Search Results

This chapter considers how restrictions on cross-border transfers of data work, or perhaps don't work, in cloud environments and how they might be improved. The concept of ‘transfer’ and the prohibition on transfers of personal data to countries that fail to provide an adequate level of protection for personal data are explained. Various exception to, and derogations from, the transfer prohibition rule are evaluated, including consent, the US Safe Harbor, model contract clauses, and Binding Corporate Rules (BCR).

This chapter introduces the Binding Corporate Rules (BCR) regime as developed by the Working Party 29, recognizing corporate self-regulation as an alternative method for multinationals to comply with the EU data transfer rules. It discusses the European BCR approval procedure as well as its shortcomings. It is further discussed in which non-EU countries BCR are (potentially) recognized as a valid data transfer tool also for data transfers from these non-EU countries. Recommendations are made to recognize BCR as a valid tool for data transfers in the proposal for a Regulation on Data Protection and to streamline the BCR authorization procedure.

A number of international instruments such as the Council of Europe Convention 108, the OECD Privacy Guidelines, and the EU Data Protection Directive 95/46, regulate the flow of personal data across national borders. International regulation exists largely at the regional level, and as yet there is no multinational instrument of truly global scope dealing with the subject. The various international instruments demonstrate a number of similarities, but there are also important differences between them (e.g., as to whether they are legally binding, and whether they treat data protection as a fundamental right). International human rights law protects the free flow of data across national borders, but governments have sometimes restricted such transfers under the guise of informational sovereignty. The most influential model has been the EU Directive, which has significantly influenced regulation in other regions, but other regional models are currently gaining influence.

The international transfer of personal data has had a positive impact around the world, while subjecting the privacy of individuals to new and increased risks. Regulation of transborder data flows is now a subject of strategic importance as data flows have become integral to economic and social development, free expression, cultural activities, and other basic values. Before widespread use of the Internet began, it was assumed that transborder data flows were an exceptional occurrence, but transborder flows of personal data are now the rule, and there is now more sharing of personal data between governments (often for law enforcement purposes) than ever before. There is a lack of clarity regarding issues such as what constitute ‘transborder data flows’; what are personal data; what the distinction should be between data controllers and data processors; and the legal status of data transfers of their own personal data initiated online by individuals.

Transborder data flow regulation is best regarded as a form of legal pluralism, since there is no hierarchical legal structure that can provide an overall, authoritative governance framework for it. However, the framework could be improved by adopting a default position allowing transborder data flows without a separate legal basis; using an organizational approach that includes geography as a relevant factor; ensuring the continued accountability of data controllers; better adjusting regulation to technological realities; promoting international legal interoperability; exercising jurisdictional restraint and furthering greater acceptance of international values; increasing regulatory transparency; and improving regulatory compliance by States. There has been an undervaluation of the benefits of data flows, and regulation has focused too much on securing application of local standards to personal data transferred outside national borders, while neglecting policies that are in the interest of the international community.

This introductory chapter contains a description of the subject matter, scope, and aim of the book: an assessment of the suitability of corporate self-regulation of data protection as an instrument to regulate global data transfers within a group of companies. It mentions the accountability principle and also discusses corporate self-regulation.

Since the 1970s, over seventy countries in all regions of the world have enacted national data protection and privacy laws regulating transborder data flows, which is largely based on the various international and regional instruments; regulation also exists at the state and local levels. In addition, private sector-instruments such as contractual clauses, internal company policies, and codes of practice are becoming more widely used to structure and protect international data transfers. The role that technology can play in protecting and regulating transborder data flows has not been sufficiently recognized.

This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.

There are a variety of different approaches under which transborder data flow regulation can be classified, such as that many of them regard data protection as a fundamental right, while some do not; some are based on the level of protection in the geographic entity to which data are transferred (the ‘adequacy’ approach), while others focus on the protections implemented in the organizations that process the data (the ‘accountability’ approach); and some have a default rule that does not allow data transfers absent a separate legal basis, while others generally allow transfers but give regulators the power to intervene. These approaches are not mutually exclusive, and some regulation can be classified in more than one category. There is a lack of overall global harmonization, with different types of regulation and a variety of institutions to deal with them.

Regulation of transborder data flows often functions as a kind of conflict of laws regime that seeks to apply the forum’s law to data processed abroad, with the applicable law attaching to data and following them as they are transferred around the world. This reflects the fact that regulation is often viewed as a way to protect the rights and interests of a State’s own citizens, rather than as a matter of international importance. This has led in turn to an increase in conflicts between data protection regimes, and between rules of data protection law and those of other legal regimes. The application of data protection law to data processing abroad is further complicated by its status in many States as a fundamental right, which brings with it a protective duty of the State towards individuals.

The main purposes of transborder data flow regulation are most often articulated as preventing circumvention of the law, guarding against data protection risks abroad, ameliorating the difficulty of asserting rights abroad, and enhancing confidence. These policies have shifted over the years; for example, concerns about circumvention of the law have receded as more countries have enacted data protection laws, while worries about data protection risks abroad have become more acute as governments have increased the amount of personal data they process. States have also sometimes enacted transborder data flow regulation as a way to further their sovereignty, and there is a risk that regulation of transborder data flows may be used by States to thwart rather than to promote individual rights.

This chapter chronicles the attempts by US agencies to collect uniform crime data from thousands of precincts and courts. Federal surveys such as the National Criminal Victimization Survey (NCVS) provide essential periodic information on crime levels at different geographic units, but also are the basis for criminal career research. Currently many national statistical systems are facing serious challenges with increasing costs and not meeting the demands of policymakers, researchers, and the public at large. For example, the NCVS is dogged by decreasing response rates and poor documentation of different forms of crime. The chapter makes the case that improvements are needed before administrative data are analyzed, including establishing data transfer agreements with the administrative agencies; developing a detailed understanding of the structure, logic and content of the administrative database; and creating programs able to extract the needed statistical information from the administrative databases.

This chapter delves into data protection, which is considered a cross-cutting issue and relevant for bilateral economic and security relations. It examines the ad hoc transitional solution set in the Trade and Cooperation Agreement (TCA) that secures the continuing transfer of data between the UK and the EU. It also assesses the Commission adequacy decision that is designed to regulate commercial data transfers from June 2021 onwards. The chapter discusses the fate of the new EU-UK data protection framework, which is dependent on action by the EU Court of Justice (ECJ). It aims to reconstruct how the UK data protection framework has evolved in the last four years, from the time of the Brexit referendum to the conclusion of the TCA.

This chapter takes an interest in what counts as valuable in the coordinative practices of large-scale research. The focus is motivated by how values are sometimes understood as part of what can hold large research endeavours together. Here, however, the topic of values is raised without presuming those values to be fully shared and part of what is holding the overall endeavour together. Empirically the focus is on clinical registries, which analyse data relating to a large number of patients visiting different clinics. Examining how data are gathered and transferred in three registries, the study found a rich and diversified set of arrangements in use. Each registry can be understood as accommodating a few different modes for the gathering and transfer of data, where each enacts somewhat dissimilar values. Hence, the registries examined here are not bound together by exchanges repetitively reinforcing a single set of widely shared values.

Edward Snowden’s surveillance revelations in 2013 raised the issue of privacy and security in the public spotlight. These revelations underlined the need for a strong data protection framework. At the same time, the pressing demand to address security concerns and the threat of terrorist attacks might weaken privacy and data protection standards. Two landmark judgments of the Court of Justice of the European Union, namely the Digital rights Ireland judgment (which invalidates the Data Retention Directive) and the Schrems judgment (which invalidates the Safe Harbour Decision forming a legal basis for transatlantic data transfers) are of great significance in strengthening the rights to privacy and data protection in the context of digital mass surveillance. They continue to have far-reaching implications for EU and national data retention mechanisms, as well on the cross-border data transfer framework. Through the lens of the CJEU, the chapter reveals the key challenges that data protection law faces both at national and EU level that have to be addressed in response to mass surveillance in order to maintain a proper balance between privacy and national security.

Formatted data transferred to or from an external medium require the exact formatting of the data to be specified. All aspects of how this may be achieved are fully described in this chapter. The various types of data edit and control descriptor are listed, together with methods to control file connection modes and to manage the formatting of entities of a derived-data type.

The means whereby data are transferred to or from an internal or external file are fully described. The definitions of a file and/or unit are introduced, and the various forms of data transfer (sequential, direct, asynchronous, and stream) are described. Formatted and unformatted data are differentiated. Non-advancing and namelist input/output are introduced.