Transborder data transfers: Concepts, regulatory approaches and new legislative initiatives

International Data Privacy Law

Volumn 3, Issue 2, 2013, Pages 117-130

  Weber, Rolf H ^a,b  

^a UNIVERSITY OF HONG KONG   (Hong Kong)

^b UNIVERSITY OF ZURICH   (Switzerland)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85071229756     PISSN: 20443994     EISSN: 20444001     Source Type: Journal    
DOI: 10.1093/idpl/ipt001     Document Type: Article

References (41)

1. Paul Schwartz, Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment 4 (2009), available at,http://theprivacyprojects.org/wp-content/uploads/2009/08/ The-Privacy-Projects-Paul-Schwartz-Global-Data-Flows-20093.pdf. accessed 30 November 2012.
2. See also the discussion of factors by Christopher Kuner, Regulation of Transborder Data Flows under Data Protection and Privacy Laws, 187 OECD Digital Economy Papers, 10-11 (2011); an earlier (slightly longer) version of this report is available under Christopher Kuner, Regulation of Transborder Data Flows under Data Protection Privacy Law: Past, Present, and Future, 016/2010 TILT Law & Technology Working Paper (2010), available at,http://ssrn.com/abstract=1689483. accessed 30 November 2012.
3. See,http://youthink.worldbank.org/issues/globalization/. accessed 30 November 2012.
4. See the Section below entitled 'Available legal frameworks'.
5. This section is based on Gehan Gunasekara, 'The “Final” Privacy Frontier? Regulating Trans-Border Data Flows' (2007) 17 International Journal of Law and Information Technology 147, 154 et seq.
6. World Economic Forum, Global Information Technology Report 2009-2010, vii, available at:,http://www.weforum.org/pdf/GITR10/GITR% 202009-2010_Full%20Report%20final.pdf. accessed 30 November 2012.
7. See Bodil Lindqvist decision of European Court of Justice, Case 101/01 (2003), ECR 2003 I-12971, paras 69-70.
8. The Madrid Resolution, International Standards on the Protection of Personal Data (2009).
9. OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).
10. See the Section below entitled 'New concept of the proposed EU Data Protection Regulation'.
11. See ,http://www.apec.org/Groups/Committee-on-Trade-and-Investment/. accessed 30 November 2012.
12. For further details see Warren B. Chik, 'The Lion, the Dragon and the Wardrobe Guarding the Doorway to Information and Communications Privacy on the Internet: A Comparative Case Study of Hong Kong and Singapore-Two Differing Asian Approaches' (2005) 14 IJLIT 47.
13. In general on the strengths of self-regulation see Rolf H. Weber, Regulatory Models for the Online World 83 et seq. (Schulthess, Zurich 2002).
14. See the Section below entitled 'Safe Harbour agreements'.
15. See also the detailed overview, given by Yves Poullet, 'The Directive 95/ 46/EC: Ten years after' (2006) 22 Computer Law and Security Review 206.
16. See also Christopher Kuner, 'An international legal framework for data protection: Issues and prospects' (2009) 25 Computer Law and Security Review 307.
17. For a defailled discussion of the respective problems see Rolf H.Weber, 'Regulatory Antonomy and Privacy Standards under the GATS' (2012) 7 Asian Journal of WTO & International Health Law and Policy 26.
18. Declaration on Transborder Data Flows, 11 April 1985, available at:,http://www.oecd.org/document/32/0,3343,en_2649_34255_1888153_ 1_1_1_1,00.htm. accessed 30 November 2012.
19. See the Section below entitled 'Safe Harbour agreements'.
20. For further details see Rolf H. Weber, 'Can Data Protection be Improved through Privacy Impact Assessments?', Weblaw Jusletter IT of 18 September 2012, available at,http://www.jusletter-it.eu. accessed 30 November 2012.
21. See the subsections below entitled 'Binding corporate rules', 'Standardized contractual rules', and 'Individual contractual rules'.
22. Alexandra Engel, Reichweite und Umsetzung des Datenschutzes gemäss der Richtlinie 95/46/EG für aus der Europäischen Union exportierte Daten am Beispiel der USA 94 (Berlin 2005).
23. See also Ulrich Wuermeling, Handelshemmnis Datenschutz: die Drittländerregelung der Europäischen Datenschutzrichtlinie 107 (Heymanns, Köln 2000).
24. See Article 29 Data Protection Working Party, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV, D75025/98 WP 12, 1998, note 6.
25. See SWIFT press release of 4 October 2007, available at:,http://www. swift.com/about_swift/legal/compliance/statements_on_compliance/ swift_board_approves_messaging_re_arcitecture/index.page?. accessed 30 November 2012.
26. See Kuner (n 2), at 28; see also Peter P. Swire, 'Elephants and Mice Revisited: Law and Choice of Law on the Internet' (2005) 153 University of Pennsylvania Law Review 1975-2001.
27. 61,http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:215:0004:0006:EN:PDF. accessed 30 November 2012.
28. 62,http://export.gov/safeharbor/eu/eg_main_018493.asp.. accessed 30 November 2012.
29. Alexander Genz, Datenschutz in Europa und den USA 151 (Dt. Univ.-Verl. Wiesbaden 2004).
30. See Article 29 Working Party, Opinion 4/2000 on the level of protection provided by the 'Safe Harbor Principles',,http://ec.europa.eu/justice/ data-protection/article-29/documentation/opinion-recommendation/ index_en.htm. accessed 30 November 2012.
31. Spiros Simitis, 'Kommentar zum Bundesdatenschutzgesetz' § 4b N 73 in Spiros Simitis et al. (eds), Bundesdatenschutzgesetz (6th ed. Nomos, Baden-Baden 2006).
32. Ninja Marnau and Eva Schlehan, 'Cloud Computing und Safe Harbour' (2011) 35 Datenschutz und Datensicherheit 311.
33. Chris Connolly, The Safe Harbor-Fact or Fiction?, 2 December 2008, Galexia, 4,,http://www.galexia.com/public/research/assets/ safe_harbor_fact_or_fiction_2008/. accessed 30 November 2012.
34. Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25 January 2012.
35. See Peter Traung, 'The Proposed New EU General Data Protection Regulation-Further Opportunities' (2012) 2 Computer Law Review international 47 fn 97.
36. For further details see Lokke Moerel, Binding Corporate Rules-Corporate Self-regulation of Global Data Transfers (2012);
37. Miriam Wugmeister, Karin Retzer, and Cynthia Rich, 'Global Solution for Cross-Border Data Transfers: Making the Case for Corporate Privacy Rules' (2007) 38 Georgetown Journal of International Law 449.
38. Christopher Kuner, 'The European Commission's Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law' (February 2012) Bloomberg BNA Privacy and Security Law Report, 10.
39. See Christian Drechsler, 'Data Transfers Within Europe: contractual Data Protection Clauses in Practice: why contract clauses in countries with adequate level of data protection provide more difficulties' (2011) 6 Computer Law Review international 163-4.
40. See the subsections above entitled 'Binding corporate rules' and 'Standardized contractual rules'.
41. Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 153, 24 June 2008, 4.