
EU external trade and the challenges of “adequate” data protection

3 October 2023, 09:00 to 12:00

At the seminar, leading experts on privacy and data protection from Asia, Australia and Europe will discuss the efforts of the EU to ensure an “adequate” level of data protection overseas under the GDPR.

Although data-driven goods and services at the edge of interconnected computer networks are provided to consumers and end-users in physical places, the digital representation of information can be exchanged in terms of electromagnetic signals between data processing equipment around the world. However, rules and regulations that apply in the place where the seller or buyer is located can prevent data transfers and impede the development of the internet of things (“IoT”) and digital services. A case in point is the European Union (“EU”) data protection regime, and primarily the General Data Protection Regulation (“GDPR”), which applies to natural and legal persons in the Union. Whereas cyberspace knows no geographical boundaries, data-driven trade and competition on the EU internal market are subject to EU law irrespective of where in the world the suppliers are located. Indisputably, the EU is in favour of digital globalisation, but the tension between economic freedom and data protection becomes palpable as the distinction between the regulation of the internal market and EU external trade relations collapses in the context of the IoT and digital services. As the world is brought together by interconnected computer networks, the frictions increase. Considering the cultural, political and socio-economic differences, multilateral consensus on data protection seems utopian for the time being, and even if the EU and the United States could recently agree on yet another data privacy framework, history shows that it is difficult even for polities that share basic values to align their protection of personal data through bilateral agreements. Perhaps the current state of overlapping jurisdictions in cyberspace is inescapable when taking the enforcement of rights into account, but to harness the great potential of free trade in the digital era it is important to understand why trading partners take different approaches to data protection.


Megan Richardson: Why Countries Like Australia Fail to Achieve Adequacy under EU Data Protection Laws

Bio: Professor of Law at the Melbourne Law School, the University of Melbourne, advisor on privacy matters to the Australian Law Reform Commission etc, Barrister and Solicitor High Court of New Zealand, PI and Co-PI for several projects on intellectual property rights, privacy and personal rights law reform and legal theory, and is associated with the ARC Centre of Excellence in Automated Decision Making and Society, Intellectual Property Research Institute of Australia, Melbourne Centre for Commercial Law. Professor Megan Richardson has written extensively in these fields of law and will connect the arguments regarding the stalled privacy law reform to Australian cultures of privacy and surveillance.

In 2001 Australia failed in its attempt to achieve adequacy status under the EU Data Protection Directive 1995. Despite its move the year before to extend the Privacy Act 1988 beyond the government sector to encompass the private sector there were three broad carve-outs which sealed Australia’s fate in the eyes of the Article 29 Working Party. The first was Australia’s substantial small business exemption for businesses with $3m or less annual turnover, subject to limited exceptions. The second was its blanket employee records exemption. The third – less widely noticed in Australia – was the Act’s allowance for ‘information to be used or disclosed for a secondary purpose where the use or disclosure is required or authorised by or under law’, which the Working Party considered to be so unqualified as to “risk[] undermining legal certainty and devoid the content of the basic protection”. In 2023 these carve-outs remain as barriers to any adequacy decision under the EU General Data Protection Regulation 2016. I suggest that they are emblematic of a more basic normative feature of this former British colony: viz rather weak support for data rights coupled with strong support for surveillance for what are seen as legitimate public good ends, including here business efficacy, employer freedom, and efficient policing and security. While this feature may be aligned to Australia’s Benthamite utilitarian tradition (Bentham being notoriously anti-rights and pro-surveillance), I argue that in today’s world utility as well as rights favour a different approach. Moreover, Australians are coming to see this, ie cultures around data rights and surveillance are evolving here as elsewhere, and we may hope that ultimately Australia’s policymakers will follow.

Christopher Kuner: Is EU data transfer regulation fit for purpose? A critical view

Bio: Affiliate Professor at the University of Copenhagen and Senior Privacy Counsel at the Brussels office of Wilson Sonsini & Rosati. He has taught at the University of Cambridge, the European University Institute, and the Hague Academy of International Law, and is a member of the European Commission’s Multisectoral Stakeholder Group on the GDPR. Dr. Kuner is editor-in-chief of International Data Privacy Law.

Despite the success of the GDPR in terms of increasing enforcement of data transfer rules and greater political and public attention to them, important questions remain about the legal foundations of data transfer rules and their implementation. These concerns relate to matters such as the EU’s strategic vision; the institutional role of the Commission; the reliance on formalistic mechanisms; and interaction between the GDPR and other data transfer systems around the world. Attention to these issues is important to realize the GDPR’s vision of global data protection.

Simone Fischer-Hübner: Bridging the gaps by privacy enhancing technologies

Bio: Professor at the Computer Science Department at Karlstad University, guest professor at the Computer Science Department at Chalmers University of Technology, Coordinator of the Swedish IT Security network for PhD Students, Swedish representative for the International Federation for Information Processing, Member of the Privacy Enhancing Technology Symposium Advisory Board, Member of the Swedish Cyber security Council etc., PI and co-PI for several projects on privacy and security.

While the European Court of Justice has in its so-called “Schrems II decision” (16 July 2020) further restricted transfers to third countries, it was emphasized that Standard Contractual Clauses (SCCs) in combination with effective supplementary protection measures can still legitimize personal data transfers. This talk will discuss how Privacy Enhancing Technologies can contribute to such protection measures, as pointed out by the European Data Protection Board, and what challenges remain to be addressed.

Normann Witzleb (The Chinese University of Hong Kong): Cross-border data transfers within and from China’s Greater Bay Area – New harmonisation challenges

Bio: Associate Professor at The Chinese University of Hong Kong and an Adjunct Associate Professor at Monash University in Australia. His research focus is on privacy law, data protection, obligations law and comparative law. He acted as a consultant to the Australian Attorney-General’s Department and the Office of the Australian Information Commissioner on issues of privacy and information law reform.

The ambitious Greater Bay Area (GBA) agenda pursues deeper economic cooperation among the Chinese mainland province of Guangdong and China’s special administrative regions of Hong Kong and Macau. However, the free flow of data within the GBA economies is currently hampered by stark differences in data protection and cyber security regimes. While the Mainland increasingly restricts data exports outside its jurisdiction, Hong Kong does not specifically regulate cross-border data exchanges and Macau relies on a data protection regime that is based on the EU Data Protection Directive 95/46/EC. The concern that the divergence of these three data regimes stands in the way of closer integration and regional development within China is evocative of the situation within the EU before harmonisation took place. This presentation explores the current legal landscape and the potential for greater coordination and harmonisation of data privacy laws between Hong Kong, Macau and Mainland China.

Moderator and commentator: Assoc. Prof. Claes Granmar

Please register by September 29th. 

Registered participants will receive a Zoom link on October 2nd.

There will also be a possibility to participate on campus at Stockholm University, Stockholm Centre for Commercial Law, Universitetsvägen 10 C, Library building, 6th floor.


Institute of European Law

This seminar took place on 3 October 2023.