In the global information economy, personal data have become the fuel driving much of current online activity. Every day, vast amounts of information are transmitted, stored and collected across the globe enabled by massive improvements in computing and communication power. Some broadband packages of today are 36,000 times faster than what dial-up Internet connections could offer when the first Internet browser was introduced two decades ago. In developing countries, online social, economic and financial activities have been facilitated through mobile phone uptake and greater Internet connectivity. The transborder nature of the Internet as well as the speed and sheer volume of communications pose problems to cyber security such as those related to the identification, investigation, jurisdiction, criminalization and prosecution of those who commit security and data breaches. In this environment, security of information is a concern for governments, businesses and consumers alike.
Protecting data and privacy rights online is a significant and increasingly urgent challenge for policymakers.
Data protection regulation is high on the political agenda at the time of writing, as evidenced by a number of current developments.
- The United Nations in 2015 appointed a Special Rapporteur on the right to privacy.
- The European Union is finalizing a new General Data Protection Regulation to replace the European Directive on Data Protection, which has been a prominent source of regulation for twenty years.
- Data protection has been included in several international trade agreements.
- Data protection regulation has been considered in several high profile court cases in relation to national surveillance issues.
- Numerous countries are drafting new data protection laws or are reviewing existing ones.
- The European Union and the United States have re-negotiated a long standing cross- border data protection agreement (the former EU-US Safe Harbor Framework, now to be known as the EUUS Privacy Shield).
- Several global and regional organizations have issued (or are developing) multiparty agreements and/or guidelines on data protection.
Article XIV ( c) (ii) of the WTO’s General Agreement on Trade in Services (GATS) permits trade restrictions
that are necessary for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts”, specifying that “such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services”.
Article XIV of the WTO General Agreement on trade in Services. Article 14.11 allows restrictions on cross border transfers if they satisfy four requirements:
(i) the law must be necessary “to achieve a legitimate public policy objective” – this appears to be very straightforward requirement;
(ii) the law must not be “applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination
(iii) the law must not be “a disguised restriction on trade”; and
(iv) the law must “not impose restrictions on transfers of information greater than are required to achieve the objective”.
This is a very high level provision that recognizes the positive aspects of data protection regulation.
However, it is also well recognized that if data protection regulations go ‘too far’ they may have a negative impact on trade, innovation and competition. While the potential need to control cross-border flows of data for privacy purposes is clear, the application of such controls in an increasingly interconnected world is very challenging. ICT developments, such as cloud services, are making things even more complex, with processing entities not necessarily aware about where data are located.