In relation to personal data, privacy (or data privacy) refers to an individual’s right to be able to control information that relates to him or herself. Data protection, a term derived from the German word Datenschutz, is used in much the same way as privacy in the above sense (Bennett and Raab 2006).¹

There is widespread recognition at least in democratic countries that data privacy needs to be protected (Reidenberg 2000). Indeed, virtually all liberal-democratic states have some form of privacy or data protection laws. In Europe, Sweden led the way and passed its Data Protection Act in 1973; subsequently, West Germany enacted its Federal Data Protection Act in 1977, before France, Norway, Denmark, Austria, the United Kingdom, and other European countries followed suit. In North America, the United States (US) enacted its Privacy Act in 1974 and Canada passed its Personal Information Protection and Electronic Documents Act in 2002. In Asia, South Korea passed its Data Protection Act in 2001 and Japan enacted its Act on the Protection of Personal Information in 2003 (Greenleaf 2013; Gellman and Dixon 2011).

It should be noted that, whatever the name of its governing legislation, data privacy law—and regulation based on it—is about defining, in one way or another, the limits of the processing and use of personal data (Bennett and Raab 2006). For instance, one of the fundamental privacy principles is that data collected for one purpose should not be used for other purposes without the consent of the data subject. In essence, protection of data privacy necessitates some restriction on the use of personal information.

Data privacy law and regulation do not impose total prohibition on the use of personal data because there is need to use such data for economic, social, or other benefits. For instance, personal information is widely used in a variety of business activities. Electronic commerce, for example, cannot be carried out without using consumers’ personal data (such as names, addresses, telephone numbers, credit card numbers, and email addresses). However, the use of personal data is not confined to digital transactions. Non-tech companies also routinely use personal data for marketing, intra-corporate management, and other day-to-day operations. Furthermore, personal data is commonly and increasingly used by public authorities for purposes ranging from the provision of social welfare services, to taxation, and to law enforcement. The rise of “e-government” accelerates this trend. Data privacy law and regulation, therefore, generally allows—even facilitates—the use of personal data while restraining certain data practices to reduce potential harm to individuals (Raab 1999; Bennett and Raab 2006).

In short, data privacy in law and practice pursues two potentially conflicting objectives: protection of personal data and “fair” use of such data. As such, the data privacy policy seeks to strike a balance between competing values and interests typically by regulating how and when personal data should be available, or not available, to accommodate economic, social, or administrative needs. However, “what is acceptable in one country might not do in another” (Raab 1999, p. 73). Countries (or people) differ from one another in their social norms, cultural traditions, political philosophy, historical experience, economic circumstances, and other policy backgrounds. Consequently, there are substantial differences in data privacy law and regulation between countries; even between the US and European countries that share fundamental values.

At the international level, the problem of striking a balance between data privacy and other concerns may be transposed as a problem of striking a balance between privacy protection and the facilitation of the movement and use of data across national borders. How can personal data be protected when transferred and used across borders? Conversely, how can personal data be transferred and used across borders without infringing the data subject’s right to privacy? These questions were first raised in the 1970s in response to computerization and the growth of transnational use of personal data for commercial and economic purposes. Today, they are even more crucial as the increased global integration of the economy and the advent of the global network of networks, that is, the internet, have resulted in exponential increase in transborder data flows (Kuner 2013).

In an information-based and globalizing economy, personal data collected in one country may well be transferred to and used in another country. For example, cross-border movement of information about individual customers is essential for business operations of firms in some sectors (e.g. financial services and tourism); so is transborder movement of personal information about employees for intra-corporation management of transnational corporations (e.g. processing payrolls). Presumably, the fewer—regulatory, technological or other—barriers to the use and movement of personal data, the more efficient transnational economic activities would be.

If given free rein, however, firms may be inclined to develop privacy-invasive practices. For example, firms may evade the strict privacy regulation of one country by transferring data to another country with lax or no privacy regulation (i.e. a so-called “data haven”) and processing data there. In other words, firms may be tempted to take advantage of differences in data protection regulation between jurisdictions. To prevent such practices there needs to be some rules to govern the transfer and use of personal information across borders at national and/or international level.

Privacy and business interests, nonetheless, are not necessarily incompatible with each other. It may be in the interests of business to protect their customers’ data to the extent that the protection of personal data is required to build trust and confidence in commercial transactions. Indeed, without trust and confidence in transactions it would be difficult to promote economic activities that rely on data flows (e.g. electronic commerce).

While, at present, no global framework exists to govern data privacy, international attempts to reconcile privacy concerns and economic needs are notably found in the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Privacy Guidelines),² and the Council of Europe’s (CoE) 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108).³

The OECD Privacy Guidelines, a leading example of an international framework for privacy, were originally adopted in 1980 with the recognition that “[m]ember countries have a common interest … in reconciling fundamental but competing values such as privacy and the free flow of information.” Convention No. 108, another important international framework for data privacy, was also enacted in recognition of the necessity “to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples” (Preamble).

The OECD Privacy Guidelines and Convention No. 108 are viewed as providing a fundamental framework to protect personal information (Hurley and Mayer-Schönberger 2000). In particular, the OECD Privacy Guidelines have been accepted by a broad range of industrial countries, including the US and the member states of the European Union (EU), which together have the lion’s share of the development and use of information systems. However, neither the OECD Privacy Guidelines nor Convention No. 108 specifies precisely how countries should strike a balance between data privacy and other interests (especially economic interests). Rather, they establish a set of general principles to harmonize national privacy laws and regulations. The assumption is twofold: if countries follow common privacy principles, a sufficient level of data protection will be provided across all the subscribing countries, and if equivalently sufficient levels of protection are provided, data should be allowed to flow freely between these countries.

In the OECD Guidelines, OECD countries are recommended to implement in their domestic legislation the following eight data protection principles.⁴

Similarly, Convention No. 108 requires each member state to take necessary measures in its domestic law to give effect to the basic principles for the data protection it stipulates. For example, it provides that, in relation to the quality of data, personal data undergoing automatic processing shall be: (a) obtained and processed fairly and lawfully; (b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes; (c) adequate, relevant and not excessive in relation to the purposes for which they are stored; (d) accurate and, where necessary, kept up to date; (e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored (Article 5). The convention then provides that “[a] Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party” (Article 12).

It should be noted that, in both the OECD Guidelines and Convention No. 108, privacy principles are to be implemented by each state in their domestic context of particular social, cultural, and other values and interests. As a result, there remain—rather than being dissolved—“disparities in national legislations”⁵ on data privacy. This means that tension may arise between countries with different data protection law and regulation when personal data flow across their borders.

As noted, the problem of data privacy was set on the international agenda with the increase in transborder movement and use of personal data for commercial and economic purposes. In recent years, data privacy has become an even more salient issue internationally in the context of law enforcement and public security.

Personal information is widely used for the purposes of law enforcement. Investigation of crimes, for example, cannot be conducted without the use of personally identifiable information. Arguably, the more access law enforcement agencies have to personal information, the more efficient would be their efforts to deal with and prevent crimes. It may even be argued that privacy is not an absolute right and that individuals’ right to data privacy should be overridden by public safety considerations. From the perspective of data privacy, however, there should be certain limits on the use of personal information for public security purposes.

Tension between data privacy and public security is not new. The encryption debate in the 1990s provides an example of such a tense relationship (Deibert 2002). Encryption is a very powerful tool to secure electronic communications from unauthorized access and thereby protect an individual’s right to privacy (Reitinger 2000). However, making encryption products widely available may compromise public or national security because it grants the same level of security to the communication of criminals, terrorists, and foreign intelligence agents (Bessette and Haufler 2001). In other words, the spread of encryption technology and products could be detrimental to public security as they might hamper information gathering by national security and law enforcement authorities.⁶

More recently, use of personal data for public security purposes has been under intensive debate in connection with counterterrorism and surveillance activities. Critics claim that, after the terrorist attacks of September 11, 2001, the world witnessed the general erosion of individual privacy rights (e.g. Klosek 2007). The USA PATRIOT⁷ Act of 2001 is perhaps the most prominent example of the expansion of government surveillance authorities after 9/11 (Rotenberg 2003). US (and other states’) government authorities, in fact, now not only gather information directly but also tap the data collected and held by the private sector (such as individuals’ records on travel, financial transactions, and electronic communication) for counterterrorism and law enforcement purposes. Even in Europe, which is said to be especially sensitive to the potential harm of large-scale collection of records about individuals due to its historical experiences (Hurley and Mayer-Schönberger 2000), the EU enacted the Data Retention Directive in 2007, requiring member countries to mandate the retention by telecommunications companies of records of the sender, recipient, and time of communication, so that law enforcement authorities can use the data when necessary (Roberts and Palfrey 2010). Such interaction between the public and private sectors is one of the developments that have significantly affected the politics of data privacy.

Importantly, in the age of globalization, the use of personal data for public security purposes almost inevitably has an international dimension. This is particularly the case with counterterrorism. Nowadays, terrorism has an increasingly transnational nature as terrorists exploit the seamless flows of goods, money, services, and persons across borders. Accordingly, the “exchange of operational information, especially regarding actions or movements of terrorist persons or networks”⁸ has become an integral part of international efforts to prevent and suppress terrorism. In other words, gathering and sharing of information, including that related to individuals, is a vital component of international counterterrorism cooperation.

The problem from the standpoint of civil liberty is that governments may promote such information gathering and sharing at the expense of the data privacy rights of individuals. How can personal information be shared for public security purposes without infringing the individual’s right to privacy? Conversely, how can data privacy be protected when personal data are shared between law enforcement agencies of different countries? In this connection, it should be noted that one country’s data privacy policy may have an effect on another country’s efforts to gather information, because data privacy in practice means placing...