In recent years, the rapid growth of on-line services and the decentralization of information processing arrangements have exponentially increased the flow of personal information across national borders. From the processing of German railway card data in the United States to the sale of French gastronomic products through the Hong Kong web site of Marché de France, personal data is driving the global economy and fair information practices have never been more important for the protection of citizens. Indeed, the Internet and electronic commerce raise the stakes for individuals, businesses and government. Endlessly increasing collections of personal information are coupled with an uncertainty and instability in the application of data protection principles.
International data flows, whether for execution of transactions or intra-corporate data management, force divergent data protection policies and rules to confront each other with ever greater frequency. The present network environment suggests a crucial stage for the protection of individuals and international data flows. In response, this paper offers a series of instruments for international co-operation and proposes a set of strategies and partners to achieve a high level of protection for personal information in international data transfers. The respect of basic data protection principles and the assurance of citizens' rights to fair information practices will require the highest commitment to international co-operation at multiple levels in order to achieve harmonization and co-existence of data protection norms.
International data transfers are in the midst of a critical phase. The robust development of the Internet and on-line services over the last two years represents the most significant era for international flows of personal information since the first wave of computerization in the 1970s. Although cross-border transfers have been occurring for many years, the growth trends in data transfers reflect both a quantitative and qualitative shift. The instability and dynamic nature of these changes mean that rules, policies and practices of different jurisdictions will inevitably come into conflict. At the same time, the alignment of institutions addressing data protection has become unsettled and the political dimensions have re-emerged as an uncertain force.
A. Trends in Transfers
The most salient trends in data transfers range from the actual uses of deployed technologies to the commercial incentives that drive the processing of personal information.
* Clickstream Data
In a network environment, every click of the computer's mouse leaves a data trace. This "clickstream data" is far more robust than the typical "transaction data" from an electronic payment or telephone call. The clickstream reflects not just the existence of interactions, but also includes the content of those interactions. The clickstream information provides continuous, recordable surveillance of individuals and all of their activities.
This clickstream information is increasingly sought. For example, software is now readily available and used to establish monitoring programs for clickstream data in the workplace. On the Internet, most web sites collect some clickstream data in the form of log files. In contrast, service providers, for the moment, are unlikely to retain their subscribers' clickstream information. But advertising arrangements on the Internet seek, through the use of 'cookies' technology, to recapture the attributes of the clickstream data that the on-line service providers forgo.
In effect, clickstream data offers a quantitative leap forward in the amount of personal information in circulation. At the same time, the surveillance aspect of clickstream data is also qualitatively different from earlier forms of transaction data. The detail offers a picture that was previously not readily obtainable.
* Multinational Sourcing
The Internet and emerging electronic commerce activities encourage multinational sourcing of information. The entire architecture of the Internet is based on the principle of geographic indeterminacy. Distance and geographic location were designed to be irrelevant for the information processing capabilities of the network. As a result, servers and processing arrangements migrate. Corporate intranets, built using some of the same technology as the Internet, have adopted the same principle. Data collection may take place in one location, processing elsewhere and storage at yet another site. In addition, the open architecture also means that multiple intermediaries have access to data in transit or may perform processing on such data. These arrangements radically increase the complexity of data processing and obscure the responsibility for data protection.
* Data Warehousing and Data Creep
With the costs of computing and storage diminishing rapidly, isolated bits of data that in the past were useless or too expensive to process may now be collected and retained. Since information will always have value in an "Information Society," the almost zero cost of processing incremental bits of data offers a powerful incentive for 'data warehousing.' 'Data warehousing' is the stockpiling of millions of bits of personal information for future analysis. While each isolated piece of information may have little meaning or risk minimal potential harm to the individual, the aggregate collection takes on an entirely different character. The aggregation now yields patterns of behavior, profiles and an intimate slice of the lives of individuals that categorize and segregate individuals in society.
'Data creep' is also closely related to data warehousing. 'Data creep' represents the 'more is better' school of thought. Ever increasing bits of personal information are sought because of a vague belief that somehow the information will have use. Since the cost to collect and process information has dropped and the push for data warehousing grows, more seemingly innocuous information is collected from individuals for storage and future processing. For example, companies now ask for a customer's zip code even if the purchase transaction is conducted with cash. By aggregating innocuous information or seemingly anonymous data, the construction of detailed individual profiles becomes routine.
* Pressures for Secondary Use and Profiling
The ease of collection and storage coupled with the enhanced capability to use personal information create tremendous commercial pressures in favor of secondary use. Additional uses of collected personal information can generate additional value. In the name of efficiency, an existing pool of personal information becomes an attractive source of data for new uses. This diversion of personal information is particularly acute with respect to profiling. Once a substantial database exists, the ability to profile individuals within the database becomes possible and more valuable.
B. Rules, Policies and Practices in Direct Conflict
The trends in data transfers destabilize the fair treatment of personal information. Multinational processing of clickstream information and warehoused data along with the pressures for secondary use place the legal rules, data protection policies and practices of various jurisdictions in direct conflict. The characteristics of these information flows with access, collection and processing in several countries simultaneously offer many nations prescriptive jurisdiction to define the terms and conditions of fair information practices while, at the same time, attenuate the enforcement jurisdiction of each country. This paradox is not readily resolved by traditional 'conflict of law' principles. The overlapping and malleable nature of international data flows present a basic challenge to the localization required for choice of law analysis. In terms of substantive conflicts, a number of different problems arise.
* Systemic Legal Conflicts
Conflicting systems of protection for personal information pose a central problem for international data flows. The most well known conflicts arise from systemic differences in the approach and content of data protection rights. In Europe, comprehensive data protection laws establish rights and obligations for the treatment of personal information. Elsewhere, information privacy may be assured by narrower legal rules, policies or practices or alternatively data protection may even be ignored. In the absence of general data protection legislation, the full range of internationally-recognized principles for fair information practice may be hard to satisfy.
If data protection is taken seriously, then systemic legal conflicts should cause disruption of international data flows. Both the European Union Directive 95/46/EC and existing European member state laws provide for the prohibition of data flows to countries without satisfactory privacy protection. For the United States alone, Europe has justification to restrict the processing of European personal information on the basis of the narrow, but rare, American legal rights and the U.S. reliance on self-regulation that has proven itself ineffective. Similar justifications exist for other countries lacking analogous laws and basic data protection rights. Thus, systemic differences in the approach and rules of national data protection regimes place those regimes in direct conflict with one another.
* Conflicts of Divergence
In addition to systemic conflicts, on-line services face another important risk to international data flows. Seemingly minor divergences in the laws of several countries have significant ramifications for international data flows of personal information. For example, slight differences in the requirements for the contents of notifications to individuals prior to the collection of their personal information mean that data collectors cannot use the same notice for residents of different jurisdictions. Since the network environment obscures the location of users, data collectors often face a difficult choice: either they ignore the requirements or they unwittingly contravene these requirements. These conflicts of divergence become particularly pronounced for intra-corporate data sharing arrangements and for emerging electronic commerce activities.
* Compliance Conflicts
Beyond conflicts created by systemic differences and divergences, compliance deficiencies within a national framework may lead to claims of discrimination. For example, many European web sites surreptitiously capture information about site visitors in violation of the local data protection law; in the United States, the Federal Trade Commission's June 1998 study of on-line services reported dismal adherence to even minimal standards of fair information practice. Even here in Spain, the small number of transfer requests made to the data protection authority must be disproportionate to the reality. This gap between data protection principles and actual practice transforms the terms of international debate on the protection of personal information. In the international context, instead of focussing on the quality of protection afforded to personal information, the debate becomes one of unfair discrimination. The wider the national gap between principle and practice, the stronger the claim of discrimination should the principles only be applied stringently to international data flows.
C. Dynamic Institutional Alignments
While the trends in international data transfers have reached a critical juncture for the protection of personal information, the institutional structure for international co-operation is also entering a new phase. The concerns for the treatment of personal information on the Internet have re-invigorated the efforts of institutions with historical interest in data protection. At the same time, new institutional entrants have a significant stake in the resolution of international data flow conflicts and the formulation of policies for those flows.
* Re-awakening of Institutions
The two principal international organizations with interests in data protection, the O.E.C.D. and the Council of Europe, have each re-awakened to the need for enhanced international co-operation and consensus. With the November 1997 Ministerial Summit in Turku, the February 1998 workshop on privacy and the upcoming Ottawa summit, the O.E.C.D. has re-asserted itself in the business of data protection. However, the focus continues to emphasize the economic perspective on data protection. From the citizen's rights perspective, the Council of Europe has also begun to address the application of privacy principles to the Internet. In May 1998, the Council of Europe released "Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highway, which may be incorporated in or annexed to Codes of Conduct." Each of these institutions clearly wants to preserve its relevance and secure an important role in the field.
* New Entrants
Despite the re-awakening of the O.E.C.D. and the Council of Europe, these institutions face competition from new entrants to data protection policy. The World Trade Organization, a creation of the GATT 1994, will inevitably become involved in data protection. The services provisions of the new trade accords prohibit restrictions on transborder data flows. While these provisions grant exceptions for privacy-related restrictions, they still preclude each signatory country from taking discriminatory action against other signatories. Consequently, the WTO will have jurisdiction to hear complaints against any national restraint on transborder data flows. The WTO must also initiate studies of issues that affect international trade. Information flows and data protection will clearly be relevant and unavoidable under this mandate.
The other main intergovernmental entrant is the World Intellectual Property Organization. Although the mission of the WIPO is to promote intellectual property rights management, the digital environment merges many intellectual property rights issues with those of data protection. Data protection has implications for the ownership rights to data and the mechanisms for electronic rights management have implications for the fair treatment of personal information. WIPO cannot ignore the study of data protection as it moves toward the adaptation of intellectual property rights for electronic commerce.
Outside of intergovernmental organizations, technical standards bodies have become stealth entrants. These bodies establish technical rules that embed policies for the international flow of personal information. The technical capabilities of new systems have critical ramifications for data protection. For example, the results of reforms to the domain name system for the Internet may make localization of users and servers easy or impossible. Organizations such as the World Wide Web Consortium (W3C), the Internet Society, IANA and the Internet Engineering Task Force are each forming data protection policies, though often in an inadvertent manner.
D. Political Dimensions
The political dimensions are similarly at a critical stage for international data flows. On the one hand, the European Union has taken a strong position in favor of the examination of foreign data protection rules and in support of embargos of data going to destinations with inadequate levels of protection. But, the European Union faces many challenges to the strict enforcement of these rules. The member states are likely to have different views on particular cases and Europe does not appear to seek an impenetrable data fortress.
The internal or national political reality also has consequences for international data flows. Within Europe, for example, the transposition of the European Directive into member state law illustrates the political fluidity of data protection. Bureaucratic squabbles and political maneuvering will determine the specific outcomes of transposition and will set the tone for each country's international posture. Elsewhere, these "turf" battles will be particularly acute in countries without data protection authorities, like the United States. Where there is no existing data protection authority, differing government agencies are likely to fight over jurisdiction and hence power. Compromises are likely to result in a series of agencies having pieces of responsibility for data protection policy. In addition, as seen in the United States, industry lobbyists are likely to promote agencies such as the U.S. Department of Commerce which are traditionally more sympathetic to the interests of industry than to those of individuals. These political alignments will complicate efforts for international co-operation.
The crucial stage in international data transfers makes international co-operation imperative for effective data protection in any particular country or region. Uncertainty and instability in the protection of individuals will each be harmful to international data flows. To facilitate international flows of personal information and vigilantly assure data protection, international co-operation has a dual mission: to promote the co-existence and eventual harmonization of standards of fair information practice, and to assure the creation and implementation of a data protection infrastructure. These objectives can be achieved with a number of new instruments for data protection.
A. "General Agreement on Information Privacy" (GAIP)
Although the Council of Europe Convention has had some success as an international treaty on data protection, the instrument lacks a sufficiently broad range of signatories. Most notable among the absences is the United States. Since the United States is unlikely to agree in the near term to an obligatory set of data protection principles, the Council of Europe Convention will not be able to expand effectively in North America.
The time has, therefore, come for a new type of international treaty on data protection. This proposal is a variant of the idea launched in September 1997 at the Montreal Conference. Rather than the establishment of an international privacy secretariat composed of interested participants, data protection needs an intergovernmental "General Agreement on Information Privacy" (GAIP) that encompasses a large number and wide range of signatory countries.
GAIP should focus on the establishment of an institutional process of norm development that can facilitate the co-existence of differing regimes and over time promote harmonization of standards.
The GATT compromise in 1947 offers a useful model for this first step toward effective international co-operation. After the failure of the Havana Charter to create an International Trade Organization, the resulting GATT was as important originally for the establishment of an institutional mechanism that allowed countries to address trade disputes as it was for the reductions in tariffs and quotas. Like the GATT concept in 1947, the GAIP treaty should recognize basic principles of data protection and create a high level negotiating forum for consensus based decisions. By institutionalizing such negotiations in a multilateral setting, two important data protection objectives may be achieved. First, counterparts for data protection policy discussions will be clearly designated even in countries without existing data protection authorities. Second, expansive representation and regular negotiations can predictably lead to increased consensus over time on necessary standards. The GATT evolution toward the Uruguay Round accords and the adoption of the GATT 1994 illustrates this latter trend.
B. Technical 'Codes of Conduct'
In addition to any public law instrument, international co-operation must focus on technical standards and private solutions. Technical standards combined with their implementation offer a direct guarantee of fair information practices in any information transfer. For example, if the infrastructure of an on-line payment system only allows anonymous transactions, data protection is absolute. Alternatively, an infrastructure that uses trusted third parties to authenticate and verify the identity of participants in the on-line payment system may automatically assure fair treatment of personal information by some participants, but not others.
Standards decisions, in effect, mix technical issues with policy choices. From the perspective of data protection authorities, standards as well as their implementation must be treated as 'codes of conduct' just like trade association policy statements. As a consequence, the safe harbors that let industry know how to satisfy its obligations, and the automated compliance mechanisms that are essential to assure international data flows, can be constructed. For example, the more modern data protection laws such as the Dutch law and the European Directive (Article 29) include procedures for the approval of industry codes of conduct. This procedural device should be used to encourage the creation of an infrastructure designed to assure data protection rather than challenge it. Technical codes and implementation configurations may be approved like industry policy guidelines. By incorporating data protection within the infrastructure architecture, technical solutions may also be used to arbitrate among divergences in national laws. W3C's "Platform for Privacy Protection" initiative might, for example, one day serve this purpose if server-based filtering can be used to identify and protect against deviations from a jurisdiction's mandatory rules. Intelligent agents might, as another example, be used to protect against the secondary use of stored personal information. In either case, such arbitration can maximize international data flows without compromising data protection.
C. Multi-interest Privacy Summits
Given the effervescent stage of information processing in the on-line environment, national governments must have an on-going dialog with all stakeholders from industry and privacy advocacy groups as well as independent experts and scholars. Such an open dialog is crucial to the future of international data flows and the development of coherent policies.
The O.E.C.D. Workshop on Privacy in February 1998 and the White House conference on privacy in June 1998 are useful models for this form of multi-interest summitry. Though few substantive advances were achieved, dialog and information sharing among the private sector, academic experts, advocates and government helps build consensus on the implementation of data protection practices.
At the international level, the O.E.C.D. is a logical organization to act as a convener for such conferences. The O.E.C.D. has experience in fostering this type of dialog between government and business. More recently, however, the O.E.C.D. has been quite sympathetic to business and less directly concerned with citizens' rights. For example, BIAC is an accredited observer, but no privacy organizations have official observer status. The success of future summits will, thus, depend on the balance achieved between the airing of business views and the critiques of those without commercial interests at stake. For the O.E.C.D. to continue to proceed effectively, it must seek the participation of each of the interest groups. Accreditation for privacy organizations and the formation of a standing expert advisory committee will be necessary. Such multi-interest summits should occur on a biennial basis to assure sufficient frequency and high-level participation.
As the instruments and institutions affecting international data flows and the protection of personal information evolve, data protection authorities have a vital role in the resolution of international conflicts. Data protection authorities can act as "emissaries" for fair information practices and they can serve as "advocates" for the rights of individuals. These two key strategies and their corresponding partners offer data protection authorities a powerful means to promote the internationalization of high standards for data protection and the assurance of international data flows.
A. Emissary Strategy
The emissary strategy consists of representing the data protection perspective in a variety of international contexts. By exposing and highlighting fair information practice standards with different governmental and non-governmental partners at the international level, data protection authorities can reduce misunderstandings, find ways to enable the peaceful co-existence of national data protection approaches and move toward consensus on international standards. Three sets of partners are critical to this endeavor: data protection authorities themselves, foreign governments, and international organizations.
* Partnerships among Data Protection Authorities
International co-operation among data protection authorities is well established on both formal and informal levels. The annual Commissioners' meeting, the regular meetings of the Berlin Working Group on Data Protection in Telecommunications and the quarterly sessions of European commissioners under the auspices of the Article 29 Working Party each reflect organized efforts to promote shared data protection interests among national authorities. More informally, direct contacts among Commissioners and discussions at prominent international conferences such as the annual Privacy Laws & Business Cambridge conference have also served an important role in coordinating resources and expertise.
Yet, these 'emissary' contacts should move to the next stage and exploit new opportunities to promote international consensus. 'Emissaries' can take collective policy positions that advance the understanding of fair information practices for international data flows.
The Berlin Group and the Article 29 Working Party have started to issue such declarations and interpretations of data protection principles. These documents help set and define the international agenda. Future Commissioners' Conferences would be well served to issue a final substantive declaration at the conclusion of the Commissioners' session. Such a strategy would focus preparatory work by the host Commission and elicit areas of consensus among the data protection authorities. Over time, such declarations would build a strong and clear set of standards for international data flows.
* Partnerships between Data Protection Authorities and Foreign Governments
Since many countries around the world including the United States do not have a national data protection agency, contacts between data protection authorities and foreign governments must be developed. A number of data protection authorities have pursued this strategy with the United States as has the European Commission. However, the strategy is a complicated one because foreign government counterparts may not be stable. In the United States, for example, each year seems to find a different government agency in charge of the domestic privacy agenda. As many at the Commissioners' conference have noted, when the U.S. government sends observers to the annual meeting, there is little continuity in either the staff or the U.S. government agency being represented.
Since several different government offices in many countries may have jurisdiction over data protection matters, data protection authorities risk being caught in the internal disputes of foreign government bureaucracies. This makes emissary contacts more elusive, but no less critical. If a country's internal data protection policy apparatus is not stable, the potential for international conflicts multiplies. Data protection authorities will need to seek the assistance of their own government offices to sort out some of the diplomatic issues and identify the key domestic policy players.
* Partnerships between Data Protection Authorities and International Organizations
As the traditional institutions of data protection, the O.E.C.D. and the Council of Europe, seek to expand their role in international conflict resolution, and as the new entrants, the W.T.O. and the W.I.P.O., begin to address fair information practice issues, data protection authorities can offer valuable expertise and insight while ensuring that their perspectives are not lost. The emissary strategy with international organizations will, in essence, help frame these organizations' agendas for international co-operation.
Nevertheless, the avenues for input at most of these organizations are not familiar to data protection authorities. For the O.E.C.D., the W.T.O. and the W.I.P.O., typically commerce departments, finance or economic ministries coordinate national participation. Data protection authorities will need to seek membership on country delegations to these fora. In contrast, at the Council of Europe, foreign affairs ministries are more active and data protection authorities have had regular channels of participation. These must continue.
B. Advocacy Strategy
The advocacy strategy involves the active promotion of specific standards of fair information practice. Paradoxically for international co-operation, this strategy may be confrontational at times. Through a certain degree of confrontation, issues can be clarified as fundamental or easily resolvable. Where the differences are fundamental, advocacy may force compromises and solutions. This advocacy strategy applies to three types of counterparts: foreign governments, technical organizations and foreign organizations (e.g. companies and trade associations).
* Data Protection Authorities and Foreign Governments
The advocacy strategy is clearly in progress between the United States and Europe over the implementation of Articles 25 and 26 of the European Directive and its equivalents in national laws. Since the start of the process to adopt the European Directive, the international agenda on specific data protection standards has largely been set by the European Union and several of the member state data protection authorities. By setting a minimum threshold of protection as a condition for data exports from Europe, the Directive along with the prior law in several of the member states advocates a strong and potentially confrontational position to foreign governments.
In response, the American position for the past eight years has been largely defensive. At first, the U.S. government firmly asserted that American data protection was equal to that in Europe. Yet Europeans had access to unfiltered sources of information about the U.S. system and were not persuaded. Continued European advocacy pushed the U.S. government to try to justify reliance on self-regulation and now, in the face of public failures of industry to implement substantive measures, the Federal Trade Commission has urged Congress to enact data protection legislation along the lines of the O.E.C.D. guidelines.
This example illustrates that the confrontational risk of transborder data flow restrictions has worked as an effective negotiating tool and that the agenda setting function is a particularly valuable aspect of the advocacy strategy.
* Data Protection Authorities and Technical Organizations
The advocacy strategy is particularly important to influence the work occurring in technical organizations such as W3C, ISO, ISOC and IANA. Too often, data protection authorities ignore the technical discussions. While the Berlin Group took an important initiative and became involved in consultations with W3C over a privacy transmission protocol, the input appears more advisory than advocacy. As advocates, data protection authorities can insist on certain standards or technical capabilities as a pre-requisite to the permissible use of the technology for processing personal information. France, for example, used this approach with the providers of software for airline reservation systems and has incorporated this strategy in the 1996 Telecommunications Law that imposes liability on service providers who fail to offer content filtering capabilities to their Internet service subscribers.
Nonetheless, the Berlin Group's involvement in technical fora seems exceptional rather than a priority concern of many data protection authorities. Where, for example, have the data protection authorities been while the structure of the Internet domain name system is re-organized? These policy debates offered a significant opportunity to build specific data protection options into the architecture of the Internet. The name system could be structured to both assure anonymity of personal information and to enable the application of data protection principles to on-line activities. In other areas of technical standardization, think of the possibilities to make anonymous use of the Internet more accessible or the establishment of data protection icons, like a Truste logo, that might reflect particular substantive rules, policies and practices. Similarly, technical standards might be developed that enable automation devices to bridge differences across data protection rules. For example, protocols might be used to automate the satisfaction of different notice requirements such as pre-requisite information and different consent mechanisms.
One of the explanations for the hesitance of data protection authorities in the technical arena is that this advocacy strategy changes the personnel dynamic within data protection agencies. Agency staff need greater technical expertise. In particular, staffers must be as comfortable speaking of 'metatags' as they are thinking about 'purpose specifications.' This shift is necessary, but likely to be difficult for some agencies.
In any case, without a strong advocacy strategy from data protection authorities, technical organizations and their clients are unlikely to implement standards in a manner that actively promotes basic principles of data protection. W3C provides a useful illustration of the resistance. The technology for filtering Internet content as well as privacy practices has been available for three years. Yet, to date, neither PICS nor P3P has settled standards or widespread acceptance. And the P3P effort is essentially an American-driven exercise. In the absence of an advocacy strategy with a few confrontations, the incentive structure does not exist for the technical organizations to focus on the international dimensions of national standards, or for companies to implement privacy technologies that adequately secure citizens' rights.
* Data Protection Authorities and Foreign Organizations
In many countries without data protection agencies, like the United States, the advocacy strategy plays a critical role in persuading foreign organizations to adopt standards of fair information practice. Communications from data protection authorities to foreign organizations such as companies or trade associations fill the gap where the data protection authorities have no counterpart. The effectiveness of this strategy is also seen in the European Commission's dialog with U.S. business groups. Many U.S. industries and companies have developed data protection programs during the last several years largely in response to the perceived threat from the European Directive.
The expansion of direct advocacy to foreign organizations offers a means for data protection authorities to assure critical standards of the fair treatment of personal information in international data flows. As advocates, data protection officials can use confrontations over transborder data flow prohibitions to find solutions such as contracts stipulating liability of exporters like the Citibank/Bahncard example in Germany. In the long term, direct advocacy to foreign organizations is likely to lead to increased participation by the governments of those countries and an increased centralization of data protection policy toward the establishment of a counterpart for discussions with the data protection authority.
This paper highlights a set of methods for data protection authorities to promote international data flows through international co-operation. None of the instruments and strategies are mutually exclusive. To the contrary, they collectively form an important basis to strengthen international co-operation. The key recommendations to accomplish resolution of international data flow conflicts are:
1. Launch treaty negotiations for a "General Agreement on Information
2. Participate in the development and approval of technical 'Codes of Conduct'
3. Promote biennial summits through an O.E.C.D. process
4. Pursue combined emissary and advocacy strategies for the development of standards