This is a thorough book on a fast-evolving topic. The law surrounding transborder data transfers is complex, involving state and national law, regional and other international conventions, and private law. More complex still is the reality of transborder data flows, as globalization, advances in technology and shifting national interests constantly change the applicability and effectiveness of the laws. The book is global in scope (p. 19), without delving into too much detail for any one jurisdiction, but offers a comprehensive analysis of the main policy, regulatory and jurisprudential issues surrounding transborder data flows.
The work has two parts. The main part consists of eight chapters, described below, and the book also includes an appendix with a compendium of relevant regulations from many jurisdictions, all made accessible in English. The first chapter offers an introduction to the topic. Apart from the obvious point that international data flows have grown dramatically, the author makes several important observations that set the tone for an analysis of this area of law which, simply put, is not close to keeping up with the reality it regulates. He notes, for example, that the technological complexity of data flows, and the effort required to track the movement of those data, make it barely feasible even to distinguish transborder data flows from those that remain within a jurisdiction (p. 6). Indeed, ‘transfer’ is used by the EU Directive, while the OECD and Council of Europe use ‘flow’, though neither term is defined, and both are largely dated, as we should today perhaps speak of data being made ‘available’ in another jurisdiction (pp. 11–14).
In the second chapter the author provides a legislative history of transborder data flow regulation, and surveys the relevant international instruments with an emphasis on the EU directive. Kuner notes that the first regulation of transborder data flow was the 1970 law in the German federal state of Hessen (p. 26), though he also observes that in the international sphere the International Telegraph Convention of 1865 (p. 31) was specific about how and under what circumstances states could restrict the transfer of telegrams at their national borders. This area of law really emerged in the 1970s, and at that time a transborder data flow was very much an exception, with data generally staying in their jurisdiction of origin (p. 27). The author discusses the two main justifications for transborder data flow regulation: protection of the privacy of the data subjects, and protection of sovereign, national interests (pp. 28–32). Kuner goes on to examine in detail the international law instruments regulating transborder data flows. These include: various international human rights covenants and documents; the OECD Privacy Guidelines, 1980; the Council of Europe Convention 108; EU Data Protection Directive 95/46; and additional regional frameworks such as the Asia-Pacific Economic Cooperation group's Privacy Framework, and an instrument promulgated by the Economic Community of West African States and others. Of particular interest here is the author's critique of the proposed changes to the EU directive, and especially his conclusion that the proposal does not sufficiently address the needs of cloud computing (pp. 48–49). For example, the controller's legitimate interest is a derogation from the transborder data flow prohibition, but that derogation does not apply to “frequent or massive” transfers of the kind that characterize cloud-computing services.
In the third chapter, the author delves into a most interesting discussion of one of the higher-level topics in connection with transborder data flows, namely the merits of geographically-based versus organizationally-based regulation (pp. 64–76). The former is premised on the notion that irrespective of where data are transferred, they must remain subject to adequate protection. This is reflected by adequacy requirements in the EU Directive (art. 25), the Council of Europe Convention 108 and the laws of such diverse jurisdictions as Senegal and Andorra. Kuner highlights the difficulties involved in assessing the adequacy of another jurisdiction, and the way international relations can affect the granting of such recognition.
An alternative to geographically-based regulation is an organizationally-based approach. This shifts the accountability from regulators in various countries to the data controllers. Several private-law tools are available, including: the Safe Harbor – which allows transfer from within the EU to US corporations that have bound themselves contractually to meet EU data protection standards; Binding Corporate Rules, which allow transfer between related companies; and Standard Clauses which, like the Safe Harbor, contractually bind companies to meet EU data protection law and suffice to allow international transfer to those companies. This accountability approach does not necessarily stipulate a given standard, but shifts much of the responsibility and liability for compliance from the regulator to the data controller (pp. 74–76). Kuner notes that current regulation, such as the EU directive, allows transborder data flows both through geographically-based adequacy and through organizationally-based accountability, and posits that only a combination of these two approaches will be capable of dealing with the increasingly complex data transfer issues raised by the evolution of the internet (p. 76).
The fourth chapter runs through various approaches in the many jurisdictions with transborder data flow regulation. The author highlights some of the different national implementations of the EU directive (p. 86), and different conditions and presumptions of the many jurisdictions, grouped by region. There follows an analysis of private-sector initiatives for regulating transborder data flows – the Safe Harbor, Binding Corporate Rules, and Standard Contractual Clauses (pp. 92–96). Kuner then argues that much more should be made of technology to regulate and facilitate transborder data flows. The European Commission's proposed General Data Protection Regulation requires data controllers to apply “privacy by design” which could be implemented for transborder data flows by using technologies such as geolocation of servers and users, and encryption of data (pp. 96–99).
In the fifth chapter the author examines in detail the policies underlying transborder data flow regulation. Notably, the risks and rewards associated with transborder data flows have changed since regulations were made in this area, but regulations and their policy underpinnings have not kept up with reality. For example, the dramatic growth of online services and social networks, which generally involve transborder data flows, shows that most users are indifferent to, or unaware of, the risks (p. 119). Conversely, China provides a particular concern – “trepidation” is the author's word (p. 114) – that data stored in that country will be available to law enforcement. In most cases the concern raised by data flowing across borders is with the lower protection provided in the importer's jurisdiction; however, the United Arab Emirates threatened to terminate the BlackBerry service in its country because data were going back to the company's servers in Canada, where those data are governed by stricter regulations with less government access (pp. 107, 109), an example in which sovereignty trumped data protection as an interest behind transborder data flow regulation. The book was written before the PRISM and Tempora revelations in 2013, and the author's opinions on how these revelations may influence policy in the future would be an interesting addition.
In the sixth chapter Kuner again addresses a general topic as applied to this area – that of jurisdiction and applicable law (though the discussion of the two could have been more carefully separated). The doctrine of personality – meaning that the law that applies to a person follows that person across borders – and the “effects doctrine” – allowing jurisdiction wherever the effects of a particular act are felt (p. 123) – both have merit, but data protection law has particularly applied the personality doctrine, with a twist. The law that first applies to the data – not the data subject – continues to follow the data wherever they are processed; the author notes the example of Ghanaian law, which mandates that the law that applies to data will continue to apply after those data are imported into Ghana (p. 124). Ultimately, notes Kuner, states want their laws applied globally, whilst also wanting seamless transborder data sharing (p. 142), but this is not practical without harmonization of the various national laws.
The seventh chapter contends with enforcement and compliance. The author shows that both have been poor and suggests several reasons for this. He notes that businesses that face no considerable business risk from a compliance failure will do the minimum to comply (p. 148). He further notes that the complexity and opacity of the regulation, as well as the lack of enforcement on account of the slender resources at the disposal of data protection authorities, reduce compliance levels (pp. 148–150, 154–5).
In the eighth and final chapter, Kuner provides an excellent, insightful summary of the trends and issues that have emerged in transborder data flow regulation in recent years. He then shares what was, to this reviewer, the most interesting insight about the topic. He suggests that transborder data flow regulation “is best understood as a form of legal pluralism” (p. 160). There is a multiplicity of approaches and regulations, with no higher authority, instrument or institution overseeing the many elements. No one element of transborder data flow governance can contend with the plurality of approaches: “national governance is too parochial, international governance would not provide for sufficient public involvement, and technological or private sector solutions could lack democratic legitimation” (ibid.). Kuner notes that a global solution would need to be “constitutional”, meaning an agreed hierarchy of rules to resolve conflicts of authority (p. 161). The author then proposes a framework for regulating transborder data flows.
An important insight surfaces here, that much “of the confusion concerning transborder data flow regulation results from the difficulty of separating the risks of transferring data to third parties in general from those of transferring data across borders” (p. 167). The author believes that transborder data flows should not, ultimately, require a separate legal basis from the basis for data processing in general. He supports the organizational approach; the risks and responsibilities that go with transborder data flows ought to be borne by the organizations, and retained by them throughout. For example, it would be for the exporter to investigate the risks associated with a particular transfer, to ameliorate them and to ensure the data subjects are informed (p. 173). Kuner advocates a larger role for technology, and for “privacy by design” generally, in ensuring protection of data during transborder flows (pp. 174–5), as well as supporting several concrete steps for harmonization of relevant regulations across jurisdictions.
The appendix is a useful resource for anyone interested in examining the various regulations across different national and international jurisdictions and organizations, including every jurisdiction in which the author has found specific regulatory treatment of transborder data flows, and also major, non-binding international instruments.
This is an important book for anyone with an interest, academic or professional, in data protection and information privacy, and particularly in transborder data flows. Though this book is probably not for a general law reader, the author has done an admirable job of addressing the general legal questions that arise in this context, such as: theories of accountability, jurisdiction and choice of law, compliance and enforcement, and pluralism. His focus on the potential role of technology in protecting data privacy is enlightening, and this reviewer was sorry that Kuner did not elaborate further on the potential for technology to enhance privacy whilst facilitating transborder data flows. Hopefully he will do so in future.
Perhaps most important will be Kuner's proposed framework for international data transfer collaboration and governance. As an experienced practitioner and academic thought-leader, his opinion carries considerable gravitas, and he has articulated his vision and solution clearly and concisely. His view cannot be ignored and, on the contrary, forms an excellent springboard for an international framework for data transfer governance. Hopefully data protection authorities (DPAs) around the world will give due consideration to Kuner's proposals, and these could form a basis, or at least a catalyst, for some form of harmonization.