Post on 10-Mar-2016
Transborder Data Flows A Discussion of Their Regulation
1992
Tom Ogaranko, BA, LLB
1/1/1992
TRANSBORDER DATA FLOWS: A DISCUSSION OF THEIR REGULATION
By Tom Ogaranko, BA, LLB
CONTENTS
Chapter 1: Introduction
1.1 The current technology
1.1.1 Informatics Technology (IT)
1.1.2 Communications Technology
1.1.3 Effects of Converging Technologies
1.2 The technology stakeholders
1.2.1 National Governments
1.2.2 Multinational Corporations
1.2.3 Less Developed Countries (LDCs)
Chapter 2: What is Transborder Data Flow?
2.1 Issues of definition
2.1.1 What is information? Is it a service or commodity?
2.1.1 The Definition of Transborder Data Flows
2.2 What type of data is collected and transmitted?
2.2.1 Personal Data
2.2.2 Business Data
2.3 What type of data flows occur?
2.3.1 One-Way Flows
2.3.1 Two-Way Flows
2.4 Main characteristics of transborder data flows
Chapter 3: Regulation of Transborder Data Flows
3.1 Reasons for regulation
3.1.1 Privacy
3.1.2 Security
3.1.3 Sovereignty
3.1.4 Economics
3.2 Types of regulation possible
3.2.1 Regulation of Data or Flows
3.2.2 Regulation of Communications Technology
3.3 Methods of regulation
3.3.1 National Legislation
3.3.2 International Agreements
Chapter 4: Regulating Principles and Stakeholder Interests
4.1 Regulating Principles
4.1.1 Principles governing personal data
3.1.2 Principles governing non-personal data
3.2 Impact on stakeholders
3.2.1 Multinational Corporations
3.2.2 Governments of Developed Countries
3.2.3 Governments of Less Developed Countries
Bibliography
Notes
CHAPTER 1: INTRODUCTION
Since distance, time of day, and the crossing of national
boundaries are no longer issues for today's advanced technology,
it is apparent that access to and dissemination, collection and
control of information can become a major national and
international policy issue.[1]
When defined in the broadest possible sense, the subject of
international data flows, although not yet widely recognized as
such, could be one of the paramount issues in the closing years of
the 20th century. Technology transfer, cultural dominance,
industrial strength, full employment, mass education are only a
few of the issues lying beneath the surface.[2]
As these two quotes imply, computer technology and its recent union with
telecommunications technology have sent societies reeling from their effects
on thought and action. This is demonstrated in the way in which we relate
to space and time.[3] The space required for engineers to simulate reality,
or for business and government to store and keep records is physically
reduced to a series of electronic bits and their manipulation on computers
can drastically increase processing time to attain the desired results.
Through such technology we are extending space and time into dimensions
of our own creation. We talk of extracting a file or document, sharing files
over a network and performing simulations or searches on overseas
computers. The new telecommunications and network technologies
extend our immediate space and time to other places around the globe.
Consequently, computer and telecommunications technologies have little
regard for governments and their laws. Effective regulation of
transnational communication between computers and the storage,
processing, and sharing of information has been a problematic area in
the international legal community for the last twenty years. There have been
numerous attempts to establish common regulatory principles and to
harmonize national laws and regulatory schemes. But these efforts have
had limited success.
There are many reasons why these efforts have proved fruitless. The
constant changes in technology and the uses for which it has been
employed are not fully understood by regulators and policymakers. They
never shall be, as there is a lag between the introduction of a technology,
the discovery of uses for which it can be usefully employed, the realization
that regulation is needed and the formation of guiding principles and
policies.
Two themes become apparent when exploring this phenomenon in
relation to transborder data flows (TBDF or TDF). First, multinational
corporations control the bulk of the information and the technology
required for TBDFs. They rely on their national governments to defend
their interests in national and international forums of regulation. The
governments of developing countries[4] rely on the multinationals to
provide them with the needed technology for national economic
development and see regulation as central to this goal. The second theme
concerns the influence of multinational corporations on the regulatory
debate. They have successfully moved the negotiations away from privacy
protection and economic protectionism to trade in services, and in so
doing, have moved the forum of discussion out of traditional international
agencies like the ITU and UNCTAD to trade forums like GATT.
To demonstrate these themes, this paper is written in five parts. Part I
explores the current technology and owners and stakeholders of that
technology, while Part II searches for a definition of transborder data flow
by exploring the different types of data and flows. Part III asks why
governments regulate TBDFs, how they regulate effectively, and by what
authority they regulate. Part IV examines the main principles of
international agreements and how the opinions of the stakeholders have
shaped their application. Part V concludes the paper by looking at who
benefits most from TBDF and whether the international policymaking
framework is adequate to deal with issues like TBDF.
1.1 THE CURRENT TECHNOLOGY
Transborder flows of information are not a recent phenomenon. Only with
the application of computer technology have they come to the attention of
policymakers. This did not occur overnight, however. Both computer
technology and telecommunications technology had to evolve before they
could be united to allow for effective transnational sharing of information.
Once achieved, this technology was soon applied to aid in economic,
social, and political development. This phenomenon has become known as
'telematics.'[5]
1.1.1 INFORMATICS TECHNOLOGY (IT)
Informatics Technology includes advances in both hardware and software
that have increased the processing speed, storage capacity and data entry
methods of today's computers. IT developments over the last 25-30 years
may be simplified into a three-step progression.[6]
The first generation systems were simple databases of information, such as
social insurance, health insurance and tax records. These remain the most
widely used systems. At this stage, though, users filled out paper forms, the
information from which was punched onto cards and read into the
computer for storage and processing. Computing occurred in the
"background".
The second generation of IT was on-line information processing. Using
terminals, people began to communicate with the system. Forms and
punch cards were by-passed. Built-in mechanisms confirmed consistency
and guarded against duplication. Rules were introduced as programs in the
system were executed automatically.
The most recent generation emphasizes knowledge-based technology. This
development coincides with the introduction of the personal computer.
These systems move an increased amount of decision making from people
to the machines. For example, electronic data interchange (EDI)
technology can conduct simultaneous inventory and accounting functions
while automatically invoicing suppliers taking into account shipping time
and the current rate of sales of the item.
1.1.2 COMMUNICATIONS TECHNOLOGY
The most recent generation of computers would not have been possible
without communications technology. Though initially data was transmitted
through conventional telephone systems, large users began demanding a
variety of telecommunications services that would facilitate fast and easy
transfer and processing of data. Telecommunications companies have
responded by offering a wide assortment of services besides regular
telephone and telex, such as facsimile (fax), call waiting, call forwarding,
conference calling, video conferencing, automatic calling, data
transmission, dedicated digital circuits, integrated services digital networks
(ISDN) and packet-switched data transmission.[7] Transmission now occurs
over landline (coaxial cable, fiber optics), microwave, radio, satellite data
links, remote sensing satellite, private processing and data transmission
networks.[8] Services such as these are offered also through banks and
multinational corporations (MNCs) as part of the services they provide
their clients and customers.
1.1.3 EFFECTS OF CONVERGING TECHNOLOGIES
In a recent UNESCO report it was asserted that "the merger of computer
and telecommunications technologies is, in fact, the precondition for the
emergence of transborder data flows."[9] TBDF created the opportunity to
share information across vast distances to provide instant access to
information or information processing facilities. Everyone and everything
have become affected by TBDFs. The integration of the two industries has
created several products not widely available until recently, such as on-line
electronic databases and information systems, processing services such as
airline reservation systems, inter-banking systems and electronic fund
transfers and messaging services such as electronic mail and electronic
data interchange (EDI).[10] Now there is a burgeoning international trade
in information and data processing services that include several traditional
products and many new ones. For example, news, health services,
education, agriculture, manufacturing, transportation, marketing, credit,
banking and finance, accounting, insurance, law enforcement, and every
government function from security to weather prediction and disaster
relief are now available through on-line networks.[11]
In August of 1991, VAN vendors agreed to a uniform international standard
for Value Added Networks (VANs) that provide easy, transparent, efficient
exchange of information. ANSI X12 Mailbag is now "the" transparent global
switch between all network systems.[12]
With this development EDI will become more feasible and useful for
business. EDI is the standards-based computer-to-computer exchange of
inter-company business documents and information.[13] In a recent Globe
and Mail supplement, it was stated that "[t]he world is moving toward EDI.
Like it or not, if Canada is to remain competitive, we have to move
too."[14] Trade in technologically advanced nations has moved to a
transparent, instant marketplace and has left other nations behind in
traditional market mechanisms.
1.2 THE TECHNOLOGY STAKEHOLDERS
There are several people involved in the rapidly evolving and changing field
of telematics. Nation states, intergovernmental (for example, ITU, IBI,
INTELSAT, Council of Europe, OECD) and nongovernmental organizations
such as private communication carriers, data processing service bureaux,
MNCs, and transnational associations all have a stake in the development
and direction this technology takes.[15] The battle and alliances between
these stakeholders are played out in national and international arenas. In
this article, I wish to focus on national governments of developed and
developing countries, MNCs, and their involvement in the ownership or
regulation of the technology and TBDFs.
At the risk of overgeneralization, I exclude intergovernmental associations
as they are collections of national governments acting in concert.[16]
Private communications carriers and service bureaux are included in MNCs
as many are owned in whole or in part by MNCs. Moreover, many of their
corporate interests are similar.
1.2.1 NATIONAL GOVERNMENTS
National governments are involved in the telematics industry in several
ways. Much of the administration of governments today is done
extensively with computer technology. Data is often shared between
departments, different levels of government, and between the
governments of different countries. That data may be personal records or
technical and scientific information. In many countries, computer
communications networks are operated by government owned Post,
Telegraph and Telephone (PTT) authorities. Many international systems
are cooperative efforts of governments and are organized as a service,
such as GEISCO EDI service, UN Secretariat systems, and most academic
research networks like INTERNET.[17] Governments often back new
ventures and later sell the technology to private industry, such as is
currently happening in the USA with remote-sensing satellite technology.
1.2.2 MULTINATIONAL CORPORATIONS
Though it is obvious why governments are stakeholders in the regulation
of information, it is not so obvious in the case of MNCs. Economists such as
Galbraith and Drucker argue that as a society grows and becomes more
technologically advanced, it furthers its goals and values through
institutions. "In a pluralist society, all institutions are of necessity political
institutions"[18] for they all must justify themselves in terms of their
impacts on society and the satisfaction of all their respective
"constituencies". Thus, corporations have become activists in politics,
setting goals and creating visions rather than merely cooperating,
responding and reacting.[19] They want to create a vision in which they are
free to prosper and grow as well as aid their domestic support industries.
However, they must not act in ways that lead to rejection and opposition by
national governments. In short, they must "satisfice"[20] their constituents,
balancing their business needs with the interests of various national
governments.[21]
In the private sector, those most involved with computerization are the
most important information industries, namely, those involved with the
acquisition, transfer and protection of property. Thus, banking and credit,
brokerage, insurance, accounting, legal services, and advertising together
account for the bulk of informational services.[22] In fact, MNCs in their
endless "search for new markets, raw materials, and maximum profitability
[are] the engine[s] powering the international transformation now
proceeding."[23] To maintain profitability, MNCs have come to require
information in the following areas:[24]
• Information about competitors' behaviour, which becomes
increasingly complex as the degree of transnationalization
increases. A key area of information here is technological
(product) development related.
• Consumer behaviour in the market sectors where the corporation
operates is essential.
• Technical/scientific information that relates to the specific
products the company produces.
• Information about the economic, fiscal, legal and political
environments in which the corporation operates.
To obtain this information, modern MNCs have made TBDF a basic
requirement of their operations and of those that service them.[25] In fact,
the infrastructure of MNCs has created most of the transnational
computing systems through which seventy percent of world trade is
conducted.[26] Business has come to require TBDFs in several areas of
their operations. A 1983 OECD survey revealed that:
• Crucial to managing international operations is the availability of
accurate and timely information with the flow of information
paralleling the increasing flow of goods and services.
• From basic design and research, through production, marketing
and distribution to after-sales service, TDF have been used to
reduce costs and increase productivity.
• In some cases the improvements in performance allowed by TDF
are so great as to make it possible for the firm to reorganize its
operating structure in a more efficient way.
• TDF allow firms to offer entirely new products.
• The improved information flows made possible by TDF broaden
and deepen the world market and make it increasingly
interdependent. The communications network takes on the
aspect of a nervous system, both for international firms and for
the world economy in general.
• Telecommunications policy is going to have to have an increasing
impact on the behaviour of MNEs and therefore the development
of world trade and foreign investment.[27]
Essentially, MNCs use IT for coordinating activities between parent and
subsidiary, providing corporate intelligence, internalizing market
transactions, increasing processing efficiency, providing technology based
firm-specific advantages, and simplifying the bargaining relationship
between host countries and MNCs.[28]
1.2.3 LESS DEVELOPED COUNTRIES (LDCS)
Many host countries with which MNCs deal are developing or less
developed nations (LDCs). LDCs rely largely, through licensing
arrangements for transfers of technology, on MNCs to supply the required
technology for TBDFs. This endeavour is supported by the Draft Code of
Conduct on Transnational Corporations,[29] which will require the MNC to
aid the development of the scientific and technological capacity of the
developing nation with which it is dealing.
Currently, LDCs are not able to effectively use TBDFs or the information to
which they would gain access. MNCs and the governments of developed
nations can raise the needed funds for the required hardware and
software and transmission costs, and can mobilize the required skills and
industrial networks through which data can be most effectively used,
whereas most LDCs cannot. Thus, TBDFs “add yet another component to
the large discrepancies in the information capacities, and by implication in
the trading capacities, of developed and developing countries.”[30]
This information and trade gap, exacerbated by dependency on MNCs for
the technology required for TBDF, has left developing countries' ability for
self-reliant development hampered. Self-reliant development connotes the
ability to make autonomous allocative decisions. Independent
development creates unique information requirements. Currently, TBDFs
do not meet such requirements. According to one UNESCO study,
[t]hey are oriented towards the needs of the transnational
corporations and do not provide the developing countries with
their needs and priorities. They weaken, in fact, the developing
countries' national capacity for decision making about their own
resources.[31]
Throughout this paper, I shall refer to the impact the regulation of TBDF
has on these three stakeholders. It shall become evident how the
definition of TBDF is instrumental to determining the ultimate beneficiaries
of the technology and the data flows.
CHAPTER 2: WHAT IS TRANSBORDER DATA FLOW?
2.1 ISSUES OF DEFINITION
2.1.1 WHAT IS INFORMATION? IS IT A SERVICE OR
COMMODITY?
Some scholars question whether information and data are synonyms.
Some argue that data constitute the raw material for information; that
processing is required to transform one to the other. Olga Estadella-Yuste
questions whether there is a difference between data and information.
She asserts that 'data' is a term from the computer era and 'information' is
a term from the pre-computer era. I agree, as all raw data is itself
processed from machine-readable format to appear as written text on the
screen. Maintaining two separate terms complicates the debate
unnecessarily.[32] Accordingly, the terms information and data are used
interchangeably in this paper.
Is the information accessible through network systems a service or a
commodity? The answer determines the nature of the rules that apply to
the regulation of information trade or exchange. It will determine the
nature of the legal obligations and duties of the parties involved. For
example, if information is a commodity then it can be expropriated,
whereas an information service cannot be appropriated.[33]
More specifically, this determination will be crucial in determining the
need to regulate certain TBDFs and the type of regulation used.
2.1.1 THE DEFINITION OF TRANSBORDER DATA FLOWS
Defining TBDF is not as easy as one might assume. There is a division in the
literature between two possible definitions. Adherence to one or the other
of these definitions will expand or contract the reach of TBDF legislation.
TRANSFER AND STORAGE OF DATA.
Transborder data flow "may be broadly defined as the transfer of
computerized data across national borders."[34] This definition requires
that data not only be transmitted across national borders, but that it also
be stored outside the originating jurisdiction.[35]
STORAGE OR TRANSFER AND PROCESSING OF DATA.
This second definition, proposed by Novotny, requires a transborder data
flow to both store and process data outside the originating jurisdiction.[36]
Traditional telephony allows for transmission, but not storage or
processing. Storage facilitates the manipulation through forms and orders
of databases of information. This excludes all mass diffusion products such
as media, and conventional (basic) telecommunications products.
Millard criticizes this as being too narrow, "as much of the concern about
transborder data flow arises where data is simply stored in a foreign
jurisdiction, out of reach of an interested individual, corporation or
government."[37] However, if all that Novotny requires is the processing to
convert data into digital signals, and convert it back into machine-readable
format and human-readable format, then Millard's concern may be
misplaced. However, if Novotny requires more extensive processing than
this, Millard's point is valid. It would exclude one-way transfers of data
across borders and only be applicable to transnational and multinational
flows (discussed below). Before settling on a definition the type of data
sent and the manner in which it is sent must be examined.
2.2 WHAT TYPE OF DATA IS COLLECTED AND
TRANSMITTED?
There is a wide assortment of data kept around the world. It can be broken
down into four basic categories: personal data, business data, technical
data, and organizational data. These groupings are not discrete. One kind
of data may be included as part of any one of the other three. This
classification is used to elucidate the issues involved in TBDF regulation of
different data, as the nature of the information sent abroad becomes
important when determining the rules applied to the TBDF.[38]
2.2.1 PERSONAL DATA
Personal data is the most sensitive type of data. It includes data such as
plane reservations, medical or criminal records, and credit card billings.[39]
Most countries have recognized or are recognizing the need to provide
some protection against unauthorized processing of sensitive personal
data. The main international instruments for regulation of TBDF are
concerned with personal data, even though it makes up only ten percent of
all TBDFs.[40]
2.2.2 BUSINESS DATA
Business data is that by which financial and business transactions are
conducted and contracts are executed. For example, the banking
community has created the Society for Worldwide Interbank Financial
Telecommunications (SWIFT) whereby they provide electronic fund
transfer (EFT) services through a steadily expanding network of
systems.[41] With the automation of the financial and corporate sectors
"the computerized supply of financial and commercial information has
become a major and growing source of profit."[42] Hence, governments
are beginning to regulate them. They wish either to tax these profits or
protect domestic industries.[43]
2.2.3 TECHNICAL DATA
Technical or scientific data includes weather forecasting, geological
exploration, market research, product specifications and experimental
results. This information is usually of considerable economic and strategic
importance, and is usually central to any transfer of technology
arrangement.[44] Some of this information is now gathered by remote
sensing satellites.
2.2.4 ORGANIZATIONAL DATA
Organizational data is sometimes called "operational data" as it relates to
the administrative functions or decisions of transnational organizations,
usually between a corporation and its subsidiaries, foreign distributors, or
licensees. These are regulated for not only the protection of personnel
records and their personal information, but also for political or economic
reasons.[45]
2.3 WHAT TYPE OF DATA FLOWS OCCUR?
All data types are used generally within four major contexts: intra-
company information, inter-company information, governmental
information needs, and transnational pursuit of information resources, i.e.,
use of remote databases.[46] For all the applications of telematics
technology, there are two different types of flows: one-way and two-way
flows. These are shown in Diagram 1.
2.3.1 ONE-WAY FLOWS
One-way flows either consolidate or distribute information from sources in
other countries. Hence, there are two types of one-way flows.
CONSOLIDATION FLOWS
Consolidation flows demonstrate a simple subsidiary reporting
relationship. For example, the headquarters in country B gathers all
information from subsidiary offices such as that in country A. This includes
such information flows as operational management and credit
transactions.[47]
DISTRIBUTION FLOWS
Where a centralized operation distributes data to several subsidiary
organizations there is a distribution flow. Examples include sending
information updates to local files and databases, and distributing
organizational instructions, financial reports, product orders,[48] and
meteorological information to several countries.[49]
2.3.1 TWO-WAY FLOWS
Two-way transfers of data occur for two reasons: lack of processing
capacity in the home country; or, where databases are shared
internationally (such as a credit reporting agency).[50] There are also two
types of subflows: transnational and multinational.
TRANSNATIONAL NETWORK FLOWS
Transnational network flows exist where users in one country connect to a
host computer in another to use either the host computer's facilities or
databases. These are exemplified by a shortage of information or
computational facilities on behalf of the user, such as in service bureau
arrangements.[51]
MULTINATIONAL NETWORK FLOWS
Multinational network flows are characterized by multiple users and hosts
where data storage and processing may be centralized, decentralized, or
both. Large service bureau and time sharing networks operate in such
fashion.[52]
DIAGRAM 1: Patterns of Transborder Data Flow Movements
Although there have been few attempts to measure the aggregate volume
and direction of TBDFs, heavy concentration of satellite and submarine
cable in the North Atlantic and between the USA and Japan indicate the
predominance of TBDF within the industrialized west. Yet smaller
industrialized countries, such as Canada, Sweden, and France, feel
threatened by their growing dependency on the American collection and
dissemination of information.
The direction of the flow is reinforced by the uneven distribution of
computer processing and communication technologies among nations.
"Computer poor" countries, especially those in the developing world, often
have to export raw data for processing and re-import the processed data.
With the data outflows go data processing related jobs, revenues, and
business. This, however, is not new. It is analogous to trade in other
industries where LDCs export raw materials to purchase finished goods at
higher cost. Noticeably lacking is the exchange of information among
developing nations to integrate and represent their interests. This further
exacerbates their dependency on the developed world.[53]
2.4 MAIN CHARACTERISTICS OF TRANSBORDER DATA
FLOWS
By way of summary, the main characteristics of a TBDF can be
demonstrated by an example. If data from country A is transported
through country B without processing or usage occurring en route, it does
not count as a TBDF. However, if the data is stored in country B while
awaiting retransmission, then a TBDF has occurred.[54] The act of storing
the data requires the data be processed, which qualifies it even under the
more strict definition of TBDF required by Novotny. Information
transmitted may be of a personal, business, organizational, or technical
nature and may be transmitted in one- or two-way flows. TBDFs are
usually based on contractual relationships and are proprietary in
nature.[55]
CHAPTER 3: REGULATION OF TRANSBORDER DATA FLOWS
3.1 REASONS FOR REGULATION
When governments and international bodies regulate TBDFs, it is often
stated that it is done for the protection of personal privacy, national
security, or national sovereignty. Seldom will it be admitted that the
rationale behind regulation is national economic welfare. Often those
subjected to regulation accuse regulators of using privacy, security or
sovereignty to hide protectionist motives. They are often correct in making
such accusations.
3.1.1 PRIVACY
Computers have facilitated the amassing of information about individuals
for a large number of purposes. Communications technology has allowed
the rapid and easy transfer of information within and between countries.
This has caused concern over the reasons for which personal information is
collected, how it is stored, and its possible applications that may be
adverse to individual interests. This has led many countries to pass privacy
legislation to protect a person's[56] privacy. However, most legislation is
plagued by technical issues of enforcement.[57] Moreover, there still exists
a fear that
protective provisions will be undermined if there are no
restrictions on the removal of data to other jurisdictions for
processing or storage. Just as money tends to gravitate toward tax
havens, so sensitive personal data will be transferred to countries
with the most lax, or no, data protection standards. There is thus a
possibility that some jurisdictions will become 'data havens' or
'data sanctuaries' for the processing or 'data vaults' for the
storage of sensitive information.[58]
Some countries have dealt with this fear by restricting outflows of data.
For example, Sweden does not allow TBDF of personal information unless
expressly authorized by their Data Inspection Board. The rationale is that
the Swedish government does not trust the Data Acts in other countries
and feels unprotected. Brazil does not allow information to leave the
country unless the government approves the purposes for its transmission.
"Thus, on an ad hoc basis, privacy conscious countries are effectively
censoring the data processing regulations of other, less protective
states."[59]
3.1.2 SECURITY
Some countries may feel their national security is threatened by excessive
reliance on and use of TBDFs. They may introduce legislation to ensure
that the critical mass of national data is not held outside the state; fearing
that data stored and processed in another state may become inaccessible
in a time of political confrontation.
Such interference did occur when President Reagan, over a dispute
regarding the Siberian gas pipeline, ordered Dallas-based Dresser
Industries to halt technical communications with its French subsidiary, a
compressor manufacturer. Since the French company no longer had access
to important technical databases, they lost an Australian contract worth
$3.5 million.[60]
There is also a fear that nationally sensitive information may be removed
from the country without permission. This is why the US National Security
Agency (NSA) regulates all encryption techniques and develops encryption
standards with International Business Machines (IBM). The NSA asserts
that unrestrained data encryption threatens national security, but more
than likely it also hampers their own international communications
monitoring activities.[61]
International organizations have sanctioned such interception and
interference practices. For example, the International Telecommunications
Union's (ITU) International Telecommunications Convention of
Malaga-Torremolinos sanctions the interception, monitoring and ceasing of
international communications in the name of national security.[62]
3.1.3 SOVEREIGNTY
Loosely defined, "sovereignty" seems to concern a nation's ability to
protect its political autonomy and cultural integrity. The Canadian Clyne
Committee defined sovereignty as "The ability of Canadians (both in
government and in the private sector) to exercise control over the
direction of economic, social, cultural, and political change."[63]
Telematics has altered the concept of economic, social, cultural and
political sovereignty from geographic terms to information terms. As
information expands its role in management, it is something over which
states feel they must exert control, but to date, any attempts have met
with limited success.[64]
There are several areas in which states are feeling threats to their
sovereignty. First, a specific fear of Europeans is that data moved, via
communications technology, outside the state could become the target of
espionage. This fear may motivate a government to regulate outflows of
such sensitive data as sanctioned by the ITU, even though such regulation
may not prevent espionage.[65]
Second, a state's sovereignty is threatened by MNCs, the most powerful
non-state actors involved in TBDF. A primary threat is international
currency speculation. Empowered with an automated global banking
system, MNCs can now bypass national fiscal and monetary policies. A
French government study reported nations have lost control of
international cash flow and credit as distributed through specialized
networks. They conclude that "it was impossible to implement 'a coherent
financial policy' because worldwide electronic currency transfer makes
exchange systems 'volatile'."[66]
Third, the dependence of developing nations on foreign data processing
services is seen as a threat to a nation's sovereign control over natural
resources, security considerations, and culture.[67]
For example, the United States government has installed a series of
remote sensing satellites that it may one day privatize. These satellites can
survey the natural resources and land formations of countries without
obtaining their permission. This has increased the fear of developing
nations that they might be disadvantaged by the ability of developed
countries to exploit the natural resources of developing countries. This has
motivated many developing countries to assert sovereignty over
information and data concerning natural resources that is in the hands of
others. The Americans refuse to acknowledge the position put forward by
developing nations. Hence, technologically advanced countries assume
rights over information obtained by remote sensing, while denying the
countries whose territories have been surveyed the right to claim
sovereignty over their natural information.[68]
To protect national sovereignty over information and control dependency
on other nations for technology and information, some countries have
developed telematics policies that regulate the collection, use and
dissemination of information. For instance, Brazil, perhaps more than any
other nation, has developed a coherent policy framework to manage the
new technologies and with them TBDFs.[69] This has been done to
maximize national control over the technologies and their employment,
access to information, and control the impact on Brazil's cultural and
political environment.[70]
It must be emphasized that even though LDCs fear that the information
revolution may serve to widen the gap between rich and poor nations,
TBDFs have become a crucial part of an LDC's development. TBDFs are seen
as "bridging the gap between nations by contributing to a transfer of such
data resources as computer hardware, databases and information
jobs."[71]
Louis Joinet, French Magistrate of Justice, extracted the real issue in the
regulation of TBDFs when he said that
[i]nformation is power, and economic information is economic
power. Information has an economic value and the ability to store
and process certain types of data may well give one country
political and technological advantages over other countries. This
in turn may lead to a loss of national sovereignty through
supranational data flow.[72]
Even though a country's telematics policies have overlapping political and
economic concerns, there can be a theoretical distinction drawn between
a state's security or sovereignty and that state's policies for economic
advantage.[73]
3.1.4 ECONOMICS
The status of data-processing operations can have significant economic
consequences for nations, since it creates high paying technical jobs in
data-processing countries, leaving low paying jobs and key punch
operations in data exporting countries. TBDFs are becoming national
economic indicators, as important as balance of trade and
employment.[74] It is not surprising then, that the pursuit of economic
advantage has become the driving force in the erection of barriers to
TBDFs. American MNCs, heavily dependent on free information flows, have
been complaining that "other countries are using privacy concerns as a
smokescreen for what are essentially protectionist economic policies."[75]
However, it is interesting that countries place restrictions on TBDFs for
different reasons. More technologically advanced countries place
restrictions on flows to protect their own industries, whereas developing
countries regulate data flows as part of a larger development strategy. This
warrants more extensive examination, as this is crucial to understanding
the reasons behind the shift in direction of the TBDF debate.
ECONOMICS AS USED BY DEVELOPED COUNTRIES
The political and economic mechanism of late-twentieth century capitalism
shows the paramount role of government in developing, maintaining, and
assuring the profitmaking interests of the corporate sector in new
economic developments.[76]
The regulation of TBDFs by advanced industrial nations is done for political
and economic reasons. Within a state, the advanced technology industries
and associated and dependent industries are strong lobbies, especially if
they are large multinational corporations. Their desire to ensure stable
economic growth and profit leads them to demand that their governments
place restrictions on other MNCs or technology importers. Often, the
means used to restrict foreign business is to prevent easy access to
information about the activities of subsidiaries, licensees, or clients. One of
the restrictive means employed against these businesses is the regulation
of TBDF in the guise of privacy protection or national sovereignty.[77] The
real economic motive is not disclosed. It has only recently been
understood in economic theory.
The pervasive use of technology in a country has led to a drastic rethinking
of economic theory. The standard understanding of economics typified by
the neoclassical supply and demand curves (Diagram 2) becomes
fallacious. A new understanding of supply and demand has emerged in the
high-technology industry (Diagram 3). As a new technology is developed, a
great deal of capital must be invested in R & D. Consequently, cost-per-unit
production is high as compared with the neoclassical view of low costs.
However, as improvements are made in production techniques and
product design, the cost per unit production decreases. The slight plateau
in the supply curve in diagram 3 is due to the cost of investing in mass
production of the technology; the final drop in the curve exists at a point
where investment allows for the development of a new technology,
making this technology outdated. This notion is foreign to neoclassic
economic theory. Moreover, in the high-technology model, "undersupply
lowers prices and oversupply raises prices (precisely the opposite of the
classical conclusion)."[78] This is a result of increased production in a time
of undersupply, increasing the rate at which a firm moves down the supply
curve. Oversupply evokes the opposite response, thereby slowing
technological progress.
DIAGRAM 2: Classical picture of the supply-demand equilibrium
DIAGRAM 3: High-Technology revision of classical supply-demand
equilibrium
It is not surprising that these two models lead to very different policy
considerations. Note the points of equilibrium on both diagrams. The
neoclassic model has only one smooth point of equilibrium that wipes out
a record of all prior history of market activity. The high-technology model
has several points of equilibrium, bringing in prior market history as a basic
determinant:
a society can find itself in one or the other of two possible
competitive states, either competitive or entirely overwhelmed,
depending on the prior economic history of itself and its
competitors. Furthermore, a small shift in either the supply or the
demand curve can move crucial parts of one of the curves entirely
out of contact with the other. This represents the total collapse of
an industry overwhelmed by an initially small but persistent price
or other advantage accruing to or seized by a competitor.[79]
The rightmost equilibrium (B) is a healthy industrial sector, the leftmost
equilibrium (A) represents an industry that, having lost its mass market,
can maintain only enough R&D to keep itself surviving at a minimal level.
When it comes to regulation of TBDFs, countries with high technology
sectors at equilibrium B will impose regulation to prevent foreign
competitors from developing a strong presence in the domestic market,
thereby threatening domestic producers and MNCs who rely on a strong
domestic market to fund foreign ventures.
Countries with technology sectors at equilibrium A will regulate TBDF to
protect infant industries while they move down the supply curve to
equilibrium B, or if they wish to save a technology industry on the brink of
being overtaken by foreign competition.
LDCs, if they have a high-technology industry, often regulate to protect
their infant industries from foreign competition. Brazil is a case in point.
However, this is not the only economic rationale for TBDF regulation by
LDCs.
ECONOMICS AS USED BY DEVELOPING COUNTRIES
Developing nations see telematics as essential to development. The
technology facilitates both the acquisition and use of technical and
scientific data which can improve developmental policymaking. LDCs can
use the databases of advanced countries to save on the costs of doing
extensive research on their own, while still formulating their own
economic and technological policies. Likewise, the education required to
implement and utilize the technology fosters social and political
development.[80]
However, the ability of developing countries to achieve self-reliant
development in a highly technological world has meant increasing
dependency upon their ability to obtain and utilize telematics technology.
As a result, many LDCs have implemented national telematics policies
which reflect their desire to gain access to the economic and technical
information required for development. Consequently, these policies create
restrictions on the international flow of data that may hamper or deter
MNCs attempting to enter LDC markets.[81]
LDCs lack informatics infrastructure for several reasons. They lack the
required technology for local R & D and innovation. LDCs lack the
institutional framework to effectively amass, analyze, and disseminate
information to its users. Lastly, as the technology is always changing, LDCs
often lack the financial resources and trained personnel to keep pace with
developments and changing requirements.[82]
In an effort to develop telematic resources, LDCs have created a series of
initiatives, policies and regulations which have partly led to the
development of barriers on unrestricted TBDF. These restrictions are
aimed at reducing the dependency on foreign technology, data-processing
facilities, and information. As technology often enters developing nations
as MNC foreign direct investment, the degree to which developing nations
wish to regulate TBDF often depends on their relationships with MNCs.[83]
3.2 TYPES OF REGULATION POSSIBLE
Legislative and administrative restrictive practices that influence TBDF
are many. Effective regulation is done through either regulation of the
nature of the data or regulation of access to the telecommunications
technology used to engage in TBDF.[84]
3.2.1 REGULATION OF DATA OR FLOWS
Legislative and administrative restrictive practices that influence TBDF
are many. Some countries impose requirements that 'domestic'
information and transactions be processed in the home country. For
example, Germany requires that private leased lines with international
access carry out 'substantial' local processing before transmission. The
1980 Canada Bank Act requires all 'basic' financial data to be processed
and maintained in Canada. Measures like these restrict business
opportunities for foreign data processing service firms.[85]
Other countries place restrictions on data content. For example, the
Swedish Data Inspectorate in 1988 refused to allow a company to send
potential customer files to the US for direct marketing purposes. They also
require that all data bases be registered with the Inspectorate.[86] Other
countries require proper security measures[87] and national control over
data while abroad.
France, too, affects the ability of TNCs to obtain information they need for
their foreign operations by restricting the flow of information through their
data protection laws.[88]
Nigeria requires forty percent local ownership in data-processing service
companies and communications equipment manufacturers. This
discriminates against foreign investment.[89]
The USA's National Security Agency worked closely "with IBM on the
development of computer encryption equipment and, in particular, the
creation of the Data Encryption Standard (DES), designed by IBM and
certified for use by the National Bureau of Standards. Moreover, the DES is
standard for all exported equipment,"[90] which aids in international
industrial espionage efforts, already alluded to.
3.2.2 REGULATION OF COMMUNICATIONS TECHNOLOGY
Within the telecommunications area there are presently two competing
plans for development. On the one side, a postal-industrial coalition of
companies define the issue as one of monopoly control over services
versus market integration. The coalition argues that monopoly service
provision will provide users with equal access to services, standardized
protocols, procedures, and technologies, and economies of scale with the
lower overall investment cost.
Conversely, the telematics coalition of companies and service providers
wants to see market segmentation and greater competition. This would
facilitate faster technological progress, customized networks, and lower
costs for larger users.[91]
The number of initial commitments for liberalization of
telecommunications regulation by many GATT member countries indicates
the telecommunications sector is in a state of transition, from a state of
monopoly control to a more competitive environment.[92] This does not,
however, mean that countries do not regulate TBDFs through their
telecommunications policies; many do.
For example, Japan increases the cost to large users of data
communications, thereby making data communications unfeasible. This is
done by discouraging or denying the leasing of private circuits. Germany
refuses to connect international leased lines to public networks unless the
connection is made via a computer which carries out at least some
processing. This increases the cost to users, especially smaller users.[93] At
one time, Germany required companies to lease a minimum of four lines if
they wished to conduct TBDFs.
Other restrictive practices that influence TBDF have also been employed.
The imposition of narrow or inconsistent technical standards on both
telecommunications service providers and users makes technical
connection to appropriate VANs and network facilities impossible. The
threat of taxing value-added data processing has reduced the willingness
of business to engage in TBDFs. The French government has studied the
feasibility of measuring TBDF to apply such measures.[94]
3.3 METHODS OF REGULATION
The various types of flows and data already discussed will influence
regulatory conditions, as the location of the user, the direction of the flow,
and the geographic location of storage and processing functions will
determine the effectiveness of regulation.[95] This is true whether the
regulatory instrument is of a national or international character.
3.3.1 NATIONAL LEGISLATION
Currently fifteen countries have data protection legislation on their statute
books, and bills are proposed in eight more states. All were passed within
the past twenty years, Sweden being the first in 1974. Most of the laws
have been passed in Europe, and have not produced a uniform standard of
regulation.[96]
States have focused on two issues: the sending of personal data across
national borders and the protection of individual rights. Thus, the laws
passed cover personal data only. Some legislation includes personal data
held by legal persons,[97] though most states have excluded legal persons
from their legislation because of the strong lobby of the business
community and their criticism of any regulation.[98]
ISSUE: DOES THE LEGISLATION HAVE AN EXTRA-TERRITORIAL
EFFECT?
Whether national legislation can apply extra-territorially depends on its
wording. There are two cases where the wording may create compliance
problems. First, where data is collected in country A and transferred to
country B, a citizen of country B has no protection under country A's laws,
unless country A's domestic laws extend to country B's citizens. Second,
where data is collected in country A, then transferred for storage or
processing to country B, country A's transborder transfer restrictions will
apply, and country B's domestic laws may apply to protect a citizen of
country A while that data is in country B.[99]
Even with this confusing state of affairs, compliance is simple to determine
in one-way flows. Compliance with the home country's laws is all that is
needed. The situation becomes more difficult with two-directional flows.
Where the processing is a transnational or multi-national flow, the location
of the user is crucial to enforcement.[100] "The criterion of the application
of the national regulation is thus the location of the user and no more the
location of the system."[101] This criterion extends the scope of regulation
in an important way. As most systems located abroad are accessible
from another country via telecommunication systems they would be
subjected to at least two national regulations, "the regulation available in
the country where the system is located and those available in the country
where the system is used."[102]
To overcome the possible restrictive nature of such regulation, the
European Community's (EC) Council of Europe has drafted the European
Draft Privacy Directive, which spells out that the laws of a jurisdiction
control records only within that jurisdiction but do not have extraterritorial
effect.[103]
3.3.2 INTERNATIONAL AGREEMENTS
The international community has tried to reconcile the two requirements
of respect for personal information and encouragement of free and open
trade between nations in a number of international agreements.[104]
ISSUE: ARE INTERNATIONAL AGREEMENTS LEGALLY
ENFORCEABLE?
A controversy has developed over whether international agreements on
TBDF are legally enforceable. None of the agreements created to date is a
treaty, except for the COE Convention. Thus, the only area of international
law that these agreements may be binding under is international
customary law. Customary international law contains two requirements:
first, a consistent and general international practice must exist amongst
states, and second, the international community must accept the practice
as law. "This subjective element of acceptance as law is often known as
opinio juris."[105] This was formulated in the North Sea Continental Shelf
Cases, Federal Republic of Germany v. Denmark v. Netherlands [1969] I.C.J.
Rep. 3.[106] Judge ad hoc Sorenson (dissenting) commented that the
majority has reserved the possibility of
recognizing the rapid emergence of a new rule of customary law based on
the recent practices of States. This is particularly important in view of the
extremely dynamic process of evolution in which the international
community is engaged at the present stage of history. Whether the
mainspring of this evolution is to be found in the development of ideas, in
social and economic factors, or in new technology, it is characteristic of our
time that new problems and circumstances incessantly arise and
imperatively call for legal regulation. In situations of this nature, a
convention adopted as part of the combined process of codification and
progressive development of international law may well constitute, or come
to constitute, the decisive evidence of generally accepted new rules of
international law. [Emphasis added.] [107]
The issue of codification of existing international law or progressive
development of it through the activities of international associations and
organizations was also addressed by Judge ad hoc Sorenson, at supra, 242-
43. He said that the two notions, though theoretically distinct, are in
practice overlapping. The very act of formulating or restating an existing
customary rule in an international agreement may define its contents
more precisely than previously understood, while at the same time the
rule may be adapted to contemporary circumstances, factual or legal, in
the international community. However, he also states that a treaty may be
based on state practice and doctrinal opinion which has not yet crystallized
into international customary law.[108]
With this framework in mind, what is the legal status of the existing
international agreements? These documents shall be discussed with
reference to the time they came into force, their structure, their objective
and scope, and their legal effect as international law.
OECD GUIDELINES[109]
The Guidelines were developed by government experts under the direction
of The Hon. Justice M.D. Kirby, Chairman of the Australian Law Reform
Commission. A Recommendation was made to the Council of the OECD
which was adopted and became applicable on 23 September, 1980.[110] In
total, there are 24 signatories to the Guidelines.[111]
The Guidelines are in five parts and are followed by an Explanatory
Memorandum that is to guide interpretation and application of the
Guidelines. Part Three deals specifically with TBDF under the heading
"Basic Principles of International Application: Free Flow and Legitimate
Restrictions".
The objective of the Guidelines is to remove any unjustified obstacle to
TBDF, allowing only the principles of privacy protection and individual
rights to be taken into account in national legislation. The scope of the
document encompasses personal data that is processed or that which may
be used and therefore poses a threat to privacy in both the private and
public sectors.[112]
The most fundamental limitation of the Guidelines is that they are not
legally enforceable. Though they may represent a broad and significant
consensus on TBDFs and may influence the direction of domestic
lawmaking, the open-textured language means they can only serve as a
loose framework for regulatory harmonization. Both the Guidelines and
the accompanying Memorandum leave a lot unspecified and unresolved,
such as the conflict of laws problem, specific parameters limiting
regulation in the name of privacy, sovereignty, or security, trade relations,
tariff policies, employment and internal data traffic conditions.[113]
According to Estadella-Yuste, the guidelines are neither legally binding nor
a source of international law per se, but that "does not preclude the
possibility that they may have legal implications" as other signatory states
will rely on other signatories to fulfill the obligations in the
agreement.[114] The Guidelines are not international law as they took the
form of a Recommendation by the Council, which is of a non-binding nature
in contrast with decisions or declarations.[115]
OECD DECLARATION
The Guidelines on MNCs formed part of a Declaration, passed in 1985 by
the Council of the OECD. They stress the economic issues, rather than the
technical ones, raised by the internationalization of modern
telecommunications, data processing, and information services.[116] This
was the first international instrument to deal with TBDFs of non-personal
data[117] and was a reaction to the strong lobby of business communities
in member nations to allow free flow and access of information across
borders.[118]
The Declaration has three sections. The first states general facts about
computerized data and TBDFs. The second section states the intentions of
the parties, namely to promote accessibility to data, make regulation
transparent, find common policies and solutions, and consider the
international impact of national policies. The last section states the
projects to be undertaken by the OECD members. There is a strong
emphasis on commercial and economic concerns, such as data flows
accompanying international trade, computer services and information, and
organizational flows.
As the form of a Declaration is not included within the decisional process
of the OECD, but has developed through practice, its effect is considered
the same as Decisions of the Council of the OECD. The Declaration
expresses the willingness of states to be bound by certain practices, but
because it contains the wishes of several countries and is not a unilateral
declaration, it lacks the subjective element required to constitute a valid
opinio juris.[119] As the Declaration is not a declaration of international
customary law, it can be viewed as a means by which rules of law may be
detected to resolve disputes. In the absence of express rules, the
Declaration provides the means to determine fair and equitable
solutions.[120] It can be characterized as establishing a minimum
framework for developed countries on the negotiation of trade in
services.[121]
COUNCIL OF EUROPE CONVENTION
The Council of Europe's Committee of Ministers adopted the final text of
the Convention for the Protection of Individuals with Regard to Automatic
Processing of Personal Data,[122] on 28 January 1981. To become binding,
it needed ratification by five member states. On 1 October, 1985, the
United Kingdom became the fifth state in the EC to ratify the
Convention.[123]
The purpose of the COE Convention is to ensure respect for individual
rights and freedoms of everyone within the COE with respect to automatic
personal data. Thus, the scope of the convention is limited to automated
personal data files and automatic processing of personal data in both the
private and public sectors. It permits extension to legal persons and any
group of persons that may lack legal personality.[124] The convention is
divided into seven chapters, the third of which deals with TBDF.[125]
Accompanying the text of the Convention is an Explanatory Report
which states that Chapter III 'aims at reconciling the simultaneous and
sometimes competing requirements of free flow of information and data
protection, the main rule being that transborder data flows between
Contracting States should not be subject to any special controls.'[126]
The Convention is criticized on the grounds that the text of Chapter III is so
vague that it cannot provide guidance in truly reconciling the conflicting
priorities contained therein. Moreover, Paragraph Two of Article 12 makes
no provision for restricting TBDFs on grounds other than privacy.[127] This
is unrealistic and shows the limited awareness of the true scope of the
nature of TBDFs. Article 12(3a) states that a member can prevent
the transfer of data to another member if that country does not have
'equivalent' data protection legislation. Does 'equivalent' mean 'identical'
or 'similar', and who decides in the event of a dispute?[128] Despite these
shortfalls, the Convention is binding international customary law restricted
in application to the COE region. However, the Convention does provide in
Article 23 for non-member states of the Council of Europe [to] be invited
by the Committee of Ministers to accede to the Convention. This could
include countries such as USA, Canada and Australia. It could also include
the European Economic Community! [129]
Should another nation declare their intent to be bound by the agreed
practice, arguably there would be sufficient grounds to find an opinio juris,
especially after the COE allowed the country to formally accede to the
terms of the Convention.
UNITED NATIONS GUIDELINES
The UN Guidelines were adopted in final form during the 45th session of
the General Assembly of the United Nations.[130] The Guidelines on
"Computerized Personal Data Files" purport to be the minimum
guarantees to be implemented into national legislation. The principles
contained are very similar to the OECD Guidelines and the COE
Convention.[131]
This agreement does not constitute a treaty or declaration of international
customary law. Being a multilateral resolution to consider a course of
action, it lacks opinio juris and an acknowledged international practice. It
could not be considered customary law, though may aid in its
definition.[132]
GENERAL AGREEMENT ON TARIFFS AND TRADE (GATT) & GENERAL
AGREEMENT ON TRADE IN SERVICES (GATS)
Though not formally completed, the GATT and GATS agreements of the
Uruguay Round are included here for an important reason. They
demonstrate the change in focus of the TBDF debate from privacy
concerns to trade in services.
One of the central objectives of the Uruguay round is to reach an
agreement among all the participants which would establish multilaterally
agreed rules and disciplines to govern international trade in services
currently valued at over US$800 billion annually, a significant portion of
which is in the area of telecommunications services. Long-standing
national service monopolies are challenged, not by deregulation per se,
but by commitments to regulate in ways that are not prejudicial to foreign
suppliers. Market forces are to play a greater role providing better services
at lower costs.[133]
Agreement has been achieved through General Agreement on Trade in
Services (GATS), which establishes for the first time a set of multilateral
rules and disciplines for trade in all commercial services as well as
commitment to liberalize and expand such trade. To this end, negotiations
have occurred in three areas: (a) establishing a draft multilateral
framework of rules and disciplines; (b) liberalizing services trade through
governmental commitments which will be annexed to the articles forming
an integral part of the agreement; and, (c) preparing draft annexes on
special problem areas in certain sectors such as telecommunications and
financial services that will be included in the final agreement.
Two sectoral annexes have been proposed for trade in
telecommunications services. The first deals with access to and use of
public networks and services. The objective of the annex is to ensure
service providers have access to and use of services under transparent,
reasonable, and non-discriminatory conditions. The second annex would
provide for an exception from the Most Favoured Nation (MFN) principle
for basic telecommunications. Though all parties want a strong MFN
provision, this has become a source of disagreement between the
developed and developing countries in the negotiations.[134]
The GATT forum has become a battle between different conceptions of
liberalizing TBDFs in the developed world. The Americans and the
Europeans have proposed different methods for handling liberalization of
trade in services (including TBDF).
The United States urges general liberalization but would allow reservations
and special agreements for specified areas. The EC advocates a general
multilateral framework agreement with sector-by-sector
liberalization.[135]
For example, banking has proven to be a major point of contention. The
United States wants a special or separate agreement, whereas the EC
advocates complete liberalization of the financial industry.[136]
Developing countries naturally insist on keeping the focus of GATT on
trade in goods, as that is where their main interest and needs lie. Their fear
is that trade in services, a topic of growing importance to developed
countries, will overshadow negotiations on trade in goods. Moreover,
some developing countries fear that a liberalized service market would
hinder the development of domestic service industries because
international competition could be overwhelming and the domestic
markets eventually dominated by MNCs. Other LDCs see trade in services
as only a bargaining chip to get agreements in trade in goods. Yet others
fear they may be forced by developed countries to agree to services trade
agreements to get what they need in goods agreements.[137]
The GATT and GATS agreements are contractual and therefore do not
qualify as customary international law.
CHAPTER 4: REGULATING PRINCIPLES AND STAKEHOLDER
INTERESTS
There are several common principles regulating personal and non-personal
data that are contained in all of the international regulatory instruments.
After discussing these principles, the impact on the stakeholders shall be
assessed.
4.1 REGULATING PRINCIPLES
4.1.1 PRINCIPLES GOVERNING PERSONAL DATA
There are ten principles central to the OECD Guidelines, COE Convention,
and the UN Guidelines that govern the storage of personal data.
DATA QUALITY PRINCIPLE
Personal data ought to be current, accurate and complete. The
Convention, article 5(c) requires that "[p]ersonal data undergoing
automatic processing shall be adequate, relevant and not excessive in
relation to the purposes for which they are stored." The Guidelines state in
paragraphs 8 and 10 that "[p]ersonal data should be relevant to the
purposes for which they are to be used, and, to the extent necessary for
the purposes, should be accurate, complete and kept up-to-date."
PURPOSE SPECIFICATION PRINCIPLE
The purpose for which data is collected should be specified and all use of
that data ought not to be inconsistent with enumerated purposes.[138]
The Convention requires storage for "legitimate purposes"[139] while the
OECD Guidelines require that the purpose of collection be "specified no
later than the time of data collection."[140] The UN Guidelines place time
limitation, use and disclosure, openness, and social justification principles
under the rubric of purpose specification.
LIMITED USE OR DISCLOSURE PRINCIPLE
Only with consent of the data subject, authorization of law, or publicly
known and accepted practice should data be made available.[141] The
OECD sanctions this view at paragraph 9. The COE Convention merely
requires at Article 5(b) that "processed personal data be stored for
specified and legitimate purposes and not be used in ways incompatible
with those purposes."
SECURITY PRINCIPLE
Personal data must be safeguarded from loss, destruction, alteration,
dissemination, or unauthorized access. The OECD Guidelines require, in
paragraph 11, a test of reasonableness be employed to determine this. The
Convention is silent on the degree of flexibility that can be allowed here.
The UN Guidelines suggest that measures should be taken to protect
against natural dangers, unauthorized access or fraudulent use.[142]
OPENNESS PRINCIPLE
Any policies, developments or practices that develop with regard to
personal data should be openly accessible. Specifically, it should be
possible to identify the location and identity of the data controller and any
applicable practices and policies associated with that controller.
This is asserted in paragraph 12 of the OECD Guidelines. The Convention,
however, refers to this principle as the right of any person to establish the
existence and contents of a data file, as well as the residence and identity
of the data controller.[143]
COLLECTION LIMITATION PRINCIPLE
Collection of personal data should be restricted to the minimum amount
necessary. The Guidelines require that "such data should be obtained by
lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject"[144] or with the authority of law. The
Convention states: "Personal data undergoing automatic processing shall
be obtained and processed fairly and lawfully."[145] Only the Convention
requires that data pertaining to "racial origin, political opinions or religious
or other beliefs, as well as personal data concerning health or sexual life
and data relating to criminal convictions"[146] shall only be processed if
appropriate safeguards exist in national legislation. The UN Guidelines
require that personal data not be used for ends in contravention to the UN
Charter.
INDIVIDUAL PARTICIPATION PRINCIPLE
According to the Convention, OECD Guidelines and the UN Guidelines,
which put it in almost the same terms, individuals must have several rights.
They must be free (a) to get from the data controller confirmation of
whether there exist data about them; (b) to learn what that data is within a
reasonable time; (c) to require that personal data be corrected, completed,
amended, or possibly erased; and, (d) to be notified of the reasons for the
denial of a request for information with a route to appeal the decision. The
only difference in the OECD Guidelines and the COE Convention is their
degree of emphasis of various points.[147]
ACCOUNTABILITY PRINCIPLE
For every data record there should be an identifiable data controller
accountable in law for the enforcement of personal data principles. The
Convention states as much in Article 8(a) and the OECD Guidelines assert
this principle at paragraph 14.[148]
SOCIAL JUSTIFICATION PRINCIPLE
Personal data ought to be for general purposes and specific uses that are
socially acceptable. The OECD omits this principle, but it is arguably
contained in the Convention's requirement to store data for legitimate
ends.[149]
TIME LIMITATION PRINCIPLE
This principle also does not appear in the Guidelines but does appear in
the Convention. Article 5(e) requires personal data to be "preserved in
form that permits identification of the data subject for no longer than the
amount of time necessary for the purposes for which those data are
stored."[150]
3.1.2 PRINCIPLES GOVERNING NON-PERSONAL DATA
Some academics suggest that the aforementioned principles could be
applicable to the regulation of transborder flows of non-personal data if
they were formulated in more general terms. To illustrate, the scope of the
security principle could effectively cover economic and technical data. "A
reasonableness criteria could determine to what extent [it] could be
formulated in more general terms."[151] It may be necessary to add
additional standards to effectively extend these principles to protect other
types of TBDF data. However, this is unlikely: as data is coming to be seen
as a service rather than a commodity, it is less likely that it will become
subject to additional restrictive regulation. The debate over non-personal
data is moving towards trade liberalization; consequently, there are new
guiding principles used in negotiations.
ACCESSIBILITY PRINCIPLE
Service providers and data users ought to have the minimum of
restrictions placed upon their activities. The Declaration includes this
principle at section (a). The GATS agreement includes this principle in the
application of the Most-Favoured Nation status to trade in services. MFN
status guarantees non-discriminatory conduct among and between
signatory states. As already mentioned, one of the annexes to the
agreement has excluded basic telephony from MFN status. In addition, the
GATT principle of National Treatment or non-discrimination between
foreign and domestic products is also included in the GATS
agreement.[152]
TRANSPARENCY PRINCIPLE
All rules, regulations, and procedures affecting trade in services and the
free flow of information ought to be public knowledge. Both the
Declaration (in section Two) and the GATS agreement stress this principle.
This is central to trade in telecommunications services.
INTERNATIONAL IMPACT PRINCIPLE
As all nations do not start at common levels of development, there ought
to be consideration of the impact liberalization will have on other
countries. The OECD Declaration adopts this principle in the fourth
category of issues under section Two. The GATS agreement acknowledges
this principle by allowing progressive reductions in trade barriers,
recognizing that parties to the agreement negotiate from very different
starting points. More time will be allowed for countries with a less
advanced telecommunications sector to prepare for and get used to
international competition. [153]
FREE FLOW PRINCIPLE
The free flow principle is the central underlying concept in current
discussions regarding TBDF. All information ought to be able to flow as
freely as possible between countries. This is somewhat misleading as the
real issue in regulation is not one of the free flow of information, but
rather of access to it on behalf of those who wish its gathering and
processing. The ICC has offered four reasons for the free flow of
information:[154]
• the vital importance of efficient information exchange in the
development and growth of modern international trade and
production.
• the right of business to communicate freely within and outside its
corporate structure.
• the right of business to access and utilize national and
international communications fairly, competitively, and
non-discriminatorily.
• the necessity of recognizing the worldwide interdependence of
business communications.
The OECD Declaration supports this principle in its attempt to seek a
balance between access to data and the creation of unjustified barriers to
the international exchange of data. This is crucial as it provides grounds for
requests made by a country or MNC for access to data stored in
information systems in another country.[155] The GATS agreement
supports this principle with its call for the general liberalization of trade in
services. The hope is that with liberalization will come unrestricted TBDFs.
The beneficial value of the free flow of information is being increasingly
questioned. There are selectors and controllers who shift and shape the
messages in society. The use of the market mechanism makes this all the
more evident. The fears and frustrations of developing nations are
exacerbated by MNCs who now select and control large segments of world
data flows.[156]
3.2 IMPACT ON STAKEHOLDERS
The following discussion runs the risk of over-generalizing the positions of
the parties involved. Nation-state governments will differ on principles
according to their degree of industrialization, the amount of involvement
of the government in the high-technology industry, and the degree to
which the country feels its sovereignty and security are threatened.
Multinationals shall differ on these principles according to their economic
sector of involvement, dependence on technology and TBDF, and the
amount of business and assets existing outside domestic markets.
3.2.1 MULTINATIONAL CORPORATIONS
MNCs have always needed to become increasingly competitive to survive.
They face stiffer international competition, greater regulation, and greater
involvement of foreign governments in supporting their domestic business
community. Consequently, MNCs have turned to technology to aid them in
expanding their influence, holding off competition, and consolidating their
global position. This has led to attempts at industrial concentration.
The basic processes through which industrial concentration takes place,
namely diversification, horizontal and vertical integration, can be
facilitated through the use of transnational data flows. These all imply
complex coordinating tasks and [the] need [for] fast and reliable
monitoring of dispersed markets. The large transnational data flow users
have important stakes in the free flow of data across borders and are likely
to attempt to influence their environment for the appropriate
deregulation.[157]
And they have done so. The international business community, through
the International Chamber of Commerce (ICC), was actively involved in the
drafting of both the OECD Guidelines and the COE Convention.[158] These
agreements effectively limited regulation to personal data flows. The bulk
of information flow was not greatly affected. To assure their market
dominance and effectively prevent competition from infant telematics
industries, the business community of developed countries has lobbied
vigorously to deregulate trade in services and data flows.
Furthermore, the trade of technical or scientific information has provided
further economic benefits to MNCs. As technical or scientific information
contains little or no personal data it is very free from regulation. Compiling
technical data about other nations through remote sensing satellites such
as LANDSAT and ERTS provides vital information to its collector about crop
conditions, fish stocks and migration, forestation, and geological
formations and deposits that can be used to formulate trade and
investment policies. Both the governments and MNCs with this
information have a foreknowledge of sorts, and hence a distinct advantage
over others. Those sensed nations want access to the primary data as well
as the analyzed information. However, the sensing nation or MNC refuses,
saying that it was through its labour that this property was created. Thus,
the analyzed data should not be treated in the same manner as sensed
data.[159]
3.2.2 GOVERNMENTS OF DEVELOPED COUNTRIES
As the different international regulatory instruments demonstrate,
governments of developed countries have proven extremely responsive to
the wishes of their business community. Initially concerned with the effect
of telematics technology on personal privacy and national security, they
became concerned over the use of regulation to protect their own MNCs
and those industries dependent on the health of the MNCs. Threats to
economic survival and prosperity forced the governments of developed
countries to change the way they see information. Domestically produced
information could not be a commodity in other countries, for then its free
flow could be stopped, or it could even be expropriated. The countries
with greater dependency on TBDF argued they were offering information
services which could not be subjected to regulation and restriction.
Altering the definition of data led to calls for deregulation of trade in such
services. Hence, the debate moved from forums of international
governmental associations to international trade forums.
3.2.3 GOVERNMENTS OF LESS DEVELOPED COUNTRIES
This shift in focus by the developed nations and MNCs has not gone
unnoticed in the developing world. The governments of developing nations
have objected in three ways: by arguing that deregulation is adverse to
their development, that deregulation will increase their dependency on
developed nations for technology and information, and that this lack of
development and dependency threatens their cultural and social survival.
It was not until the mid-1980s that it was realized by official donors and
international organizations that the aid provisions for the development of
infrastructure of LDCs ought to include telecommunications technologies
and not just things like roads and bridges.[160] This realization has led to
the refusal of LDCs to liberalize international telecommunications
regulations (through the ITU for example) until advanced nations agree to
subsidize the telecommunications developments of countries that cannot
afford basic systems or newer, more advanced ones. In effect, the LDCs are
demanding a "right to technology". Their justification for this position is
that all members of the international community have to exploit a shared
resource and all should have access to an equal, or at least minimal, share
of this resource (i.e., telecommunications technologies).[161]
Developing countries know they play a very small role in the process of
"informatization". As telecommunications investments are more
predictable than computer investments due to longer planning cycles, the
possibility of optimizing systems, increasing productivity, and increasing
capital savings becomes possible. Developing countries have come to see
informatization as a possible way to leap-frog into the 'information age'.
However, with deregulation of the industry through agreements like GATS,
the control over domestic telecommunications industries will be reduced,
as will the control over telematic development. "This implies that the
relative position of the developing countries in terms of leapfrogging into
the 'information age' is even lower than thought if taking traditional
indicators of the 'industrial age'."[162]
As the developing nations have little or no development of manufacturing
of IT, they are the most sensitive to unregulated infusions of IT into their
fragile economic and political systems through MNCs and meager
development projects. This has led some LDCs to support deregulation in
the hopes that this will aid in development.
There is considerable evidence that developing countries can use
transactions with transnational corporations as a means of securing
effective technology transfer and development. This type of strategy is
characterized by the active management and control over the processes of
importing and assimilating technical knowledge, complemented by the
development of indigenous technological capabilities.[163]
For example, Brazil's approach will not be followed by other developing
nations in Africa. Many African nations are more in favour of free flow of
information as they do not have information technology or data processing
industries to protect. "Since for development purposes they are dependent
on access to foreign service bureaux, they also have potentially much to
lose from restrictions on the international free flow of data."[164]
However, many more LDCs argue that IT is being used to solidify the
stranglehold of the neo-imperialist system by concentrating control over
data processing and information creation in the developed countries, while
keeping the developing countries dependent.[165] Many LDCs would point
to the growing dependency of Mexico on the United States as an example.
Ninety-five percent of Mexico's TBDFs occur between Mexico and the USA.
The large number of American MNC affiliates along the Mexico side of the
Mexico-US border are responsible for these flows. They require a large
amount of advanced telecommunications technology and services that the
government's two national telecommunications companies (now
privatized) have had to develop. Most of the hardware and software used
in this infrastructural development came from American firms, as domestic
firms lacked the capacity to develop the technology. These developments
are essential to keeping FDI in Mexico while attracting more
investment.[166]
Furthermore, IT deregulation threatens cultural identities because
international telecommunications systems could be used to export
database services which had been created in a market system that will
create alien systems for arrangement and classification of knowledge. If IT
is controlled by a few countries, other nations would succumb to some
type of cultural-homogenization without some type of regulation.[167]
Hence, an important question for developing countries lacking computer
technology is whether or not it is in their best interest to subscribe to an
international data network in which they will clearly play a client role.
Opinion is divided. It is argued that using the information networks of
developed countries offers LDCs cheaper and more effective access to the
latest scientific and technical know-how from the developed world.
Conversely, it is argued that the developing world will find themselves in
dependency relationships with access to information that is suited to
neither the needs nor the resources of the developing world. Only one
percent of current research is being directed to the special problems of the
developing nations.[168]
Chart: Legislation on the protection of personal data in OECD countries,
1991
ADP=Automatic Data Processing
PP=Physical Person
LP=Legal Person
L= Legislation
PL=Pending Legislation
BIBLIOGRAPHY
Bing, Jon. "IT and the Rule of Law." Transnational Data and
Communications Report (Jan./Feb. 1992),13-16.
Bolter, Jay David. "The Computer in a Finite World." Computer/Law Journal
6:349 [1985].
Bortnick, Jane. "International Information Flow: The Developing World
Perspective." Cornell. Int'l. L.J. 14: 333 [1981].
Bruce, Robert R. et al. From Telecommunications to Electronic Services: A
Global Spectrum of Definitions, Boundary Lines, and Structures.
Washington, DC: Debevoise & Plimpton, 1986.
Drucker, Peter F. Managing in Turbulent Times. New York: Harper & Row,
Publishers, 1980.
Dunkel, Arthur. "Telcom Services and the Uruguay Round." Transnational
Data and Communications Report (Jan./Feb. 1992), 17-19.
Edwards, Chris and Nigel Savage et al. Information Technology and the
Law, 2nd Edition. United Kingdom: MacMillan Publishers, 1990.
Estadella-Yuste, Olga. "Transborder Data Flows and the Sources of Public
International Law." N.C.J. Int'l L. & Comm. Reg. 16:379 [1991].
Globe & Mail. Issues for Canada's Future: EDI or Die. June 1992.
International Chamber of Commerce (ICC). "International Business
Criticizes EC Data Protection Proposal." Transnational Data and
Communications Report (Jan./Feb. 1992), 37-41.
Jay, Rosemary Patricia. "Transborder Data Flows." New Law Journal (Feb
22, 1991),241.
Kindred, Hugh M. et al. International Law: Chiefly as Interpreted and
Applied in Canada, Fourth Edition. Canada: Emond Montgomery
Publications Ltd., 1987.
Kirby, Honourable Justice Michael. "Legal Aspects of Transborder Data
Flows." Computer/Law Journal 9:233 [1991].
Millard, Christopher J. Legal Protection of Computer Programs and Data.
Toronto: Carswell, Co., 1985.
Mowlana, Hamid. International Flow of Information: A Global Report and
Analysis. Paris: UNESCO, 1985.
Novotny, Eric J. "Transborder Data Flow Regulation: Technical Issues of
Legal Concern." Computer/Law Journal 3:105 [1981].
O.E.C.D. Guidelines on the Protection of Privacy and Transborder Data
Flows of Personal Data. Paris: OECD, 1981.
O.E.C.D. Information Technology Outlook 1992. Paris: OECD, 1992.
Pavlic, Breda and Cees J. Hamelink. The New International Economic Order:
Links between Economics and Communications. Paris: UNESCO, 1985.
Ploman, Edward W. International Law Governing Communications and
Information: A Collection of Basic Documents. Westport, CT: Greenwood
Press, 1982.
Poullet, Y. "Privacy Protection and Transborder Data Flow; Recent Legal
Issues." G.P.V. Vandenberghe, ed. Advanced Topics of Law and Information
Technology. Deventer, Netherlands: Kluwer Law and Taxation Publishers,
1989, 29.
Rada, Juan. "Information Technology and the Third World." M. David
Ermann et al, eds. Computers, Ethics & Society. New York: Oxford
University Press, 1992, 262.
Reguly, Bob. "No spies, please, we're Canadian." Financial Times of Canada
(October 24, 1992) at 22.
Ritter, Jeffery B. "Defining International Electronic Commerce." NWJ of Int'l
L & B 13:1(1992).
Roche, Edward M. "The Landscape of International Computing: A Personal
View." Transnational Data and Communications Report (Jan./Feb. 1992),
24-27.
Schiller, Herbert I. Who Knows: Information in the Age of the Fortune 500.
Norwood, NJ: ABLEX Publishing Corp., 1981.
Schwartz, Jacob T. "America's Economic-Technological Agenda for the
1990's." Dædalus: A New Era in Computation (Winter 1992), 139.
Simmonds, Kenneth R. and Brian H.W. Hill, eds. Law and Practice Under
the GATT, 2 vols. New York: Oceana Publications, 1992.
Transnational Data and Communication Report. "Many Countries Commit
to GATS Telecom Coverage." Sept-Oct. 1992 at 8.
Trubow, George B. "The European Harmonization of Data Protection Laws
Threatens U.S. Participation in Trans Border Data Flow." NWJ of Int'l L & B
13:159 (1992).
United Nations Centre on Transnational Corporations. Transborder Data
Flows and Brazil. ST/CTC/40.
United Nations Centre on Transnational Corporations. Transborder Data
Flows and Mexico. ST/CTC/72.
United Nations Centre on Transnational Corporations. Transnational
Corporations, Services and the Uruguay Round. ST/CTC/103.
NOTES
1 Rolf T. Wigand quoted in Chris Edwards and Nigel Savage et al.,
Information Technology and the Law, 2nd Edition (United Kingdom:
MacMillan Publishers, 1990) at 122.
2 William L. Fishman, formerly Assistant Director for International
Communications, Office of Telecommunications Policy, Executive Office of
the President; now, Senior Policy Advisor, National Telecommunications
Information Agency. Quoted in Herbert I. Schiller, Who Knows: Information
in the Age of the Fortune 500 (Norwood, NJ: ABLEX Publishing Corp., 1981)
at 99.
3 Jay David Bolter, "The Computer in a Finite World" (1985) 6
Computer/Law Journal 349 at 352. This introductory discussion is loosely
extrapolated from his article.
4 The use of the terms "developing nation" or "developed nation"
throughout this paper refers only to the level of technological complexity
of countries, not the level of cultural, moral, intellectual or political
development. The terms "North" and "South" are inappropriate as
countries such as Brazil and Australia have extensive telematics industries
and legislation. We need a vocabulary to describe this technological
phenomenon that is not as ethnocentric and pejorative as the terms
currently available.
5 This definition was developed by the Intergovernmental Bureau for
Informatics. "Informatics: Its Political Impact" IBI Doc. D.G. 1-04 at 2.
6 Jon Bing, "IT and the Rule of Law" Transnational Data and
Communications Report (Jan./Feb. 1992), 13-16, at 13.
7 United Nations Centre on Transnational Corporations, Transnational
Corporations, Services and the Uruguay Round, (ST/CTC/103) at 44.
8 Christopher J. Millard, Legal Protection of Computer Programs and Data.
(Toronto: Carswell, Co., 1985) at 227.
9 Hamid Mowlana, International Flow of Information: A Global Report and
Analysis (Paris: UNESCO, 1985) at 45.
10 United Nations CTC, Uruguay Round, supra, at 44.
11 Millard, supra, at 227.
12 Globe & Mail, Issues for Canada's Future: EDI or Die (June 1992) at 18.
13 Ibid., at 3.
14 Ibid., at 4.
15 Mowlana, supra, at 47.
16 This view is supported by Olga Estadella-Yuste, "Transborder Data Flows
and the Sources of Public International Law" N.C.J. Int'l L. & Comm. Reg.
16:379 [1991] at 409n.
17 Jeffery B. Ritter, "Defining International Electronic Commerce" NWJ of
Int'l L & B 13:1(1992), at 24.
18 Peter F. Drucker, Managing in Turbulent Times (New York: Harper &
Row, Publishers, 1980) at 207.
19 Ibid., at 154.
20 "Satisfice" is a term taken from formal decision theory. It was coined in
the late 1940's by American management scientist, Herbert Simon of
Carnegie Mellon. It was used to show that solutions to problems were
found in institutions in a pluralistic framework not with a view to optimize
or maximize results, but to find the minimal acceptable results.
21 Drucker, supra, at 210.
22 Schiller, supra, at 142.
23 Ritter, supra, at 13.
24 Breda Pavlic and Cees J. Hamelink, The New International Economic
Order: Links between Economics and Communications (Paris: UNESCO,
1985) at 37-8.
25 The Honourable Justice Michael Kirby, "Legal Aspects of Transborder
Data Flows" Computer/Law Journal 9:233 (1991) at 236.
26 Ritter, supra, at 24.
27 O.E.C.D. Document DSTI/ICCP/83.23 as quoted in Chris Edwards and
Nigel Savage et al., supra, at 122.
28 Ritter, supra, at 25.
29 See section 36, which refers to the transfer of technology. It reads:
36 (a) Transnational corporations shall conform to the transfer-of-
technology laws and regulations of the countries in which they
operate. They shall co-operate with the competent authorities of these
countries in assessing the impact of international transfers of
technology in their economies and consult with them regarding the
various technological options which might help those countries,
particularily developing countries, to attain their economic and social
development.
(b) Transnational corporations in their transfer of technology
transactions should, in accordance with the criteria set forth in the Set
of Multilaterally Agreed Equitable Principles and Rules for the Control
of Restrictive Business Practices, avoid restrictive practices which
adversely affect the international flow of technology, or otherwise
hinder the economic and technological developments of countries,
particularly developing countries.
(c) Transnational corporations should contribute to the strengthening
of the scientific and technological capacities of developing countries, in
accordance with the science and technology established policies and
priorities of those countries. Transnational corporations should
undertake substantial research and development activities in
developing countries and should make full
use of local resources and personnel in this process.
This was reproduced in Annex IV of United Nations CTC, Uruguay Round,
supra, at 231. [back]
30 Pavlic, supra, at 40. [back]
31 Ibid. [back]
32 Estadella-Yuste, supra, at 388n. [back]
33 Ibid., at 388. [back]
34 Kirby, "Legal Aspects", supra, at 235. [back]
35 Millard, supra, at 207. [back]
36 Eric J. Novotny, "Transborder Data Flow Regulation: Technical Issues of
Legal Concern" Computer/Law Journal 3:105 [1981] at . UNESCO
subscribes to what Novotny classifies as a TBDF. See 62, supra, at 45.
[back]
37 Millard, supra, at 207n. [back]
38 Estadella-Yuste, supra, at 389. [back]
39 Millard, supra, at 208. [back]
40 Estadella-Yuste, supra, at 389. [back]
41 Millard, supra, at 208. [back]
42 Mowlana, supra, at 45. [back]
43 Millard, supra, at 208. [back]
44 Ibid., at 209. [back]
45 Ibid. [back]
46 Edwards and Savage et al., supra, at 121. [back]
47 Novotny, supra, at 110-2. [back]
48 Ibid., at 112. [back]
49 Millard, supra, at 209. [back]
50 Ibid. [back]
51 Novotny, supra, at 112. [back]
52 Ibid. [back]
53 Mowlana, supra, at 48. [back]
54 Millard, supra, at 209. [back]
55 Mowlana, supra, at 45. [back]
56 All privacy legislation refers to individual persons. However, some
countries have or are considering including legal persons within the ambit
of their legislation. See Appendix One for the status of privacy legislation
within OECD countries and note 96 for those countries with protection
laws on the books and proposed. [back]
57 See Novotny's article for a thorough discussion of these technical
reasons. [back]
58 Millard, supra, at 211. [back]
59 Ibid., at 211-12. [back]
60 Edwards and Savage et al., supra, at 124. [back]
61 Ibid., at 124-5. [back]
62 This is found in "Article 19: Stoppage of Telecommunications" which
reads:
109 1. Members reserve the right to stop the transmission of any private
telegram which may appear dangerous to the security of the State or
contrary to their laws, to public order or to decency, provided that they
immediately notify the office of origin of the stoppage of any such telegram
or any part thereof, except when such notification may appear dangerous
to the security of the State.
110 2. Members also reserve the right to cut off any other private
telecommunications which may appear dangerous to the security of the
State or contrary to their law, to public order or to decency.
Reprinted in Edward W. Ploman, International Law Governing
Communications and Information: A Collection of Basic Documents
(Westport, CT: Greenwood Press, 1982), 232 at 238.
63 Millard, supra, at 213 quoting from Telecommunications and Canada
(Ottawa: Minister of Supply and Services, 1979) at 1. [back]
64 Mowlana, supra, at 49. [back]
65 Millard, supra, at 214. Economic espionage was recently discussed in
Bob Reguly, "No spies, please, we're Canadian," Financial Times of Canada
(October 24, 1992) at 22. "Around the world, national security agencies are
doing business in a new way. Less and less are they spying on each other.
More and more they are gathering information to help their country's
firms beat the escalating international competition." Reguly asserts that
the French, Germans, Americans (FBI, CIA, and NSA), British and Russians
are heavily involved in this new area of activity. [back]
66 Mowlana, supra, at 49. [back]
67 Millard, supra, at 214. [back]
68 Schiller, supra, at 118-19. [back]
69 Kirby, "Legal Aspects", supra, at 236n. [back]
70 United Nations Centre on Transnational Corporations, Transborder Data
Flows and Brazil (ST/CTC/40) at 11. [back]
71 UNESCO, E/C.10/1986/16, 1986, quoted in 13 at 123. [back]
72 Millard, supra, at 212. [back]
73 Ibid., at 213. [back]
74 Edwards and Savage et al., supra, at 124. [back]
75 Millard, supra, at 215-16. [back]
76 Schiller, supra, at 112. [back]
77 In some cases these points apply equally to developing nations with
telematics industries. For example, Brazil's Special Secretariat of
Informatics (SEI), designed industrial policies for informatics that
encourage foreign affiliates to use their comparative advantage and
advanced R&D facilities to manufacture new high technologies. Once
developed, national capital is invested by SEI, production is phased into
local companies and the infant industry is protected from foreign
competition. In addition, the foreign company is encouraged not to
improve these products and create domestic competition, but rather to
develop new products. See United Nations CTC, TDF and Brazil, supra, at
186-7. [back]
78 Jacob T. Schwartz, "America's Economic-Technological Agenda for the
1990's" Dædalus: A New Era in Computation (Winter 1992), 139 at 144-46.
[back]
79 Schwartz, supra, at 147. [back]
80 Jane Bortnick, "International Information Flow: The Developing World
Perspective" Cornell Int'l L.J. 14:333 [1981] at 334-35. [back]
81 Ibid., at 333. [back]
82 Ibid., at 335-36. [back]
83 Edwards and Savage et al., supra, at 124. [back]
84 Ibid., at 125. [back]
85 Pavlic, supra, at 37. [back]
86 Mowlana, supra, at 50. [back]
87 Poullet, Y. "Privacy Protection and Transborder Data Flow; Recent Legal
Issues." G.P.V. Vandenberghe, ed., Advanced Topics of Law and
Information Technology (Deventer, Netherlands: Kluwer Law and Taxation
Publishers, 1989) 29 at 33. [back]
88 Ibid., at 37. [back]
89 Pavlic, supra, at 37. [back]
90 Schiller, supra, at 109. [back]
91 United Nations CTC, Uruguay Round, supra, at 58. [back]
92 Transnational Data and Communication Report. "Many Countries
Commit to GATS Telecom Coverage." Sept-Oct. 1992 at 8. [back]
93 Pavlic, supra, at 37. [back]
94 Edwards and Savage et al., supra, at 125. [back]
95 Novotny, supra, at 112. [back]
96 Those countries with data protection laws as of February 1991 are:
Australia 1989, France 1978*, Luxembourg 1979*, Austria 1978*, Germany
1977*, Netherlands 1988, Canada 1982, Iceland 1985, Norway 1978*,
Denmark 1978*, Ireland 1988, Sweden 1973*, Finland 1987, Israel 1981,
United Kingdom 1984*
Those countries in which data protection bills are proposed as of February
1991: Belgium, Hungary, Switzerland, Greece, Portugal, United States of
America, Italy, Spain*
* denotes countries which have ratified the COE Convention. Taken from
21 at 241. [back]
97 See Appendix 1 for a chart of the nature of the current legislation.
[back]
98 Estadella-Yuste, supra, at 386. [back]
99 Kirby, "Legal Aspects," supra, at 115. [back]
100 Ibid., at 116-17. [back]
101 Poullet, supra, at 31. [back]
102 Ibid. [back]
103 George B. Trubow, "The European Harmonization of Data Protection
Laws Threatens U.S. Participation in Trans Border Data Flow" NWJ of Int'l L
& B 13:159 (1992) at 165. [back]
104 Rosemary Patricia Jay, "Transborder Data Flows" New Law Journal
(Feb 22, 1991) 241 at 241. [back]
105 Hugh M. Kindred, et al., International Law: Chiefly as Interpreted and
Applied in Canada, Fourth Edition (Canada: Emond Montgomery
Publications Ltd., 1987) at 174. [back]
106 Ibid., at 183. [back]
107 Ibid., at 187. [back]
108 Ibid., at 200. [back]
109 O.E.C.D., Guidelines on the Protection of Privacy and Transborder Data
Flows of Personal Data. (Paris: OECD, 1981). [hereinafter Guidelines] [back]
110 Ibid., at 5. Millard points out that Australia, Canada, Iceland, Ireland,
Turkey and the U.K. abstained from the vote. Millard, supra, 217n. [back]
111 Jay, supra, at 241. [back]
112 Estadella-Yuste, supra, at 394. [back]
113 These last three issues were beyond the mandate of the OECD Expert
Group that developed the Guidelines. See Millard, supra, at 219. [back]
114 Estadella-Yuste, supra, at 393 and 393n. [back]
115 Ibid., at 393n. [back]
116 Ibid., at 383-84. [back]
117 Ibid., at 392. [back]
118 Ibid., at 404. [back]
119 Ibid., at 418-19. [back]
120 Ibid., at 393n. [back]
121 Ibid., at 405. [back]
122 European Treaty Series, No. 108. [back]
123 Sweden, Norway, France, and Spain were the other four nations to
ratify the Convention. It is worth stressing that the Council of Europe in
Strasbourg is not the same as the European Commission in Brussels,
though the two bodies do keep in close contact. [back]
124 Estadella-Yuste, supra, at 394. [back]
125 Millard, supra, at 220. [back]
126 Ibid. [back]
127 Ibid., at 221. [back]
128 Edwards and Savage et al., supra, at 126. [back]
129 Ibid., at 126. [back]
130 UN Doc. A/Res/45/95(1991) The final version of the Guidelines can be
found at E/CN.4/1990/72. [back]
131 Estadella-Yuste, supra, at 385. [back]
132 Kindred, supra, at 201. [back]
133 Arthur Dunkel, "Telcom Services and the Uruguay Round"
Transnational Data and Communications Report (Jan./Feb. 1992) 17-19 at
17. [back]
134 Ibid., at 19. [back]
135 Kenneth R. Simmonds, and Brian H.W. Hill, eds., Law and Practice
Under the GATT, v 1 (New York: Oceana Publications, 1992) III.B.13 at 46.
[back]
136 Ibid., III.B.13. [back]
137 Kenneth R. Simmonds, and Brian H.W. Hill, eds., Law and Practice
Under the GATT, v 2 (New York: Oceana Publications, 1992) IV.B.1 at 13-
15. [back]
138 Estadella-Yuste, supra, at 397. [back]
139 COE Convention, Article 5(b). See Ploman, supra, at 317. [back]
140 OECD Guidelines, supra, paragraph 9 at 10. [back]
141 Estadella-Yuste, supra, at 397-8. [back]
142 Ibid., at 398. [back]
143 COE Convention, supra, Article 8(a) at 317. [back]
144 OECD Guidelines, supra, paragraph 7 at 10. [back]
145 COE Convention, supra, Article 5(a) at 317. [back]
146 Ibid., Article 6 at 317. [back]
147 Estadella-Yuste, supra, at 398-99. [back]
148 Ibid., at 398. [back]
149 Ibid., at 399. [back]
150 Ibid., at 399-400. [back]
151 Ibid., at 401. [back]
152 Dunkel, supra, at 18. [back]
153 Ibid., at 18. [back]
154 Poullet, supra, at 29. [back]
155 Estadella-Yuste, supra, at 406. [back]
156 Mowlana, supra, at 50. [back]
157 Pavlic, supra, at 40. [back]
158 International Chamber of Commerce (ICC), "International Business
Criticizes EC Data Protection Proposal" Transnational Data and
Communications Report (Jan./Feb. 1992) 37-41 at 38. [back]
159 Schiller, supra, at 131. [back]
160 Edward M. Roche, "The Landscape of International Computing: A
Personal View" Transnational Data and Communications Report (Jan./Feb.
1992) 24-27 at 25. [back]
161 Kindred, supra, at 826. [back]
162 Juan Rada, "Information Technology and the Third World" M. David
Ermann et al, eds., Computers, Ethics & Society (New York: Oxford
University Press, 1992) 262 at 274-75. [back]
163 Roche, supra, at 26. [back]
164 Millard, supra, at 226. [back]
165 Roche, supra, at 25. [back]
166 United Nations Centre on Transnational Corporations, Transborder
Data Flows and Mexico (ST/CTC/72) at 94-6. [back]
167 Roche, supra, at 25. [back]
168 Mowlana, supra, at 45. [back]
169 Schiller, supra, at 15-17. [back]
170 Ibid., at 126-27. [back]
171 Ibid., at 138. [back]
172 Ibid., at 147. [back]
173 Millard, supra, at 227. [back]
174 Ibid., at 227. [back]
175 Robert R. Bruce, et al., From Telecommunications to Electronic
Services: A Global Spectrum of Definitions, Boundary Lines, and Structures
(Washington, DC: Debevoise & Plimpton, 1986) at 14-15. [back]
176 Estadella-Yuste, supra, at 386. [back]
177 Bruce, supra, at 15. [back]