RSS

Ignorance or arrogance – A US court claims the right to regulate the Internet world-wide

0 kommentarer Av Sparad i English, freedom of expression, intellectual property, international issues 3 april 2014 @ 4:05

The legal drama that has followed in the wake of the online  publication of the film titled ‘Innocence of Muslims’ may be worthy of being  used as the plot for a movie in its own right. And, given a recent judgment by Chief  Judge Kozinski in the US 9th Circuit, it would no doubt be best as a  horror movie.

The background to the dispute is rather complex, but put  simply, Cindy Lee Garcia was cast in a minor role in a film with the working  title ‘Desert Warrior.’ For the three and a half days of filming she received  $500. However, that film never materialised. Instead, Garcia’s scene was used  in another film – a highly controversial film titled ‘Innocence of Muslims’.  Garcia first saw this latter film after it was uploaded online.  At that time, she discovered that her brief  performance had been partially dubbed over so that she appeared to be making a statement offensive to persons of the Muslim faith.

Garcia sought to have the movie taken down by arguing to  have a copyrightable interest in her brief performance in the movie. Needless  to say, such a claim has a slim prospect of success in most parts of the world,  but Chief Judge Kozinski concluded that Garcia does have such a right.

Copyright lawyers will no doubt find the decision highly  interesting merely by focusing on Chief Judge Kozinski contentious approach to  the copyright issues involved. However, as the title indicates, my interest in the case lies elsewhere. I am concerned about the fact that the Court ordered Google Inc to “take down all copies of ‘Innocence of Muslims’ from YouTube.com and from any other platforms under Google’s control, and take all reasonable steps to prevent further uploads of ‘Innocence of Muslims’ to those platforms.” (emphasis added)

Given Google’s virtually global presence, with various country-specific platforms, the problem is obvious. US copyright law applies in the US, not globally. This fact can scarcely have escaped the Court. Yet, it was not even touched upon by the 9th Circuit on this occasion. Indeed, Chief Judge Kozinski did not even seek to legitimise the approach by putting the court order in terms suggesting that the global take down was necessary to ensure the film was inaccessible in the US.

If we let domestic courts make orders regulating what may and may not be published globally, we will quickly find ourselves in a situation where the only content (legally) available online is such content that is acceptable globally. But how useful would such an Internet be? And where would that leave us when it comes to freedom of speech?

Luckily, it is rare for courts to take such a parochial approach as the 9th Circuit did in this dispute. More commonly, courts have recognised that making court orders with global reach is problematic and typically excessive. An extract from a judgment by the New South Wales Supreme Court is illustrative

An injunction to restrain defamation in NSW s designed to ensure compliance with the laws of NSW, and to protect the rights of plaintiffs, as those rights are defined by the law of  NSW. Such an injunction is not designed to superimpose the law of NSW relating to defamation on every other state, territory and country of the world. Yet that would be the effect of an order restraining publication on the Internet. It is not to be assumed that the law of defamation in other countries is coextensive with that of NSW, and indeed, one knows that it is not. It may very well be that according to the law of the Bahamas, Tazhakistan [sic], or Mongolia, the defendant has an unfettered right to publish the material. To  make an order interfering with such a right would exceed the proper limits of the use of the injunctive power of this court. (Macquarie Bank Limited & Anor v Berg [1999] NSWSC 526, at para 14.)

Thus, a global removal of content that is only unlawful in some countries but not others would arguably infringe the rights of people in those latter countries to access that content. Further, global blocking in such a situation may be seen as a violation of the creator’s right to communicate that content in the countries where doing so is lawful.

It is important that we do not overlook these rights just because there may be a duty not to communicate that content in some countries.

One often sees the adherence to the harshest rules as a proposed solution to the difficulty of variances in legal standards where more than one standard applies to specific conduct. Such suggestions rely on notions such as that expressed by Justice Souter, that: “[n]o conflict exists, […] ‘where a person subject to regulation by two states can comply with the laws of both.” (W. S. Dodge, Extraterritoriality and Conflict-of-Laws Theory: An Argument for Judicial Unilateralism 39 Harv. Int’l. L. J. 101 (1998), at 136.)

I object to this duties-focused approach. Essentially what Justice Souter and others are saying is that we should only focus on the duties imposed by law. If the duties do not conflict, the laws do not conflict. This is a too simplistic perspective. It completely neglects the importance of the rights that laws provide. Importantly, the correlative relationship between rights and duties we may be accustomed to from a domestic law setting does not necessarily survive when transplanted into a cross-border environment; that is, rights provided under one country’s legal system may not necessarily create corresponding duties under other legal systems.

I argue that in assessing whether two (or more) laws are in conflict we need to take account of both the duties and the rights those laws provide for. In other words, even where the duties do not clash, the rights of one country may clash with the duties of another country.

The difference can be illustrated by way of an example. Imagine that the laws of state A specifically provide for a right of religious freedom, while the laws of state B specifically impose a duty of adherence to Norse pagan faith. Where a person, for one reason or another, finds herself bound to comply with both the laws of state A and those of state B, there is no conflict in the view of the reasoning put forward by Justice Souter and others – such a person can comply with the law of both states by adhering to Norse pagan faith.

In contrast, from the perspective I advocate here, there is a conflict since the right provided by the law of state A cannot be freely exercised while at the same time complying with the duty imposed by the law of state B (except, of course, by those who voluntarily chose to exercise their right to worship Odin, Thor, Freya etc).

In light of all this, I argue that calls for compliance with the strictest rules, as a solution to the problem of conflicting laws, are misguided. And, it would seem beyond intelligent dispute that global blocking/removal cannot be the default response to every court order requiring an Internet intermediary to block/remove certain content in a certain country. We need a more measured and more sophisticated approach.

The European Parliament’s vote on extraterritoriality in data privacy – one step forward, and one step back

0 kommentarer Av Sparad i international issues, privacy & data protection 23 mars 2014 @ 10:07

Back in March 2013, I wrote a blog post here at BlawBlaw pointing to an unfortunate error in the structure of Article 3 of the proposed data protection Regulation – outlining the Regulation’s territorial scope.

Essentially my concern was that Article 3(2)(b), as found in the original January 2012 proposal, suggested that EU residents would enjoy the protection of the Regulation worldwide simply by residing in the European Union. Such a result cannot have been the drafters’ intention as it so clearly would take the Regulation’s extraterritorial scope  into the realm of absurdity.

Now the European Parliament has had its say on how the Regulation’s scope of application is to be delineated. And, I am happy to note that the problem I pointed to in the March 2013 posting has been addressed. The European Parliament’s version of Article 3 reads as follows:

 

Article 3: Territorial Scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of such data subjects.

 

While they consequently have addressed the issue above, they have done so in a manner creating another equally, or at least almost equally, serious issue – it is not clear whether the words “in the Union” in Article 3(2) relate to “data subjects” or “processing”.

The latter alternative is perhaps preferable compared to the former. However, if Article 3(2) is meant to regulate the processing taking place “in the Union” by a controller or processor not established in the Union, significantly more guidance is desirable than what we have received so far.

As noted the alternative that “in the Union” in Article 3(2) relate to the location of the “data subjects” is plausible. That would mean that the original proposal’s limitation to “data subjects residing in the Union” has been replaced by a location-focused test. In the absence of further limitations, such an approach would seem to bring the Regulation’s Article 3 back into the realm of absurdity:

Imagine that a US citizen while in the US signs up for a particular US-based web service which places cookies on that person’s browser in a manner that can be seen as “monitoring” the user. As long as that US citizen remains in the US, no drama arises. However, should that person get on a flight, like many people do these days, and travel to Berlin, Stockholm or some other beautiful place in Europe, then the US web service is suddenly bound by the European Regulation as soon as that person starts browsing the web. After all, (1) the US company is clearly a “controller or processor not established in the Union”, (2) the US citizen is a data subject “in the Union” after stepping off the plane in Europe, and (3) once she or he starts surfing the web, she/he is “monitored”.

The scenario described is not fanciful or unusual, and has nothing to do with creating a “level-playing field” – the key aim of the Regulation’s extraterritorial scope. In fact, it demonstrates that, on this interpretation, the Regulation will have an enormously wide scope of application given the mobility associated with modern society – any organisation that reasonable expects to engage with their customers while those customers travel to Europe must seriously consider their position under the Regulation.

In light of this, I think it is necessary for further modifications of the Regulation’s approach to extraterritoriality. I remain convinced that to get this right, we have to stop tinkering around the edges and start fresh as to Article 3 - preferably adopting the “layered approach” to extraterritoriality I keep promoting, for example in another of my previous blog posts here at BlawBlaw.

The extraterritoriality of EU’s Data Privacy Regulation – what does international law say?

0 kommentarer Av Sparad i English, international issues, privacy & data protection 4 mars 2014 @ 10:29

Work on the EU’s proposed new data privacy Regulation continues, and a wide extraterritorial reach remains a key feature of the Regulation. In a recent European Commission Memo titled Data Protection Day 2014: Full Speed on EU Data Protection Reform of 27 January 2014, it was noted that one of the key benefits for businesses was the creation of a ‘level playing field’:

The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. We are creating a level-playing field.” (p.4)

This is significant, not least when combined with another of the Regulations articulated ‘main innovations’:

European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%. Privacy-friendly European companies will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.” (p.4)

In two previous blog posts, I have pointed to serious concerns with the current proposal (The territorial scope of the proposed EU Data Protection Regulation) and a potential improvement of how it delineates its extraterritorial scope (Re-thinking extraterritoriality in data privacy law). Here I will seek to assess what international law says about the legitimacy of the approach taken by the EU. Is it possible to either justify or object to the EU approach to extraterritoriality by reference to international law?

 

Under International Conventions

There are no treaties directly regulating jurisdictional claims in the data privacy context. However, a close study of the world’s, at least in theory, most significant human rights treaty, the International Covenant on Civil and Political Rights (ICCPR), shows that it arguably makes extraterritorial jurisdictional claims mandatory in the data privacy arena.

Importantly, Article 2(1) of the ICCPR states that:

“Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”

If material originating in state A negatively affects the privacy of a person in state B, state B is arguably failing to provide “an effective remedy against those responsible” (ICCPR General Comment 16) to the affected individual “within its territory and subject to its jurisdiction” unless its laws provide for jurisdictional and legislative claims over the
offender in state A.

It can, of course, be said that even such a jurisdictional claim does not in itself provide “an effective remedy against those responsible” unless it can also be enforced. However, state B in our example can perhaps not be required to do more than what is in its power to do.

In light of the above, it is possible to suggest that the ICCPR is an example of an international convention that supports wide extraterritorial claims in the context of data privacy law.

 

Under International Custom

The 1935 Harvard Research Draft Convention on Jurisdiction with Respect to Crime (hereinafter, the Harvard Draft) is a natural point of departure for any discussion of jurisdiction under customary international law. Despite being dated, and despite being focused on jurisdiction with respect to crime, virtually every single text on public
international law relies upon the grounds for jurisdiction canvassed in the Harvard Draft (with the addition of the so-called ‘effects doctrine’).

So how does the traditional grounds for jurisdiction under customary international law impact the assessment of the extraterritorial claims of jurisdiction that the EU makes through its data privacy law? One thing is clear: in the context of typical data privacy infringements, four of the seven traditional principles for jurisdiction can be ignored. We need not busy ourselves with the subjective territoriality principle, the nationality principle, the protective principle, or the universal principle.

Article 4 of the current EU Data Protection Directive – in its focus on the geographical location of relevant equipment – could be argued to relate to the objective territoriality principle. That is because, as Kuner points out, this ground for jurisdiction “is at least partly based on the performance of an act (the use of equipment) occurring within the EU.”( Christopher Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 1), 18 Int’l.  J. L. & Inf. Tech. 176, 190-191 (2010), at 188).

Article 3 of the proposed EU Data Protection Regulation – in placing focus, for example, on the behavioural monitoring of EU residents – seem likely to fall within the passive personality principle, or at least a permutation of it, even though its focus is on the residency of the data subject rather than on the data subject’s citizenship.

Further, both types of extraterritorial claims seem to fall squarely within the effects doctrine. Regardless of the methods used to connect foreign conduct with the jurisdiction where the data privacy law has been enacted (such as focusing on the use of equipment situated on the territory or on the behavioural monitoring of EU residents), one can
argue that the conduct has an effect within the jurisdiction.  Thus, both the approach taken in Article 4 of the current EU Data Protection Directive and the approach taken in Article 3 of the proposed EU Data Protection Regulation seem to fall within the effects doctrine.

Thus, one can conclude that customary international law is closer to supporting the EU approach to extraterritoriality, than it is to prohibiting it.

 

Under General Principles of Law Recognized by Civilized Nations

Our search for relevant so-called “general principles of law recognized by civilized nations” may be focused in a variety of manners. Here, I will restrict myself to considering whether the EU’s approach to extraterritoriality in data privacy law can be seen as a general principle of law recognized by civilized nations.

There are now more than 100 countries with data privacy laws. Many of those laws such as the laws of Australia, Singapore, the Philippines, Cape Verde, Malaysia, India  and indeed in the US, all have an extraterritorial reach more or less similar to that of EU law. However, examples may also be found of data privacy laws that currently make no extraterritorial claims (see e.g. Israel and Japan). Given this, the conclusion must be that the EU’s approach to extraterritoriality in data privacy law cannot be seen as a
general principle of law recognized by civilized nations. However, with an increasing number of countries implementing or revising data privacy laws, we may have reason to revisit this issue in a not too distant future.

 

Concluding remarks

The above signals that international law is closer to justifying, than it is to objecting to, the EU’s approach to extraterritoriality in data privacy law. This is significant. However, it does not necessarily mean that the EU approach is to be endorsed.

It remains my view that, the current EU Directive’s approach to extraterritoriality is dysfunctional in its unnecessary complexity and that the proposed EU Regulation needs to be refined, and should ideally adopt the ‘layered approach’ I have proposed elsewhere.

 

For more about the extraterritoriality issues in data privacy law raised here, see e.g.: Dan Svantesson, The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses, 50(1) Stanford Journal of International Law (2014).

Update from the Computer Privacy and Data Protection Conference

0 kommentarer Av Sparad i English, privacy & data protection, Svenska 22 januari 2014 @ 21:31

Today was off to an interesting start at the annual Computer Privacy and Data Protection conference in Brussels.  Here are a few points (not direct quotes) that I glistened from listening to a myriad of terrific speakers:

  • What is on the table now is progress. It is not perfection.  It reflects a lot of compromising. (Paul Nemitz)
  • Law enforcement’s use of data collected from social media providers to profile individuals should not be a situation “caught between pillars.”  This is especially true when Article 16 of the Lisbon Treaty provides the opportunity to create a single instrument to address this pressing issue.  Law enforcement’s reuse of private sector data is a huge gap in the new reform package. (Alba Bosch)
  • The principle of accountability is good because it provides data controllers with the kind of flexibility that they need.  This shift away from bureaucratic requirements should be applauded. (Thomas Boué)
  • If EU institutions are excluded from the Regulation then, at the very least, there must be another instrument which provides for exactly similar rules: there must be consistency at a high level. (Hielke Hijmans)
  • The name of this panel should not be “EU Data Protection Reform: Fixing the Last Bugs” it should be “EU Data Protection Reform: The Attack of the Killer Bees” as there are a lot of major problems that must still be addressed. (Christopher Kuner)
  • There is a serious lack of awareness about data protection rights exhibited on behalf of individuals, lawyers and courts.  Please see the FRA handbook that was just released .  It is a tool to understand data protection in a straight forward way. (Mario Oetheimer)
  • There is a tendency for governments and corporations to seek “clearance” or a “green light.”  Sometimes, however, no official clearance should be possible.  One must be prepared to be responsible for his/her decisions in court.  This is the real world after all. (Paul de Hert).
  • There is a tension between a rights-based notion of regulation and a harms-based notion of regulation.  There is a prevailing wind to think more about the harms-based notion of regulation. (Charles Raab)
  • Defining the object of the risk is the hard question in a risk assessment. When using risk assessment, one must examine his/her own normative commitments.  Take nuclear reactors for example.  What is the object of the risk posed by nuclear reactors?  Is it just the reactor pressure vessel?  What about the uranium mining or the transportation of material or the recycling of the material etc.?  Where does one draw the line? (Brian Wynne)
  • There has been little improvement in the Council over the last few months.  The same questions are repeated and repeated.  The reform package will not be done before the spring elections. Let’s hope the Council reaches a decision by the end of summer.  The worst result would be that the Council does not reach an agreement, which will force the Parliament to put the 4000 amendments back on the table and further delay the reform for many more years. (Wojciech Wiewiórowski)
  • From an American perspective, the EU Commission seems to resemble a black box.  What kind of transparency mechanisms are in place in order to allow individuals to understand what is going on there? (Julie Cohen)

‘Infobesity’ – are we drowning in the wealth of information?

0 kommentarer Av Sparad i access to information & transparency, English, supply of legal information 4 januari 2014 @ 23:40

The Internet gives us access to a volume of research findings unimaginable just some decades ago. Through electronic communications, primarily the Internet, access is no longer limited by distance. Further, in avoiding printing and shipping costs, electronic soft copies are typically cheaper than hard copy materials, contributing further to accessibility.

In addition, there seems to be a strong, and increasing, emphasis on publishing amongst legal academics, and perhaps also amongst legal practitioners. We have witnessed a dramatic increase in the number of available law journals: “It has been calculated that there were eight law journals in Australia in 1960, nine in 1970, fourteen in 1980 and about 50 in 1994” (John Gava, ‘Scholarship and Community’ (1995) 16 Sydney Law Review 443, 459). In 2011, there were “more than 70 Australian law journals” (Dan Svantesson, ‘Truisms about the Australian publishing climate for law journal articles, and some strategies to cope; or “A Feminist perspective on the human rights of vegetarian child-soldiers in
outerspace” (2011) 10(3) Canberra Law Review (Online) 4, 19). Similarly dramatic figures can be found in the US. One study shows that, the number of US law journals have increased from about 90 in the mid 1930s, to around 900 in 2009 (John Doyle, ‘The Law Reviews: Do Their Paths of Glory Lead but to the Grave?’ (2009) 10 Journal of Appellate Practice and Process 179, 180).

This development may partly be due to the ‘publish or perish’ principle commonly in the consciousness of academics. Other reasons may be found in developments such as increased specialisation sparking the need for specialist journals, and of course the possibility of publishing e-journals with lower costs to operate.

Adding further to the wealth of law journal articles available to us is the fact that research output, not least in the form of journal articles, now often is available for free, either in pre-print versions often found e.g. on the Social Science Research Network (SSRN), or in final versions in databases such as the Australasian Legal Information Institute (AustLII) or in university institutional repositories (see e.g. e-publications@bond).

As a result of all this, we are arguably at the risk of drowning in the mass of publications being produced. In more detail, there are two sides to this risk:

1. that the ‘high quality’ work of authors may drown in publications of ‘lower quality’; and
2. that the reader may drown in irrelevant ‘low quality’ content in the search for ‘high quality’ relevant content.

Thus, the risk affects both authors and readers.

It is of course not possible to scientifically assess what content is of ‘high quality’ and what content is of ‘low quality’. However, it is worth noting that one interesting study shows that 43% of law journal articles, notes and so on end up never being cited in any other law review article or indeed in any court decision (Thomas A. Smith, ‘The Web of Law’ (2007) 44 San Diego Law Review 309, 336). Some critics have gone as far as to suggest that the “most serious concern […] with legal scholarship is that too much of it is useless.” (Harry T. Edwards, ‘Reflections (On Law Review, Legal Education, Law Practice, and My Alma Mater)’ (2002) 100 Michigan Law Review 1999, 2001). Be that as it may, it is undeniable that more legal scholarship (including law journal articles) is produced, than what is ‘consumed’. In any such situation, the importance of connecting the right reader with the right content is high.

Search engines have helped alleviate the risk of drowning in the information ocean. However, they can only partially mitigate the problem as the need for human analysis of the content’s relevance and ‘quality’ remains to a great degree. As pointed out by Robertson and Warren searches in a full-text database “has the potential to find articles with the desired terms, yet which have nothing to do with the required topic.” (Tracy Robertson and Dennis Warren, ‘Online legal
indexes: An abstract likeness or a true portrait?’ (2008) 16 Australian Law Librarian 271 2008, 274).

To conclude, it may be said that unless we act now, the enormous advantages that can be gained from the ever increasing wealth of information available may well be lost in the chaos of information overload (also referred to as ‘infobesity’). To adopt a term that overuse has rendered a mere cliché, what we need is a paradigm shift in how we provide potential readers information about the content of the articles we publish.

In an article recently published in the Alternative Law Journal, I argue that such a paradigm shift can be achieved through the widespread adoption of a more advanced method – what we can call Uniform Summary Statements (USS) – for giving potential readers the possibility to evaluate the content of articles they are considering reading (Dan Svantesson, Improving Accessibility to Research Findings in Law: Uniform Summary Statements, Alternative Law Journal 38(4) (2013); pp. 260-264). Such USS could usefully replace the tired, neglected and misused abstract (commonly limited to around 50 to 250 words) that is an ineffective tool to communicate a sufficiently detailed description of the content of an article.

I propose that a USS should include the following eleven types of information:

  1. Title of the article
  2. Name of author(s)
  3. Author affiliation(s);
  4. The subject of the article;
  5. The aim of the article;
  6. The method used;
  7. The results/conclusions reached by the author;
  8. An outline of what jurisdictions the article relate to (where applicable);
  9. A list of key cases (where applicable);
  10. A list of key legislation, international instruments or the like (where applicable); and
  11. A list of key academic publications discussed (where applicable).

For most articles, it ought to be possible to limit the USS to two pages.

Automated reasoning

0 kommentarer Av Sparad i English, technology, teknik 2 januari 2014 @ 13:14

Does this conversation embody artificial intelligence at it’s finest as of today? Perhaps in a near future we could look forward to hearing the parties opinions on the topic of ‘Automation of legal reasoning’ (ref. Wahlgren, P., Automation of legal reasoning; A study on Artificial Intelligence and Law, Kluwer Law and Taxation Publishers, Juristförlaget, Stockholm, 1992).

Sök ADBJ:s stipendium för uppsats!

0 kommentarer Av Sparad i utbildning & lärande 20 december 2013 @ 12:13

Har du skrivit uppsats inom området Juridik och IT under 2013? I så fall, sök ADBJ:s stipendium för uppsats!

Svenska Föreningen för IT och Juridik (ADBJ) välj ut årligen den bästa uppsatsen inom området juridik och IT.

Stipendiet kan sökas av student eller handledare åt student för examensarbete som inte är äldre än ett år räknat från sista ansökningsdag. Stipendiet utgår med 10 000 kronor till en stipendiat.

Sista ansökningsdag: 20 januari 2014
Dokument att bifoga: examensarbetet, ett intyg från handledaren
Skickas till: kansliet@adbj.se med ärenderaden ”Stipendium för uppsats” (gärna i PDF-format)

Mer information finns på ADBJ:s webbplats.

Re-thinking extraterritoriality in data privacy law

1 kommentar Av Sparad i international issues, privacy & data protection 16 december 2013 @ 0:03

The most important question for non-EU businesses and organisations watching the development of the new data privacy framework for the EU is whether that framework will affect those businesses and organisations. It seems clear that the proposed Regulation will do so indirectly in many ways; for example, through restrictions on the export of personal data.

However,  the question of whether the new data privacy framework will directly affect non-EU  businesses and organisations, by being binding on them, has gained surprisingly scant attention.

The approach taken to extraterritoriality, both in the current data privacy Directive and in the proposed Regulation, is binary. All or nothing. If a non-EU business or organisation meets the ‘extraterritoriality test’, it is bound by the full force of the Regulation.

This unsophisticated approach is problematic. It simply does not make sense to apply the same standard of extraterritoriality to provisions such as Article 5 (requiring e.g. that personal data is processed lawfully, fairly and in a transparent manner), and to Article 35 (demanding the designation of a potentially costly data protection officer). While it may be reasonable to ask a foreign company to abide by a country’s rules discouraging or penalising unauthorised and unreasonable disclosure or other use of personal data based on a certain degree of contact between that company and that country (eg a transaction involving the collection of personal data), the same degree of contact may not justify that country imposing on the company the duty of designating a data protection officer. The first type of rule is similar in nature to rules found in other areas of law, such as the law of defamation. In a sense, they are private in nature, while rules such as e.g. requiring a data protection officer are of a, comparatively heavy-handed, public law nature.

In an article recently published in International Data Privacy Law, I have put forward a proposal for an alternative approach to delineating the extraterritorial scope of data privacy laws (Dan Svantesson, A “layered approach” to the extraterritoriality of data privacy laws, International Data Privacy Law (2013) 3(4); pp. 278-286). I will here summarise the key  points of that approach.

  • Data privacy laws always incorporate a diverse range of legal rules. Thus, it is misguided and naive to think that the same rule of extraterritoriality can be applied to all these types of rules.
  • Thus, I propose that we dissect our data privacy law and assign all substantive rules to one of the following three ‘layers’:
    1. The abuse-prevention layer;
    2. The rights layer; and
    3. The administrative layer.
  • As already noted, data privacy laws commonly contain provisions seeking to discourage or even penalise unauthorised and unreasonable disclosure or other use of personal data, in a manner similar to how eg defamation law seeks to prevent abuse. Such rules ought to clearly fall within the abuse-prevention layer.
  • Within the rights layer we can comfortably place data privacy rules such as the right of access and the right of correction commonly found in data privacy laws.
  • As already hinted at, in the administrative layer, we should place data privacy rules such as the requirements of a designated data protection officer found in the proposed EU data privacy Regulation.
  • We can then assign a different extraterritorial test for each layer, with a more restrictive test for layer two than for layer one, and even more restrictive test for layer three.

Experience has taught us that the current approaches to extraterritoriality in data privacy law simply do not work. They are clumsily managing to be both overzealous and inadequate at the same time. Thus, this conundrum must be solved through the development of new approaches, such as the ‘layered approach’ advocated above.

For more about extraterritoriality issues in data privacy law, see e.g.: Dan Svantesson, Extraterritoriality in Data Privacy Law, Ex Tuto Publishing (November 2013)

Upcoming Events

0 kommentarer Av Sparad i education & learning 12 december 2013 @ 14:40

Some interesting events related to the field of IT law in the spring:

Event: International Conference on Multisensory Law
Organised by: University of Zurich
Time & Place: January 27-28 2014, Zurich
More information: http://www.rwi.uzh.ch/oe/zrf/abtrv/brunschwig/konferenzen/2014/Zuerich_en.html

Event: Information Influx Conference
Organised by: Institute for Information Law, University of Amsterdam
Time & Place: 2-4 July 2014, Amsterdam, the Netherlands
More information & call for papers: http://informationinflux.org/

Call for Papers: 10th International Conference on Internet, Law & Politics (IDP 2014) A decade of transformations. Barcelona, 3-4 July, 2014

0 kommentarer Av Sparad i education & learning 11 december 2013 @ 17:33

The 10th International Conference on Internet, Law and Politics is seeking papers about:

(1) Privacy and data protection;
(2) Copyright and industrial property rights;
(3) E-commerce and consumers;
(4) Cybercrimes; and
(5) E-Government Internet and Politics.

You can find more information here.

Läs äldre poster

Copyright © blawblaw
Nyheter om, från och kring institutet för rättsinformatik

Byggt på Notes Blog Core
Powered by WordPress