No CrossRef data available.
Published online by Cambridge University Press: 06 March 2019
The European legal system governing data protection issues is widely regarded as an adequate blueprint for late developers to follow. According to this position, host countries will benefit from receiving the ready-made data protection law because it has already gone through a process of trial and error in Europe. For example, China follows the traditional civil law measures on data protection, such as contractual and tort liability. No Chinese legislation deals specifically with the right to protection of personal data. In China, researchers paid attention to the European legal system, which is regarded as the milestone for data protection. Some vigorously suggest that China should quickly move to enact data protection law based on the model provided by European law.
When Chinese researchers strongly promote the European legal system over data protection issues, they send an underlying message that the quality of European laws is good enough to sufficiently deter violations: Individuals would be prohibited from carrying out harmful actions as soon as the expected law is transplanted to China. From a Chinese perspective, our country could quickly move to enact a similar law following the tone of Europe in order to enhance the efficiency of data protection. But is this a compelling position? Will European data protection laws indeed regulate unambiguously and prospectively? Will European data protection laws provide clear guidance to Chinese judges for resolving data protection-related cases? And will the court-enforced laws sufficiently solve the broad spectrum of problems on data use? Understanding the European enforcement mechanism covering data protection issues, and thereby assessing its efficacy on deterrence, is vital to answering these questions.
1 Pistor, Katharina & Xu, Chenggang, Incomplete Law, 35 N. Y. U. J. Int'l L. & Pol. 931, 931 (2002– 2003).Google Scholar
2 Pistor, Katharina & Xu, Chenggang, Beyond Law Enforcement: Governing Financial Markets in China and Russia, in Building a Trustworthy State: Problems of Post-Socialist Transition 167, 176 (Janos Kornai et al. eds., 2004).Google Scholar
3 I take this phrase from Jeff Howard's paper, Environmental Nasty Surprise, Post-Normal Science, and the Troubled Role of Experts in Sustainable Democratic Environmental Decision Making, 43 Futures 182, 182 (2011). The phrase is rather commonly used in papers exploring environmental law issues such as Daniel Farber, Probabilities Behaving Badly: Complexity Theory and Environmental Uncertainty, 37 U.C. Davis L. Rev. 145, 146 (2003). Although there are differences, the surprises happening in data protection are equally nasty as what happens in environmental law.Google Scholar
4 Pistor, & Xu, , supra note 1, at 937.Google Scholar
5 The phenomenon that law is incomplete has been long recognized. For instance, Hart argues that law is indeterminate. In fact, indeterminacy of law and incomplete law are different in expression, but equal in argumentation. See Herbert Hart, The Concept of Law 128 (1994); Xu & Pistor, supra note 1, at 957.Google Scholar
6 See, e.g., Pistor, Katharina & Xu, Chenggang, Fiduciary Duty in Transitional Civil Law Jurisdictions: Lessons from the Incomplete Law Theory (ECGI Law, Working Paper No. 01/2002, 2002); Katharina Pistor & Chenggang Xu, Law Enforcement Failure Under Incomplete Law: Theory and Evidence from Financial Market Regulation (LSE STICERD, Working Paper No. TE/02/442, 2002).Google Scholar
7 Pistor, & Xu, , supra note 1, at 938.Google Scholar
8 Id. Google Scholar
9 Id. at 938–39.Google Scholar
10 Pistor, & Xu, , supra note 2, at 170.Google Scholar
11 See id. at 175.Google Scholar
12 Hart, , supra note 5, at 128.Google Scholar
13 In the words of Hart:Google Scholar
If the world in which we live were characterized only by a finite number of features, and these together with all the modes in which they could combine were known to us, then provision could be made in advance for every possibility. He adds, plainly this world is not our world.Google Scholar
Id. Google Scholar
14 See Pistor, & Xu, , supra note 2, at 175.Google Scholar
15 Pistor, & Xu, , supra note 1, at 932.Google Scholar
16 Id. at 938–39.Google Scholar
17 Id. at 939.Google Scholar
18 Id. Google Scholar
19 See id. at 941.Google Scholar
20 Id. Google Scholar
21 Id. Google Scholar
22 Id. Google Scholar
23 Id. Google Scholar
24 Id. at 938.Google Scholar
25 See id. at 935.Google Scholar
26 Id. at 933.Google Scholar
27 Pistor, Katharina & Xu, Chenggang, The Challenge of Incomplete Law and How Different Legal Systems Respond to It, in Bijuralism: An Economic Approach 71, 78 (Andre Breton & Anne des Ormeaux, eds., 2006).Google Scholar
28 See Pistor, & Xu, , supra note 1, at 946.Google Scholar
29 See id. Google Scholar
30 See id. at 961.Google Scholar
31 See id. at 946.Google Scholar
32 Id. at 947. The two authors mentioned that there is a substantial debate on whether common law judges actually make law or whether they find the law based on legal principles. See, e.g., Jack G. Day, Why Judges Must Make Law, 26 Case W. Res. L. Rev. 563, 563–65 (1976). Incomplete law theory remains neutral to the debate. The authors consider that what judges in common law countries do is to make legally binding precedents, which fill in some gaps in the law. This lawmaking power is one of their major functions. See Pistor & Xu, supra note 1, at 947.Google Scholar
33 See Pistor, & Xu, , supra note 1, at 947.Google Scholar
34 Id. at 948.Google Scholar
35 See id. at 949; Paul R. Milgrom, Douglass C. North & Barry R. Weingast, The Role of Institutions in the Revival of Trade: The Law Merchant, Private Judges, and the Champagne Fairs, 2 Econ. & Pol. 1, 5–6 (1990).Google Scholar
36 See Pistor, & Xu, , supra note 1, at 948.Google Scholar
37 Id. Google Scholar
38 See id. Google Scholar
39 This relates to the problem of legitimate pro-active regulatory behavior, which is resolved in the practice in politics (both Europe and China), a topic beyond this paper's scope.Google Scholar
40 See Pistor, & Xu, , supra note 1, at 951–952.Google Scholar
41 Id. at 949.Google Scholar
42 The two authors note that courts can also be asked to prevent harmful actions from taking place: For example, to file a motion for preliminary injunction. However, this procedure is still based on another party's motion. See id. Google Scholar
43 See id. at 950.Google Scholar
44 See id. at 1012.Google Scholar
45 Id. at 951.Google Scholar
46 Id. The two authors illustrate that the direct costs of regulation include the funds needed to hire monitors and investigators, to maintain filing systems, and to launch lawsuits. The indirect costs of regulation are comprised of the costs market participants incur because they have to comply with regulations and the costs society incurs when regulators either over- or under-enforce the law. See id. Google Scholar
47 Id. Google Scholar
48 Id. Google Scholar
49 See id. at 961. On the tradeoff between monitoring and investigating, and the cost implications of these regulatory enforcement mechanisms, see Dilip Mookherjee & Ivan P. L. Png, Monitoring vis-á-vis Investigation in Enforcement of Law, 82 Am. Econ. Rev. 556, 557 (1992). Using a formal model to compare the tradeoffs, Mookherjee and Png conclude that the use of these alternative enforcement devices should be tailored to the severity of the offense. Smaller offenses should not be investigated, but merely monitored. Larger offenses should be investigated in accordance with their severity, and fines should be maximized. See id. Google Scholar
50 Pistor, & Xu, , supra note 1, at 952.Google Scholar
51 Id. at 953–54.Google Scholar
52 Of course (yet, off-topic for my research), the deployment of residual LMLEP competencies must be monitored and exercised within the constraints as set by the legal system that erect the regulator, as all powers have to respect checks and balances.Google Scholar
53 See Pistor, & Xu, , supra note 2.Google Scholar
54 Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).Google Scholar
55 See Birnhack, Michael, The EU Data Protection Directive: An Engine of a Global Regime, 24 Computer L. & Security Rep. 508 (2008).Google Scholar
56 Pistor, & Xu, , supra note 1, at 938.Google Scholar
57 See id. at 939.Google Scholar
58 See id. at 933.Google Scholar
59 Id. Google Scholar
60 Id. at 949.Google Scholar
61 See id. Google Scholar
62 See id. Google Scholar
63 The information about the ECJ is harvested from its official website. See European Union, Court of Justice of the European Union, http://europa.eu/about-eu/institutions-bodies/court-justice/.Google Scholar
64 According to a European data protection officer, case law decided by ECJ is a significant building block of the legal framework for data protection law in Europe. See European Comm'n, Data Protection Officer (Nov. 4, 2012), http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm.Google Scholar
65 Joined Cases Rechnungshof v. Rundfunk, CJEU Case C-465/00, Neukomm v. Rundfunk, CJEU Case C-138/01, and Lauermann v. Rundfunk, CJEU Case C-139/01, 2003 E.C.R. I-04989 [hereinafter Joined CJEU Cases C-465/00, C-138/01, and C-139/01].Google Scholar
66 See Council Directive 95/46, supra note 54, at para. 3.Google Scholar
67 See Joined CJEU Cases C-465/00, C-138/01, and C-139/01, supra note 65, at paras. 31–47.Google Scholar
68 Id. at paras. 48–101.Google Scholar
69 See id. at para. 100.Google Scholar
70 Lindqvist, , CJEU Case C-101/01, 2003 E.C.R. I-12971. Reference for a preliminary ruling from the Göta hovrätt in the criminal proceedings against Bodil Lindqvist.Google Scholar
71 Id. at paras. 12–17.Google Scholar
72 Id. at paras. 19–99.Google Scholar
73 Joined Cases Asociación Nacional de Establecimientos Financieros de Crédito v. Administración del Estado, CJEU Case C-468/10, and Federación de Comercio Electrónico y Marketing Directo v. Administración del Estado, CJEU Case C-469/10, 2011 E.C.R. I-12181. In the case, Spain's Royal Decree 1720/2007 was believed to impose the extra conditions relating to the legitimate interest in data processing without the data subject's consent, which does not exist in Directive 95/46, to the effect that the data should appear in public sources. The Tribunal Supremo (Supreme Court, Spain) asked the ECJ to interpret Article 7(f) of Directive 95/46. The contents in this section are cited from the judgment.Google Scholar
74 Id. at para. 49.Google Scholar
75 European Comm'n v. Fed. Republic of Ger., CJEU Case C-518/07, 2010 E.C.R. I-01885.Google Scholar
76 See Council Directive 95/46, supra note 54.Google Scholar
77 College van burgemeester en wethouders van Rotterdam v. Rijkeboer, CJEU Case C-553/07, 2009 E.C.R. I-03889 [hereinafter Rijkeboer, CJEU Case C-553/07].Google Scholar
78 Council Directive 95/46, supra note 54.Google Scholar
79 Rijkeboer, CJEU Case C-553/07, supra note 77, at para. 28.Google Scholar
80 See id. Google Scholar
81 Id. at para. 70.Google Scholar
82 See id. Google Scholar
83 Huber v. Bundesrepublik Deutschland, CJEU Case C-524/06, 2008 E.C.R. I-09705 [hereinafter Huber, CJEU Case C-524/06].Google Scholar
84 Council Directive 95/46, supra note 54.Google Scholar
85 See Huber, CJEU Case C-524/06, supra note 83, at para. 2.Google Scholar
86 Id. at para. 82.Google Scholar
87 Tietosuojavaltuutettu v. Oy, CJEU Case C-73/07, 2008 E.C.R. I-09831 [hereinafter Tietosuojavaltuutettu, CJEU Case C-73/07].Google Scholar
88 Council Directive 95/46, supra note 54.Google Scholar
89 See Tietosuojavaltuutettu, CJEU Case C-73/07, supra note 87, at para. 2.Google Scholar
90 Id. at para. 61.Google Scholar
91 Joined Cases European Parliament v. Council of the European Union, CJEU Case C-317/04, and European Parliament v. Comm'n of the European Cmtys., CJEU Case C-318/04, 2006 E.C.R. I-04721 [hereinafter Joined CJEU Cases C-317/04 and C-318/04].Google Scholar
92 Council Directive 95/46, supra note 54.Google Scholar
93 See Joined CJEU Cases C-317/04 and C-318/04, supra note 91, at para. 2.Google Scholar
94 Id. at para. 57.Google Scholar
95 Council Directive 95/46/EC, art. 2(d), 1995 O.J. (L 281) (EC).Google Scholar
96 Id. at 2(b).Google Scholar
97 See Widmer, Ursula, Cloud Computing and Data Protection, Law Business Research Ltd. (July 2009), http://whoswholegal.com/news/features/article/18246/.Google Scholar
98 See Council Directive 95/46/EC.Google Scholar
99 Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remain an Issue, To Be Explored at IAPP Navigate on September 14, Hogan Lovells Chronicle of Data Protection (Sept. 1, 2011), http://www.hldataprotection.com/2011/09/articles/international-eu-privacy/upcoming-eu-cloud-strategy-announced-application-of-local-privacy-laws-remain-an-issue-to-be-explored-at-iapp-navigate-on-september-14/ [hereinafter Upcoming EU Cloud Strategy Announced].Google Scholar
100 For example, when they determine the “means” of processing. W Kuan Hon & Christopher Millard, Cloud Computing and EU Data Protection Law, Part One: Understanding the International Issues, ComputerWorldUK (Sept. 28, 2011), http://www.computerworlduk.com/blogs/cloud-vision/-cloud-computing-and-eu-data-protection-law–3570958/.Google Scholar
101 For example, when they determine the “means” of processing. See id. Google Scholar
102 Widmer, , supra note 97.Google Scholar
103 See Reding, Viviane, Vice-President, Eur. Comm'n & EU Justice Comm'r, Review of the EU Data Protection Framework (Mar. 16, 2011).Google Scholar
104 See Windmer, , supra note 97. See also, Upcoming EU Cloud Strategy Announced, supra note 99.Google Scholar
105 See Windmer, , supra note 97.Google Scholar
106 See id. Google Scholar
107 Pistor, & Xu, , supra note 1, at 943.Google Scholar
108 Id. at 979.Google Scholar
109 Id. at 989.Google Scholar
110 Id. Google Scholar
111 Id. at 949.Google Scholar
112 In this paper, what seems to me to be the most important aspect of the “data regulator” concept is that parts of the regulatory powers as identified in incomplete law theory are delegated by the legislator and the administration to institutions that have thus gained regulatory agency that allows them to react more adequately, quickly, and with expertise to emerging (mal)practices.Google Scholar
113 The position was set up according to the Article 286 of the Treaty of Amsterdam and Regulation (EC) No 45/2001 of the European Parliament. See Treaty of Amsterdam Amending the Treaty on European Union, the Treaties Establishing the European Communities and Certain Related Acts, Oct. 2, 1997, 1997 O.J. (C 340) art. 286.; Commission Regulation 45/2001, 2001 O.J. (L 8/1).Google Scholar
114 See Kuner, Christopher, Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future 7, OECD (Dec. 8, 2011), http://www.oecd-ilibrary.org/science-and-technology/regulation-of-transborder-data-flows-under-data-protection-and-privacy-law_5kg0s2fk315f-en.Google Scholar
115 See Members & Missions, European Data Protection Supervisors (Sept. 15, 2014) https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/Membersmission.Google Scholar
116 See id. Google Scholar
117 See id. Google Scholar
118 See Kuner, , supra note 114, at 9.Google Scholar
119 See id. Google Scholar
120 See Article 29 Working Party, European Comm'n (Aug. 6, 2014) http://ec.europa.eu/justice/data-protection/article-29/index_en.htm.Google Scholar
121 See Commission Regulation 45/2001, 2001 O.J. (L 8/1).Google Scholar
122 See Data Protection Officer of the EU, European Comm'n (July 16, 2013), http://ec.europa.eu/justice/data-protection/bodies/officer/index_en.htm.Google Scholar
123 See Council Directive 95/46/EC, art. 28, 1995 O.J. (L 281) (EC).Google Scholar
124 See id. Google Scholar
125 The Article 29 working group has a well-organized website: Article 29 Working Party, supra note 120.Google Scholar
126 See Council Directive 95/46/EC, art. 29.Google Scholar
127 See id. Google Scholar
128 See id. art. 30.Google Scholar
129 As Pollute concluded, “Since 1996, more than 120 documents on different but important topics have been issued by the Art 29 W.P., which testifies tremendous and intense activities.” Yves Poullet & Serge Gutwirth, The Contribution of the Article 29 Working Party to the Construction of a Harmonized European Data Protection System: An Illustration of “Reflexive Governance”? in Challenges of Privacy and Data Protection Law 570, 575 (Verónica Perez Asinari & Pablo Palazzi eds., 2008).Google Scholar
130 See Council Directive 95/46/EC, art. 30, 1995 O.J. (L 281) (EC).Google Scholar
131 See id. The Working Party may, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community. As Pollute and Gutwirth analyzed, this provision could be “underlined insofar that the Article 29. W.P. could not only advise, but also could intervene and de facto intervenes very freely and broadly about any topic related to data protection. Even the matters that are not covered by data protection directive may be included.” Pollute & Gutwirth, supra note 129, at 576.Google Scholar
132 See Kuner, , supra note 114, at 7.Google Scholar
133 See Poullet, & Gutwirth, , supra note 129.Google Scholar
134 See Council Directive 95/46/EC, art. 25, 1995 O.J. (L 281) (EC).Google Scholar
135 Pistor, & Xu, , supra note 1, at 933.Google Scholar
136 See Article 29 Data Protection Working Party, Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive (European Comm'n, Working Paper No. 12, DG XV D/5025/98, 1998).Google Scholar
137 Poullet, & Gutwirth, , supra note 129, at 585.Google Scholar
138 See id. Google Scholar
139 See id. Google Scholar
140 See Article 29 Data Protection Working Party, Opinion 11/2011 on the Level of Protection of Personal Data in New Zealand (European Comm'n, Working Paper No. 182, 2011).Google Scholar
141 See Article 29 Data Protection Working Party, Opinion 6/2010 on the Level of Protection of Personal Data in the Eastern Republic of Uruguay (European Comm'n, Working Paper No. 177, 2009).Google Scholar
142 See Article 29 Data Protection Working Party, Opinion 7/2009 on the Level of Protection of Personal Data in the Principality of Andorra 2009 (European Comm'n, Working Paper No. 166, 2009).Google Scholar
143 See Article 29 Data Protection Working Party, Opinion 6/2009 on the Level of Protection of Personal Data in Israel (European Comm'n, Working Paper No. 165, 2009).Google Scholar
144 See Article 29 Data Protection Working Party, Opinion 9/2007 on the Level of Protection of Personal Data in the Faroe Islands (European Comm'n, Working Paper No. 142, 2007).Google Scholar
145 See Article 29 Data Protection Working Party, Opinion 8/2007 on the Level of Protection of Personal Data in Jersey (European Comm'n, Working Paper No. 141, 2007).Google Scholar
146 See Article 29 Data Protection Working Party, Opinion 6/2003 on the Level of Protection of Personal Data in the Isle of Man (European Comm'n, Working Paper No. 82, 2003).Google Scholar
147 See Article 29 Data Protection Working Party, Opinion 5/2003 on the Level of Protection of Personal Data in Guernsey (European Comm'n, Working Paper No. 79, 2003).Google Scholar
148 See Article 29 Data Protection Working Party, Opinion 4/2002 on Adequate Level of Protection of Personal Data in Argentina (European Comm'n, Working Paper No. 63, 2002).Google Scholar
149 See Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000 (European Comm'n, Working Paper No. 40, 2000); See Article 29 Data Protection Working Party, Opinion 1/2004 on the Level of Protection Ensured in Australia for the Transmission of Passenger Name Record Data from Airlines (European Comm'n, Working Paper No. 85, 2004).Google Scholar
150 See Article 29 Data Protection Working Party, Opinion 2/2001 on the Adequacy of the Canadian Personal Information and Electronic Documents Act (European Comm'n, Working Paper No. 39, 2001); Article 29 Data Protection Working Party, Opinion 1/2005 on the Level of Protection Ensured in Canada for the Transmission of Passenger Name Record and Advance Passenger Information from Airlines (European Comm'n, Working Paper No. 103, 2005); Article 29 Data Protection Working Party, Opinion 1/97 on Canadian Initiatives Relating to Standardization in the Field of Protection of Privacy (European Comm'n, Working Paper No. 2, 1997).Google Scholar
151 See Article 29 Data Protection Working Party, Opinion 6/99 Concerning the Level of Personal Data Protection in Hungary (European Comm'n, Working Paper No 24, 1999).Google Scholar
152 See Article 29 Data Protection Working Party, Opinion 5/99 on the Level of Protection of Personal Data in Switzerland (European Comm'n, Working Paper No 22, 1999).Google Scholar
153 See Poullet, & Gutwirth, , supra note 129, at 580.Google Scholar
154 In 2009, the Article 29 W.P. published Opinion 5/2009 on Online Social Networking to clarify SNS issues. See Article 29 Working Party, Opinion 5/2009 on Online Social Networking (European Comm'n, Working Paper No. 163, 2009).Google Scholar
155 See id. Google Scholar
156 See Irish Data Protection Commission, Facebook Ireland Ltd. Report Audit, 2011 O.J. (EC).Google Scholar
157 The Irish Data Protection Commissioner adopted the standards set by the Article 29. W. P. to evaluate Facebook's data protection level.Google Scholar
158 Pistor, & Xu, , supra note 1, at 950 to 954.Google Scholar
159 Poullet, & Gutwirth, , supra note 129, at 572.Google Scholar
160 Id. Google Scholar
161 See Council Directive 95/46/EC, 1995 O.J. (L 281) (EC).Google Scholar
162 Schuppert, Stefan, German Data Protection Authority Imposes 200000 Euros Fine for Targeted Advertising Without Adequate Consent, Hogan Lovells (Dec. 7, 2010). http://www.hldataprotection.com/2010/12/articles/international-compliance-inclu/german-data-protection-authority-imposes-a200000-fine-for-targeted-advertising-without-adequate-consent/index.html.Google Scholar
163 Schuppert, Stefan, German DPAs Issue Rules for Cloud Computing Use, Hogan Lovells (Oct. 13, 2011), http://www.hldataprotection.com/2011/10/articles/international-eu-privacy/german-dpas-issue-rules-for-cloud-computing-use/.Google Scholar
164 Pistor, & Xu, , supra note 1, at 996.Google Scholar
165 See id. at 968.Google Scholar
166 The two authors illustrate that environmental, safety, food, and drug regulation are fitting fields to adopt this analytical framework. See id. at 936.Google Scholar
167 Id. at 935.Google Scholar
168 See id. at 966–1011.Google Scholar
169 See id. Google Scholar
170 See id. Google Scholar
171 See id. Google Scholar
172 See id. Google Scholar
173 See id. at 1012.Google Scholar
174 Id. Google Scholar