- Email: [email protected]
Managing personal data flows to third countries
Data
Protection
- II
DATA PROTECTION-II MANAGING PERSONAL DATA FLOWS TO THIRD COUNTRIES Jo Greenfield and Graham Pearce
Rapid developments in information and communication technologies (ICT), including the commercialization of the Internet and the exploitation of other technologies are already having a profound impact on business and personal life styles. At the same time, however, developments in ICT are focusing attention on the need for policies to prevent the erosion of personal privacy and there is growing recognition that the global nature of the emerging information architecture requires regulation. This article explores the legal issues governing personal data flows to third countries.
INTRODUCTION The European C o m m u n i t y has adopted a raft of initiatives over the past few years, the most r e c e n t b e i n g the Action p l a n o n p r o m o t i n g safe use o f the I n t e r n e t (EC 1997a). However, p e r h a p s the most ambitious aspect of EU policy has b e e n in the field of data protection. The EC Data Protection Directive was adopted in 1995 and will be transp o s e d into national legislation in each Member State b y the 24 O c t o b e r 1998 (EC 1995). In the UK a Bill aimed at reforming data p r o t e c t i o n law in accordance with the Directive was p u b l i s h e d o n the 14 January 1998 (House of Lords 1998). The Directive represents a definitive statement of the E u r o p e a n data p r o t e c t i o n m o d e l in its c u r r e n t form. However, in addition to this regulatory response a second strand of EC policy has b e g u n to emerge in the form of Privacy Enhancing Technologies (PETs). This is a term that includes a n o n y m o u s m e c h a n i s m s for online payments and identity protectors based u p o n cryptographic techniques. The EC's Fifth Framework Research Programme makes specific reference to the part these technologies can play in safeguarding personal privacy. The acquis in the field of data p r o t e c t i o n is currently provided in the form of the Data Protection Directive, while a c o m p l e m e n t a r y T e l e c o m m u n i c a t i o n s Directive 97/66, adopted o n 1 D e c e m b e r 1997, sets out specific sectoral rules to be applied to data p r o t e c t i o n in the context of t e l e c o m m u n i c a t i o n networks, including the regulation of unsolicited calls, the use of billing data and call line identific a t i o n (EC 1997). T h e r e c e n t E u r o p e a n C o m m i s s i o n C o m m u n i c a t i o n , A E u r o p e a n initiative in electronic commerce (EC 1997b), also leaves o p e n the possibility that further measures may be n e e d e d to address specific data p r o t e c t i o n c o n c e r n s emerging from the d e v e l o p m e n t of electronic commerce. The European data p r o t e c t i o n model is, therefore, constantly evolving.
DATA TRANSFERS TO THIRD COUNTRIES U N D E R T H E NEW REGIME In many respects the Directive matches the substantive principles of existing UK law, comprising a mixture of obligations o n those w h o control the processing of personal data, together with rights for individuals w h o are the subject of data processing. However, in addition to protecting the right to privacy in respect of personal data, the significance of the Directive lies in the adoption of a European model of data protection that will remove barriers to the free flow of personal data across the Community. Effectively the transposition of the Directive into national law will lead to a c o m m o n data protection space being established which will enable the unrestricted transfer of personal data across the EC. At the same time the effect of the Directive is to make a clear distinction b e t w e e n data transfers within the EC and those to third cotmtries; in future the latter will be subject to more systematic a n d precise regulation. Thus, the Eighth Data Protection Principle in Schedule 1 of the UK Bill states that "personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data". Judging w h e t h e r 'adequate' protection is present in the case of third c o u n t r y transfers poses a n u m b e r of problems, central to which is an assessment of t h e risks attached to such a transfer. Current UK law requires data users in the UK to notify the Registrar of those countries to which transfers may be made.The user or controller may indicate that the destination of transfers will be 'worldwide', together with some explanation of the use of this category. Subsequent transfers must fall within the boundaries of this notification. If the Data Protection Registrar considers that the Data Protection Principles may be breached registration may be refused. Existing constraints on data transfers outside the UK are,
Computer Law & Security Report Vol. 14 no.3 1998 © 1998, Elsevier Science Ltd.
185
Data
Protection-
II
therefore, relatively b e n i g n and the duties placed u p o n data controllers in the Data Protection Bill (Clause 15) are not dissimilar to current arrangements. Data controllers will need to provide the Commissioner with the names, or a description of any territories outside the European Economic Area (EEA) to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer personal data. However, this is only the first step in determining w h e t h e r the transfer should proceed. It is c o m m o n practice for data to be transferred to states outside the EC for processing. However, many of these states do not possess any form of data protection legislation and even where regulation has b e e n introduced it may be limited in scope or execution. For example, by contrast to the European model, the US approach is far more fragmented and relies extensively u p o n private solutions, based u p o n sectoral initiatives and contracts. The scale of personal data transfers to third countries, particularly in the context of the Internet, therefore, represents a major challenge to European legislators.To combat these dangers the EC Directive included specific provisions inArticles 25 and 26 relating to third c o u n t r y transfers.Article 25(1) provides that transfers of data that are undergoing processing or are i n t e n d e d for processing after transfer will only be permitted if the country or territory in question provides an adequate level of protection. Article 25(2) offers guidance o n the criteria to be employed in judging the adequacy of protection in third countries. These include the circumstances surrounding the data transfer, the nature of the data, the purpose and duration of the processing, the c o u n t r y of origin and fmal destination and the general and sectoral rules of law in the third country. Since many categories of transfers will be unique in some respect this suggests that a case b y case approach will be required. However, the Commission may declare a country as ensuring adequate protection for all foreseeable cases. Article 26, however, allows the possibility of exceptions where the requirement for adequate protection is not met. The exact extent of these exemptions is o p e n to some conjecture, but the Commission's view is that they should be used sparingly. However, the implication is that data may be transferred to a third c o u n t r y even where the required standard of protection is n o t reached. Nonetheless, this is dependent u p o n certain criteria being met. In line w i t h the Directive, Schedule 4 of the UK Biil reflects these conditions and provides for data transfers where. the data subject has given his consent, • it is necessary for the conclusion of a contract b e t w e e n the controller and a person other than the data subject, either at the request of the data subject or is i n t h e interests of the data subject, for the performance of such a contract, ° it is deemed necessary by the Secretary of State for reasons of public interest, • it is necessary for the purposes of, or in c o n n e c t i o n with, any legal proceedings, for the p u r p o s e of obtaining legal advice or is otherwise necessary for the purpose of establishing, exercising or defending legal rights, • it is necessary in order to protect the vital interests of the data subject, • the data forms part of the personal data o n a public register w h i c h is o p e n to inspection, or
186
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
•
it is made o n terms that are of a kind approved or authorized by the Commissioner as ensuring adequate safeguards for the rights and freedoms of the data subject. In addition, u n d e r Articles 26(2) Member States may authorize the transfer if the controller adduces adequate safeguards, particularly if taking the form of contractual agreements.Thus, whilst Article 25 lays d o w n strict requirem e n t s for third c o u n t r y transfers, Article 26 softens this blow. Some countries will already be seen to possess adequate p r o t e c t i o n and, while others may not, transfers may still be possible, subject to the provisions of Article 26.Thus, a particular c o u n t r y may provide adequate p r o t e c t i o n for some transfers b u t not others.This may be because of strong self-regulation tied to a specific industry or the existence of contractual terms b e t w e e n controller and processor. In addition, Member States may p e r m i t an ad hoc contractual solution in those cases w h e r e there is n o adequate protection in the third country, provided that the contract provides adequate safeguards. However, while such a solution may be useful as a means of dealing with one-off cases, it is a very complex and time c o n s u m i n g process, carrying a very significant b u r d e n for organizations. The issue of'adequacy' is complex in that it appears to be a standard contingent o n the circumstances of the individual transfer. The EC Working Party d o c u m e n t First Orientations on transfers o f personal data to third countries: Possible ways f o r w a r d in assessing adequacy, adopted o n 26 June 1997 (EC 1997c), sets out a prototype approach to judging adequacy. Because of the n u m b e r of transfers to third countries, the d o c u m e n t advocated the holding of a 'white list' to give guidance o n a provisional basis. The list would include third countries to w h o m it could be assumed transfers of personal data would be safe. Beyond this, it was indicated that each supervisory body may wish to establish procedures for risk assessment of specific transfers. The Working Party d o c u m e n t e d principles to be used in appraising the adequacy of protection in a third country. These fall into two categories, reflecting the flmctional approach envisaged by the EC data protection model - - the c o n t e n t of laws protecting personal data and the procedural mechanisms to ensure their effective application. The objective is to assess the fundamental elements of the protection afforded, rather than impose the European model. The suggested c o n t e n t principles are purpose limitation, data quality and proportionality, transparency, security, rights of access, rectification and opposition and restrictions o n onward transfers to other third countries.The latter is intended to prevent controllers from using a country w i t h ' a d e q u a t e ' provisions as a 'staging post' for onward transfers to a c o u n t r y without an adequate data protection regime, in an attempt to evade the protection afforded by the Directive. Enforcement mechanisms are viewed in terms of the achievement of data protection objectives rather than a list of features that must be present to provide effective protection. Three fundamental objectives were defined; to deliver a good level of compliance with the rules, render support and help to individual data subjects in the exercise of their rights and provide appropriate redress to the injured party where rules are not observed. The Bill reflects these principles and defines an adequate level of protection as one which is adequate in all the circumstances in the case, having regard in particular to:
Data
• •
the nature of the personal data, the c o u n t r y or territory of origin of the information contained in the data, • the c o u n t r y or territory of fmal destination of that information, • the purposes for w h i c h and the period during w h i c h the data are i n t e n d e d to be processed, • the law in force in the c o u n t r y or territory in question, • the international obligations of that c o u n t r y or territory, • any relevant codes of c o n d u c t or other rules w h i c h are in force in that country, and • any security measures taken in respect of the data in that c o u n t r y or territory. Although the criteria are defined quite explicitly, it is apparent that the intention is to provide the Commissioner with discretion, in the light of the circumstances surrounding each case. However good these principles in theory, the question remains as to h o w they will be monitored and policed to ensure compliance. In some respects the Member States have considerable discretion; some may elect to pass o n this obligation to data controllers; most envisage some form of apriori or ex post facto verification role for the supervisory authority. In the UK the Home Office and the Data Protection Registrar favour the duty to comply with Article 25 being i m p o s e d directly o n t h e controller and this is provided for in Schedule 1 of the Bill. Thereafter, at a national level, policing of data transfers will b e effected by the Commissioner, as the indep e n d e n t supervisory body. Ultimately, the UK courts and/or the European Court of Justice will have the fmal say o n any particular case, if a decision either to permit or prohibit a transfer is challenged. O n e further i m p o r t a n t aspect of the Bill w h i c h bears u p o n third c o u n t r y transfers are the provisions dealing with the relationship b e t w e e n the Commissioner, other Member States and the European Commission. The Directive clearly envisaged that Member States w o u l d cooperate, t h r o u g h the exchange o f information o n data transfers to third countries. Thus, Article 25 requires that Member States notify each other and the Commission of cases w h e r e transfers have b e e n blocked due to inadequate protection. Similarly, Member States must notify b o t h Commission and other Member States of each authorization granted u n d e r the provisions of Article 26. In cases where disagreements arise about the conditions of transfer for the purposes of Articles 26(3) or (4), the European Commission will decide w h e t h e r the decision of the individual supervisory authority was correct and if it should b e applied in all Member States. Moreover, the Commission is authorized to negotiate with a third c o u n t r y where its protection has b e e n found to be inadequate, with a view t o remedying the situation. In practice such decisions are likely to be taken after hearing the advice of the Data Commissioners (Article 29) but both the Directive and the Bill confirm an e n h a n c e d role for the Commission. The Bill also e n d o r s e s the Commissioner's duty to inform the European Commission and supervisory authorities in other EC States of any approvals or authorizations of third c o u n t r y transfers.The latter are provided for u n d e r Schedule 4 (Paras 8 and 9) and are i n t e n d e d to cover transfers made o n terms w h i c h are approved or authorized by the Commissioner as
Protection
- II
being made in such a m a n n e r so as to ensure adequate safeguards for the rights and freedoms of the data subject.
THE CHALLENGE OF CYBERSPACE The difficulties associated with data protection, in the context of transnational transfers, by traditional regulatory mechanisms have b e e n c o m p o u n d e d by the speed of development in ICT, particularly the Internet. Indeed, while the n e w technologies offer considerable benefits b y accessing information and purchasing c o n s u m e r goods or conducting business online, they raise serious threats to personal privacy.The globalization of commtmications and developments in ICT are often viewed as remote from g o v e r n m e n t intervention, indeed responsibility for data security and protection has b e c o m e diffused. Because the Internet is largely unregulated, the risks of breaches of security and protection are multipiled.The dangers are manifest in the nature of the Internet, including messages being intercepted and manipulated, the validity of documents being denied and personal data being illicitly collected using technologies such as 'cookies'. Concerns such as these were aired in a survey conducted b y Harris and Westin (1997) and are n o w widely accepted b y government and industry alike. In the context of multiple databases located in many different countries that can be easily accessed to create personal profiles the cosy regulatory e n v i r o n m e n t appears increasingly deficient. The EC Directive seeks to respond to these difficulties b u t it is widely acknowledged that enforcem e n t of the Data Protection Principles will remain an outstanding issue. For data transfers to some countries adequacy will be determined speedily, enabling transfers to proceed. More generally, however, the adequacy criteria will n e e d to be applied o n a case by case basis in order to assess the risks associated w i t h d i f f e r e n t types of p e r s o n a l data transfer. Authorization of a transfer will be required in advance but, even if the transfer is blocked, it is ingenuous to assume that this decision will be complied with, particularly if the data is already o n the Internet and can be downloaded to any destination in the world. In part the Directive and the Bill provide a solution to this problem by extending the data protection principles to data controllers established outside the EC w h o collect data from t h e system of a data subject. However, as Terwangne and Louveaux (1997) observe in the case of'hidd e n data flows', involving electronic traces in w h i c h the controller is located outside the EC, the data s u b j e c t will be left without the protection of the regulatory framework. In reviewing these issues, France ( 1 9 9 7 ) h a s suggested that one of the flmdamental problems lies in identifying the data controller responsible for alleged breaches in the law. She concludes that a solution to the problem may be found in framing the n e w UK law to provide for, where necessary, e n f o r c e m e n t action against I n t e r n e t access and service providers, since they have a crucial role to play as intermediaries. The Bill meets this objective by applying its requirements not only to data controllers established in the UK where the data are processed in the context of that establishment, b u t also to controllers established neither in the UK n o r in any other EC state but w h o use e q u i p m e n t in the UK for processing data otherwise than for the purposes of transit through the UK (Clause 5).
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
187
Data
Protection
- I!
Alongside regulatory solutions the search has n o w b e g u n for effective measures to minimize or eradicate these risks, but a major p r o b l e m exists in the culturally different approaches of key players.The EC model of data protection advocates regulation, s u p p o r t e d b y the use of PETs. The United States, o n the other hand, is reluctant to s u p p o r t gove r n m e n t i n t e r v e n t i o n and favours, instead, industry self-regu l a t i o n a n d c o n t r a c t u a l solutions. Whilst d i s c u s s i o n s c o n t i n u e as to the optimal international solution to this global problem, all parties are c o n t i n u i n g to develop parallel technologies that seek to minimize the risk of security breaches to the individual. For example, the EC Action Plan, adopted in 1997, aimed at tackling the illegal and harmful c o n t e n t o n the Internet, included the d e v e l o p m e n t of filtering and rating systems, encouraging public awareness and other s u p p o r t measures. Similarly, in the field of electronic commerce the n e e d for anonymity and security is real and there are strong arguments in favour of public monitoring to prevent illegal and harmful material being transferred via the Internet and to encourage effective commerce. Various governments are in favour of e n c r y p t i o n keys to be held by escrow organizations k n o w n as 'voluntary key m a n a g e m e n t infrastructures' in the United States or 'trusted third parties' in the EC.The adoption by the OECD (1997) of guidance for cryptographic policy, which deals specifically with the protection of privacy and personal data, is indicative of the consensus that is beginning to emerge at the international level. Within Europe, a European Commission C o m m u n i c a t i o n on electronic commerce (EC 1997b), included a proposal guaranteeing the free m o v e m e n t of e n c r y p t i o n technologies and products and proposed a specific initiative o n digital signatures.This has b e e n followed by proposals aimed at "establishing a c o m m o n framework for digital signatures, ensuring the ffmctioning of the internal market for cryptographic services and products, stimulating a European industry for cryptographic services and products and enabling users in all economical sectors to benefit from the opportunities of the global information society" (EC 1997d). Detailed proposals are expected during 1998. Similar documents have b e e n issued by the United States Government, to establish a coordinated strategy to meet both national and international developments in this field (Clinton and Gore 1997).The first moves towards overcoming difficulties of differences in international standards have b e e n illustrated b y the I n f o r m a t i o n Technology Agreement (ITA) and the Mutual Recognition Agreements of conformity assessment (MRA) which provide for the gradual elimination of tariffs and non-tariff barriers respectively o n IT products by the year 2000, and the WTO Agreement o n Basic Telecommunications, which contains c o m m i t m e n t s from 69 countries with regard to market access and national treatment (see EC 1997b).
THE EMERGING AGENDA The past decade has witnessed a dramatic increase in concerns about data privacy. This is a c o n s e q u e n c e of the internationalization of business and data flows, the pervasive role of personal computers, technological advance, reductions in the cost of data processing and the creation of markets in personal information.These trends have set the legislative agenda
188
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
but, as is often the case, the pace of these changes has outstripped the capacity of policy makers and legislators.The EC Directive emerged as a c o n s e q u e n c e of the need to harmotlize legislation in each Member State as part of the Internal Market Programme and reflected a response to data protection issues that was essentially regulatory. More recently, however, a n e w element in European data protection policy has appeared in the form of technological solutions to data protection problems. Rapid progress has b e e n made but the crucial question is w h e t h e r the European model is sufficiently robust to protect personal data, meet the needs of European business and respond to the twin threats of technological change and giobalization. In m a n y respects the EC Directive and the Data Protection Bill currently before Parliament highlight these issues in the context of their provisions relating to third country transfers. Following the passage of the Bill in the UK, third countries that do not presently provide adequate dat a protection may fred that data transfers will be blocked. For data controllers undertaking third c o u n t r y transfers the potential implications could be considerable. Transfers to some countries may be prohibited entirely o n the grounds that neither the rules of law n o r the 'professional rules and security measures' are met. Nonetheless, it seems likely that the criteria governing transfers will be employed flexibly providing non-legal rllles are in place, including industry serf regulation, and these are being applied effectively. Thus, transfers may still be possible. Alternatively, individual contractual solutions may be appropriate. However, exemptions and contractual solutions can only ever be part of the answer to the problem. Restrictions could still be imposed since transfers may remain limited to individual or group of organizations The Bill sets out clear criteria for judging the adequacy of protection in third countries. Nonetheless, difficulties will u n d o u b t e d l y arise in judging those elements of a data protection regime that are indispensable and the guiding line b e t w e e n adequate and not adequate. Further problems may be posed b y the natttre of the data to be transferred, for example a supervisory body may wish to constrain high-risk transfers. Moreover, the assessment of adequacy and the need to review transfers o n a case by case basis will take time.These dilemmas may be c o m p o u n d e d since, if a Member State blocks a transfer, this decision may be upheld or overturned by the European Commission. The n e e d for agreements o n third c o u n t r y transfers in advance of the transposition of the Directive into UK law is, therefore, imperative. Even if some of these difficulties can be resolved the problems attached to online networks remain outstanding. In a c c o r d a n c e w i t h the s e c o n d strand of EC policy, the Commission is seeking to develop PETs through the ESPRIT and Fifth Framework Programme. Moreover, US industry, inspired by a desire to avoid g o v e r n m e n t intervention, has b e e n active in the research and development of technological means to address privacy issues. For example, Microsoft has recently joined Netscape and other companies in support of an ' o p e n profiling standard' that seeks to provide Internet users with control over h o w m u c h personal information is collected and used online. Technological solutions can provide Web users with greater control over the personal information they share, however, despite the availability of filters, agents and profilers, the use of such techniques remains
Data
restricted and the privacy o f the majority of users will continue to b e at risk (Taylor 1998). These examples clearly illustrate the role of technological solutions in privacy p r o t e c t i o n b u t t h e y are predominantly voluntary in nature. In contrast to the European a p p r o a c h that regards the p r o t e c t i o n of individual privacy as a right, technological solutions place a responsibility on individuals to secure and d e m a n d privacy protection. Moreover, lack of o p e n n e s s and transparency about the w a y personal data is accumulated, manipulated, b o u g h t and resold as a tradeable c o m m o d i t y means that individuals are often in a state of ignorance. Technological solutions can, therefore, contribute to solving some of the emerging p r o b l e m s b u t it is unlikely that unregulated business interests will a d o p t adequate levels of data protection. Serf-regulation, t h r o u g h sectoral initiatives, and privacy e n h a n c i n g t e c h n o l o g i e s have a p a r t to play in managing
References Clinton, W. J. and Gore, A. (1997) A f r a m e w o r k for global electronic commerce, United States Administration, Washington. Commission of the European Communities. (1997a) Action plan on promoting safe use o f the Internet, Brussels. Commission of the European Communities. (1997b) A European initiative in electronic commerce, COM(97)157, Brussels. Commission of the European Communities. (1997c) First Orientations on transfers o f personal data to third countries: Possible ways f o r w a r d in assessing adequacy, Discussion d o c u m e n t a d o p t e d b y t h e Working Party, Brussels. C o m m i s s i o n o f t h e E u r o p e a n C o m m u n i t i e s . (1997d) Ensuring security a n d trust in electronic communication, COM (97) 503, Brussels. European Community. (1995) Directive on the protection o f
Protection
- II
global information flows. However, a far m o r e desirable outc o m e is a multilateral a g r e e m e n t involving a large n u m b e r of countries.This should include m a n y e m e r g i n g e c o n o m i e s that are often favoured b y c o m p a n i e s wishing to transfer their data p r o c e s s i n g o p e r a t i o n s to destinations w h e r e wage costs are low. Such an a r r a n g e m e n t w o u l d h e l p avoid many o f t h e p r o b l e m s that are likely arise as a c o n s e q u e n c e of the d e v e l o p m e n t o f different data p r o t e c t i o n m o d e l s and w h i c h may restrict data flows and inhibit w o r l d trade. The establishment of a European data p r o t e c t i o n m o d e l r e p r e s e n t s a considerable a c h i e v e m e n t b u t the e m e r g i n g challenges infer that whilst solutions m a y take different forms the preferred o u t c o m e requires increased international collaboration.
Jo Greenfield and Graham Pearce Aston Business School, Birmingham. UK, B4 7ET individuals with regard to the processing of personal data a n d on the free m o v e m e n t o f such data, 95(46), Luxembourg. European Community.(1997) Directive concerning the processing o f personal information and the protection o f privacy in the telecommunications sector, 97(66), Luxembourg. France, E. (1997) Can data p r o t e c t i o n survive in cyberspace, Computers and Law, 8 (2). Harris, L 'and Westin, A, E (1997) Commerce, communication a n d privacy online, Privacy Laws and Business Conference, Cambridge. House of Lords. (1998) Data Protection Bill, HMSO. OECD. (1997) Guidelines for cryptography policy, Paris. Taylor, E (1998) Fears rise over personal privacy, Financial Times Information Technology Review, February 4th. Terwangne, C and Louveaux, S. (1997) Data p r o t e c t i o n and online networks, Computer Law a n d Security Report, 13 (4).
BOOK REVIEW Intellectual Property Law Intellectual Property Laws of East Ash, edited by Alan S. Gutterman and Robert Brown, 1997, soft-cover, Sweet & Maxwell, Asia, 564 pp., £85.00, ISBN 0 421 55050 3 The main contribution of this text is to provide a series of country summaries of the rules governing intellectual property within East Asia.The c o n t e x t is the g r o w t h of intellectual p r o p e r t y as one of the driving forces o f e c o n o m i c g r o w t h and global business competition.The focus of this text is the analysis of rules dealing w i t h the p r o t e c t i o n and exploitation of legal rights in innovations, c o p y r i g h t e d works and trademarks. The b o o k begins w i t h three i n t r o d u c t o r y chapters, w h i c h explain the role of intellectual p r o p e r t y in the global market place; an overview of intellectual p r o p e r t y law itself; and the main considerations to take into account w h e n negatiating t e c h n o l o g y transactions.Thereafter, there are a series of cotmtry reports, w h i c h deal w i t h the general legal and business conditions; the relevant intellectual p r o p e r t y laws; and any special considerations. Countries covered are Cambodia, Hong Kong, Indonesia, Malaysia, The People's Republic of China, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam. T h e ' b o o k is i n t e n d e d to serve as a resource for business people, lawyers, accountants and policy makers, as well as students in the region and around the world. Available from: Sweet & Maxwell Ltd, Cheriton House, North Way, Andover, I-Iants, SPIO 5BE; UK customer service, tel: 01264 342899 o r fax: 01264 342723; international customer service, tel: *.*A 1264 342828 o r fax: #xx 1264 342761.
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
189
Protection
- II
DATA PROTECTION-II MANAGING PERSONAL DATA FLOWS TO THIRD COUNTRIES Jo Greenfield and Graham Pearce
Rapid developments in information and communication technologies (ICT), including the commercialization of the Internet and the exploitation of other technologies are already having a profound impact on business and personal life styles. At the same time, however, developments in ICT are focusing attention on the need for policies to prevent the erosion of personal privacy and there is growing recognition that the global nature of the emerging information architecture requires regulation. This article explores the legal issues governing personal data flows to third countries.
INTRODUCTION The European C o m m u n i t y has adopted a raft of initiatives over the past few years, the most r e c e n t b e i n g the Action p l a n o n p r o m o t i n g safe use o f the I n t e r n e t (EC 1997a). However, p e r h a p s the most ambitious aspect of EU policy has b e e n in the field of data protection. The EC Data Protection Directive was adopted in 1995 and will be transp o s e d into national legislation in each Member State b y the 24 O c t o b e r 1998 (EC 1995). In the UK a Bill aimed at reforming data p r o t e c t i o n law in accordance with the Directive was p u b l i s h e d o n the 14 January 1998 (House of Lords 1998). The Directive represents a definitive statement of the E u r o p e a n data p r o t e c t i o n m o d e l in its c u r r e n t form. However, in addition to this regulatory response a second strand of EC policy has b e g u n to emerge in the form of Privacy Enhancing Technologies (PETs). This is a term that includes a n o n y m o u s m e c h a n i s m s for online payments and identity protectors based u p o n cryptographic techniques. The EC's Fifth Framework Research Programme makes specific reference to the part these technologies can play in safeguarding personal privacy. The acquis in the field of data p r o t e c t i o n is currently provided in the form of the Data Protection Directive, while a c o m p l e m e n t a r y T e l e c o m m u n i c a t i o n s Directive 97/66, adopted o n 1 D e c e m b e r 1997, sets out specific sectoral rules to be applied to data p r o t e c t i o n in the context of t e l e c o m m u n i c a t i o n networks, including the regulation of unsolicited calls, the use of billing data and call line identific a t i o n (EC 1997). T h e r e c e n t E u r o p e a n C o m m i s s i o n C o m m u n i c a t i o n , A E u r o p e a n initiative in electronic commerce (EC 1997b), also leaves o p e n the possibility that further measures may be n e e d e d to address specific data p r o t e c t i o n c o n c e r n s emerging from the d e v e l o p m e n t of electronic commerce. The European data p r o t e c t i o n model is, therefore, constantly evolving.
DATA TRANSFERS TO THIRD COUNTRIES U N D E R T H E NEW REGIME In many respects the Directive matches the substantive principles of existing UK law, comprising a mixture of obligations o n those w h o control the processing of personal data, together with rights for individuals w h o are the subject of data processing. However, in addition to protecting the right to privacy in respect of personal data, the significance of the Directive lies in the adoption of a European model of data protection that will remove barriers to the free flow of personal data across the Community. Effectively the transposition of the Directive into national law will lead to a c o m m o n data protection space being established which will enable the unrestricted transfer of personal data across the EC. At the same time the effect of the Directive is to make a clear distinction b e t w e e n data transfers within the EC and those to third cotmtries; in future the latter will be subject to more systematic a n d precise regulation. Thus, the Eighth Data Protection Principle in Schedule 1 of the UK Bill states that "personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data". Judging w h e t h e r 'adequate' protection is present in the case of third c o u n t r y transfers poses a n u m b e r of problems, central to which is an assessment of t h e risks attached to such a transfer. Current UK law requires data users in the UK to notify the Registrar of those countries to which transfers may be made.The user or controller may indicate that the destination of transfers will be 'worldwide', together with some explanation of the use of this category. Subsequent transfers must fall within the boundaries of this notification. If the Data Protection Registrar considers that the Data Protection Principles may be breached registration may be refused. Existing constraints on data transfers outside the UK are,
Computer Law & Security Report Vol. 14 no.3 1998 © 1998, Elsevier Science Ltd.
185
Data
Protection-
II
therefore, relatively b e n i g n and the duties placed u p o n data controllers in the Data Protection Bill (Clause 15) are not dissimilar to current arrangements. Data controllers will need to provide the Commissioner with the names, or a description of any territories outside the European Economic Area (EEA) to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer personal data. However, this is only the first step in determining w h e t h e r the transfer should proceed. It is c o m m o n practice for data to be transferred to states outside the EC for processing. However, many of these states do not possess any form of data protection legislation and even where regulation has b e e n introduced it may be limited in scope or execution. For example, by contrast to the European model, the US approach is far more fragmented and relies extensively u p o n private solutions, based u p o n sectoral initiatives and contracts. The scale of personal data transfers to third countries, particularly in the context of the Internet, therefore, represents a major challenge to European legislators.To combat these dangers the EC Directive included specific provisions inArticles 25 and 26 relating to third c o u n t r y transfers.Article 25(1) provides that transfers of data that are undergoing processing or are i n t e n d e d for processing after transfer will only be permitted if the country or territory in question provides an adequate level of protection. Article 25(2) offers guidance o n the criteria to be employed in judging the adequacy of protection in third countries. These include the circumstances surrounding the data transfer, the nature of the data, the purpose and duration of the processing, the c o u n t r y of origin and fmal destination and the general and sectoral rules of law in the third country. Since many categories of transfers will be unique in some respect this suggests that a case b y case approach will be required. However, the Commission may declare a country as ensuring adequate protection for all foreseeable cases. Article 26, however, allows the possibility of exceptions where the requirement for adequate protection is not met. The exact extent of these exemptions is o p e n to some conjecture, but the Commission's view is that they should be used sparingly. However, the implication is that data may be transferred to a third c o u n t r y even where the required standard of protection is n o t reached. Nonetheless, this is dependent u p o n certain criteria being met. In line w i t h the Directive, Schedule 4 of the UK Biil reflects these conditions and provides for data transfers where. the data subject has given his consent, • it is necessary for the conclusion of a contract b e t w e e n the controller and a person other than the data subject, either at the request of the data subject or is i n t h e interests of the data subject, for the performance of such a contract, ° it is deemed necessary by the Secretary of State for reasons of public interest, • it is necessary for the purposes of, or in c o n n e c t i o n with, any legal proceedings, for the p u r p o s e of obtaining legal advice or is otherwise necessary for the purpose of establishing, exercising or defending legal rights, • it is necessary in order to protect the vital interests of the data subject, • the data forms part of the personal data o n a public register w h i c h is o p e n to inspection, or
186
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
•
it is made o n terms that are of a kind approved or authorized by the Commissioner as ensuring adequate safeguards for the rights and freedoms of the data subject. In addition, u n d e r Articles 26(2) Member States may authorize the transfer if the controller adduces adequate safeguards, particularly if taking the form of contractual agreements.Thus, whilst Article 25 lays d o w n strict requirem e n t s for third c o u n t r y transfers, Article 26 softens this blow. Some countries will already be seen to possess adequate p r o t e c t i o n and, while others may not, transfers may still be possible, subject to the provisions of Article 26.Thus, a particular c o u n t r y may provide adequate p r o t e c t i o n for some transfers b u t not others.This may be because of strong self-regulation tied to a specific industry or the existence of contractual terms b e t w e e n controller and processor. In addition, Member States may p e r m i t an ad hoc contractual solution in those cases w h e r e there is n o adequate protection in the third country, provided that the contract provides adequate safeguards. However, while such a solution may be useful as a means of dealing with one-off cases, it is a very complex and time c o n s u m i n g process, carrying a very significant b u r d e n for organizations. The issue of'adequacy' is complex in that it appears to be a standard contingent o n the circumstances of the individual transfer. The EC Working Party d o c u m e n t First Orientations on transfers o f personal data to third countries: Possible ways f o r w a r d in assessing adequacy, adopted o n 26 June 1997 (EC 1997c), sets out a prototype approach to judging adequacy. Because of the n u m b e r of transfers to third countries, the d o c u m e n t advocated the holding of a 'white list' to give guidance o n a provisional basis. The list would include third countries to w h o m it could be assumed transfers of personal data would be safe. Beyond this, it was indicated that each supervisory body may wish to establish procedures for risk assessment of specific transfers. The Working Party d o c u m e n t e d principles to be used in appraising the adequacy of protection in a third country. These fall into two categories, reflecting the flmctional approach envisaged by the EC data protection model - - the c o n t e n t of laws protecting personal data and the procedural mechanisms to ensure their effective application. The objective is to assess the fundamental elements of the protection afforded, rather than impose the European model. The suggested c o n t e n t principles are purpose limitation, data quality and proportionality, transparency, security, rights of access, rectification and opposition and restrictions o n onward transfers to other third countries.The latter is intended to prevent controllers from using a country w i t h ' a d e q u a t e ' provisions as a 'staging post' for onward transfers to a c o u n t r y without an adequate data protection regime, in an attempt to evade the protection afforded by the Directive. Enforcement mechanisms are viewed in terms of the achievement of data protection objectives rather than a list of features that must be present to provide effective protection. Three fundamental objectives were defined; to deliver a good level of compliance with the rules, render support and help to individual data subjects in the exercise of their rights and provide appropriate redress to the injured party where rules are not observed. The Bill reflects these principles and defines an adequate level of protection as one which is adequate in all the circumstances in the case, having regard in particular to:
Data
• •
the nature of the personal data, the c o u n t r y or territory of origin of the information contained in the data, • the c o u n t r y or territory of fmal destination of that information, • the purposes for w h i c h and the period during w h i c h the data are i n t e n d e d to be processed, • the law in force in the c o u n t r y or territory in question, • the international obligations of that c o u n t r y or territory, • any relevant codes of c o n d u c t or other rules w h i c h are in force in that country, and • any security measures taken in respect of the data in that c o u n t r y or territory. Although the criteria are defined quite explicitly, it is apparent that the intention is to provide the Commissioner with discretion, in the light of the circumstances surrounding each case. However good these principles in theory, the question remains as to h o w they will be monitored and policed to ensure compliance. In some respects the Member States have considerable discretion; some may elect to pass o n this obligation to data controllers; most envisage some form of apriori or ex post facto verification role for the supervisory authority. In the UK the Home Office and the Data Protection Registrar favour the duty to comply with Article 25 being i m p o s e d directly o n t h e controller and this is provided for in Schedule 1 of the Bill. Thereafter, at a national level, policing of data transfers will b e effected by the Commissioner, as the indep e n d e n t supervisory body. Ultimately, the UK courts and/or the European Court of Justice will have the fmal say o n any particular case, if a decision either to permit or prohibit a transfer is challenged. O n e further i m p o r t a n t aspect of the Bill w h i c h bears u p o n third c o u n t r y transfers are the provisions dealing with the relationship b e t w e e n the Commissioner, other Member States and the European Commission. The Directive clearly envisaged that Member States w o u l d cooperate, t h r o u g h the exchange o f information o n data transfers to third countries. Thus, Article 25 requires that Member States notify each other and the Commission of cases w h e r e transfers have b e e n blocked due to inadequate protection. Similarly, Member States must notify b o t h Commission and other Member States of each authorization granted u n d e r the provisions of Article 26. In cases where disagreements arise about the conditions of transfer for the purposes of Articles 26(3) or (4), the European Commission will decide w h e t h e r the decision of the individual supervisory authority was correct and if it should b e applied in all Member States. Moreover, the Commission is authorized to negotiate with a third c o u n t r y where its protection has b e e n found to be inadequate, with a view t o remedying the situation. In practice such decisions are likely to be taken after hearing the advice of the Data Commissioners (Article 29) but both the Directive and the Bill confirm an e n h a n c e d role for the Commission. The Bill also e n d o r s e s the Commissioner's duty to inform the European Commission and supervisory authorities in other EC States of any approvals or authorizations of third c o u n t r y transfers.The latter are provided for u n d e r Schedule 4 (Paras 8 and 9) and are i n t e n d e d to cover transfers made o n terms w h i c h are approved or authorized by the Commissioner as
Protection
- II
being made in such a m a n n e r so as to ensure adequate safeguards for the rights and freedoms of the data subject.
THE CHALLENGE OF CYBERSPACE The difficulties associated with data protection, in the context of transnational transfers, by traditional regulatory mechanisms have b e e n c o m p o u n d e d by the speed of development in ICT, particularly the Internet. Indeed, while the n e w technologies offer considerable benefits b y accessing information and purchasing c o n s u m e r goods or conducting business online, they raise serious threats to personal privacy.The globalization of commtmications and developments in ICT are often viewed as remote from g o v e r n m e n t intervention, indeed responsibility for data security and protection has b e c o m e diffused. Because the Internet is largely unregulated, the risks of breaches of security and protection are multipiled.The dangers are manifest in the nature of the Internet, including messages being intercepted and manipulated, the validity of documents being denied and personal data being illicitly collected using technologies such as 'cookies'. Concerns such as these were aired in a survey conducted b y Harris and Westin (1997) and are n o w widely accepted b y government and industry alike. In the context of multiple databases located in many different countries that can be easily accessed to create personal profiles the cosy regulatory e n v i r o n m e n t appears increasingly deficient. The EC Directive seeks to respond to these difficulties b u t it is widely acknowledged that enforcem e n t of the Data Protection Principles will remain an outstanding issue. For data transfers to some countries adequacy will be determined speedily, enabling transfers to proceed. More generally, however, the adequacy criteria will n e e d to be applied o n a case by case basis in order to assess the risks associated w i t h d i f f e r e n t types of p e r s o n a l data transfer. Authorization of a transfer will be required in advance but, even if the transfer is blocked, it is ingenuous to assume that this decision will be complied with, particularly if the data is already o n the Internet and can be downloaded to any destination in the world. In part the Directive and the Bill provide a solution to this problem by extending the data protection principles to data controllers established outside the EC w h o collect data from t h e system of a data subject. However, as Terwangne and Louveaux (1997) observe in the case of'hidd e n data flows', involving electronic traces in w h i c h the controller is located outside the EC, the data s u b j e c t will be left without the protection of the regulatory framework. In reviewing these issues, France ( 1 9 9 7 ) h a s suggested that one of the flmdamental problems lies in identifying the data controller responsible for alleged breaches in the law. She concludes that a solution to the problem may be found in framing the n e w UK law to provide for, where necessary, e n f o r c e m e n t action against I n t e r n e t access and service providers, since they have a crucial role to play as intermediaries. The Bill meets this objective by applying its requirements not only to data controllers established in the UK where the data are processed in the context of that establishment, b u t also to controllers established neither in the UK n o r in any other EC state but w h o use e q u i p m e n t in the UK for processing data otherwise than for the purposes of transit through the UK (Clause 5).
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
187
Data
Protection
- I!
Alongside regulatory solutions the search has n o w b e g u n for effective measures to minimize or eradicate these risks, but a major p r o b l e m exists in the culturally different approaches of key players.The EC model of data protection advocates regulation, s u p p o r t e d b y the use of PETs. The United States, o n the other hand, is reluctant to s u p p o r t gove r n m e n t i n t e r v e n t i o n and favours, instead, industry self-regu l a t i o n a n d c o n t r a c t u a l solutions. Whilst d i s c u s s i o n s c o n t i n u e as to the optimal international solution to this global problem, all parties are c o n t i n u i n g to develop parallel technologies that seek to minimize the risk of security breaches to the individual. For example, the EC Action Plan, adopted in 1997, aimed at tackling the illegal and harmful c o n t e n t o n the Internet, included the d e v e l o p m e n t of filtering and rating systems, encouraging public awareness and other s u p p o r t measures. Similarly, in the field of electronic commerce the n e e d for anonymity and security is real and there are strong arguments in favour of public monitoring to prevent illegal and harmful material being transferred via the Internet and to encourage effective commerce. Various governments are in favour of e n c r y p t i o n keys to be held by escrow organizations k n o w n as 'voluntary key m a n a g e m e n t infrastructures' in the United States or 'trusted third parties' in the EC.The adoption by the OECD (1997) of guidance for cryptographic policy, which deals specifically with the protection of privacy and personal data, is indicative of the consensus that is beginning to emerge at the international level. Within Europe, a European Commission C o m m u n i c a t i o n on electronic commerce (EC 1997b), included a proposal guaranteeing the free m o v e m e n t of e n c r y p t i o n technologies and products and proposed a specific initiative o n digital signatures.This has b e e n followed by proposals aimed at "establishing a c o m m o n framework for digital signatures, ensuring the ffmctioning of the internal market for cryptographic services and products, stimulating a European industry for cryptographic services and products and enabling users in all economical sectors to benefit from the opportunities of the global information society" (EC 1997d). Detailed proposals are expected during 1998. Similar documents have b e e n issued by the United States Government, to establish a coordinated strategy to meet both national and international developments in this field (Clinton and Gore 1997).The first moves towards overcoming difficulties of differences in international standards have b e e n illustrated b y the I n f o r m a t i o n Technology Agreement (ITA) and the Mutual Recognition Agreements of conformity assessment (MRA) which provide for the gradual elimination of tariffs and non-tariff barriers respectively o n IT products by the year 2000, and the WTO Agreement o n Basic Telecommunications, which contains c o m m i t m e n t s from 69 countries with regard to market access and national treatment (see EC 1997b).
THE EMERGING AGENDA The past decade has witnessed a dramatic increase in concerns about data privacy. This is a c o n s e q u e n c e of the internationalization of business and data flows, the pervasive role of personal computers, technological advance, reductions in the cost of data processing and the creation of markets in personal information.These trends have set the legislative agenda
188
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
but, as is often the case, the pace of these changes has outstripped the capacity of policy makers and legislators.The EC Directive emerged as a c o n s e q u e n c e of the need to harmotlize legislation in each Member State as part of the Internal Market Programme and reflected a response to data protection issues that was essentially regulatory. More recently, however, a n e w element in European data protection policy has appeared in the form of technological solutions to data protection problems. Rapid progress has b e e n made but the crucial question is w h e t h e r the European model is sufficiently robust to protect personal data, meet the needs of European business and respond to the twin threats of technological change and giobalization. In m a n y respects the EC Directive and the Data Protection Bill currently before Parliament highlight these issues in the context of their provisions relating to third country transfers. Following the passage of the Bill in the UK, third countries that do not presently provide adequate dat a protection may fred that data transfers will be blocked. For data controllers undertaking third c o u n t r y transfers the potential implications could be considerable. Transfers to some countries may be prohibited entirely o n the grounds that neither the rules of law n o r the 'professional rules and security measures' are met. Nonetheless, it seems likely that the criteria governing transfers will be employed flexibly providing non-legal rllles are in place, including industry serf regulation, and these are being applied effectively. Thus, transfers may still be possible. Alternatively, individual contractual solutions may be appropriate. However, exemptions and contractual solutions can only ever be part of the answer to the problem. Restrictions could still be imposed since transfers may remain limited to individual or group of organizations The Bill sets out clear criteria for judging the adequacy of protection in third countries. Nonetheless, difficulties will u n d o u b t e d l y arise in judging those elements of a data protection regime that are indispensable and the guiding line b e t w e e n adequate and not adequate. Further problems may be posed b y the natttre of the data to be transferred, for example a supervisory body may wish to constrain high-risk transfers. Moreover, the assessment of adequacy and the need to review transfers o n a case by case basis will take time.These dilemmas may be c o m p o u n d e d since, if a Member State blocks a transfer, this decision may be upheld or overturned by the European Commission. The n e e d for agreements o n third c o u n t r y transfers in advance of the transposition of the Directive into UK law is, therefore, imperative. Even if some of these difficulties can be resolved the problems attached to online networks remain outstanding. In a c c o r d a n c e w i t h the s e c o n d strand of EC policy, the Commission is seeking to develop PETs through the ESPRIT and Fifth Framework Programme. Moreover, US industry, inspired by a desire to avoid g o v e r n m e n t intervention, has b e e n active in the research and development of technological means to address privacy issues. For example, Microsoft has recently joined Netscape and other companies in support of an ' o p e n profiling standard' that seeks to provide Internet users with control over h o w m u c h personal information is collected and used online. Technological solutions can provide Web users with greater control over the personal information they share, however, despite the availability of filters, agents and profilers, the use of such techniques remains
Data
restricted and the privacy o f the majority of users will continue to b e at risk (Taylor 1998). These examples clearly illustrate the role of technological solutions in privacy p r o t e c t i o n b u t t h e y are predominantly voluntary in nature. In contrast to the European a p p r o a c h that regards the p r o t e c t i o n of individual privacy as a right, technological solutions place a responsibility on individuals to secure and d e m a n d privacy protection. Moreover, lack of o p e n n e s s and transparency about the w a y personal data is accumulated, manipulated, b o u g h t and resold as a tradeable c o m m o d i t y means that individuals are often in a state of ignorance. Technological solutions can, therefore, contribute to solving some of the emerging p r o b l e m s b u t it is unlikely that unregulated business interests will a d o p t adequate levels of data protection. Serf-regulation, t h r o u g h sectoral initiatives, and privacy e n h a n c i n g t e c h n o l o g i e s have a p a r t to play in managing
References Clinton, W. J. and Gore, A. (1997) A f r a m e w o r k for global electronic commerce, United States Administration, Washington. Commission of the European Communities. (1997a) Action plan on promoting safe use o f the Internet, Brussels. Commission of the European Communities. (1997b) A European initiative in electronic commerce, COM(97)157, Brussels. Commission of the European Communities. (1997c) First Orientations on transfers o f personal data to third countries: Possible ways f o r w a r d in assessing adequacy, Discussion d o c u m e n t a d o p t e d b y t h e Working Party, Brussels. C o m m i s s i o n o f t h e E u r o p e a n C o m m u n i t i e s . (1997d) Ensuring security a n d trust in electronic communication, COM (97) 503, Brussels. European Community. (1995) Directive on the protection o f
Protection
- II
global information flows. However, a far m o r e desirable outc o m e is a multilateral a g r e e m e n t involving a large n u m b e r of countries.This should include m a n y e m e r g i n g e c o n o m i e s that are often favoured b y c o m p a n i e s wishing to transfer their data p r o c e s s i n g o p e r a t i o n s to destinations w h e r e wage costs are low. Such an a r r a n g e m e n t w o u l d h e l p avoid many o f t h e p r o b l e m s that are likely arise as a c o n s e q u e n c e of the d e v e l o p m e n t o f different data p r o t e c t i o n m o d e l s and w h i c h may restrict data flows and inhibit w o r l d trade. The establishment of a European data p r o t e c t i o n m o d e l r e p r e s e n t s a considerable a c h i e v e m e n t b u t the e m e r g i n g challenges infer that whilst solutions m a y take different forms the preferred o u t c o m e requires increased international collaboration.
Jo Greenfield and Graham Pearce Aston Business School, Birmingham. UK, B4 7ET individuals with regard to the processing of personal data a n d on the free m o v e m e n t o f such data, 95(46), Luxembourg. European Community.(1997) Directive concerning the processing o f personal information and the protection o f privacy in the telecommunications sector, 97(66), Luxembourg. France, E. (1997) Can data p r o t e c t i o n survive in cyberspace, Computers and Law, 8 (2). Harris, L 'and Westin, A, E (1997) Commerce, communication a n d privacy online, Privacy Laws and Business Conference, Cambridge. House of Lords. (1998) Data Protection Bill, HMSO. OECD. (1997) Guidelines for cryptography policy, Paris. Taylor, E (1998) Fears rise over personal privacy, Financial Times Information Technology Review, February 4th. Terwangne, C and Louveaux, S. (1997) Data p r o t e c t i o n and online networks, Computer Law a n d Security Report, 13 (4).
BOOK REVIEW Intellectual Property Law Intellectual Property Laws of East Ash, edited by Alan S. Gutterman and Robert Brown, 1997, soft-cover, Sweet & Maxwell, Asia, 564 pp., £85.00, ISBN 0 421 55050 3 The main contribution of this text is to provide a series of country summaries of the rules governing intellectual property within East Asia.The c o n t e x t is the g r o w t h of intellectual p r o p e r t y as one of the driving forces o f e c o n o m i c g r o w t h and global business competition.The focus of this text is the analysis of rules dealing w i t h the p r o t e c t i o n and exploitation of legal rights in innovations, c o p y r i g h t e d works and trademarks. The b o o k begins w i t h three i n t r o d u c t o r y chapters, w h i c h explain the role of intellectual p r o p e r t y in the global market place; an overview of intellectual p r o p e r t y law itself; and the main considerations to take into account w h e n negatiating t e c h n o l o g y transactions.Thereafter, there are a series of cotmtry reports, w h i c h deal w i t h the general legal and business conditions; the relevant intellectual p r o p e r t y laws; and any special considerations. Countries covered are Cambodia, Hong Kong, Indonesia, Malaysia, The People's Republic of China, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam. T h e ' b o o k is i n t e n d e d to serve as a resource for business people, lawyers, accountants and policy makers, as well as students in the region and around the world. Available from: Sweet & Maxwell Ltd, Cheriton House, North Way, Andover, I-Iants, SPIO 5BE; UK customer service, tel: 01264 342899 o r fax: 01264 342723; international customer service, tel: *.*A 1264 342828 o r fax: #xx 1264 342761.
Computer Law & Security Report Vol. 14 no. 3 1998 © 1998, Elsevier Science Ltd.
189