
2024 | OriginalPaper | Book chapter

4. Data Protection and Data Protectionism in International Trade

Written by: Roman Pascal Kalin

Published in: Digital Trade and Data Privacy

Publisher: Springer Nature Switzerland


Abstract

Cross-border data flows, which encompass a broad and diverse range of economic and non-economic dimensions, raise a number of new trade policy issues. However, as the status of data and data flows in International Economic Law remains ill-defined, no effective multilateral governance is currently exercised with respect to the digital transformation of trade. Notably, the proliferation of national data governance frameworks is a critical element for regulating trade in the digital economy, but one that receives only limited consideration under WTO law. As digital globalisation accelerates, a patchwork of country-specific data governance frameworks threatens to fragment the global data sphere and thus increase barriers to digital trade. The debate on transnational data governance is particularly pronounced with regard to data privacy laws, as these are a common element of domestic data governance and the global landscape of data privacy regulations is characterised by considerable heterogeneity. As a result, the impact of national data privacy laws on the cross-border flow of personal data is one of the most contentious issues associated with digital trade. This chapter provides an in-depth examination of the regulation of data flows through data privacy rules and explores the rationale behind a contemporary data privacy collision in digital trade.

Footnotes
1
Kuner (2011), p. 14; Svantesson (2011).
 
2
Bygrave (2014), p. 123. See for a brief review of the evolution of the debate on cross-border data flows Drake (2016).
 
3
See further for an EU-US perspective Schwartz (2013), p. 1971. The confluence of safeguarding fundamental human rights to privacy and facilitating the free flow of data across borders for reasons of economic activity is reflected in a number of data privacy frameworks, for example in the OECD Privacy Guidelines and the EU’s data protection framework, see infra Sect. 4.3. See also Drake (2016).
 
4
For example, NSA surveillance practices, disclosed by Edward Snowden in 2013, have recently disrupted the political landscape, Aaronson and Maxim (2013); Hill (2014). See further OECD (2015a), pp. 210–215.
 
5
Cf. UNCTAD (2024).
 
6
Bygrave (2014), p. 5.
 
7
See only Aaronson (2019); Burri (2021), pp. 35–43; Mishra (2015); Pasadilla (2020); Yakovleva (2020b); Yakovleva and Irion (2020), pp. 202–203.
 
8
Attention may be drawn here again to the inherent complexities of measuring cross-border data flows, see supra Sect. 2.3.2.3. See on the weak link between the measurement of data flows and personal data Yakovleva and Irion (2020), p. 205.
 
9
See in particular Naef (2023), pp. 237–242.
 
10
See for further examples Casalini and López González (2019), pp. 28–34.
 
11
Cf. Chander and Schwartz (2023).
 
12
See further with regard to an argument that modern regimes of data privacy law and trade law were built in full contemplation of each other Chander and Schwartz (2023), pp. 56–70.
 
13
See with further references Kuner (2013), pp. 26–27; OECD (2006), p. 6.
 
14
Bygrave (2014), pp. 9–10; Gasser (2016).
 
15
See generally Gasser (2016), p. 63; OECD (2006), p. 8.
 
16
Bygrave (2014), p. 8.
 
17
See in this regard Bygrave (2014), pp. 23–29; Kuner (2009a), pp. 308–309.
 
18
See for example Solove (2002), pp. 1088–1089: “All up, the field shows bewildering conceptual and terminological diversity. […] The most famous case in point is ‘privacy’”. See also Bygrave (2014), p. 27 with further references to the debate. See further Solove (2006), pp. 479–483.
 
19
Bygrave (2014), pp. 82–98. See for a critical appraisal of the genesis of privacy as a human right Diggelmann and Cleis (2014). See further infra Sect. 4.4.1.2.1.
 
20
Holvast (2009), pp. 15–16.
 
21
Cf. Warren and Brandeis (1890) manifesting privacy as a “right to be let alone”. For a discussion of the article and its perception in common law, see Solove and Schwartz (2018), p. 10.
 
22
Holvast (2009), p. 16. See with further references to the debate on the remit of privacy Bygrave (2014), p. 27.
 
23
With further references Bygrave (2014), p. 28.
 
24
See with further references Bygrave (2014), pp. 24–25; Gasser (2016). See in general with regard to the evolutionary conceptualisation of privacy Solove (2002), who notes at p. 1142: “A conception of privacy must be responsive to social reality since privacy is an aspect of social practices. Since practices are dynamic, we must understand their historical development”.
 
25
Solove (2001), p. 1423. See also Schwartz and Solove (2011), pp. 1819–1828.
 
26
See with regard to the introduction of data privacy legislation and the regulation of cross-border data flows further infra Sect. 4.3.
 
27
See for an introduction Schwartz (2009), pp. 906–907; Solove and Schwartz (2018), p. 1. See also Gasser (2016), p. 62.
 
28
Bygrave (2014), pp. 25–26.
 
29
See with further examples and references Kuner (2011), p. 14; Schwartz (2013), pp. 1969–1970.
 
30
See with further references Kuner (2009a), p. 308: “The concepts ‘data protection’ and ‘privacy’ are ‘twins but not identical’.”.
 
31
Council of Europe (1981), p. 2. See also further infra Sect. 4.3.1.2.
 
32
Recital 11 of the EU’s DPD states: “Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981”.
 
33
The EU’s dual approach to a normative foundation of the fundamental rights character of data privacy has led to difficulties in delineating the respective scope of protection. Although there is much overlap between the right to privacy on the one hand and a right to data protection on the other, an evaluation of the case law of the European Court of Justice and the European Court of Human Rights reveals differences in their scope, see Kokott and Sobotta (2013). See also Naef (2023), pp. 42–47.
 
34
Cf. European Union (2007).
 
35
See with further references to the jurisprudence of the European Court of Human Rights Kokott and Sobotta (2013), p. 223. See also Bygrave (2014), pp. 82–98.
 
36
See further Bygrave (2014), p. 28.
 
37
Bygrave (2014), p. 29. See for example Schwartz (2019), p. 775.
 
38
See also Chander and Schwartz (2023), p. 55; Schwartz (2019), p. 775. In this text, reference is also made in part to “information privacy” or “data protection” when specifically addressing the respective legal context.
 
39
See only Cukier (2010); Mayer-Schönberger and Cukier (2014); Manyika et al. (2011).
 
40
Roessler (2015), pp. 141–142.
 
41
Roessler (2015), pp. 146–150; Schwartz (2004), pp. 2069–2076.
 
42
Zuboff (2019).
 
43
World Economic Forum (2011).
 
44
Schwartz (2004), pp. 2072–2073; Yakovleva and Irion (2020), pp. 7–8.
 
45
Roessler (2015), pp. 146–150.
 
46
Yakovleva (2018), pp. 481–487. See with regard to “constitutive privacy” Solove (2006), p. 487 and for a EU perspective on the foundational values of data protection Naef (2023), pp. 31–37. See also infra Sect. 4.4.1.2.
 
47
Roessler (2015), pp. 144–145; Yakovleva (2018), pp. 481–487.
 
48
Yakovleva and Irion (2020), p. 202.
 
49
Acquisti et al. (2016), p. 445.
 
50
See also Yakovleva (2018), p. 487.
 
51
Bygrave (2014), p. 1.
 
52
Some of the challenges in developing a robust typology for data and data flows have already been addressed above, see supra Sect. 2.3.2.3.
 
53
Sen (2018), p. 343.
 
54
OECD (2013a), pp. 7–9.
 
55
OECD (2013a), pp. 7–9.
 
56
See for example OECD (2013a), p. 8.
 
57
Solove and Schwartz (2018), p. 794.
 
58
Solove and Schwartz (2018), p. 794.
 
59
With further references Schwartz and Solove (2011), p. 1828.
 
60
U.S. Department of Commerce (2010), p. 2-1. See for an account of the current typology and a plea for a PII 2.0 Schwartz and Solove (2011), pp. 1865–1892.
 
61
OECD (2013a), p. 8.
 
62
Kuner et al. (2020), Art. 4, pp. 105–108.
 
63
Cf. Article 3 Sec. 1 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union.
 
64
OECD (2013b), p. 13, para. 1. b).
 
65
Cf. Madrid Resolution (2009), Article 2 a).
 
66
Cf. Chinese Cybersecurity Law, Article 76 Sec. 5, see for a translation DigiChina (2018).
 
67
Personal Information Protection Law of the People’s Republic of China, passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021, see for a translation DigiChina (2021c).
 
68
APEC (2005), p. 9. See further infra Sect. 4.3.1.4.
 
69
California Consumer Privacy Act, Title 1.81.5 of the California Civil Code added by Stats. 2018, Chapter 55, Sec. 3., Sec. 1798.140.
 
70
See for example Casalini and López González (2019), p. 12; Schwartz and Solove (2011), p. 1835. Generally, the scope of personally identifiable information is considered to be narrower than the scope of personal data.
 
71
Bygrave (2014), p. 126.
 
72
National Board of Trade (2014), p. 6.
 
73
See for example Article 9 of the GDPR stating in Sec. 1 “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”. Article 9 Sec. 2 GDPR contains several exceptions to the prohibition of Sec. 1.
 
74
OECD (2013a), p. 8.
 
75
Ohm (2010); Rubinstein (2013).
 
76
Burri (2021), p. 39. See also European Commission (2020b), pp. 11–12.
 
77
See further Finck and Pallas (2020), pp. 13–20.
 
78
Purtova (2018).
 
79
See further infra Sect. 5.2.2.2.
 
80
Therefore, trade agreements increasingly take on the task of regulating data and data flows, see supra Sect. 3.4.2.
 
81
Aaronson (2015), pp. 679–685.
 
82
Drake (2016). See with regard to a changing environment for international data flows supra Sect. 2.3.2.1.
 
83
Drake (2016), p. 5; Svantesson (2011), pp. 180–181.
 
84
Gunasekara (2007), p. 153; OECD (2015b), p. 15. See for a discussion of the basic principles of data privacy law, Bygrave (2014), pp. 145–167. See further with regard to possibilities for interoperability of data privacy data transfer regimes infra Sect. 6.3.
 
85
See Chander and Schwartz (2023), pp. 76–80.
 
86
Cf. Kuner (2013), p. 63, pp. 133–138; Weber (2013), p. 119.
 
87
Hon (2017), pp. 24–25; Svantesson (2011), p. 180.
 
88
See for example Kuner (2011, 2013, 2015).
 
89
Cf. in detail Kuner (2013), pp. 107–120. See also Naef (2023), pp. 129–135.
 
90
Hon (2017), p. 26.
 
91
The following sections outline key international frameworks and selected national regulations. The section does not address private sector and technological approaches or regulations related to security or law enforcement, see for example Kuner (2013), pp. 81–99.
 
92
Kuner (2013), pp. 25–26. In this respect, a number of international instruments are intended to serve as the basis for national legislation. See for example with regard to the Convention 108 drafted by the Council of Europe infra Sect. 4.3.1.2.
 
93
Technically, international instruments encompass data privacy legislation within the European Union consisting of 27 member states. However, the EU is considered here as a single jurisdiction; a discussion of EU data privacy legislation and its impact on cross-border flows of personal data is therefore provided infra Sect. 4.3.2.1.
 
94
Cf. Article 19 UDHR and Article 19 Sec. 2 ICCPR. See with further references Kuner (2013), p. 32.
 
95
UN (1990).
 
96
Bygrave (2014), p. 53.
 
97
Weber (2013), p. 119.
 
98
Council of Europe (1949), Chapter I, Article 1, a, b.
 
99
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS 108, 28 January 1981 entered into force 1 December 1985.
 
100
This version of Convention 108 explicitly refers to the territories of the contracting parties. For the later versions of Convention 108, which conceptually permit extraterritorial application, cf. de Hert and Czerniawski (2016), p. 232.
 
101
Bygrave (2014), pp. 31–36. In 2013, Uruguay became the first non-European country to accede to the convention. Currently, 55 countries have ratified Convention 108.
 
102
Cf. Council of Europe (1981), p. 8 para. 38. Para. 39 explains: “The “measures within its domestic law” can take different forms, depending on the legal and constitutional system of the State concerned: apart from laws they may be regulations, administrative guidelines, etc. […]”.
 
103
However, Christopher Kuner points out that there is no direct judicial enforcement as the jurisdiction of the ECtHR does not extend to Convention 108. In this respect, the author references the possibility of an extensive interpretation of Article 8 ECHR, see Kuner (2013), p. 37.
 
104
Cf. Article 2 of the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, ETS 181, 8 November 2001.
 
105
Wagner (2018), p. 327.
 
106
Cf. for details Council of Europe (2018). See also Kuner (2013), pp. 39–40.
 
107
Council of Europe (2018), p. 4.
 
108
OECD (2002).
 
109
See with further references Drake (2016), p. 5.
 
110
Bygrave (2014), p. 50; Solove and Schwartz (2018), p. 1098.
 
111
APEC (2005), p. 5: “The previous version of the Framework (2005) was modelled upon the OECD Guidelines (1980) which at that time represented the international consensus on what constitutes fair and trustworthy treatment of personal information. The updated Framework (2015) draws upon concepts introduced into the OECD Guidelines (2013) with due consideration for the different legal features and context of the APEC region.”
 
112
OECD (2013b), pp. 19–23.
 
113
The Foreword to the 2013 OECD Privacy Guidelines governing the protection of privacy and transborder data flows of personal data lists a number of such changes, such as for example, the volume of personal data being collected, used and stored and the extent of threats to privacy, OECD (2013b), pp. 3–4.
 
114
OECD (2013b), pp. 29–31. See further Bygrave (2014), pp. 48–49.
 
115
See OECD (2002), p. 13, Part I, para. 1(c); OECD (2013b), p. 13, Part I, para. 1 e).
 
116
OECD (2013b), p. 16, Part IV para. 17 [emphasis added by the author].
 
117
OECD (2013b), p. 16, Part IV para. 18 [emphasis added by the author].
 
118
OECD (2013b), p. 61; Wagner (2018), p. 329.
 
119
APEC (2005), Foreword.
 
120
APEC (2005), p. 7. See further on the APEC Framework Greenleaf (2009).
 
121
APEC (2015).
 
122
APEC (2015), Part III, Principle 9.
 
123
APEC (2015), p. 23.
 
124
APEC (2015), p. 9. Even the qualification that exceptions should be “limited and proportional to meeting the objectives to which the exceptions relate” cannot outweigh the broad and open nature of the exceptions. On the contrary, there are uncertainties as to what “limited” and “proportional” are in reference to.
 
125
APEC (2005), p. 31.
 
126
Bygrave (2014), p. 78.
 
127
Currently there are nine participating economies: the US, Mexico, Japan, Canada, Singapore, Republic of Korea, Australia, Chinese Taipei, Philippines.
 
128
See further Solove and Schwartz (2018), p. 1204.
 
129
Voskamp et al. (2013). See further Article 29 Data Protection Working Party (2014). See further infra Sect. 4.3.2.2.
 
130
Wall (2017).
 
131
Greenleaf (2009), pp. 29–33.
 
132
Kuner (2013), p. 51.
 
133
Kuner (2013), pp. 58–59.
 
134
Madrid Resolution (2009), Article 1, b).
 
135
Bygrave (2014), pp. 99–116; Kuner (2013), p. 26.
 
136
Hon (2017), pp. 28–29; UNCTAD (2016), p. 3.
 
137
See with further references Kuner (2011), p. 14.
 
138
Cf. Swedish Data Protection Act, Datalag (1973:289), 11 May 1973. See also originally Svantesson (2011), p. 180.
 
139
See with further references Kuner (2011), p. 14; Kuner (2013), p. 27.
 
140
Kuner (2013), p. 27.
 
141
Kuner (2013), p. 27.
 
142
See for example Chander and Lê (2015); Kuner (2013), pp. 83–91.
 
143
Schwartz (2013), p. 1974. See for a helpful overview of the sources of the current “patchwork” of privacy protection in the US as well as the debate regarding a federal privacy law in the US Fischer (2021).
 
144
See further Schwartz (2009), pp. 922–931; Solove and Schwartz (2018), pp. 665–684.
 
145
Gunasekara (2007), p. 153; Humerick (2018), pp. 83–99.
 
146
Solove and Schwartz (2019), p. 2.
 
147
See with regard to PII Schwartz and Solove (2011), pp. 1828–1836.
 
148
See further Chander et al. (2021).
 
149
See with regard to the American Data Privacy and Protection Act (ADPPA) Edelman (2022).
 
150
Bracy (2024).
 
151
Humerick (2018), p. 83, pp. 88–99.
 
152
Schwartz (2013), p. 1967.
 
153
Schwartz and Pfeifer (2017), pp. 132–138.
 
154
See for the FTC’s role with regard to data privacy, Hoofnagle (2016); Humerick (2018), pp. 84–93.
 
155
Sedgewick (2017), p. 1522.
 
156
Whitman (2004), pp. 1160–1164. See also Petkova (2019).
 
157
Schwartz (2013), p. 1973. Schwartz further refers to a failed Congressional initiative aimed at introducing an export limit in the 1970s.
 
158
Naef (2023), pp. 31–37; Schwartz and Pfeifer (2017), pp. 122–132.
 
159
See Kuner (2013), p. 36.
 
160
Kokott and Sobotta (2013), pp. 222–223. Cf. also Article 16 Sec. 1 TFEU.
 
161
See on the relationship between the Charter, the Convention and the general principles developed by the case law of the ECJ in the field of privacy Kokott and Sobotta (2013). See also Naef (2023), pp. 19–31.
 
162
Solove and Schwartz (2018), p. 1094.
 
163
See Schwartz (2013), p. 1972 citing Spiros Simitis. The European Commission started to conduct studies on diverging levels of data protection between member states and the resulting trade barriers already in 1973, cf. with further references Kuner et al. (2020), Article 44, pp. 758–759.
 
164
Gunasekara (2007), p. 164; Kuner et al. (2020), Article 44, pp. 775–777.
 
165
Burri and Schär (2016), p. 480.
 
166
ECJ, C-131/12, Google Spain, 13 May 2014, ECLI:EU:C:2014:317.
 
167
ECJ, C-362/14, Schrems I, 6 October 2015, ECLI:EU:C:2015:650.
 
168
Burri (2021), pp. 49–50; Burri and Schär (2016), pp. 480–488.
 
169
See Burri and Schär (2016), p. 489. Cf. in detail European Commission (2010).
 
170
Buttarelli (2016).
 
171
Burri (2021), pp. 49–50; Burri and Schär (2016), pp. 488–497; Schwartz (2013), pp. 1994–2001.
 
172
Humerick (2018), pp. 99–108; Schwartz and Pfeifer (2017), pp. 129–132.
 
173
ECJ, Opinion 1/15, 26 July 2017, ECLI:EU:C:2016:656.
 
174
ECJ, C-311/18, Schrems II, 16 July 2020, ECLI:EU:C:2020:55.
 
175
Naef (2023), pp. 55–64.
 
176
Svantesson (2011), pp. 191–193. See further on the development of Article 44 et seq. GDPR Kuner et al. (2020), Article 44, pp. 756–761.
 
177
See further Kuner et al. (2020), Article 45, pp. 774–775.
 
178
According to Article 45 Sec. 1 first sentence GDPR: “[a] transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”.
 
179
Wagner (2018), pp. 320–323.
 
180
Wagner (2018), pp. 321–322.
 
181
Chander and Schwartz (2023), pp. 71–73; Kuner et al. (2020), Article 45, pp. 779–782.
 
182
ECJ, C-362/14, Schrems I, 6 October 2015, ECLI:EU:C:2015:650, para. 73.
 
183
ECJ, C-362/14, Schrems I, 6 October 2015, ECLI:EU:C:2015:650, para. 74.
 
184
ECJ, C-311/18, Schrems II, 16 July 2020, ECLI:EU:C:2020:55.
 
185
Cf. recital 108 to the GDPR stating: “Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country”. See further Naef (2023), pp. 148–155.
 
186
The Commission released the latest version of the SCCs under the GDPR on 4 June 2021, replacing the three sets of SCCs adopted under the DPD.
 
187
Article 4 Sec. 20 GDPR defines BCRs as: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.”.
 
188
See further Kuner et al. (2020), Article 49, pp. 843–846.
 
189
See generally Gao (2021).
 
190
See for a helpful overview Davis Polk (2021).
 
191
Casalini and López González (2019), p. 22.
 
192
See Hufbauer and Zhiyao (2019), pp. 3–7.
 
193
Sacks et al. (2021).
 
194
Skadden, Arps, Slate, Meagher & Flom LLP (2021).
 
195
While “important” data are not defined, “core national” data are defined in Article 21 of the DSL as data “related to national security, the lifelines of the national economy, important aspects of people’s livelihoods, major public interests, etc.”, see for a translation DigiChina (2021d).
 
196
See for a translation DigiChina (2021c).
 
197
See for a translation DigiChina (2021c).
 
198
Li et al. (2023).
 
199
Luo and Dan (2024).
 
200
See Casalini and López González (2019), pp. 16–24; Kuner (2013), pp. 61–79; Rotenberg (2020), pp. 94–97. See also for data localisation measures in particular supra Sect. 2.3.2.4.
 
201
Kuner (2013), p. 61.
 
202
Kuner (2013), pp. 64–76.
 
203
Svantesson (2011), pp. 190–194.
 
204
Casalini and López González (2019), p. 16.
 
205
Casalini and López González (2019), p. 16.
 
206
Weber (2013), p. 121. See further infra Sect. 4.3.3.5.
 
207
See generally Alhadeff et al. (2012).
 
208
Kuner (2013), p. 71; Weber (2013), p. 122.
 
209
Centre for Information Policy Leadership (2009), p. 10.
 
210
Crompton et al. (2009), p. 5.
 
211
Kuner (2013), p. 72.
 
212
See for a sample of measures Article 29 Data Protection Working Party (2010), p. 11; Centre for Information Policy Leadership (2018), pp. 4–10.
 
213
See supra Sect. 4.3.1.4.
 
214
See OECD (2013b), p. 16, Part IV, para. 16: “A data controller remains accountable for personal data under its control without regard to the location of the data.”.
 
215
Cf. Madrid Resolution (2009), Article 11: “The responsible person shall: Take all the necessary measures to observe the principles and obligations set out in this Document and in the applicable national legislation, and have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers, as established in section 23.”.
 
216
Rotenberg (2020), pp. 106–107.
 
217
Kuner (2013), pp. 64–66; Weber (2013), p. 122.
 
218
Kuner (2013), pp. 64–66; Svantesson (2011), p. 191.
 
219
Weber (2013), p. 122.
 
220
Kuner (2013), pp. 66–71.
 
221
Chander and Schwartz (2023), pp. 71–76.
 
222
UNCTAD (2016), p. 13. Examples of the regulation of the latter exceptions are provided by Article 49 GDPR, or Article 15 lit. 3 of the Madrid Resolution (2009).
 
223
See with further examples Chander and Schwartz (2023), pp. 126–134, Appendix A; Rotenberg (2020), pp. 103–105.
 
224
See with examples Chander and Lê (2015), pp. 718–721; Mishra (2019), p. 8.
 
225
See also Casalini and López González (2019), p. 16.
 
226
Poskauer (2015).
 
227
See for a distinction between “conditional” and “strict” forms of data localization supra Sect. 2.3.2.4.
 
228
Cf. Article 77 of the My Health Records Act 2012. No. 63, 2012.
 
229
Casalini and López González (2019), p. 22; Svantesson (2020), p. 25.
 
230
See further Naef (2023), pp. 77–100.
 
231
Chander (2020), pp. 777–778; Christakis (2020).
 
232
Svantesson (2011), pp. 190–191; Weber (2013), p. 121.
 
233
Weber (2013), pp. 120–121.
 
234
See with further references Svantesson (2011), p. 190.
 
235
Svantesson (2011), p. 191.
 
236
Kuner (2013), p. 76.
 
237
See further Svantesson (2011), p. 193.
 
238
Svantesson (2011), p. 194.
 
239
Crompton et al. (2009), p. 5.
 
240
See for example Wagner (2018); Weber (2013), pp. 123–127.
 
241
Svantesson (2011), p. 191.
 
242
See infra Sect. 4.4.2.2.1 with regard to the conflation of political and economic considerations under the EU’s GDPR against the backdrop of the role of data protection in the digital economy.
 
243
With further references Chander and Lê (2015), pp. 718–721.
 
244
Mishra (2019), pp. 4–7.
 
245
Hon (2017), p. 316.
 
246
Weber (2013), pp. 122–123.
 
247
See supra Sect. 4.3.2.2. See also Kuner (2013), p. 72.
 
248
OECD (2013b), p. 17, Part V, para. 19 d).
 
249
See also Kuner (2013), p. 76.
 
250
See with further references regarding the “obscurity” of aims of data privacy law Bygrave (2014), pp. 117–118.
 
251
Bygrave (2014), pp. 118–125.
 
252
Chander and Schwartz (2023), pp. 105–113; Yakovleva (2020b), pp. 500–507. This applies in particular to the EU data protection framework, in the design of which the economic rationale of the internal market clearly figured prominently, but in which the preservation of data protection as a fundamental right, especially vis-à-vis third countries, also plays an important role, see supra Sect. 4.3.2.2. Similarly, the OECD privacy guidelines aim to protect fundamental rights while minimizing the economic distortions caused by different data privacy regimes, see supra Sect. 3.2.1.1.2.
 
253
With further references to the work of Professors Radim Polčák and Dan Jerker B. Svantesson, see Yakovleva (2020b), p. 503.
 
254
See further Burri (2021), pp. 35–43; Chander and Schwartz (2023), pp. 105–113; Yakovleva (2020a); Yakovleva (2020b), pp. 499–515.
 
255
See Chander and Schwartz (2023), pp. 105–113.
 
256
See further Yakovleva (2020b), pp. 464–499.
 
257
See further regarding this “moral value approach” Yakovleva (2020b), pp. 500–506.
 
258
See for a brief introduction to the economic theory of privacy put forth by the Chicago School Acquisti (2010), pp. 5–10.
 
259
Manyika et al. (2016), pp. 101–102.
 
260
UNCTAD (2016), p. 20.
 
261
Swire and Litan (2010), pp. 77–78.
 
262
Chander and Schwartz (2023), pp. 81–82.
 
263
See further supra Sect. 4.3.1.4.
 
264
See further supra Sect. 4.3.2.2.
 
265
Mishra (2019), p. 5.
 
266
This is the case for example with the European data protection regime under the GDPR, see Fabbrini and Celeste (2021); Kuner (2015). See further infra Sect. 4.4.2.2.1.
 
267
Yakovleva (2020b), pp. 473–481. See generally on digital industrial policies through data restrictions, Mitchell and Mishra (2019), pp. 396–397.
 
268
See for a comprehensive review of the concept of protectionism with regard to digital trade Aaronson (2019), pp. 545–550; Yakovleva (2020b), pp. 429–463.
 
269
Bygrave (2014), pp. 123–126. See further with regard to the interplay with sovereignty considerations infra Sect. 4.4.1.2.2.
 
270
See Aaronson (2015), p. 683; Yakovleva (2020b), pp. 475–476. However, the US approach towards digital protectionism seems to evolve, see Aaronson (2017), p. 232. See also supra Sect. 4.3.2.1.
 
271
See further Naef (2023), pp. 133–135.
 
272
Cory and Dascoli (2021); Mitchell and Mishra (2019), pp. 111–112. See also with regard to the discussions in the WTO Work Programme on Electronic Commerce supra Sect. 3.3.1.1.
 
273
van der Marel et al. (2014), p. 13.
 
274
Aaronson (2019), pp. 548–549. See in particular the extensive research of Svetlana Yakovleva on this matter who questions among other things, whether the digital protectionism label is a trigger to redefine barriers to trade in the digital era, Yakovleva (2020b), pp. 473–481; pp. 496–499.
 
275
OECD (2015a), pp. 209–234; UNCTAD (2016), pp. 3–4.
 
276
See with further references Casalini and López González (2019), p. 29; OECD (2015a), p. 211. See in particular for the EU with further references, Yakovleva and Irion (2020), p. 207.
 
277
Reidenberg (1995).
 
278
See regarding a potential role for the WTO in fostering consumer trust, Mitchell and Mishra (2019), p. 403.
 
279
This is notably the case for the data privacy framework of the US, see for example Schwartz and Pfeifer (2017), pp. 132–138.
 
280
See with further references UNCTAD (2016), p. 103.
 
281
See for example Yakovleva and Irion (2020), pp. 207–208.
 
282
Swire and Litan (2010), pp. 79–85.
 
283
See with further references Acquisti (2010), pp. 4–5; Swire and Litan (2010), p. 86.
 
284
Burri (2017), pp. 13–14; Yakovleva and Irion (2020), pp. 207–208. See also Mitchell and Mishra (2019), p. 403.
 
285
In this context, the wording of some provisions on data protection in recent EU trade agreements reveals the underlying notion that data privacy rules are actually eliminating barriers to data flows, cf. Willemyns (2020), p. 237 referring to Article 45 of the EU–Algeria agreement.
 
286
See further Yakovleva and Irion (2020), p. 208.
 
287
Cf. Yakovleva (2020b), pp. 500–515.
 
288
Bygrave (2014), p. 82.
 
289
Bygrave (2014), pp. 82–99; Kuner (2013), p. 33.
 
290
Article 12 UDHR reads: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Similarly, the ICCPR stipulates in Article 17 that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.”.
 
291
In retrospect, however, it is obscure why the concept of privacy gained such broad recognition so quickly, given its relative novelty and the lack of a settled constitutional tradition in many countries, see Diggelmann and Cleis (2014).
 
292
Bygrave (2014), p. 83.
 
293
UN General Assembly, Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, 29 June 2012, A/HRC/20/L.13.
 
294
Nyst and Falchetta (2017), pp. 105–107. See also Hill (2014).
 
295
UN (2013). See further UN (2014a).
 
296
UN (2014b), para. 1. See also Nyst and Falchetta (2017), pp. 105–110.
 
297
UN (2015).
 
298
Yakovleva (2018), pp. 481–482.
 
299
See with further references Yakovleva and Irion (2020), p. 208.
 
300
See with further references Chander and Schwartz (2023), pp. 108–110; Solove (2006).
 
301
See with further references Schwartz (1999), p. 1665.
 
302
Cf. Zuboff (2016). See also Yakovleva (2018), p. 482; Yakovleva and Irion (2020), p. 208.
 
303
Gasser (2021), p. 199.
 
304
Yakovleva (2020b), pp. 507–508.
 
305
Svantesson (2020), p. 17.
 
306
Mitchell and Mishra (2019), pp. 395–396. See also Cory and Dascoli (2021), p. 6.
 
307
See for example Mitchell and Samlidis (2022); Fleming (2021).
 
308
With further references Hon (2017), pp. 26–27.
 
309
See with further references Gasser (2021), p. 200.
 
310
Lauf (2021), p. 11.
 
311
Cited according to Hon (2017), pp. 27–28.
 
312
Hon (2017), p. 27; Mitchell and Samlidis (2022), p. 375; Fleming (2021).
 
313
Kuner (2013), pp. 28–31.
 
314
The Economist (2012).
 
315
See for example Aaronson and Leblond (2018); Mitchell and Mishra (2018), pp. 1081–1088.
 
316
Bygrave (2014), pp. 124–125; Kuner (2013), pp. 28–31. See with regard to the extraterritorial application of data privacy laws infra Sect. 4.4.2.2.1.
 
317
Svantesson (2020), pp. 17–19. See with regard to China’s data governance approach Erie and Streinz (2021), pp. 24–35.
 
318
Andrews (1999). See further Chander and Schwartz (2023), pp. 110–113.
 
319
See further Yakovleva (2018), pp. 482–487; Yakovleva (2020b), pp. 508–513. In this context the author analyses the limits of the economic approach to data privacy and calls for a “broader multidisciplinary discourse”.
 
320
Swire and Litan (2010), pp. 85–88.
 
321
Acquisti (2010), p. 19.
 
322
Acquisti et al. (2016), pp. 483–484.
 
323
Swire and Litan (2010), p. 89.
 
324
Kuner (2010), p. 178.
 
325
See generally Casalini and López González (2019), p. 16.
 
326
Cf. Yakovleva (2018), pp. 482–484.
 
327
Cf. Yakovleva (2020b), p. 511.
 
328
See infra Sect. 5.2 for more details on the review of data privacy laws in the context of WTO law.
 
329
Schwartz (2019); Yakovleva and Irion (2020), p. 215.
 
330
Article 1 Sec. 1 DPD states: “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” Sec. 2 reads: “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1”. Moreover, Recital 8 to the DPD reads: “Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; whereas this objective is vital to the internal market but cannot be achieved by the Member States alone, especially in view of the scale of the divergences which currently exist between the relevant laws in the Member States and the need to coordinate the laws of the Member States so as to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market as provided for in Article 7a of the Treaty; whereas Community action to approximate those laws is therefore needed”.
 
331
Kokott and Sobotta (2013), p. 223; Wagner (2018), p. 320.
 
332
Yakovleva (2020b), p. 502.
 
333
European Commission (2017), p. 6, para. 3.1.
 
334
European Commission (2020a), p. 25.
 
335
Schwartz (2019), p. 774.
 
336
Humerick (2018), pp. 103–107; Schwartz (2013), pp. 1994–2001.
 
337
See with further references Chander and Schwartz (2023), pp. 90–94; Yakovleva and Irion (2020).
 
338
See generally with regard to the concept of extraterritoriality as it relates to regulation of international data transfers under the EU’s DPD Kuner (2015).
 
339
Schwartz (2013), p. 1973. Schwartz cites Spiros Simitis: “Data protection does not stop at national borders. Transfers of information must be bound to conditions that attempt in a targeted fashion to protect the affected parties.” Consequently, Recital 2 of the GDPR states: “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data”.
 
340
Cf. ECJ, C-131/12, Google Spain, 13 May 2014, ECLI:EU:C:2014:317, para. 54. See further Fabbrini and Celeste (2021), pp. 18–19.
 
341
See further Recitals 23 and 24 to the GDPR. Recital 23 first sentence reads: “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”
 
342
See with further references de Hert and Czerniawski (2016), pp. 239–240.
 
343
de Hert and Czerniawski (2016), pp. 239–240.
 
344
Kuner (2010), p. 178.
 
345
Svantesson (2015), p. 234.
 
346
Kuner (2009b), pp. 4–8. See for an explanation of jurisdictional bases most relevant for data privacy law Kuner (2010), pp. 188–189.
 
347
Fabbrini and Celeste (2021), pp. 21–23; Kuner (2010), p. 191.
 
348
European Commission (2017), p. 8, para. 3.1.
 
349
Kuner (2017), p. 911. See further with regard to an assessment of the adequacy mechanism under WTO law infra Sect. 5.2.2.2.
 
350
“Admitting the legitimacy of such an approach invites trade war upon trade war as nations take turns standing in judgment of one another’s internal regulatory regimes.” See Singelton (2002).
 
351
Bradford (2020). See with regard to the EU’s data protection law Schwartz (2019), pp. 778–783.
 
352
Svantesson (2011), p. 184.
 
353
Cf. Article 45 Sec. 2 (a) GDPR “When assessing the adequacy of the level of protection, the Commission shall, in particular, take account […] rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation”.
 
354
Bygrave (2014), p. 123.
 
355
Gunasekara (2007), p. 164; Schwartz (2013), pp. 1973–1979. See further Greenleaf (2012), pp. 72–79.
 
356
Greenleaf (2012), p. 70.
 
357
Kuner (2017), pp. 917–918.
 
358
Chander and Schwartz (2023), pp. 70–76.
 
359
Chander and Schwartz (2023), p. 111.
 
360
Cf. also with further references to the legal relationship between international agreements and adequacy decisions Kuner et al. (2020), Article 45, pp. 777–778.
 
361
European Commission (2017), p. 9, para. 3.1.
 
362
Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, C/2019/304/, OJ L 76, 19 March 2019.
 
363
Commission Implementing Decision of 17 December 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the Republic of Korea under the Personal Information Protection Act, C(2021) 9316 final.
 
364
Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final.
 
365
See for example Chander and Schwartz (2023), pp. 92–94; Schwartz (2019), pp. 786–803.
 
366
Schwartz (2013), p. 1980.
 
367
See only Schwartz (2013), p. 1968, Schwartz and Pfeifer (2017).
 
368
See only Andrews (1999). See further Working Party on the Protection of Individuals (1999), para. 1, which states: “[…] the Working Party takes the view that the current patchwork of narrowly-focussed sectoral laws and voluntary self-regulation cannot at present be relied upon to provide adequate protection in all cases for personal data transferred from the European Union.”
 
369
Chander and Schwartz (2023), pp. 100–105; Schwartz (2013), pp. 1980–1985.
 
370
Cf. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000/520/EC, OJEC, 25 August 2000, L 215/7.
 
371
ECJ, C-362/14, Schrems I, 6 October 2015, ECLI:EU:C:2015:650.
 
372
ECJ, C-311/18, Schrems II, 16 July 2020, ECLI:EU:C:2020:55. See further European Commission (2016), pp. 7–12, para. 3.
 
373
Gunasekara (2007), p. 165.
 
374
Schwartz (2013), p. 1967.
 
375
Schwartz (2013), pp. 1987–1989.
 
376
Yakovleva (2018), p. 478.
 
377
ECJ, C-311/18, Schrems II, 16 July 2020, ECLI:EU:C:2020:55, para. 133.
 
378
Burri (2021), pp. 59–62. See further Congressional Research Service (2021).
 
379
See further European Commission (2024).
 
380
European Commission (2023).
 
381
See with further explanations to the discrepancies in the discourse on digital trade policy between the US and the EU Aaronson (2015), pp. 685–694; Yakovleva (2020b), pp. 464–466. See for a decidedly US centric perspective Singelton (2002). See on the relationship of data protection to other objectives of EU data protection law and the resulting relationship between data subject and data processor Schwartz and Pfeifer (2017), pp. 129–132.
 
382
Yakovleva and Irion (2020), p. 214.
 
383
See from a perspective of AI regulation Hervé (2021).
 
384
See for example Gordon and Ram (2018). See with more references to media coverage Schwartz (2019), pp. 776–778.
 
385
Ross (2018).
 
386
See with further references Burri and Schär (2016), p. 502. See also Burgess (2022). See further European Commission (2020c).
 
387
Farrell (2015).
 
388
Mishra (2015), pp. 144–151.
 
389
See for example Aaronson (2019), pp. 548–550; Yakovleva (2020b), pp. 473–482. See also supra Sect. 4.4.1.1.1.
 
390
See with regard to US business interests in digital trade discourse Yakovleva (2020b), p. 482.
 
391
See further Chander and Schwartz (2023), pp. 85–86.
 
392
Yakovleva (2020b), p. 476.
 
393
See for example WTO (2018), p. 1, para. 1.3: “Meaningful trade rules can support the role of the digital economy in promoting global economic growth and development while also allowing governments to address the growing concerns of Internet users about the security and privacy of their personal data.”
 
394
Centre for Information Policy Leadership (2020). See also Congressional Research Service (2020), pp. 20–21. See further supra Sect. 4.3.2.1.
 
395
Lawder (2023).
 
396
See generally Erie and Streinz (2021).
 
397
Sacks et al. (2021).
 
398
See for a translation DigiChina (2021b).
 
399
See generally Gao (2021).
 
400
See further DigiChina (2021a).
 
401
Sacks et al. (2021).
 
402
World Economic Forum (2022).
 
403
Kuner (2013), pp. 33–34.
 
404
Yakovleva (2018), p. 478.
 
405
Peng (2011), p. 765.
 
406
Yakovleva (2020b), p. 515.
 
407
Yakovleva (2020b), p. 517.
 
408
See further Schwartz (2013).
 
409
See for example with regard to the transatlantic EU-US relations Schwartz (2013).
 
410
Yakovleva (2020a), p. 882.
 
References
Acquisti A (2010) The economics of personal data and the economics of privacy: background paper #3 joint WPISP-WPIE roundtable. The economics of personal data and privacy: 30 years after the OECD privacy guidelines
Alhadeff J, van Alsenoy B, Dumortier J (2012) The accountability principle in data protection regulation: origin, development and future directions. In: Guagnin D et al (eds) Managing privacy through accountability. Palgrave Macmillan UK, London, pp 49–82
Article 29 Data Protection Working Party (2010) Opinion 3/2010 on the principle of accountability. 00062/10/EN. Adopted on 13 July 2010
Bradford A (2020) The Brussels effect: how the European Union rules the world. Oxford University Press, New York
Burri M (2021) Interfacing privacy and trade. Case West Res J Int Law 53:35–88
Bygrave LA (2014) Data privacy law: an international perspective. Oxford University Press
Centre for Information Policy Leadership (2020) What does the USMCA mean for a US Federal Privacy Law. White paper
Chander A, Lê UP (2015) Data nationalism. Emory Law J 64:677–739
Chander A, Schwartz PM (2023) Privacy and/or trade. Univ Chic Law Rev 90:49–135
Chander A, Kaminski ME, McGeveran W (2021) Catalyzing privacy law. Minn Law Rev 105:1733–1802
Congressional Research Service (2020) Data flows, online privacy, and trade policy. R45584
Congressional Research Service (2021) EU data transfer requirements and U.S. intelligence laws: understanding Schrems II and its impact on the EU-U.S. privacy shield. R46724
Council of Europe (1981) Explanatory report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Crompton M, Cowper C, Jefferis C (2009) The Australian Dodo Case: an insight for data protection regulation. World Data Prot Rep 9(1):3–9
Erie MS, Streinz T (2021) The Beijing effect: China’s digital silk road as transnational data governance. N Y Univ J Int Law Polit 54(1):1–92
European Commission (2010) Communication from the Commission: a comprehensive approach on personal data protection in the European Union. COM(2010) 609 final
European Commission (2016) Transatlantic data flows: restoring trust through strong safeguards. Communication from the Commission, COM/2016/0117 final
European Commission (2017) Communication from the Commission to the European Parliament and the Council Exchanging and Protecting Personal Data in a Globalised World. COM(2017) 7 final
European Commission (2020a) Communication from the Commission: a European strategy for data. COM(2020) 66 final
European Commission (2020b) On artificial intelligence - a European approach to excellence and trust. White paper
European Commission (2020c) Communication from the Commission to the European Parliament and the Council: data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation. COM(2020) 264 final
European Union (2007) Explanations relating to the Charter of Fundamental Rights (2007/C303/02)
Fabbrini F, Celeste E (2021) EU data protection law between extraterritoriality and sovereignty. In: Fabbrini F, Celeste E, Quinn J (eds) Data protection beyond borders: transatlantic perspectives on extraterritoriality and sovereignty. Hart, Oxford
Fischer JL (2021) The challenges and opportunities for a US Federal Privacy Law. In: Fabbrini F, Celeste E, Quinn J (eds) Data protection beyond borders: transatlantic perspectives on extraterritoriality and sovereignty. Hart, Oxford, pp 27–44
Gao HS (2021) Data regulation with Chinese characteristics. In: Burri M (ed) Big data and global trade law. Cambridge University Press, Cambridge, pp 245–267
Gasser U (2016) Recoding privacy law: reflections on the future relationship among law, technology, and privacy. Harv Law Rev Forum 130(2):61–70
Gasser U (2021) Futuring digital privacy. In: Burri M (ed) Big data and global trade law. Cambridge University Press, Cambridge, pp 195–211
Hervé A (2021) Data protection and artificial intelligence. In: Peng S, Lin C-F, Streinz T (eds) Artificial intelligence and international economic law: disruption, regulation, and reconfiguration. Cambridge University Press, Cambridge, pp 193–214
Holvast J (2009) History of privacy. In: Matyáš V et al (eds) The future of identity in the information society: 4th IFIP WG 9.2, 9.6, 11.6, 11.7/FIDIS International Summer School, Brno, Czech Republic, September 1–7, 2008; revised selected papers, vol 298. Springer, Berlin, pp 13–42
Hon WK (ed) (2017) Data localization laws and policy: the EU data protection international transfers restriction through a cloud computing lens. Edward Elgar, Cheltenham
Hoofnagle CJ (2016) Federal trade commission privacy law and policy. Cambridge University Press, New York
Humerick M (2018) The tortoise and the hare of international data privacy law: can the United States catch up to rising global standards? Catholic Univ J Law Technol 27:1
Kuner C (2013) Transborder data flows and data privacy law. Oxford University Press, Oxford
Kuner C (2017) Reality and illusion in EU data transfer regulation post Schrems. German Law J 18(4):881–918
Kuner C, Bygrave LA, Docksey C, Drechsler L (2020) The EU General Data Protection Regulation (GDPR): a commentary, 1st edn. Oxford University Press, Oxford
Mayer-Schönberger V, Cukier K (2014) Big data: a revolution that will transform how we live, work and think, 1. Mariner Books edition
Mishra N (2015) Data localization laws in a digital world: data protection or data protectionism? NUS Centre for International Law Research paper no. 19/05. The Public Sphere
Mitchell AD, Mishra N (2018) Data at the docks: modernizing international trade law for the digital economy. Vanderbilt J Entertain Technol Law 20:1073–1134
Naef T (2023) Data protection without data protectionism, European yearbook of international economic law. Springer International Publishing, Cham
National Board of Trade (2014) No transfer, no trade: the importance of cross-border data transfers for companies based in Sweden
OECD (2015b) The governance of globalized data flows - current trends and future challenges: working party on security and privacy in the digital economy. DSTI/ICCP/REG(2015)3
Ohm P (2010) Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Rev 57:1701–1777
Pasadilla GO (2020) Next generation non-tariff measures: emerging data policies and barriers to digital trade. ARTNeT working paper series no. 187
Peng S (2011) Digitalization of services, the GATS and the protection of personal data. In: Sethe R, Heinemann A, Hilty RM (eds) Kommunikation: Festschrift für Rolf H. Weber zum 60. Geburtstag. Stämpfli, Bern, pp 753–769
Reidenberg JR (1995) The fundamental role of privacy and confidence in the network. Wake Forest Law Rev 30(105):105–125
Roessler B (2015) Should personal data be a tradable good? On the moral limits of markets in privacy. In: Roessler B, Mokrosinska D (eds) Social dimensions of privacy. Cambridge University Press, Cambridge, pp 141–161
Rotenberg J (2020) Privacy before trade: assessing the WTO-consistency of privacy-based cross-border data flow restrictions. Univ Miami Int Comp Law Rev 28(1):91–120
Schwartz PM (1999) Privacy and democracy in cyberspace. Vanderbilt Law Rev 52(6):1609–1702
Schwartz PM (2004) Property, privacy, and personal data. Harv Law Rev 117(7):2056–2128
Schwartz PM (2009) Preemption and privacy. Yale Law J 118(5):902–947
Schwartz PM (2013) The EU-U.S. privacy collision: a turn to institutions and procedures. Harv Law Rev 126:1966–2009
Schwartz PM (2019) Global data privacy: the EU way. N Y Univ Law Rev 94(4):772–818
Schwartz PM, Pfeifer K-N (2017) Transatlantic data privacy law. Georgetown Law J 106(1):117–179
Schwartz PM, Solove DJ (2011) The PII problem: privacy and a new concept of personally identifiable information. N Y Univ Law Rev 86:1814–1894
Solove DJ (2001) Privacy and power: computer databases and metaphors for information privacy. Stanf Law Rev 53:1393–1462
Solove DJ (2002) Conceptualizing privacy. Calif Law Rev 90(4):1087–1155
Solove DJ (2006) A taxonomy of privacy. Univ Pa Law Rev 154(3):477–560
Solove DJ, Schwartz PM (2018) Information privacy law, Aspen casebook series, 6th edn. Wolters Kluwer Law & Business, New York
Swire PP, Litan RE (2010) None of your business: world data flows, electronic commerce, and the European privacy directive. Brookings Institution Press, Washington
U.S. Department of Commerce (2010) Guide to protecting the confidentiality of Personally Identifiable Information (PII): recommendations of the National Institute of Standards and Technology. Special publication 800-122
UN (1990) Guidelines for the regulation of computerised personal data files, E/CN.4/1990/72, 14 December 1990
UN (2013) General Assembly, Human Rights Council, Resolution 68/167 The Right to Privacy in the Digital Age, 13 December 2013, A/RES/68/167
UN (2014a) General Assembly, Human Rights Council, Resolution 69/166 The Right to Privacy in the Digital Age, 18 December 2014, A/RES/69/166
UN (2014b) Report of the High Commissioner for Human Rights, The Right to Privacy in the Digital Age, 30 June 2014, A/HRC/27/37
UN (2015) UN General Assembly, Human Rights Council, Resolution 28/16 The right to privacy in the digital age, 1 April 2015, A/HRC/RES/28/16
Warren SD, Brandeis LD (1890) The right to privacy. Harv Law Rev 4(5):193–220
Whitman JQ (2004) The two western cultures of privacy: dignity versus liberty. Yale Law J 113(6):1151–1221
Working Party on the Protection of Individuals (1999) Opinion 1/99 concerning the level of data protection in the United States and the ongoing discussions between the European Commission and the United States Government. 5092/98/EN/final WP15
WTO (2018) Joint Statement on Electronic Commerce Initiative, Communication from the United States, JOB/GC/178, 12 April 2018
Yakovleva S (2020b) Privacy protection(ism): the latest wave of trade constraints on regulatory autonomy. Univ Miami Law Rev 74:416–519
Zuboff S (2019) The age of surveillance capitalism: the fight for a human future at the new frontier of power, 1st edn. PublicAffairs, New York
Metadata
Title
Data Protection and Data Protectionism in International Trade
Written by
Roman Pascal Kalin
Copyright year
2024
DOI
https://doi.org/10.1007/978-3-031-73857-9_4
