'Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency?' by Paul De Hert and Vagelis Papakonstantinou in (2013) 9(2)
I/S: A Journal of Law & Policy 271 argues that
Data privacy regulation has reached a crossroads: while three out of the four intergovernmental organizations that have released relevant regulations (the OECD, the Council of Europe, and the EU) are amending their respective texts, each one is implementing its own agenda. The Internet and cloud computing are making the need for international governance more evident than ever. Three scenarios may be foreseen: 1) the status quo remains, and technology intervenes to address public concerns; 2) the EU General Data Protection Regulation, which is expected to replace the EU Data Protection Directive by mid-2014, comes into effect and then goes on to set the international data privacy standard; or, 3) as suggested in this paper, an international data privacy organization, preferably a UN agency, is established to promote data privacy issues and warrant international data privacy governance, similar to how the World Intellectual Property Organization advances the purposes of intellectual property protection. The establishment of an international organization does not necessarily mean that a new, comprehensive international data privacy framework also needs to be introduced (at least at this stage). Instead, international instruments already in effect could be used. The globally accepted but perhaps under-used 1990 UN Guidelines for the Regulation of Computerized Personal Data Files are an obvious choice.
The authors state that
Data privacy, since the appearance of the first relevant regulatory texts, may be listed among those few and relatively new fields of law that were developed across national borders. Within a single decade, beginning in the late 1960s, data privacy laws that implemented similar approaches appeared in several countries around the world. This informal transborder development was quickly followed by formal international instruments. In the early 1980s, when many countries that processed personal information had already introduced relevant legislation or were seriously considering doing so in the near future, international organizations entered the scene. The regulatory instruments they introduced attempted to converge the existing approaches that had, until that point, been implemented on the national level. These instruments became the common point of reference for subsequent new or amended national data privacy norms.
The international element that accompanied data privacy since its inception should be attributed—like the development of data protection as a separate field of law—to a single reason: the emergence of information technology. Until the late sixties, when the first data privacy laws were introduced, privacy issues were well identified (the now-famous Warren/Brandeis paper of 18901 was written when journalistic photography emerged) but did not lead to any specialized legislation on how to treat personal information. Instead, international treaties and only some national jurisdictions made reference to a general right to privacy. The exponential increase of the data processing ability computers provided to governments that could afford them necessitated the release of the first data privacy acts. The acts’ provisions were aimed at regulating the way such automated and mass processing was to take place; a general reference to the right to
privacy was no longer considered sufficient to protect individual rights.
During the years that followed, data protection, (at least in Europe) developed, gaining, independence from its origins: the general right to privacy. However, the link between data privacy and information technology developments remained unbroken, and was actually further enforced. In fact, information technology developments form one of the two external factors, along with political developments, such as 9/11 and its aftermath, that set the international data privacy agenda.
Information technology converged with telecommunications, creating the current interconnected and internationalized environment of personal data processing, the Internet. Processing of personal information is no longer performed locally, or even within well-defined physical borders. The original “transborder flows of personal data,” which by definition included transmission of data from one jurisdiction to another, were soon replaced by borderless continuous personal data processing, in which personal data are processed somewhere in the “cloud,” that is, in indistinguishable server-farms installed around the world.
In addition, transborder personal data processing became individualized. Local data controllers are no longer needed to transmit their data subjects’ data across borders to other data controllers in order for transborder exchanges to occur. Today, Web 2.0 applications enable individuals to upload their personal data to the “cloud,” going to and from unidentified destinations.
Consequently, the need for international governance of data privacy is more important than ever. However, the means to achieve this still seem to be missing—or at least the ones at hand do not meet with the necessary international consensus.
The first part of this paper will highlight the history of international governance of data privacy. It will also briefly describe the current state of governance to demonstrate that international norms followed data privacy legislation from the inception. International norms remain very much relevant today, through an exponential multiplication of sources.
The second part will elaborate upon the complexities of the contemporary processing environment by referring to two case studies, cloud computing and location-based services. These two examples will demonstrate that the transborder personal data flows model, as accommodated and implemented, has substantially changed in the past few years, at both the national and international level. Contemporary global and complex personal data processing makes international governance of data privacy more necessary than ever.
The third part of this paper elaborates upon the three plausible scenarios for the future. First, the status quo could remain. In this case, we suggest that technology will step in by offering technology- based solutions, such as Privacy By Design system architecture or Privacy Enhancing Technologies, to address the concerns of individuals about the best way to protect their private data. The second scenario considers the amendment process of the European data protection framework and the EU Data Protection Directive in particular. It predicts that an improved and updated version (likely in the form of the currently-developing EU General Data Protection Regulation) could constitute the international standard for data privacy either indirectly or directly, through streamlined application of its adequacy criterion. The third scenario recommended by the authors proposes the establishment of an international data privacy organization, preferably a UN agency, to govern international data privacy. The appropriate regulatory vehicle is perhaps already in place: the globally-accepted, but probably undeservedly underused, 1990 UN Guidelines for the Regulation of Computerized Personal Data Files. The field could also benefit from the examples of other sectors that achieved international governance status after decades of persistent efforts, despite the fact that they fostered similarly pervasive legislation, such as copyright.
