International Personal Data Protection and Its Redress

I. Introduction

Personal data protection may be of concern anywhere, anytime in this information society.  It is common to submit personal information to create digital identification or authorization to perform certain kinds of online activities, such as an electronic transaction. [1] In addition, all Internet traffic may be automatically tracked and restored by the visited website controller using cookie technology or equivalent software. [2]  There is a strong incentive to collect and store the data because it is valuable for business purposes in offering customized service and it is easy and cheap to do so. [3]  However, there is no guarantee that data collectors manage the personal data in an appropriate manner.  Thus, the international community has taken an interest in establishing personal data protection principles and an effective redress or resolution method in case of breach.

II. Background on Data Protection Disputes

The goal of collecting data is reasonable for business purposes: business entities may provide better service by customizing their website and services.  However, the collected data may be inappropriately secured and used for secondary purposes, [4] which would be even more serious if the information were collected without the users’ consent.  Moreover, the personal information may be sold to solicitors or spammers.

Disputes arising out of personal data protection are related to the infringement of privacy as well as the violation of property rights on personal data. [5] Thus, there are two approaches to resolving the disputes: the first is the privacy or socio-rights approach, dealing with data protection disputes as a privacy issue of human rights and relying on legislation to regulate these rights. [6] The second is the market or liberalism approach, dealing with data protection disputes as a property right in the market and relying on the market efficiency of self-regulation to regulate these rights. [7]

III. International Efforts to Establish Personal Data Protection Principles

There is some international consensus on what personal data is and how it should be protected.  The Organization for Economic Cooperation and Development (OECD) enacted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 [8] and the United Nations (UN) also published the United Nations Guideline Concerning Computerized Personal Data Files in 1990. [9] However, although these guidelines may be the result of international consensus on the protection of personal data, the provisions do not have legal effects and are too vague to be applicable to the disputes related to personal data protection.

Thus, when the European Parliament and the Council of the European Union formally adopted Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data in 1995 [10], it was sensational in the field of personal data protection. [11] Applying this directive to personal data processing by automatic means, [12] it mandated member states to enact the necessary laws, regulations and administrative provisions following its principles. [13]

Even though the 1995 Directive is a regional agreement, it has affected the entire international society because it permits the transfer of personal data to a third country only if the third country has an “adequate level of protection” on the personal data. [14]   Responding to the 1995 Directive, the U.S. Government, which prefers the liberal approach and self-regulation modality, established the Safe Harbor agreement to meet the standard of the 1995 Directive. [15]

In considering the international principles on personal data protection, human rights should not be disregarded.  Article 17 of the International Covenant on Civil and Political Rights (ICCPR) [16], which specified article 12 of the Universal Declaration of Human Rights [17], provides relief if the international minimum standard fails to satisfy the ICCPR. [18] As a result, the proposed international standard is a mere scrap of paper if it fails to satisfy the ICCPR.  It therefore seems that a balance of privacy rights and market efficiency would be the most effective equilibrium in resolving the data protection disputes. [19]

IV. Redress/Dispute Resolution for Data Protection Disputes

The data protection principles require the “establishment of enforcement remedies and mechanism,” [20] since a smooth transaction is usually ensured by the appropriate dispute resolution mechanism.  The ideal dispute resolution mechanism should be effective, efficient, fair, and transparent. [21]

In the field of data protection, alternative dispute resolution (ADR) is suggested as an appropriate dispute resolution method. [22] Although it is variously defined depending on the context, ADR encompasses all private alternatives to litigation. [23] There are countless types of ADR, including negotiation, mediation, and arbitration. [24] As a substitute for litigation, ADR methods share these common characteristics: ADR is flexible, speedy, and inexpensive.

V. Promises and Concerns of ADR for Personal Data Protection Disputes

The international flow of data occurs with the Internet and E-Commerce.  It is desirable to resolve disputes arising from the Internet and E-Commerce through ADR because of the unique cyberspace norms and complicated conflicts of laws issues involved. [25]  ADR can provide online alternative dispute resolution to those who want to stay in the online realm in resolving their disputes. ADR also promises confidentiality.  Parties engaged in data disputes would be reluctant to litigate because some private data could be revealed in the trial proceedings.  However, ADR could provide confidentiality for both parties.  ADR is less expensive and speedier than litigation due to its simple procedure and private nature. [26] The flexibility and autonomy may be major benefits to using ADR.

As a private mechanism, ADR is independent from national courts and laws so that it is suitable to resolve disputes arising from international transactions. [27] As long as there is a valid ADR agreement between the parties, ADR can resolve the jurisdiction and choice of laws issues, which are inseparable but insoluble in disputes arising out of international or transnational transactions. [28] In addition, ADR could prevent potential bias for the nation’s citizens by providing a neutral forum. [29]

ADR could also serve as a better means of enforcement.  Although there are international efforts to make a convention for the enforcement of foreign court decisions, the enforcement of judicial decisions in a foreign jurisdiction has not been guaranteed. [30] However, an international ADR mechanism would increase the probability of enforcement.  If ADR is the enforcement mechanism of choice under the United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards, its enforcement is guaranteed under the convention. [31]

As with most things, ADR has both benefits and problems.  The criticisms of ADR stem from the lack of human interaction, inadequate authenticity, inability to meet writing requirements, insufficient accessibility, inadequate discovery, and the limited range of disputes that it can resolve. [32]

In response to the concerns, there may be ways to make ADR more effective.  The first solution is self-regulation, [33] which relies on ADR providers themselves or on third-party evaluation companies using trust marks.  The second is to develop a centralized ADR system [34] to manage the quality of ADR services.  The third is security technology [35] to provide stable service and secure confidentiality.  Lastly, the fourth is the development of incentives for the enforcement of ADR agreements and their decisions.

VI. Conclusion

The international protection of personal data is complete when disputes or conflicts are assured to be effectively resolved and enforced. [36]  Moreover, the protection should be internationally harmonized to prevent any conflicts arising from different protection standards, which could potentially cause obstacles in international commerce and data transfer. [37] Even though the Safe Harbor agreements of the U.S. have been effective in satisfying the standard of the 1995 Directive, [38] the international information society has raised new issues on personal data protection. [39]  Because it is impossible to establish principles responding to all arising issues, it would be a good safety net for the society to have an effective redress for personal data disputes.

Sources

[1] Ethan Katsh, et al., E-Commerce, E-Disputes, and E-Dispute Resolution: In the Shadow of “eBay Law”, 15 Ohio St. J. Disp. Resol. 705, 730 (2000).

[2] See Privacygrade.com, Internet Fraud – How to Protect Yourself, http://www.privacygrade.com/ (last visited Oct. 30, 2007) (introducing the details on online safety tips); Shubhankar Dam, Remedying a Technological Challenge: Individual Privacy and Market Efficiency; Issues and Perspectives on the Law Relating to Data Protection, 15 Alb. L. J. Sci. & Tech. 337, 343-344 (2005).

[3] Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 Stan. L. Rev. 1315, 1323 (2000).

[4] Id. at 1324.

[5] See Lionel M. Lavenue, Database Rights and Technical Data Rights: The Expansion of Intellectual Property for the Protection of Databases, 38 Santa Clara L. Rev. 1 (1997) (proposing to protect the database by extending the intellectual property laws).

[6] See Lee A. Bygrave, Data Protection Pursuant to the Right to Privacy in Human Rights Treaties, 6 Int’l J. L. & Info. Tech. 247 (1998); Neil M. Richards, The Information Privacy Law Project, 94 Geo. L. J. 1087 (2006).

[7] Dam, supra note 2, at 347-350.

[8] Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html (last visited Oct. 30, 2007).

[9] G.A. Res. 45/95, U.N. Doc. A/RES/45/94 (Dec. 14, 1990), available at http://www.un.org/documents/ga/res/45/a45r095.htm.

[10] Council Directive 95/46, 1995 O.J. (L 281) 31 (EC), available at http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=Directive&an_doc=1995&nu_doc=46 [hereinafter 1995 Directive].

[11] Chuan Sun, The European Union Privacy Directive and its Impact on the U.S. Privacy Protection Policy: A Year 2003 Perspective, 2 NW. J. Tech. & Intell. Prop. 5, ¶ 6 (2003).

[12] 1995 Directive, supra note 10, at art. 3.1.

[13] Id. at art. 32.1.

[14] Id. at art. 25.1.

[15] Export.gov, Welcome to the Safe Harbor, http://www.export.gov/safeharbor/doc_safeharbor_index.asp (last visited Oct. 30, 2007).

[16] G.A. Res. 2200A (XXI), U.N. Doc. A/6316 (Dec. 16, 1966).

[17] G.A. Res. 217A, U.N. Doc. A/810 (Dec. 12, 1948).

[18] Bygrave, supra note 6, at 248-249.

[19] Dam, supra note 2, at 350.

[20] Reidenberg, supra note 3, at 1327.

[21] See European Commission, Commission Recommendation of April 4, 2001 on the Principles for Out-of-Court Bodies Involved in the Consensual Resolution of Consumer Disputes, 2001 O.J. (C 1016).

[22] See Aashit Shah, Using ADR to Resolve Online Disputes, 10 Rich. J. L. & Tech. 25 (2004).

[23] Thomas O. Main, ADR: The New Equity, 74 U. Cin. L. Rev. 329, 329 (2005).

[24] Id. at 341.

[25] Shah, supra note 22, at ¶ 13-14.

[26] Id. at ¶ 19-21.

[27] See Edward C. Anderson & Timothy S. Cole, The UDRP – A Model for Dispute Resolution in E-Commerce?, 6 J. Small & Emerging Bus. L. 235, 252 (2002).

[28] Shah, supra note 22, at ¶ 25-26.

[29] Id. at ¶ 24.

[30] Hague Conference on Private International Law, Status Table, http://www.hcch.net/index_en.php?act=conventions.status&cid=78 (last visited Oct. 30, 2007) (showing only four countries signed on the Convention of 1 February 1971 on the Recognition and Enforcement of Foreign Judgment in Civil and Commercial Matters).

[31] United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards art. 3, June 10, 1958, 330 U.N.T.S. 3.

[32] Shah, supra note 22, at ¶ 28-38.

[33] Id. at ¶ 40.

[34] Id. at ¶ 44.

[35] Id. at ¶ 48.

[36] Reidenberg, supra note 3, at 1327.

[37] Id. at 1336.

[38] Sun, supra note 11, at ¶ 25.

[39] E.g., Francesca Bignami, Privacy and Law Enforcement in the European Union: The Data Retention Directive, 8 Chi. J. Int’l L. 233 (2007) (presenting the conflicts between national security and privacy on personal data).