personal data files and automatic processing of personal data in both the private and public sectors. It permits extension to legal persons and any group of persons that may lack legal personality.[124] The convention is
divided into seven chapters, the third of which deals with TBDF.[125] Accompanying the text of the Convention is an Explanatory Report which states that Chapter III 'aims at reconciling the simultaneous and sometimes competing requirements of free flow of information and data protection, the main rule being that transborder data flows between Contracting States should not be subject to any special controls.'[126] The Convention is criticized on the grounds that the text of Chapter III is so vague that it cannot provide guidance in truly reconciling the conflicting priorities contained therein. Moreover, Paragraph Two of Article 12 makes no provision for restricting TBDFs on grounds other than privacy.[127] This is unrealistic and shows the limited awareness of the true scope of the nature of TBDFs. Article 12(3a) states that a member can prevent the transfer of data to another member if that country does not have 'equivalent' data protection legislation. Does 'equivalent' mean 'identical' or 'similar', and who decides in the event of a dispute?[128] Despite these shortfalls, the Convention is binding international customary law restricted in application to the COE region. However, the Convention does provide in Article 23 for non-member states of the Council of Europe [to] be invited by the Committee of Ministers to accede to the Convention. This could include countries such as USA, Canada and Australia. It could also include the European Economic Community![129] Should another nation declare their intent to be bound by the agreed practice, arguably there would be sufficient grounds to find an opinio juris, especially after the COE allowed the country to formally accede to the terms of the Convention.
UNITED NATIONS GUIDELINES
The UN Guidelines were adopted in final form during the 45th session of the General Assembly of the United Nations.[130] The Guidelines on "Computerized Personal Data Files" purport to be the minimum
guarantees to be implemented into national legislation. The principles contained are very similar to the OECD Guidelines and the COE Convention.[131] This agreement does not constitute a treaty or declaration of international customary law. Being a multilateral resolution to consider a course of action, it lacks opinio juris and an acknowledged international practice. It could not be considered customary law, though it may aid in its definition.[132]
GENERAL AGREEMENT ON TARIFFS AND TRADE (GATT) & GENERAL AGREEMENT ON TRADE IN SERVICES (GATS)
Though not formally completed, the GATT and GATS agreements of the Uruguay Round are included here for an important reason. They demonstrate the change in focus of the TBDF debate from privacy concerns to trade in services. One of the central objectives of the Uruguay Round is to reach an agreement among all the participants which would establish multilaterally agreed rules and disciplines to govern international trade in services currently valued at over US$800 billion annually, a significant portion of which is in the area of telecommunications services. Long-standing national service monopolies are challenged, not by deregulation per se, but by commitments to regulate in ways that are not prejudicial to foreign suppliers. Market forces are to play a greater role providing better services at lower costs.[133] Agreement has been achieved through General Agreement on Trade in Services (GATS), which establishes for the first time a set of multilateral rules and disciplines for trade in all commercial services as well as commitment to liberalize and expand such trade. To this end, negotiations have occurred in three areas: (a) establishing a draft multilateral framework of rules and disciplines; (b) liberalizing services trade through
governmental commitments which will be annexed to the articles forming an integral part of the agreement; and, (c) preparing draft annexes on special problem areas in certain sectors such as telecommunications and financial services that will be included in the final agreement. Two sectoral annexes have been proposed for trade in telecommunications services. The first deals with access to and use of public networks and services. The objective of the annex is to ensure service providers have access to and use of services under transparent, reasonable, and non-discriminatory conditions. The second annex would provide for an exception from the Most Favoured Nation (MFN) principle for basic telecommunications. Though all parties want a strong MFN provision, this has become a source of disagreement between the developed and developing countries in the negotiations.[134] The GATT forum has become a battle between different conceptions of liberalizing TBDFs in the developed world. The Americans and the Europeans have proposed different methods for handling liberalization of trade in services (including TBDF). The United States urges general liberalization but would allow reservations and special agreements for specified areas. The EC advocates a general multilateral framework agreement with sector-by-sector liberalization.[135]
For example, banking has proven to be a major point of contention. The United States wants a special or separate agreement, whereas the EC advocates complete liberalization of the financial industry.[136] Developing countries naturally insist on keeping the focus of GATT on trade in goods, as that is where their main interest and needs lie. Their fear is that trade in services, a topic of growing importance to developed countries, will overshadow negotiations on trade in goods. Moreover, some developing countries fear that a liberalized service market would hinder the development of domestic service industries because international competition could be overwhelming and the domestic markets eventually dominated by MNCs. Other LDCs see trade in services as only a bargaining chip to get agreements in trade in goods. Yet others fear they may be forced by developed countries to agree to services trade agreements to get what they need in goods agreements.[137] The GATT and GATS agreements are contractual and therefore do not qualify as customary international law.
CHAPTER 4: REGULATING PRINCIPLES AND STAKEHOLDER INTERESTS There are several common principles regulating personal and non-personal data that are contained in all of the international regulatory instruments. After discussing these principles, the impact on the stakeholders shall be assessed.
4.1 REGULATING PRINCIPLES 4.1.1 PRINCIPLES GOVERNING PERSONAL DATA
There are ten principles central to the OECD Guidelines, COE Convention, and the UN Guidelines that govern the storage of personal data. DATA QUALITY PRINCIPLE
Personal data ought to be current, accurate and complete. The Convention, article 5(c) requires that "[p]ersonal data undergoing automatic processing shall be adequate, relevant and not excessive in relation to the purposes for which they are stored." The Guidelines state in paragraphs 8 and 10 that "[p]ersonal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for the purposes, should be accurate, complete and kept up-to-date."
PURPOSE SPECIFICATION PRINCIPLE
The purpose for which data is collected should be specified and all use of that data ought not to be inconsistent with enumerated purposes.[138] The Convention requires storage for "legitimate purposes"[139] while the OECD Guidelines require that the purpose of collection be "specified no later than the time of data collection."[140] The UN Guidelines place time limitation, use and disclosure, openness, and social justification principles under the rubric of purpose specification.
LIMITED USE OR DISCLOSURE PRINCIPLE
Only with consent of the data subject, authorization of law, or publicly known and accepted practice should data be made available.[141] The OECD Guidelines sanction this view at paragraph 9. The COE Convention merely requires at Article 5(b) that "processed personal data be stored for specified and legitimate purposes and not be used in ways incompatible with those purposes."
SECURITY PRINCIPLE
Personal data must be safeguarded from loss, destruction, alteration, dissemination, or unauthorized access. The OECD Guidelines require, in paragraph 11, that a test of reasonableness be employed to determine this. The Convention is silent on the degree of flexibility that can be allowed here. The UN Guidelines suggest that measures should be taken to protect against natural dangers, unauthorized access or fraudulent use.[142]
OPENNESS PRINCIPLE
Any policies, developments or practices that develop with regard to personal data should be openly accessible. Specifically, it should be possible to identify the location and identity of the data controller and any applicable practices and policies associated with that controller. This is asserted in paragraph 12 of the OECD Guidelines. The Convention, however, refers to this principle as the right of any person to establish the existence and contents of a data file, as well as the residence and identity of the data controller.[143]
COLLECTION LIMITATION PRINCIPLE
Collection of personal data should be restricted to the minimum amount necessary. The Guidelines require that "such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject"[144] or with the authority of law. The Convention states: "Personal data undergoing automatic processing shall be obtained and processed fairly and lawfully."[145] Only the Convention requires that data pertaining to "racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life and data relating to criminal convictions"[146] shall only be processed if appropriate safeguards exist in national legislation. The UN Guidelines require that personal data not be used for ends in contravention to the UN Charter.
INDIVIDUAL PARTICIPATION PRINCIPLE
According to the Convention, OECD Guidelines and the UN Guidelines, which put it in almost the same terms, individuals must have several rights. They must be free (a) to get from the data controller confirmation of whether there exist data about him; (b) to learn what that data is within a reasonable time; (c) to require that personal data be corrected, completed, amended, or possibly erased; and, (d) to be notified of the reasons for the denial of a request for information with a route to appeal the decision. The only difference in the OECD Guidelines and the COE Convention is their degree of emphasis of various points.[147]
ACCOUNTABILITY PRINCIPLE
For every data record there should be an identifiable data controller accountable in law for the enforcement of personal data principles. The Convention states as much in Article 8(a) and the OECD Guidelines assert this principle at paragraph 14.[148]
SOCIAL JUSTIFICATION PRINCIPLE
Personal data ought to be for general purposes and specific uses that are socially acceptable. The OECD omits this principle, but it is arguably contained in the Convention's requirement to store data for legitimate ends.[149]
TIME LIMITATION PRINCIPLE
This principle also does not appear in the Guidelines but does appear in the Convention. Article 5(e) requires personal data to be "preserved in form that permits identification of the data subject for no longer than the amount of time necessary for the purposes for which those data are stored."[150]
3.1.2 PRINCIPLES GOVERNING NON-PERSONAL DATA
Some academics suggest that the aforementioned principles could be applicable to the regulation of transborder flows of non-personal data if they were formulated in more general terms. To illustrate, the scope of the security principle could effectively cover economic and technical data. "A reasonableness criteria could determine to what extent [it] could be formulated in more general terms."[151] It may be necessary to add additional standards to effectively extend these principles to protect other types of TBDF data. However, this is unlikely: as data is coming to be seen as a service rather than a commodity, it is less likely that it will become subject to additional restrictive regulation. The debate over non-personal data is moving towards trade liberalization; consequently, there are new guiding principles used in negotiations.
ACCESSIBILITY PRINCIPLE
Service providers and data users ought to have the minimum of restrictions placed upon their activities. The Declaration includes this principle at section (a). The GATS agreement includes this principle in the application of the Most-Favoured Nation status to trade in services. MFN status guarantees non-discriminatory conduct among and between signatory states. As already mentioned, one of the annexes to the agreement has excluded basic telephony from MFN status. In addition, the GATT principle of National Treatment or non-discrimination between foreign and domestic products is also included in the GATS agreement.[152]
TRANSPARENCY PRINCIPLE
All rules, regulations, and procedures affecting trade in services and the free flow of information ought to be public knowledge. Both the Declaration (in section Two) and the GATS agreement stress this principle. This is central to trade in telecommunications services.
INTERNATIONAL IMPACT PRINCIPLE
As all nations do not start at common levels of development, there ought to be consideration of the impact liberalization will have on other
countries. The OECD Declaration adopts this principle in the fourth category of issues under section Two. The GATS agreement acknowledges this principle by allowing progressive reductions in trade barriers, recognizing that parties to the agreement negotiate from very different starting points. More time will be allowed for countries with a less advanced telecommunications sector to prepare for and get used to international competition.[153]
FREE FLOW PRINCIPLE
The free flow principle is the central underlying concept in current discussions regarding TBDF. All information ought to be able to flow as freely as possible between countries. This is somewhat misleading as the real issue in regulation is not one of the free flow of information, but rather of access to it on behalf of those who wish its gathering and processing. The ICC has offered four reasons for the free flow of information:[154]
• the vital importance of efficient information exchange in the development and growth of modern international trade and production.
• the right of business to communicate freely within and outside its corporate structure.
• the right of business to access and utilize national and international communications fairly, competitively, and nondiscriminatorily.
• the necessity of recognizing the worldwide interdependence of business communications.
The OECD Declaration supports this principle in its attempt to seek a balance between access to data and the creation of unjustified barriers to the international exchange of data. This is crucial as it provides grounds for requests made by a country or MNC for access to data stored in information systems in another country.[155] The GATS agreement
supports this principle with its call for the general liberalization of trade in services. The hope is that with liberalization will come unrestricted TBDFs. The beneficial value of the free flow of information is being increasingly questioned. There are selectors and controllers who shift and shape the messages in society. The use of the market mechanism makes this all the more evident. The fears and frustrations of developing nations are exacerbated by MNCs who now select and control large segments of world data flows.[156]
3.2 IMPACT ON STAKEHOLDERS The following discussion runs the risk of over-generalizing the positions of the parties involved. Nation-state governments will differ on principles according to their degree of industrialization, the amount of involvement of the government in the high-technology industry, and the degree to which the country feels its sovereignty and security is threatened. Multinationals shall differ on these principles according to their economic sector of involvement, dependence on technology and TBDF, and the amount of business and assets existing outside domestic markets.
3.2.1 MULTINATIONAL CORPORATIONS MNCs have always needed to become increasingly competitive to survive. They face stiffer international competition, greater regulation, and greater involvement of foreign governments in supporting their domestic business community. Consequently, MNCs have turned to technology to aid them in expanding their influence, holding off competition, and consolidating their global position. This has led to attempts at industrial concentration. The basic processes through which industrial concentration takes place, namely diversification, horizontal and vertical integration, can be facilitated through the use of transnational data flows. These all imply
complex coordinating tasks and [the] need [for] fast and reliable monitoring of dispersed markets. The large transnational data flow users have important stakes in the free flow of data across borders and are likely to attempt to influence their environment for the appropriate deregulation.[157] And they have done so. The international business community, through the International Chamber of Commerce (ICC), was actively involved in the drafting of both the OECD Guidelines and the COE Convention.[158] These agreements effectively limited regulation to personal data flows. The bulk of information flow was not greatly affected. To assure their market dominance and effectively prevent competition from infant telematics industries, the business community of developed countries has lobbied vigorously to deregulate trade in services and data flows. Furthermore, the trade of technical or scientific information has provided further economic benefits to MNCs. As technical or scientific information contains little or no personal data, it is very free from regulation. Compiling technical data about other nations through remote sensing satellites such as LANDSAT and ERTS provides vital information to its collector about crop conditions, fish stocks and migration, forestation, and geological formations and deposits that can be used to formulate trade and investment policies. Both the governments and MNCs with this information have a foreknowledge of sorts, and hence a distinct advantage over others. Those sensed nations want access to the primary data as well as the analyzed information. However, the sensing nation or MNC refuses, saying that it was through its labour that this property was created. Thus, the analyzed data should not be treated in the same manner as sensed data.[159]
3.2.2 GOVERNMENTS OF DEVELOPED COUNTRIES
As the different international regulatory instruments demonstrate, governments of developed countries have proven extremely responsive to the wishes of their business community. Initially concerned with the effect of telematics technology on personal privacy and national security, they became concerned over the use of regulation to protect their own MNCs and those industries dependent on the health of the MNCs. Threats to economic survival and prosperity forced the governments of developed countries to change the way they see information. Domestically produced information could not be a commodity in other countries, for then its free flow could be stopped, or it could even be expropriated. The countries with greater dependency on TBDF argued they were offering information services which could not be subjected to regulation and restriction. Altering the definition of data led to calls for deregulation of trade in such services. Hence, the debate moved from forums of international governmental associations to international trade forums.
3.2.3 GOVERNMENTS OF LESS DEVELOPED COUNTRIES This shift in focus by the developed nations and MNCs has not gone unnoticed in the developing world. The governments of developing nations have objected in three ways: by arguing that deregulation is adverse to their development, that deregulation will increase their dependency on developed nations for technology and information, and that this lack of development and dependency threatens their cultural and social survival. It was not until the mid-1980s that it was realized by official donors and international organizations that the aid provisions for the development of infrastructure of LDCs ought to include telecommunications technologies and not just things like roads and bridges.[160] This realization has led to the refusal of LDCs to liberalize international telecommunications regulations (through the ITU for example) until advanced nations agree to
subsidize the telecommunications developments of countries that cannot afford basic systems or newer, more advanced ones. In effect, the LDCs are demanding a "right to technology". Their justification for this position is that all members of the international community have to exploit a shared resource and all should have access to an equal, or at least minimal, share of this resource (i.e., telecommunications technologies).[161]
Developing countries know they play a very small role in the process of "informatization". As telecommunications investments are more predictable than computer investments due to longer planning cycles, the possibility of optimizing systems, increasing productivity, and increasing capital savings becomes possible. Developing countries have come to see informatization as a possible way to leap-frog into the 'information age'. However, with deregulation of the industry through agreements like GATS, the control over domestic telecommunications industries will be reduced, as will the control over telematic development. "This implies that the relative position of the developing countries in terms of leapfrogging into the 'information age' is even lower than thought if taking traditional indicators of the 'industrial age'."[162]
As the developing nations have little or no development of manufacturing of IT, they are the most sensitive to unregulated infusions of IT into their fragile economic and political systems through MNCs and meager development projects. This has led some LDCs to support deregulation in the hopes that this will aid in development. There is considerable evidence that developing countries can use transactions with transnational corporations as a means of securing effective technology transfer and development. This type of strategy is characterized by the active management and control over the processes of importing and assimilating technical knowledge, complemented by the development of indigenous technological capabilities.[163]
For example, Brazil's approach will not be followed by other developing nations in Africa. Many African nations are more in favour of free flow of information as they do not have information technology or data processing industries to protect. "Since for development purposes they are dependent on access to foreign service bureaux, they also have potentially much to lose from restrictions on the international free flow of data."[164]
However, many more LDCs argue that IT is being used to solidify the stranglehold of the neo-imperialist system by concentrating control over data processing and information creation in the developed countries, while keeping the developing countries dependent.[165] Many LDCs would point to the growing dependency of Mexico on the United States as an example. Ninety-five percent of Mexico's TBDFs occur between Mexico and the USA. The large number of American MNC affiliates along the Mexico side of the Mexico-US border are responsible for these flows. They require a large amount of advanced telecommunications technology and services that the government's two national telecommunications companies (now privatized) have had to develop. Most of the hardware and software used in this infrastructural development came from American firms, as domestic firms lacked the capacity to develop the technology. These developments are essential to keeping FDI in Mexico while attracting more investment.[166]
Furthermore, IT deregulation threatens cultural identities because international telecommunications systems could be used to export database services which had been created in a market system that will create alien systems for arrangement and classification of knowledge. If IT is controlled by a few countries, other nations would succumb to some type of cultural-homogenization without some type of regulation.[167] Hence, an important question for developing countries lacking computer technology is whether or not it is in their best interest to subscribe to an international data network in which they will clearly play a client role.
Opinion is divided. It is argued that using the information networks of developed countries offers LDCs cheaper, and more effective access to the latest scientific and technical know-how from the developed world. Conversely, it is argued that the developing world will find themselves in dependency relationships with access to information that is suited to neither the needs nor the resources of the developing world. Only one percent of current research is being directed to the special problems of the developing nations.[168]
[Chart: Legislation on the protection of personal data in OECD countries, 1991. Legend: ADP = Automatic Data Processing; PP = Physical Person; LP = Legal Person; L = Legislation; PL = Pending Legislation.]
BIBLIOGRAPHY
Bing, Jon. "IT and the Rule of Law." Transnational Data and Communications Report (Jan./Feb. 1992), 13-16.
Bolter, Jay David. "The Computer in a Finite World." Computer/Law Journal 6:349 [1985].
Bortnick, Jane. "International Information Flow: The Developing World Perspective." Cornell. Int'l. L.J. 14:333 [1981].
Bruce, Robert R. et al. From Telecommunications to Electronic Services: A Global Spectrum of Definitions, Boundary Lines, and Structures. Washington, DC: Debevoise & Plimpton, 1986.
Drucker, Peter F. Managing in Turbulent Times. New York: Harpers & Row, Publishers, 1980.
Dunkel, Arthur. "Telcom Services and the Uruguay Round." Transnational Data and Communications Report (Jan./Feb. 1992), 17-19.
Edwards, Chris and Nigel Savage et al. Information Technology and the Law, 2nd Edition. United Kingdom: MacMillan Publishers, 1990.
Estadella-Yuste, Olga. "Transborder Data Flows and the Sources of Public International Law." N.C.J. Int'l L. & Comm. Reg. 16:379 [1991].
Globe & Mail. Issues for Canada's Future: EDI or Die. June 1992.
International Chamber of Commerce (ICC). "International Business Criticizes EC Data Protection Proposal." Transnational Data and Communications Report (Jan./Feb. 1992), 37-41.
Jay, Rosemary Patricia. "Transborder Data Flows." New Law Journal (Feb 22, 1991), 241.
Kindred, Hugh M. et al. International Law: Chiefly as Interpreted and Applied in Canada, Fourth Edition. Canada: Emond Montgomery Publications Ltd., 1987.
Kirby, Honourable Justice Michael. "Legal Aspects of Transborder Data Flows." Computer/Law Journal 9:233 [1991].
Millard, Christopher J. Legal Protection of Computer Programs and Data. Toronto: Carswell, Co., 1985.
Mowlana, Hamid. International Flow of Information: A Global Report and Analysis. Paris: UNESCO, 1985.
Novotny, Eric J. "Transborder Data Flow Regulation: Technical Issues of Legal Concern." Computer/Law Journal 3:105 [1981].
O.E.C.D. Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data. Paris: OECD, 1981.
O.E.C.D. Information Technology Outlook 1992. Paris: OECD, 1992.
Pavlic, Breda and Cees J. Hamelink. The New International Economic Order: Links between Economics and Communications. Paris: UNESCO, 1985.
Ploman, Edward W. International Law Governing Communications and Information: A Collection of Basic Documents. Westport, CT: Greenwood Press, 1982.
Poullet, Y. "Privacy Protection and Transborder Data Flow; Recent Legal Issues." G.P.V. Vandenberghe, ed. Advanced Topics of Law and Information Technology. Deventer, Netherlands: Kluwer Law and Taxation Publishers, 1989, 29.
Rada, Juan. "Information Technology and the Third World." M. David Ermann et al, eds. Computers, Ethics & Society. New York: Oxford University Press, 1992, 262.
Reguly, Bob. "No spies, please, we're Canadian." Financial Times of Canada (October 24, 1992) at 22.
Ritter, Jeffery B. "Defining International Electronic Commerce." NWJ of Int'l L & B 13:1 (1992).
Roche, Edward M. "The Landscape of International Computing: A Personal View." Transnational Data and Communications Report (Jan./Feb. 1992), 24-27.
Schiller, Herbert I. Who Knows: Information in the Age of the Fortune 500. Norwood, NJ: ABLEX Publishing Corp., 1981.
Schwartz, Jacob T. "America's Economic-Technological Agenda for the 1990's." Dædalus: A New Era in Computation (Winter 1992), 139.
Simmonds, Kenneth R. and Brian H.W. Hill, eds. Law and Practice Under the GATT, 2 vols. New York: Oceana Publications, 1992.
Transnational Data and Communication Report. "Many Countries Commit to GATS Telecom Coverage." Sept-Oct. 1992 at 8.
Trubow, George B. "The European Harmonization of Data Protection Laws Threatens U.S. Participation in Trans Border Data Flow." NWJ of Int'l L & B 13:159 (1992).
United Nations Centre on Transnational Corporations. Transborder Data Flows and Brazil. ST/CTC/40.
United Nations Centre on Transnational Corporations. Transborder Data Flows and Mexico. ST/CTC/72.
United Nations Centre on Transnational Corporations. Transnational Corporations, Services and the Uruguay Round. ST/CTC/103.
NOTES
1 Rolf T. Wigand quoted in Chris Edwards and Nigel Savage et al., Information Technology and the Law, 2nd Edition (United Kingdom: MacMillan Publishers, 1990) at 122.
2 William L. Fishman, formerly Assistant Director for International Communications, Office of Telecommunications Policy, Executive Office of the President; now, Senior Policy Advisor, National Telecommunications Information Agency. Quoted in Herbert I. Schiller, Who Knows: Information in the Age of the Fortune 500 (Norwood, NJ: ABLEX Publishing Corp., 1981) at 99.
3 Jay David Bolter, "The Computer in a Finite World" (1985) 6 Computer/Law Journal 349 at 352. This introductory discussion is loosely extrapolated from his article.
4 The use of the terms "developing nation" or "developed nation" throughout this paper refers only to the level of technological complexity of countries, not the level of cultural, moral, intellectual or political development. The terms "North" and "South" are inappropriate as countries such as Brazil and Australia have extensive telematics industries and legislation. We need a vocabulary to describe this technological phenomenon that is not as ethnocentric and pejorative as the terms currently available.
5 This definition was developed by the Intergovernmental Bureau for Informatics. "Informatics: Its Political Impact" IBI Doc. D.G. 1-04 at 2.
6 Jon Bing, "IT and the Rule of Law" Transnational Data and Communications Report (Jan./Feb. 1992), 13-16, at 13.
7 United Nations Centre on Transnational Corporations, Transnational Corporations, Services and the Uruguay Round, (ST/CTC/103) at 44.
8 Christopher J. Millard, Legal Protection of Computer Programs and Data. (Toronto: Carswell, Co., 1985) at 227.
9 Hamid Mowlana, International Flow of Information: A Global Report and Analysis (Paris: UNESCO, 1985) at 45.
10 United Nations CTC, Uruguay Round, supra, at 44.
11 Millard, supra, at 227.
12 Globe & Mail, Issues for Canada's Future: EDI or Die (June 1992) at 18.
13 Ibid., at 3.
14 Ibid., at 4.
15 Mowlana, supra, at 47.
16 This view is supported by Olga Estadella-Yuste, "Transborder Data Flows and the Sources of Public International Law" N.C.J. Int'l L. & Comm. Reg. 16:379 [1991] at 409n.
17 Jeffery B. Ritter, "Defining International Electronic Commerce" NWJ of Int'l L & B 13:1 (1992), at 24.
18 Peter F. Drucker, Managing in Turbulent Times (New York: Harpers & Row, Publishers, 1980) at 207.
19 Ibid., at 154.
20 "Satisfice" is a term taken from formal decision theory. It was coined in the late 1940's by American management scientist, Herbert Simon of Carnegie Mellon. It was used to show that solutions to problems were found in institutions in a pluralistic framework not with a view to optimize or maximize results, but to find the minimal acceptable results.
21 Drucker, supra, at 210.
22 Schiller, supra, at 142.
23 Ritter, supra, at 13.
24 Breda Pavlic and Cees J. Hamelink, The New International Economic Order: Links between Economics and Communications (Paris: UNESCO, 1985) at 37-8.
25 The Honourable Justice Michael Kirby, "Legal Aspects of Transborder Data Flows" Computer/Law Journal 9:233 (1991) at 236.
26 Ritter, supra, at 24.
27 O.E.C.D. Document DSTI/ICCP/83.23 as quoted in Chris Edwards and Nigel Savage et al., supra, at 122.
28 Ritter, supra, at 25.
29 See section 36, which refers to the transfer of technology. It reads:
36 (a) Transnational corporations shall conform to the transfer-of-technology laws and regulations of the countries in which they operate. They shall co-operate with the competent authorities of these countries in assessing the impact of international transfers of technology in their economies and consult with them regarding the various technological options which might help those countries, particularly developing countries, to attain their economic and social development.
(b) Transnational corporations in their transfer of technology transactions should, in accordance with the criteria set forth in the Set of Multilaterally Agreed Equitable Principles and Rules for the Control of Restrictive Business Practices, avoid restrictive practices which adversely affect the international flow of technology, or otherwise hinder the economic and technological developments of countries, particularly developing countries.
(c) Transnational corporations should contribute to the strengthening of the scientific and technological capacities of developing countries, in accordance with the science and technology established policies and priorities of those countries. Transnational corporations should undertake substantial research and development activities in developing countries and should make full use of local resources and personnel in this process.
This was reproduced in Annex IV of United Nations CTC, Uruguay Round, supra, at 231.
30 Pavlic, supra, at 40.
31 Ibid.
32 Estadella-Yuste, supra, at 388n.
33 Ibid., at 388.
34 Kirby, "Legal Aspects", supra, at 235.
35 Millard, supra, at 207.
36 Eric J. Novotny, "Transborder Data Flow Regulation: Technical Issues of Legal Concern" Computer/Law Journal 3:105 [1981] at . UNESCO subscribes to what Novotny classifies as a TBDF. See 62, supra, at 45.
37 Millard, supra, at 207n.
38 Estadella-Yuste, supra, at 389.
39 Millard, supra, at 208.
40 Estadella-Yuste, supra, at 389.
41 Millard, supra, at 208.
42 Mowlana, supra, at 45.
43 Millard, supra, at 208.
44 Ibid., at 209.
45 Ibid.
46 Edwards and Savage et al., supra, at 121.
47 Novotny, supra, at 110-2.
48 Ibid., at 112.
49 Millard, supra, at 209.
50 Ibid.
51 Novotny, supra, at 112.
52 Ibid.
53 Mowlana, supra, at 48.
54 Millard, supra, at 209.
55 Mowlana, supra, at 45.
56 All privacy legislation refers to individual persons. However, some countries have or are considering including legal persons within the ambit of their legislation. See Appendix One for the status of privacy legislation within OECD countries and note 96 for those countries with protection laws on the books and proposed.
57 See Novotny's article for a thorough discussion of these technical reasons.
58 Millard, supra, at 211.
59 Ibid., at 211-12.
60 Edwards and Savage et al., supra, at 124.
61 Ibid., at 124-5.
62 This is found in "Article 19: Stoppage of Telecommunications" which reads: 109 1. Members reserve the right to stop the transmission of any private telegram which may appear dangerous to the security of the State or contrary to their laws, to public order or to decency, provided that they immediately notify the office of origin of the stoppage of any such telegram or any part thereof, except when such notification may appear dangerous to the security of the State. 110 2. Members also reserve the right to cut off any other private telecommunications which may appear dangerous to the security of the State or contrary to their law, to public order or to decency. Reprinted in Edward W. Ploman, International Law Governing Communications and Information: A Collection of Basic Documents (Westport, CT: Greenwood Press, 1982), 232 at 238.
63 Millard, supra, at 213 quoting from Telecommunications and Canada (Ottawa: Minister of Supply and Services, 1979) at 1.
64 Mowlana, supra, at 49.
65 Millard, supra, at 214. Economic espionage was recently discussed in Bob Reguly, "No spies, please, we're Canadian," Financial Times of Canada (October 24, 1992) at 22. "Around the world, national security agencies are doing business in a new way. Less and less are they spying on each other. More and more they are gathering information to help their country's firms beat the escalating international competition." Reguly asserts that the French, Germans, Americans (FBI, CIA, and NSA), British and Russians are heavily involved in this new area of activity.
66 Mowlana, supra, at 49.
67 Millard, supra, at 214.
68 Schiller, supra, at 118-19.
69 Kirby, "Legal Aspects", supra, at 236n.
70 United Nations Centre on Transnational Corporations, Transborder Data Flows and Brazil (ST/CTC/40) at 11.
71 UNESCO, E/C.10/1986/16, 1986 quoted in 13 at 123.
72 Millard, supra, at 212.
73 Ibid., at 213.
74 Edwards and Savage et al., supra, at 124.
75 Millard, supra, at 215-16.
76 Schiller, supra, at 112.
77 In some cases these points apply equally to developing nations with telematics industries. For example, Brazil's Special Secretariat of Informatics (SEI) designed industrial policies for informatics that encourage foreign affiliates to use their comparative advantage and advanced R&D facilities to manufacture new high technologies. Once developed, national capital is invested by SEI, production is phased into local companies and the infant industry is protected from foreign competition. In addition, the foreign company is encouraged not to improve these products and create domestic competition, but rather to develop new products. See United Nations CTC, TDF and Brazil, supra, at 186-7.
78 Jacob T. Schwartz, "America's Economic-Technological Agenda for the 1990's" Dædalus: A New Era in Computation (Winter 1992), 139 at 144-46.
79 Schwartz, supra, at 147.
80 Jane Bortnick, "International Information Flow: The Developing World Perspective" Cornell. Int'l. L.J. 14: 333 [1981] at 334-35.
81 Ibid., at 333.
82 Ibid., at 335-36.
83 Edwards and Savage et al., supra, at 124.
84 Ibid., at 125.
85 Pavlic, supra, at 37.
86 Mowlana, supra, at 50.
87 Poullet, Y. "Privacy Protection and Transborder Data Flow; Recent Legal Issues." G.P.V. Vandenberghe, ed., Advanced Topics of Law and Information Technology (Deventer, Netherlands: Kluwer Law and Taxation Publishers, 1989) 29 at 33.
88 Ibid., at 37.
89 Pavlic, supra, at 37.
90 Schiller, supra, at 109.
91 United Nations CTC, Uruguay Round, supra, at 58.
92 Transnational Data and Communication Report. "Many Countries Commit to GATS Telecom Coverage." Sept-Oct. 1992 at 8.
93 Pavlic, supra, at 37.
94 Edwards and Savage et al., supra, at 125.
95 Novotny, supra, at 112.
96 Those countries with data protection laws as of February 1991 are: Australia 1989, France 1978*, Luxembourg 1979*, Austria 1978*, Germany 1977*, Netherlands 1988, Canada 1982, Iceland 1985, Norway 1978*, Denmark 1978*, Ireland 1988, Sweden 1973*, Finland 1987, Israel 1981, United Kingdom 1984*. Those countries in which data protection bills are proposed as of February 1991: Belgium, Hungary, Switzerland, Greece, Portugal, United States of America, Italy, Spain*. * denotes countries which have ratified the COE Convention. Taken from 21 at 241.
97 See Appendix 1 for a chart of the nature of the current legislation.
98 Estadella-Yuste, supra, at 386.
99 Kirby, "Legal Aspects," supra, at 115.
100 Ibid., at 116-17.
101 Poullet, supra, at 31.
102 Ibid.
103 George B. Trubow, "The European Harmonization of Data Protection Laws Threatens U.S. Participation in Trans Border Data Flow" NWJ of Int'l L & B 13:159 (1992) at 165.
104 Rosemary Patricia Jay, "Transborder Data Flows" New Law Journal (Feb 22, 1991) 241 at 241.
105 Hugh M. Kindred, et al., International Law: Chiefly as Interpreted and Applied in Canada, Fourth Edition (Canada: Emond Montgomery Publications Ltd., 1987) at 174.
106 Ibid., at 183.
107 Ibid., at 187.
108 Ibid., at 200.
109 O.E.C.D., Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data (Paris: OECD, 1981) [hereinafter Guidelines].
110 Ibid., at 5. Millard points out that Australia, Canada, Iceland, Ireland, Turkey and the U.K. abstained from the vote. Millard, supra, 217n.
111 Jay, supra, at 241.
112 Estadella-Yuste, supra, at 394.
113 These last three issues were beyond the mandate of the OECD Expert Group that developed the Guidelines. See Millard, supra, at 219.
114 Estadella-Yuste, supra, at 393 and 393n.
115 Ibid., at 393n.
116 Ibid., at 383-84.
117 Ibid., at 392.
118 Ibid., at 404.
119 Ibid., at 418-19.
120 Ibid., at 393n.
121 Ibid., at 405.
122 European Treaty Series, No. 108.
123 Sweden, Norway, France, and Spain were the other four nations to ratify the Convention. It is worth stressing that the Council of Europe in Strasbourg is not the same as the European Commission in Brussels, though the two bodies do keep in close contact.
124 Estadella-Yuste, supra, at 394.
125 Millard, supra, at 220.
126 Ibid.
127 Ibid., at 221.
128 Edwards and Savage et al., supra, at 126.
129 Ibid., at 126.
130 UN Doc. A/Res/45/95(1991). The final version of the Guidelines can be found at E/CN.4/1990/72.
131 Estadella-Yuste, supra, at 385.
132 Kindred, supra, at 201.
133 Arthur Dunkel, "Telcom Services and the Uruguay Round" Transnational Data and Communications Report (Jan./Feb. 1992) 17-19 at 17.
134 Ibid., at 19.
135 Kenneth R. Simmonds and Brian H.W. Hill, eds., Law and Practice Under the GATT, v 1 (New York: Oceana Publications, 1992) III.B.13 at 46.
136 Ibid., III.B.13.
137 Kenneth R. Simmonds and Brian H.W. Hill, eds., Law and Practice Under the GATT, v 2 (New York: Oceana Publications, 1992) IV.B.1 at 1315.
138 Estadella-Yuste, supra, at 397.
139 COE Convention, Article 5(b). See Ploman, supra, at 317.
140 OECD Guidelines, supra, paragraph 9 at 10.
141 Estadella-Yuste, supra, at 397-8.
142 Ibid., at 398.
143 COE Convention, supra, Article 8(a) at 317.
144 OECD Guidelines, supra, paragraph 7 at 10.
145 COE Convention, supra, Article 5(a) at 317.
146 Ibid., Article 6 at 317.
147 Estadella-Yuste, supra, at 398-99.
148 Ibid., at 398.
149 Ibid., at 399.
150 Ibid., at 399-400.
151 Ibid., at 401.
152 Dunkel, supra, at 18.
153 Ibid., at 18.
154 Poullet, supra, at 29.
155 Estadella-Yuste, supra, at 406.
156 Mowlana, supra, at 50.
157 Pavlic, supra, at 40.
158 International Chamber of Commerce (ICC), "International Business Criticizes EC Data Protection Proposal" Transnational Data and Communications Report (Jan./Feb. 1992) 37-41 at 38.
159 Schiller, supra, at 131.
160 Edward M. Roche, "The Landscape of International Computing: A Personal View" Transnational Data and Communications Report (Jan./Feb. 1992) 24-27 at 25.
161 Kindred, supra, at 826.
162 Juan Rada, "Information Technology and the Third World" M. David Ermann et al, eds., Computers, Ethics & Society (New York: Oxford University Press, 1992) 262 at 274-75.
163 Roche, supra, at 26.
164 Millard, supra, at 226.
165 Roche, supra, at 25.
166 United Nations Centre on Transnational Corporations, Transborder Data Flows and Mexico (ST/CTC/72) at 94-6.
167 Roche, supra, at 25.
168 Mowlana, supra, at 45.
169 Schiller, supra, at 15-17.
170 Ibid., at 126-27.
171 Ibid., at 138.
172 Ibid., at 147.
173 Millard, supra, at 227.
174 Ibid., at 227.
175 Robert R. Bruce, et al., From Telecommunications to Electronic Services: A Global Spectrum of Definitions, Boundary Lines, and Structures (Washington, DC: Debevoise & Plimpton, 1986) at 14-15.
176 Estadella-Yuste, supra, at 386.
177 Bruce, supra, at 15.