‘Territoriality’ plays a central role under our current paradigm of jurisdictional thinking. Indeed, a State’s rights and responsibilities are largely defined by reference to territoriality. States have exclusive powers in relation to everything that occurs within their respective territories, and this right is combined with a duty to respect the exclusive powers of other States over their respective territories.
The post The concept of ‘extraterritoriality’: widely used, but misguided and useless appeared first on OUPblog.
Defining “privacy” has proven akin to a search for the philosopher’s stone. None of the numerous theories proposed over the years seems to encompass all the varied facets of the concept. In considering the meaning of privacy, it can be fruitful to examine how a great artist of the past has dealt with aspects of private life that retain their relevance in the Internet age.
The post A Chekhovian view of privacy for the internet age appeared first on OUPblog.
Recently Google Inc. was ordered to remove nine search results after the Information Commissioner’s office (ICO) ruled that they linked to information about a person that was no longer relevant. Almost ten years ago, that individual had committed a minor criminal offence and he recently put on a request to Google that related search results be removed, in compliance with the decision of the European Court of Justice in Google Spain.
The post The power of the algorithm appeared first on OUPblog.
The OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) were an early influence on the development of data privacy laws in Asia. Other bodies have since also been influential in the formulation of data privacy laws across Asia, including the 1981 Council of Europe Data Protection Convention, the United Nations Guidelines for the Regulation of Computer Data Files, the European Union’s Data Protection Directive, and the APEC Privacy Guidelines.
This timeline below shows the development of data privacy laws across numerous different Asian territories over the past 35 years. In each case it maps the year a data privacy law or equivalent was created, as well as providing some further information about each. It also maps the major guidelines and pieces of legislation from various global bodies, including those mentioned above.
Featured image credit: Data (scrabble), by justgrimes. CC-BY-SA 2.0 via Flickr.
The post A brief history of Data Privacy Law in Asia appeared first on OUPblog.
By Dan Jerker B. Svantesson
One of the most prominent features of jurisdictional rules is a focus on the location of actions. For example, the extraterritorial reach of data privacy law may be decided by reference to whether there was the offering of goods or services to EU residents, in the EU.
Already in the earliest discussions of international law and the Internet it was recognised that this type of focus on the location of actions clashes with the nature of the Internet – in many cases, locating an action online is a clumsy legal fiction burdened by a great degree of subjectivity.
I propose an alternative: a doctrine of ‘market sovereignty’ determined by reference to the effective reach of ‘market destroying measures’. Such a doctrine can both delineate, and justify, jurisdictional claims in relation to the Internet.
It is commonly noted that the real impacts of jurisdictional claims in relation to the Internet is severally limited by the intrinsic difficulty of enforcing such claim. For example, Goldsmith and Wu note that:
“[w]ith few exceptions governments can use their coercive powers only within their borders and control offshore Internet communications only by controlling local intermediaries, local assets, and local persons” (emphasis added)
However, I would advocate the removal of the word ‘only’. From what unflatteringly can be called a cliché, there is now a highly useful description of a principle well-established at least 400 years ago.
The word ‘only’ gives the impression that such powers are of limited significance for the overall question, which is misleading. The power governments have within their territorial borders can be put to great effect against offshore Internet communications. A government determined to have an impact on foreign Internet actors that are beyond its directly effective jurisdictional reach may introduce what we can call ‘market destroying measures’ to penalise the foreign party. For example, it may introduce substantive law allowing its courts to, due to the foreign party’s actions and subsequent refusal to appear before the court, make a finding that:
- that party is not allowed to trade within the jurisdiction in question;
- debts owed to that party are unenforceable within the jurisdiction in question; and/or
- parties within the control of that government (e.g. residents or citizens) are not allowed to trade with the foreign party.
In light of this type of market destroying measures, the enforceability of jurisdictional claims in relation to the Internet may not be as limited as it may seem at a first glance.
In this context, it is also interesting to connect to the thinking of 17th century legal scholars, exemplified by Hugo de Groot (better known as Hugo Grotius). Grotius stated that:
“It seems clear, moreover, that sovereignty over a part of the sea is acquired in the same way as sovereignty elsewhere, that is, [...] through the instrumentality of persons and territory. It is gained through the instrumentality of persons if, for example, a fleet, which is an army afloat, is stationed at some point of the sea; by means of territory, in so far as those who sail over the part of the sea along the coast may be constrained from the land no less than if they should be upon the land itself.”
A similar reasoning can usefully be applied in relation to sovereignty in the context of the Internet. Instead of focusing on the location of persons, acts or physical things – as is traditionally done for jurisdictional purposes – we ought to focus on marketplace control – on what we can call ‘market sovereignty’. A state has market sovereignty, and therefore justifiable jurisdiction, over Internet conduct where it can effectively exercise ‘market destroying measures’ over the market that the conduct relates to. Importantly, in this sense, market sovereignty both delineates, and justifies, jurisdictional claims in relation to the Internet.
The advantage market destroying measures have over traditional enforcement attempts could escape no one. Rather than interfering with the business operations worldwide in case of a dispute, market destroying measures only affect the offender’s business on the market in question. It is thus a much more sophisticated and targeted approach. Where a foreign business finds compliance with a court order untenable, it will simply have to be prepared to abandon the market in question, but is free to pursue business elsewhere. Thus, an international agreement under which states undertake to only apply market destroying measures and not seek further enforcement would address the often excessive threat of arrests of key figures, such as CEOs, of offending globally active Internet businesses.
Professor Dan Jerker B. Svantesson is Managing Editor of the journal International Data Privacy Law. He is author of Internet and E-Commerce Law, Private International Law and the Internet, and Extraterritoriality in Data Privacy Law. Professor Svantesson is a Co-Director of the Centre for Commercial Law at the Faculty of Law (Bond University) and a Researcher at the Swedish Law & Informatics Research Institute, Stockholm University.
Combining thoughtful, high level analysis with a practical approach, International Data Privacy Law has a global focus on all aspects of privacy and data protection, including data processing at a company level, international data transfers, civil liberties issues (e.g., government surveillance), technology issues relating to privacy, international security breaches, and conflicts between US privacy rules and European data protection law.
Subscribe to the OUPblog via email or RSS.
Subscribe to only law articles on the OUPblog via email or RSS.
Image credit: Ethernet cable with a padlock symbolising internet security. © SKapl via iStockphoto.
The post A doctrine of ‘market sovereignty’ to solve international law issues on the Internet? appeared first on OUPblog.
By Christopher Kuner
Tension between different regulatory systems has long existed in certain areas (think of the disagreements between EU and US competition regulators regarding the aborted GE-Honeywell merger in the early 2000s). A similar power struggle is currently underway between different legal regimes regulating the collection, processing, and transfer of personal data (variously referred to in different legal systems as “data protection”, “data privacy”, or “information privacy” law), one that will shape the world in the 21st century.
Data protection law has traditionally been viewed as a dreary subject of interest only to a few specialists. But whether it involves filling out government forms, purchasing items on the web, communicating with friends and relatives online, or checking in for a flight, almost every activity we engage in nowadays involves the processing of personal data. The growing importance of data processing is reflected in the large number of countries (approximately 100) around the world that have enacted data protection laws, and the countries and international organisations (including the European Union, the OECD, and the United States) that are currently in the process of revising them to meet the challenges posed by globalisation and the rapid growth of the Internet.
Much personal data routinely flows across national borders, and the same data processing may result in the application of multiple laws. The ease with which data flows internationally also means that data privacy law has become a point of competition between different legal systems, with each one striving to achieve the seemingly impossible goal of simultaneously protecting the privacy of individuals, striking a balance between privacy and other important values (e.g., public security), and furthering economic growth.
This competition has been most pronounced between the European Union, which has recently asserted that other countries should follow the “gold standard” of its data protection legislation, and the United States, which believes that its system is even better. Such international regulatory spats illustrate that nations too often view the subject largely as a way to score political points, and that they have failed to grasp some basic facts about the processing of personal data:
- Protection of data privacy is not just a transatlantic issue. Data protection laws have been enacted all over the world, including by regional organizations (APEC, ECOWAS, and others) and dozens of nations in Africa, Latin America, and Asia.
- It is also not just an online issue. Nearly every economic and social activity nowadays involves the processing of personal data, including the most basic ones. Too often regulatory attention focuses on the online “flavour of the month” (e.g., social networks, search engines, etc.), and fails to recognize that data processing has become embedded in every aspect of society.
- And it is not just an economic issue, but one that can help further important developmental goals as well. For example, the UN Secretary General has begun an initiative called “Global Pulse” involving projects such as the use of data analytics to better understand the global state of various infectious diseases, and using a centralized text messaging system to allow mobile phone users to report on people trapped under buildings following an earthquake, among others. Data protection law is currently not conceived to facilitate the large-scale use of data mining for purposes related to development, public health, and similar goals, but these uses will greatly increase in coming years, and will challenge our assumptions about the purposes and structure of regulation.
Part of the problem is that while data protection and privacy issues have global ramifications, the legal framework for them is still very much a matter of local or, at best, regional regulation. While some regional organizations (in particular the Council of Europe) are attempting to become more global, there are substantial differences in the way the subject is viewed in different countries and legal systems. In contrast to some other areas of the law, there is also a lack of legal instruments and institutions of a global scope covering privacy and data protection.
Legal regulation of data processing often stands in tension with economic pressures that encourage the processing and transfer of personal data, and political pressures that inhibit the development of coordinated and coherent regulation. States are only too happy to adopt legal requirements for the private sector that they are unwilling to comply with themselves (e.g., with regard to data processing for law enforcement purposes), and technology to process personal data advances faster than the law can keep up with.
From being considered a niche area, data protection law has evolved to the point that it is hard to find areas of human endeavour that it does not concern. The way that the struggles over data protection are resolved in the coming years will determine the kind of world we live in, and the kind of Internet we have.
Dr. Christopher Kuner is editor-in-chief of the journal International Data Privacy Law. He is author of European Data Protection Law: Corporate Compliance and Regulation, and the forthcoming book Transborder Data Flow Regulation and Data Privacy Law in which he elaborates some of the topics discussed here. Dr. Kuner is Senior Of Counsel at Wilson Sonsini Goodrich & Rosati in Brussels, and an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge.
Combining thoughtful, high level analysis with a practical approach, International Data Privacy Law has a global focus on all aspects of privacy and data protection, including data processing at a company level, international data transfers, civil liberties issues (e.g., government surveillance), technology issues relating to privacy, international security breaches, and conflicts between US privacy rules and European data protection law.
Subscribe to the OUPblog via email or RSS.
Subscribe to only law and politics articles on the OUPblog via email or RSS.
Image credit: Laptop keyboard with fingerprint enlarged by magnifying glass – computer criminality concept. Image by Jirsak, iStockphoto.
The post The global data privacy power struggle appeared first on OUPblog.
