I received a complimentary review copy of this book from the publisher.
Privacy law is a difficult subject to approach, let alone master. The United States has a patchwork of data protection laws at the state and federal level, often restricting government access to data that private enterprises may acquire and combine freely. Extending that analysis internationally is exponentially more difficult, due to both different legal approaches to personal data protection and the details of the laws themselves.
A Well-Qualified Author
In Transborder Data Flows and Data Privacy Law, author Christopher Kuner summarizes international privacy law, details the differing approaches taken by various countries, reports on developments in domestic privacy law and international agreements, and offers a framework for making the laws of the various States more interoperable.
Mr. Kuner is very well qualified to take on this analysis. The brief author bio on the inside of the dust jacket notes that, in addition to his position as Senior Of Counsel with the Brussels office of Wilson Sonsini Goodrich & Rosati, he is Vice-Chairman of the International Chamber of Commerce's Task Force on Privacy and Personal Data Protection, participates in the work of international organizations such as the Organization for Economic Cooperation and Development (OECD), wrote European Data Protection Law: Corporate Compliance and Regulation, and is editor-in-chief of the journal International Data Privacy Law. Any one of those CV entries would be sufficient to convince me of his expertise—taken as a group they are indeed impressive.
Summary and Background
Kuner begins, as is customary in such works, with a historical synopsis of data privacy laws from the 1970s to the present. Other books, such as Agre and Rotenberg's edited volume Technology and Privacy: The New Landscape (1999) and my own Privacy-Enhanced Business (2001), go into significant detail on the development of data privacy laws in the U.S., Canada, Europe, and elsewhere. Kuner, by virtue of his experience in the field, is able to focus his coverage on the aspects of the laws that will most benefit policy makers and legal practitioners.
Transborder Data Flows and Data Privacy Law focuses on European data protection laws, many of which were drafted or modified in response to the EU Data Protection Directive 95/46/EC. European Union laws tend to be the most restrictive, with idiosyncratic U.S. statutes such as the Video Privacy Protection Act (passed after a newspaper obtained and published Supreme Court nominee Robert Bork's video rental records) as notable exceptions, so it makes sense to use the EU regime as the baseline for analysis.
EU laws treat data protection as a fundamental right, on par with constitutional rights in the US. Casting privacy in that light means EU policies must be evaluated against those rights, rather than against the rather more vague protections afforded privacy in the US as a penumbral right implied by certain amendments to the Constitution.
After his overview of privacy policies, Kuner discusses the types of regulatory systems available, the differences among them, and the role of technology in privacy regulation. He points out, quite correctly, that legislation naming specific technologies will become obsolete almost immediately. On the other hand, individuals and institutions can protect personally identifiable information using privacy-enhancing technologies. For example, in addition to encryption, data collectors could use geolocation to determine where data is being collected or stored, and therefore which laws apply. As he notes, however:
Anonymization, stripping data of the links to the individuals it represents, is another tactic for rendering personally identifiable information safe. The author cites the proposed General Data Protection Regulation of the European Commission, which provides that "the principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable". Unfortunately, at least from the data protection standpoint, there has been significant progress in data de-anonymization. The folk wisdom that date of birth and postal code alone identify most Americans is only slightly overstated: Latanya Sweeney's 2000 analysis of census data found that five-digit ZIP code, sex, and full date of birth together uniquely identify roughly 87% of the US population (Philippe Golle's 2006 re-estimate put the figure closer to 63%), and that is just the tip of a mammoth analytical iceberg. Re-linking "anonymized" medical data is the canonical case: Sweeney matched Massachusetts hospital discharge records to a public voter roll on exactly those three fields to pick out the then-governor's records, and later work has linked other kinds of records to specific individuals with very high accuracy.
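The linkage attack described above, as an added illustration that is not code from Kuner's book or from this review: an "anonymized" hospital table with names removed is joined to an identified public roll on the quasi-identifiers (ZIP, date of birth, sex), then generalized until every quasi-identifier combination appears at least twice (k-anonymity). All tables, names and diagnoses below are constructed for the example.

```python
"""Linkage (re-identification) attack on "anonymized" records, plus a k-anonymity check.

Added example, not from Kuner's book or the review. Every table, name and diagnosis
below is constructed for illustration.
"""
from collections import defaultdict

# Quasi-identifiers: fields that are not names but, in combination, are often unique.
QI = ("zip", "dob", "sex")

# Constructed "anonymized" hospital discharge table: names stripped, QI fields kept.
HOSPITAL = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02140", "dob": "1947-01-20", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1972-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1972-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1988-11-02", "sex": "M", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1988-11-02", "sex": "M", "diagnosis": "fracture"},
]

# Constructed public voter roll: identified, and carrying the same QI fields.
VOTERS = [
    {"name": "Pat Lee", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Jo Park", "zip": "02139", "dob": "1988-11-02", "sex": "M"},
    {"name": "Lee Park", "zip": "02139", "dob": "1988-11-02", "sex": "M"},
    {"name": "Kim Ray", "zip": "02141", "dob": "1990-05-05", "sex": "F"},
]


def qi_key(row, qi=QI):
    """Tuple of quasi-identifier values; this is the join key for the attack."""
    return tuple(row[f] for f in qi)


def equivalence_classes(rows, qi=QI):
    """Group rows by QI tuple (the 'equivalence classes' of k-anonymity)."""
    classes = defaultdict(list)
    for r in rows:
        classes[qi_key(r, qi)].append(r)
    return classes


def k_anonymity(rows, qi=QI):
    """k = size of the smallest equivalence class; k == 1 means some row is unique."""
    return min(len(c) for c in equivalence_classes(rows, qi).values())


def link(anon_rows, public_rows, sensitive="diagnosis", qi=QI):
    """Re-identify by joining on the QI. Returns {name: sensitive value} only where the
    join is unambiguous on both sides (exactly one person, exactly one record)."""
    anon = equivalence_classes(anon_rows, qi)
    public = equivalence_classes(public_rows, qi)
    hits = {}
    for key, people in public.items():
        records = anon.get(key, [])
        if len(people) == 1 and len(records) == 1:
            hits[people[0]["name"]] = records[0][sensitive]
    return hits


def generalize(row):
    """Coarsen the QI: ZIP -> 3-digit prefix, date of birth -> decade. Other fields kept."""
    out = dict(row)
    out["zip"] = row["zip"][:3] + "**"
    out["dob"] = row["dob"][:3] + "0s"
    return out


def homogeneous_classes(rows, sensitive="diagnosis", qi=QI):
    """Classes of size >= 2 whose rows all share the sensitive value. k-anonymity holds,
    yet anyone linked into the class still has the value disclosed (homogeneity attack)."""
    leaks = {}
    for key, recs in equivalence_classes(rows, qi).items():
        values = {r[sensitive] for r in recs}
        if len(recs) > 1 and len(values) == 1:
            leaks[key] = values.pop()
    return leaks


if __name__ == "__main__":
    print("k on raw table:", k_anonymity(HOSPITAL))                # 1
    print("re-identified:", link(HOSPITAL, VOTERS))                 # {'Pat Lee': 'hypertension'}
    gen_hosp = [generalize(r) for r in HOSPITAL]
    gen_voters = [generalize(v) for v in VOTERS]
    print("k after generalizing:", k_anonymity(gen_hosp))          # 2
    print("re-identified after generalizing:", link(gen_hosp, gen_voters))  # {}
    print("homogeneous classes:", homogeneous_classes(gen_hosp))
    # {('021**', '1940s', 'M'): 'hypertension'}
```

On the raw table one patient is unique on the three fields and is named outright; after generalizing ZIP and birth date the table is 2-anonymous and the join no longer resolves to a single person. The last check shows why k-anonymity is a floor, not a guarantee: both men born in the 1940s in the 021** area have the same diagnosis, so the attacker learns it without needing to know which record is which. This is the sense in which "no longer identifiable" in the proposed Regulation is a property of the data plus every auxiliary dataset the adversary can reach, not of the data alone.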
Kuner also examines the role of extraterritoriality in data protection law. Certain policies and conventions, including one proposed by the International Chamber of Commerce, require each Party to the agreement to ensure that data transferred to processors outside the Party's territory remains protected in accordance with the originating Party's laws. He notes elsewhere in the book that onward transfers to other processors don't necessarily create a chain of responsibility back to the originating entity; where that responsibility ends, or even attenuates, is an open question.
Data rarely moves between States without crossing intervening jurisdictions. Kuner cites commentary indicating data transiting across the territory of a State doesn't constitute a transfer, but even there the mechanics of data transmission come into play. Data is often stored on servers for some time as a normal part of transfers, either in a "store and forward" network or in an e-mail system. The US federal government has argued that e-mail stored on a server is no longer "in transit" and is therefore subject to different rules than are applied to "freely flowing" data. How that policy conflict will be resolved, if it is in fact recognized, is uncertain.
Recommendations and Conclusions
Because of the divergent nature of policies and laws among the various States and the difficulty in negotiating treaties, Kuner recommends a pluralistic approach to harmonizing international data protection regimes. Pluralistic harmonization is a slow and uncertain process, but it is the most realistic option at present. The difficulties of negotiating EU data protection agreements, even when granting specific exceptions such as the UK's extended transition from paper to electronic records, argue strongly in favor of a more organic approach.
Transborder Data Flows and Data Privacy Law focuses on commercial and routine governmental activity and, as such, doesn't cover national security law and practice, which the US uses to justify programs such as ECHELON and other National Security Agency programs revealed in the recent past. I was somewhat surprised not to see a discussion of the proposed "right to be forgotten" that has caused so much consternation in the US, but that omission doesn't affect my evaluation of the book.
Kuner provides a comprehensive and useful overview of data protection laws, both in the EU and elsewhere. The author's experience in the field, thorough analysis of existing policies, and policy suggestions are of the highest caliber. I recommend Transborder Data Flows and Data Privacy Law without reservation.
Curtis Frye is the editor of Technology and Society Book Reviews. He is the author of more than 30 books, including Improspectives, his look at applying the principles of improv comedy to business and life. His list includes more than 20 books for Microsoft Press and O'Reilly Media; he has also created more than 20 online training courses for lynda.com. In addition to his writing, Curt is a keynote speaker and entertainer. You can find more information about him at www.curtisfrye.com and follow him as @curtisfrye on Twitter.