没有合适的资源?快使用搜索试试~ 我知道了~
构建国际数据隐私法.pdf
1.该资源内容由用户上传,如若侵权请联系客服进行举报
2.虚拟产品一经售出概不退款(资源遇到问题,请及时私信上传者)
2.虚拟产品一经售出概不退款(资源遇到问题,请及时私信上传者)
版权申诉
0 下载量 96 浏览量
2024-04-01
10:10:25
上传
评论
收藏 571KB PDF 举报
温馨提示
试读
49页
构建国际数据隐私法.pdf
资源推荐
资源详情
资源评论
Int’l Data Privacy Law 21
Structuring International Data Privacy Law
By Paul M. Schwartz
*
& Karl-Nikolaus Peifer
**
I. Introduction
Due to the significance of international flows of personal information, the
stakes are high today for the European Union and the United States when it comes
to data privacy law. According to one estimate, the U.S.-EU economic relationship
involves $260 billion in annual digital services trade.
1
Cross-border information
flows represent the fastest growing component of U.S. as well as EU trade.
2
In
today’s information economy, moreover, much of this U.S.-EU trade involves
personal data. As one reporter on the tech beat noted, “International data transfers
are the lifeblood of the digital economy.”
3
The sharing and use of personal information now drive many daily activities,
including finances, health care, shopping, telecommunications, and transportation.
Leading U.S. technology companies depend on access to and use of the personal
information of EU citizens to provide data-driven services on the continent. Cloud
providers, which offer decentralized mobile access to computing power throughout
the world, similarly access and use the personal data of EU citizens. Differences in
transatlantic regulations potentially imperil these critical international data flows.
The resulting EU-U.S. dispute has been termed the “transatlantic data war.”
4
The roots of this “war” are found in the differing legal approaches to information
privacy in the two jurisdictions. There has also been a longstanding debate in the
EU about whether U.S. law provides sufficient protections for the personal
information of EU citizens when U.S companies and public authorities collect and
process it.
5
This policy debate has been accompanied by the EU setting strict limits
*
Jefferson E. Peyser Professor of Law at UC Berkeley School of Law; Director, Berkeley Center for
Law & Technology. The authors would like to thank the Thyssen Foundation for their support of
this Article.
**
Professor of Law, University of Cologne, Cologne, Germany; Director, Institute for Media Law and
Communications Law.
1
Penny Pritzker & Andrus Ansip, Making a Difference to the World’s Digital Economy, U.S. DEP’T OF
COM. (Mar. 11, 2016), https://www.commerce.gov/news/blog/2016/03/making-difference-worlds-
digital-economy-transatlantic-partnership.
2
Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the
European Data Economy, SWD (2017) 2 final (Jan. 10, 2017).
3
Robert Levine, Behind the European Privacy Ruling That’s Confounding Silicon Valley, N.Y. TIMES (Oct. 9,
2015), https://www.nytimes.com/2015/10/11/business/international/behind-the-european-privacy-
ruling-thats-confounding-silicon-valley.html?_r=0.
4
Henry Farrell & Abraham Newman, The Transatlantic Data War, FOREIGN AFFAIRS (Feb. 2016),
https://www.foreignaffairs.com/articles/united-states/2015-12-14/transatlantic-data-war.
5
Paul M. Schwartz, European Data Protection Law and Restrictions on International Data Flows, 80 IOWA L.
REV. 471 (1995).
2
on transfers of personal data to any non-EU country that lacks significant privacy
protections.
The restrictions are set by two EU legal mandates. The European Directive
on Data Protection (1995) permits data transfers from the EU to a third party nation
only when it has “adequate” privacy protections.
6
On May 25, 2018, the General
Data Protection Regulation (GDPR) (2016) will take the place of the Directive.
7
Under the GDPR, the adequacy requirement for data transfers continues to be the
legal touchstone. The EU has never considered U.S. data privacy law to have an
adequate level of protection.
8
In response to the EU’s judgment that the privacy protections of U.S. law
were insufficient, the EU and U.S. developed a set of first-generation solutions for
transatlantic exchanges. Due to EU displeasure with the surveillance of the National
Security Agency (NSA), however, these innovative mechanisms are now either
invalid or imperiled.
9
An initial second-generation solution, the EU-US Privacy
Shield, was finalized in June 2016.
10
There are already legal challenges to it in
progress in the EU.
11
Bridging the transatlantic data divide is, therefore, a matter of the greatest
significance. On the horizon is a possible international policy solution around
“interoperable,” or shared legal concepts. The White House and Federal Trade
Commission have promoted this approach. For the White House, there is a need for
a “multistakeholder process” with the international partners of the U.S. to “facilitate
interoperable privacy regimes.”
12
These regimes are to be based on the starting point
of “mutual recognition,” which entails an “embrace of common values surrounding
privacy and personal data protection.”
13
6
Council Directive 95/46, art. 25, 1995 O.J. (L 281) 31, 45–46 (EC) [hereinafter DP Directive].
7
Commission Regulation 2016/679, 2016 O.J. (L 119) 1, 60-62 (EU) [hereinafter GDPR].
8
See, e.g., Working Party on the Protection of Individuals with regard to the Processing of Personal
Data, Opinion 1/99, 2 DG MARKT Doc. 5092/98, WP 15 (Jan. 26, 1999) (stating regarding U.S.
privacy law that “the current patchwork of narrowly-focused sectoral laws and voluntary self-
regulation cannot be relied upon to provide adequate protection” for data transferred from EU).
9
The decisive move was made in 2015 by the European Court of Justice’s Schrems decisions, which
invalidated the Safe Harbor Agreement between the EU and U.S. Case C-362/14, Schrems v. Data
Prot. Comm’r 2015 E.C.R. 650 (Oct. 6, 2015).
10
Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy of the protection by the EU-U.S. Privacy
Shield, C (2016) 4176 final [hereinafter Privacy Shield, Implementing Decision],
http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf.
11
Peter Sayer, A Second Privacy Shield Legal Challenge Increases Threat to EU-US Data Flows, PC WORLD
(Nov. 3, 2016), http://www.pcworld.com/article/3138196/cloud-computing/a-second-privacy-
shield-legal-challenge-increases-threat-to-eu-us-data-flows.html.
12
WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD 31-32 (Feb. 2012),
https://www.whitehouse.gov/sites/default/files/privacy-final.pdf [hereinafter CONSUMER DATA
PRIVACY].
13
Id. at 31. In similar tones, the FTC has noted, “Efforts underway around the world … indicate an
interest in convergence on overarching principles and a desire to develop greater interoperability.”
FTC, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE 10 (Mar. 2012),
https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-
protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
3
The extent of EU-U.S. data privacy interoperability, however, remains to be
seen. In exploring this issue, this Article analyzes the respective legal identities
constructed around data privacy in the EU and U.S. It identifies profound
differences in the two system’s image of the individual as bearer of legal interests.
The EU has created a privacy culture around “rights talks” that serves to protect
“data subjects.”
14
In the U.S. in contrast, the focus is on “marketplace discourse”
about personal information and the safeguarding of “privacy consumers.”
15
In the
EU, moreover, “rights talk” forms a critical part of the post-war European project of
creating the identity of a European citizen. As Jürgen Habermas argues, this task is a
constitutional one that is central to the EU’s survival.
16
In the U.S., in contrast, data
privacy law is based on the idea of consumers whose interests merit governmental
protection in a marketplace marked by deception and unfairness.
This Article uses its models of “rights talk” and “marketplace discourse” to
analyze how the EU and the U.S. protect their respective data subjects and privacy
consumers. A particular focus is on the respective doctrines of consent and contract
in the two legal systems, which reflect profoundly different perspectives. Even if the
differences are great, there is still a path forward. A new set of institutions and
processes can play a central role in developing mutually acceptable standards of data
privacy. This Article argues that the future of international data privacy rests not in
unilateralism, whether from the EU or U.S., but in these myriad new venues for
collaboration. Both the GDPR and Privacy Shield require regular interactions
between the EU and U.S. to create points for harmonization, coordination, and
cooperation. The future of transatlantic data trade turns on developing shared
understandings of privacy within these new structures.
II. Different Visions of Data Privacy
This Part considers how the two systems of data privacy law, EU and U.S.,
envision the individual. From the perspective of an anthropologist, law is “a species
of social imagination.”
17
As Clifford Geertz observes, “legal thought is constructive
of social realities” and not merely “reflective of them.”
18
In his 1921 Storrs lecture,
Benjamin Cardozo similarly observed, “There is in each of us a stream of tendency,
whether you choose to call it philosophy, or not, which gives coherence and
direction to thought and action.”
19
This shared cultural background forms a key part
of juridical decision-making. He notes, “In this mental background every problem
finds its setting.”
20
14
See infra Section II.B.
15
See infra Section II.C.
16
JÜRGEN HABERMAS, ZUR VERFASSUNG EUROPAS 66 (2011).
17
CLIFFORD GEERTZ, LOCAL KNOWLEDGE: FURTHER ESSAYS IN INTERPRETIVE ANTHROPOLOGY
232 (1983).
18
Id.
19
BENJAMIN N. CARDOZO, THE NATURE OF THE JUDICIAL PROCESS 12 (1921).
20
Id. at 13.
4
This Part examines how two legal orders construct contrasting “legal
identities” for individuals as bearer of data privacy interests.
21
To sketch our overall
argument regarding the “mental background” of these areas of law, we find that the
EU system protects the individual by granting her fundamental rights pertaining to
data protection. This language of rights creates a connection between “data
subjects” and the EU institutions that safeguard these interests. In the U.S., in
contrast, the law protects the individual as a “privacy consumer.” The view is of a
person as a participant in market relations. In this market-driven discourse, the
individual is a trader of a commodity, namely, her personal data. As a consequence
of these two versions of legal identity, the status of the individual within the
respective legal systems is different. To illustrate this point, this Article compares the
EU’s data subject and the U.S.’s privacy consumer across three dimensions: (1) her
constitutional protections; (2) her statutory protections; and (3) and her relative legal
status compared to the entities that collect and process her personal data. Part II.A
and Part II.B infra examine the respective visions in the EU and U.S. for the
individual as rights-bearer.
Before we begin, some brief points about terminology and scope would be
helpful. This Article adopts the respective terminology of each legal system in
identifying their similar zones of activity. Hence, when we address EU privacy law,
we speak of “data protection” and refer to the similar area of U.S. law as
“information privacy law.”
22
When we desire a neutral term, this Article refers to
“data privacy law.”
23
We now turn to the different models of the individual as rights-
bearer in the two systems.
A. “Rights Talk” in the EU
This Article uses the term “data subject” to refer to the rights-bearer in the
EU’s data protection law. A feature of the EU is its “multi-linguism.” All its official
documents are translated into the twenty-four languages of the Member States, and
all versions are of equal legitimacy.
24
In English Euro-speak, EU data protection law
uniformly calls the individual whose data are processed the “data subject,” and we
therefore adopt this term.
25
Linguistics also teaches us that the subject is the most
prominent active agent of a sentence. In a similar fashion, the EU privileges the
prominence of the individual whose personal information is processed. It engages in
a rights-focused legal discourse centered on the data subjects.
21
On the question of how law constructs a “legal identity,” see James Q. Whitman, Consumerism Versus
Producerism, 117 YALE L.J. 340, 394 (2007)
22
As examples of this terminology, see DANIEL SOLOVE & PAUL SCHWARTZ, INFORMATION
PRIVACY LAW (5th ed. 2015). For a continental example, see AXEL VON DEM BUSSCHE & MARKUS
STAMM, DATA PROTECTION IN GERMANY (2013).
23
For an early adoption of this term in a report commissioned by the European for the Commission
of the European Communities, see PAUL M. SCHWARTZ & JOEL R. REIDENBERG, DATA PRIVACY
LAW (1996).
24
For a discussion of multi-lingualism in data protection law, see GLORIA GONZÁLEZ FUSTER, THE
EMERGENCE OF PERSONAL DATA PROTECTION AS A FUNDAMENTAL RIGHT OF THE EU 9 (2014).
25
See, e.g., DP Directive, supra note 6, at 33; GDPR, supra note 7, at 2.
5
1. Constitutional Protections and “Rights Talk.” In the EU, data
protection is a fundamental right anchored in interests of dignity, personality, and
self-determination. The path to creation of this right began before World War II, as
different national legal systems recognized rights of dignity and personality within
their constitutional law. The post-war constitutions of Italy (1947) and Germany
(1949) were in the front ranks of this development.
26
From their devastating
experience with fascism and Nazism, these countries drew the lesson of safeguarding
human dignity. At the transnational level after World War II and as an essential part
of the creation of a post-war identity, Europeans also developed a supranational
system of fundamental rights. These interests are now protected by institutions both
within the European Union, such as the European Court of Justice, and outside of it,
such as the European Court of Human Rights.
The trend of supra-national rights in the post-war European order extends
the already significant role of “constitutional politics” within European nations. In
the description of Alec Stone Sweet, this process involved the enactment of
extensive postwar constitutional rights in Europe as well as a subsequent privileging
of the judicial role in the policy-making environment.
27
The European Convention
of Human Rights and the Charter of Fundamental Rights function as the two pillars
of fundamental rights in Europe. As Frederico Fabbrini summarizes, there is a
“plurality of constitutional sources enshrining constitutional rights” and a “plurality
of constitutional views on human rights.”
28
There is also a plurality of judicial
bodies, national and transnational, involved in interpreting, enhancing and extended
these different sources. Over time, the European rights regime came to include not
only privacy, but an explicit right to data protection. Both interests now have the
status of a fundamental right in Europe.
The European Convention of Human Rights (1950) is an international treaty
drafted by the Council of Europe. In Article 8, it grants the individual a “right to
respect for his private and family life.”
29
The Convention established the European
Court of Human Rights, which has built on Article 8 to identify specific rights
regarding data protection.
Within the EU, the key constitutional document is the Charter of
Fundamental Rights (2000). With the signing of the Lisbon treaty by EU Member
States, the Charter became binding constitutional law for the EU in 2009.
30
It makes
explicit the protections of Community law for human rights and builds on the
requirement, as expressed by the European Court of Justice as early as 1969, that,
“respect for human rights ... is a condition of the lawfulness of Community acts.”
31
The Charter protects privacy, like the Convention, and also contains an explicit right
26
GRUNDGESETZ [GG] [Basic Law], Art. 1–2, translation at https://www.gesetze-im-
internet.de/englisch_gg/; Art. 2–3 Constituzione [Const.] (It.).
27
ALEC STONE SWEET, GOVERNING WITH JUDGES 3 (2000).
28
FEDERICO FABBRINI, FUNDAMENTAL RIGHTS IN EUROPE 26 (2014).
29
THE EUROPEAN CONVENTION ON HUMAN RIGHTS art. 8 (1950).
30
JEAN-CLAUDE PIRIS, THE LISBON TREATY 146 (2010).
31
Id.
剩余48页未读,继续阅读
资源评论
百态老人
- 粉丝: 1641
- 资源: 2万+
下载权益
C知道特权
VIP文章
课程特权
开通VIP
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功