Hostname: page-component-78c5997874-t5tsf Total loading time: 0 Render date: 2024-11-14T22:07:54.823Z Has data issue: false hasContentIssue false
  • English
  • Français

Incomplete Data Protection Law

Published online by Cambridge University Press:  06 March 2019

Kunbei Zhang

Extract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

The European legal system governing data protection issues is widely regarded as an adequate blueprint for late developers to follow. According to this position, host countries will benefit from receiving the ready-made data protection law because it has already gone through a process of trial and error in Europe. For example, China follows the traditional civil law measures on data protection, such as contractual and tort liability. No Chinese legislation deals specifically with the right to protection of personal data. In China, researchers paid attention to the European legal system, which is regarded as the milestone for data protection. Some vigorously suggest that China should quickly move to enact data protection law based on the model provided by European law.

When Chinese researchers strongly promote the European legal system over data protection issues, they send an underlying message that the quality of European laws is good enough to sufficiently deter violations: Individuals would be prohibited from carrying out harmful actions as soon as the expected law is transplanted to China. From a Chinese perspective, our country could quickly move to enact a similar law following the tone of Europe in order to enhance the efficiency of data protection. But is this a compelling position? Will European data protection laws indeed regulate unambiguously and prospectively? Will European data protection laws provide clear guidance to Chinese judges for resolving data protection-related cases? And will the court-enforced laws sufficiently solve the broad spectrum of problems on data use? Understanding the European enforcement mechanism covering data protection issues, and thereby assessing its efficacy on deterrence, is vital to answering these questions.

Type
Articles
Information
German Law Journal , Volume 15 , Issue 6 , 01 October 2014 , pp. 1071 - 1104
Copyright
Copyright © 2014 by German Law Journal GbR 

References

1 Pistor, Katharina & Xu, Chenggang, Incomplete Law, 35 N. Y. U. J. Int'l L. & Pol. 931, 931 (2002– 2003).Google Scholar

2 Pistor, Katharina & Xu, Chenggang, Beyond Law Enforcement: Governing Financial Markets in China and Russia, in Building a Trustworthy State: Problems of Post-Socialist Transition 167, 176 (Janos Kornai et al. eds., 2004).Google Scholar

3 I take this phrase from Jeff Howard's paper, Environmental Nasty Surprise, Post-Normal Science, and the Troubled Role of Experts in Sustainable Democratic Environmental Decision Making, 43 Futures 182, 182 (2011). The phrase is rather commonly used in papers exploring environmental law issues such as Daniel Farber, Probabilities Behaving Badly: Complexity Theory and Environmental Uncertainty, 37 U.C. Davis L. Rev. 145, 146 (2003). Although there are differences, the surprises happening in data protection are equally nasty as what happens in environmental law.Google Scholar

4 Pistor, & Xu, , supra note 1, at 937.Google Scholar

5 The phenomenon that law is incomplete has been long recognized. For instance, Hart argues that law is indeterminate. In fact, indeterminacy of law and incomplete law are different in expression, but equal in argumentation. See Herbert Hart, The Concept of Law 128 (1994); Xu & Pistor, supra note 1, at 957.Google Scholar

6 See, e.g., Pistor, Katharina & Xu, Chenggang, Fiduciary Duty in Transitional Civil Law Jurisdictions: Lessons from the Incomplete Law Theory (ECGI Law, Working Paper No. 01/2002, 2002); Katharina Pistor & Chenggang Xu, Law Enforcement Failure Under Incomplete Law: Theory and Evidence from Financial Market Regulation (LSE STICERD, Working Paper No. TE/02/442, 2002).Google Scholar

7 Pistor, & Xu, , supra note 1, at 938.Google Scholar

8 Id. Google Scholar

9 Id. at 938–39.Google Scholar

10 Pistor, & Xu, , supra note 2, at 170.Google Scholar

11 See id. at 175.Google Scholar

12 Hart, , supra note 5, at 128.Google Scholar

13 In the words of Hart:Google Scholar

If the world in which we live were characterized only by a finite number of features, and these together with all the modes in which they could combine were known to us, then provision could be made in advance for every possibility. He adds, plainly this world is not our world.Google Scholar

Id. Google Scholar

14 See Pistor, & Xu, , supra note 2, at 175.Google Scholar

15 Pistor, & Xu, , supra note 1, at 932.Google Scholar

16 Id. at 938–39.Google Scholar

17 Id. at 939.Google Scholar

18 Id. Google Scholar

19 See id. at 941.Google Scholar

20 Id. Google Scholar

21 Id. Google Scholar

22 Id. Google Scholar

23 Id. Google Scholar

24 Id. at 938.Google Scholar

25 See id. at 935.Google Scholar

26 Id. at 933.Google Scholar

27 Pistor, Katharina & Xu, Chenggang, The Challenge of Incomplete Law and How Different Legal Systems Respond to It, in Bijuralism: An Economic Approach 71, 78 (Andre Breton & Anne des Ormeaux, eds., 2006).Google Scholar

28 See Pistor, & Xu, , supra note 1, at 946.Google Scholar

29 See id. Google Scholar

30 See id. at 961.Google Scholar

31 See id. at 946.Google Scholar

32 Id. at 947. The two authors mentioned that there is a substantial debate on whether common law judges actually make law or whether they find the law based on legal principles. See, e.g., Jack G. Day, Why Judges Must Make Law, 26 Case W. Res. L. Rev. 563, 563–65 (1976). Incomplete law theory remains neutral to the debate. The authors consider that what judges in common law countries do is to make legally binding precedents, which fill in some gaps in the law. This lawmaking power is one of their major functions. See Pistor & Xu, supra note 1, at 947.Google Scholar

33 See Pistor, & Xu, , supra note 1, at 947.Google Scholar

34 Id. at 948.Google Scholar

35 See id. at 949; Paul R. Milgrom, Douglass C. North & Barry R. Weingast, The Role of Institutions in the Revival of Trade: The Law Merchant, Private Judges, and the Champagne Fairs, 2 Econ. & Pol. 1, 56 (1990).Google Scholar

36 See Pistor, & Xu, , supra note 1, at 948.Google Scholar

37 Id. Google Scholar

38 See id. Google Scholar

39 This relates to the problem of legitimate pro-active regulatory behavior, which is resolved in the practice in politics (both Europe and China), a topic beyond this paper's scope.Google Scholar

40 See Pistor, & Xu, , supra note 1, at 951–952.Google Scholar

41 Id. at 949.Google Scholar

42 The two authors note that courts can also be asked to prevent harmful actions from taking place: For example, to file a motion for preliminary injunction. However, this procedure is still based on another party's motion. See id. Google Scholar

43 See id. at 950.Google Scholar

44 See id. at 1012.Google Scholar

45 Id. at 951.Google Scholar

46 Id. The two authors illustrate that the direct costs of regulation include the funds needed to hire monitors and investigators, to maintain filing systems, and to launch lawsuits. The indirect costs of regulation are comprised of the costs market participants incur because they have to comply with regulations and the costs society incurs when regulators either over- or under-enforce the law. See id. Google Scholar

47 Id. Google Scholar

48 Id. Google Scholar

49 See id. at 961. On the tradeoff between monitoring and investigating, and the cost implications of these regulatory enforcement mechanisms, see Dilip Mookherjee & Ivan P. L. Png, Monitoring vis-á-vis Investigation in Enforcement of Law, 82 Am. Econ. Rev. 556, 557 (1992). Using a formal model to compare the tradeoffs, Mookherjee and Png conclude that the use of these alternative enforcement devices should be tailored to the severity of the offense. Smaller offenses should not be investigated, but merely monitored. Larger offenses should be investigated in accordance with their severity, and fines should be maximized. See id. Google Scholar

50 Pistor, & Xu, , supra note 1, at 952.Google Scholar

51 Id. at 953–54.Google Scholar

52 Of course (yet, off-topic for my research), the deployment of residual LMLEP competencies must be monitored and exercised within the constraints as set by the legal system that erect the regulator, as all powers have to respect checks and balances.Google Scholar

53 See Pistor, & Xu, , supra note 2.Google Scholar

54 Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).Google Scholar

55 See Birnhack, Michael, The EU Data Protection Directive: An Engine of a Global Regime, 24 Computer L. & Security Rep. 508 (2008).Google Scholar

56 Pistor, & Xu, , supra note 1, at 938.Google Scholar

57 See id. at 939.Google Scholar

58 See id. at 933.Google Scholar

59 Id. Google Scholar

60 Id. at 949.Google Scholar

61 See id. Google Scholar

62 See id. Google Scholar

63 The information about the ECJ is harvested from its official website. See European Union, Court of Justice of the European Union, http://europa.eu/about-eu/institutions-bodies/court-justice/.Google Scholar

64 According to a European data protection officer, case law decided by ECJ is a significant building block of the legal framework for data protection law in Europe. See European Comm'n, Data Protection Officer (Nov. 4, 2012), http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm.Google Scholar

65 Joined Cases Rechnungshof v. Rundfunk, CJEU Case C-465/00, Neukomm v. Rundfunk, CJEU Case C-138/01, and Lauermann v. Rundfunk, CJEU Case C-139/01, 2003 E.C.R. I-04989 [hereinafter Joined CJEU Cases C-465/00, C-138/01, and C-139/01].Google Scholar

66 See Council Directive 95/46, supra note 54, at para. 3.Google Scholar

67 See Joined CJEU Cases C-465/00, C-138/01, and C-139/01, supra note 65, at paras. 31–47.Google Scholar

68 Id. at paras. 48–101.Google Scholar

69 See id. at para. 100.Google Scholar

70 Lindqvist, , CJEU Case C-101/01, 2003 E.C.R. I-12971. Reference for a preliminary ruling from the Göta hovrätt in the criminal proceedings against Bodil Lindqvist.Google Scholar

71 Id. at paras. 12–17.Google Scholar

72 Id. at paras. 19–99.Google Scholar

73 Joined Cases Asociación Nacional de Establecimientos Financieros de Crédito v. Administración del Estado, CJEU Case C-468/10, and Federación de Comercio Electrónico y Marketing Directo v. Administración del Estado, CJEU Case C-469/10, 2011 E.C.R. I-12181. In the case, Spain's Royal Decree 1720/2007 was believed to impose the extra conditions relating to the legitimate interest in data processing without the data subject's consent, which does not exist in Directive 95/46, to the effect that the data should appear in public sources. The Tribunal Supremo (Supreme Court, Spain) asked the ECJ to interpret Article 7(f) of Directive 95/46. The contents in this section are cited from the judgment.Google Scholar

74 Id. at para. 49.Google Scholar

75 European Comm'n v. Fed. Republic of Ger., CJEU Case C-518/07, 2010 E.C.R. I-01885.Google Scholar

76 See Council Directive 95/46, supra note 54.Google Scholar

77 College van burgemeester en wethouders van Rotterdam v. Rijkeboer, CJEU Case C-553/07, 2009 E.C.R. I-03889 [hereinafter Rijkeboer, CJEU Case C-553/07].Google Scholar

78 Council Directive 95/46, supra note 54.Google Scholar

79 Rijkeboer, CJEU Case C-553/07, supra note 77, at para. 28.Google Scholar

80 See id. Google Scholar

81 Id. at para. 70.Google Scholar

82 See id. Google Scholar

83 Huber v. Bundesrepublik Deutschland, CJEU Case C-524/06, 2008 E.C.R. I-09705 [hereinafter Huber, CJEU Case C-524/06].Google Scholar

84 Council Directive 95/46, supra note 54.Google Scholar

85 See Huber, CJEU Case C-524/06, supra note 83, at para. 2.Google Scholar

86 Id. at para. 82.Google Scholar

87 Tietosuojavaltuutettu v. Oy, CJEU Case C-73/07, 2008 E.C.R. I-09831 [hereinafter Tietosuojavaltuutettu, CJEU Case C-73/07].Google Scholar

88 Council Directive 95/46, supra note 54.Google Scholar

89 See Tietosuojavaltuutettu, CJEU Case C-73/07, supra note 87, at para. 2.Google Scholar

90 Id. at para. 61.Google Scholar

91 Joined Cases European Parliament v. Council of the European Union, CJEU Case C-317/04, and European Parliament v. Comm'n of the European Cmtys., CJEU Case C-318/04, 2006 E.C.R. I-04721 [hereinafter Joined CJEU Cases C-317/04 and C-318/04].Google Scholar

92 Council Directive 95/46, supra note 54.Google Scholar

93 See Joined CJEU Cases C-317/04 and C-318/04, supra note 91, at para. 2.Google Scholar

94 Id. at para. 57.Google Scholar

95 Council Directive 95/46/EC, art. 2(d), 1995 O.J. (L 281) (EC).Google Scholar

96 Id. at 2(b).Google Scholar

97 See Widmer, Ursula, Cloud Computing and Data Protection, Law Business Research Ltd. (July 2009), http://whoswholegal.com/news/features/article/18246/.Google Scholar

98 See Council Directive 95/46/EC.Google Scholar

99 Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remain an Issue, To Be Explored at IAPP Navigate on September 14, Hogan Lovells Chronicle of Data Protection (Sept. 1, 2011), http://www.hldataprotection.com/2011/09/articles/international-eu-privacy/upcoming-eu-cloud-strategy-announced-application-of-local-privacy-laws-remain-an-issue-to-be-explored-at-iapp-navigate-on-september-14/ [hereinafter Upcoming EU Cloud Strategy Announced].Google Scholar

100 For example, when they determine the “means” of processing. W Kuan Hon & Christopher Millard, Cloud Computing and EU Data Protection Law, Part One: Understanding the International Issues, ComputerWorldUK (Sept. 28, 2011), http://www.computerworlduk.com/blogs/cloud-vision/-cloud-computing-and-eu-data-protection-law–3570958/.Google Scholar

101 For example, when they determine the “means” of processing. See id. Google Scholar

102 Widmer, , supra note 97.Google Scholar

103 See Reding, Viviane, Vice-President, Eur. Comm'n & EU Justice Comm'r, Review of the EU Data Protection Framework (Mar. 16, 2011).Google Scholar

104 See Windmer, , supra note 97. See also, Upcoming EU Cloud Strategy Announced, supra note 99.Google Scholar

105 See Windmer, , supra note 97.Google Scholar

106 See id. Google Scholar

107 Pistor, & Xu, , supra note 1, at 943.Google Scholar

108 Id. at 979.Google Scholar

109 Id. at 989.Google Scholar

110 Id. Google Scholar

111 Id. at 949.Google Scholar

112 In this paper, what seems to me to be the most important aspect of the “data regulator” concept is that parts of the regulatory powers as identified in incomplete law theory are delegated by the legislator and the administration to institutions that have thus gained regulatory agency that allows them to react more adequately, quickly, and with expertise to emerging (mal)practices.Google Scholar

113 The position was set up according to the Article 286 of the Treaty of Amsterdam and Regulation (EC) No 45/2001 of the European Parliament. See Treaty of Amsterdam Amending the Treaty on European Union, the Treaties Establishing the European Communities and Certain Related Acts, Oct. 2, 1997, 1997 O.J. (C 340) art. 286.; Commission Regulation 45/2001, 2001 O.J. (L 8/1).Google Scholar

114 See Kuner, Christopher, Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future 7, OECD (Dec. 8, 2011), http://www.oecd-ilibrary.org/science-and-technology/regulation-of-transborder-data-flows-under-data-protection-and-privacy-law_5kg0s2fk315f-en.Google Scholar

115 See Members & Missions, European Data Protection Supervisors (Sept. 15, 2014) https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/Membersmission.Google Scholar

116 See id. Google Scholar

117 See id. Google Scholar

118 See Kuner, , supra note 114, at 9.Google Scholar

119 See id. Google Scholar

120 See Article 29 Working Party, European Comm'n (Aug. 6, 2014) http://ec.europa.eu/justice/data-protection/article-29/index_en.htm.Google Scholar

121 See Commission Regulation 45/2001, 2001 O.J. (L 8/1).Google Scholar

122 See Data Protection Officer of the EU, European Comm'n (July 16, 2013), http://ec.europa.eu/justice/data-protection/bodies/officer/index_en.htm.Google Scholar

123 See Council Directive 95/46/EC, art. 28, 1995 O.J. (L 281) (EC).Google Scholar

124 See id. Google Scholar

125 The Article 29 working group has a well-organized website: Article 29 Working Party, supra note 120.Google Scholar

126 See Council Directive 95/46/EC, art. 29.Google Scholar

127 See id. Google Scholar

128 See id. art. 30.Google Scholar

129 As Pollute concluded, “Since 1996, more than 120 documents on different but important topics have been issued by the Art 29 W.P., which testifies tremendous and intense activities.” Yves Poullet & Serge Gutwirth, The Contribution of the Article 29 Working Party to the Construction of a Harmonized European Data Protection System: An Illustration of “Reflexive Governance”? in Challenges of Privacy and Data Protection Law 570, 575 (Verónica Perez Asinari & Pablo Palazzi eds., 2008).Google Scholar

130 See Council Directive 95/46/EC, art. 30, 1995 O.J. (L 281) (EC).Google Scholar

131 See id. The Working Party may, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community. As Pollute and Gutwirth analyzed, this provision could be “underlined insofar that the Article 29. W.P. could not only advise, but also could intervene and de facto intervenes very freely and broadly about any topic related to data protection. Even the matters that are not covered by data protection directive may be included.” Pollute & Gutwirth, supra note 129, at 576.Google Scholar

132 See Kuner, , supra note 114, at 7.Google Scholar

133 See Poullet, & Gutwirth, , supra note 129.Google Scholar

134 See Council Directive 95/46/EC, art. 25, 1995 O.J. (L 281) (EC).Google Scholar

135 Pistor, & Xu, , supra note 1, at 933.Google Scholar

136 See Article 29 Data Protection Working Party, Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive (European Comm'n, Working Paper No. 12, DG XV D/5025/98, 1998).Google Scholar

137 Poullet, & Gutwirth, , supra note 129, at 585.Google Scholar

138 See id. Google Scholar

139 See id. Google Scholar

140 See Article 29 Data Protection Working Party, Opinion 11/2011 on the Level of Protection of Personal Data in New Zealand (European Comm'n, Working Paper No. 182, 2011).Google Scholar

141 See Article 29 Data Protection Working Party, Opinion 6/2010 on the Level of Protection of Personal Data in the Eastern Republic of Uruguay (European Comm'n, Working Paper No. 177, 2009).Google Scholar

142 See Article 29 Data Protection Working Party, Opinion 7/2009 on the Level of Protection of Personal Data in the Principality of Andorra 2009 (European Comm'n, Working Paper No. 166, 2009).Google Scholar

143 See Article 29 Data Protection Working Party, Opinion 6/2009 on the Level of Protection of Personal Data in Israel (European Comm'n, Working Paper No. 165, 2009).Google Scholar

144 See Article 29 Data Protection Working Party, Opinion 9/2007 on the Level of Protection of Personal Data in the Faroe Islands (European Comm'n, Working Paper No. 142, 2007).Google Scholar

145 See Article 29 Data Protection Working Party, Opinion 8/2007 on the Level of Protection of Personal Data in Jersey (European Comm'n, Working Paper No. 141, 2007).Google Scholar

146 See Article 29 Data Protection Working Party, Opinion 6/2003 on the Level of Protection of Personal Data in the Isle of Man (European Comm'n, Working Paper No. 82, 2003).Google Scholar

147 See Article 29 Data Protection Working Party, Opinion 5/2003 on the Level of Protection of Personal Data in Guernsey (European Comm'n, Working Paper No. 79, 2003).Google Scholar

148 See Article 29 Data Protection Working Party, Opinion 4/2002 on Adequate Level of Protection of Personal Data in Argentina (European Comm'n, Working Paper No. 63, 2002).Google Scholar

149 See Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000 (European Comm'n, Working Paper No. 40, 2000); See Article 29 Data Protection Working Party, Opinion 1/2004 on the Level of Protection Ensured in Australia for the Transmission of Passenger Name Record Data from Airlines (European Comm'n, Working Paper No. 85, 2004).Google Scholar

150 See Article 29 Data Protection Working Party, Opinion 2/2001 on the Adequacy of the Canadian Personal Information and Electronic Documents Act (European Comm'n, Working Paper No. 39, 2001); Article 29 Data Protection Working Party, Opinion 1/2005 on the Level of Protection Ensured in Canada for the Transmission of Passenger Name Record and Advance Passenger Information from Airlines (European Comm'n, Working Paper No. 103, 2005); Article 29 Data Protection Working Party, Opinion 1/97 on Canadian Initiatives Relating to Standardization in the Field of Protection of Privacy (European Comm'n, Working Paper No. 2, 1997).Google Scholar

151 See Article 29 Data Protection Working Party, Opinion 6/99 Concerning the Level of Personal Data Protection in Hungary (European Comm'n, Working Paper No 24, 1999).Google Scholar

152 See Article 29 Data Protection Working Party, Opinion 5/99 on the Level of Protection of Personal Data in Switzerland (European Comm'n, Working Paper No 22, 1999).Google Scholar

153 See Poullet, & Gutwirth, , supra note 129, at 580.Google Scholar

154 In 2009, the Article 29 W.P. published Opinion 5/2009 on Online Social Networking to clarify SNS issues. See Article 29 Working Party, Opinion 5/2009 on Online Social Networking (European Comm'n, Working Paper No. 163, 2009).Google Scholar

155 See id. Google Scholar

156 See Irish Data Protection Commission, Facebook Ireland Ltd. Report Audit, 2011 O.J. (EC).Google Scholar

157 The Irish Data Protection Commissioner adopted the standards set by the Article 29. W. P. to evaluate Facebook's data protection level.Google Scholar

158 Pistor, & Xu, , supra note 1, at 950 to 954.Google Scholar

159 Poullet, & Gutwirth, , supra note 129, at 572.Google Scholar

160 Id. Google Scholar

161 See Council Directive 95/46/EC, 1995 O.J. (L 281) (EC).Google Scholar

162 Schuppert, Stefan, German Data Protection Authority Imposes 200000 Euros Fine for Targeted Advertising Without Adequate Consent, Hogan Lovells (Dec. 7, 2010). http://www.hldataprotection.com/2010/12/articles/international-compliance-inclu/german-data-protection-authority-imposes-a200000-fine-for-targeted-advertising-without-adequate-consent/index.html.Google Scholar

163 Schuppert, Stefan, German DPAs Issue Rules for Cloud Computing Use, Hogan Lovells (Oct. 13, 2011), http://www.hldataprotection.com/2011/10/articles/international-eu-privacy/german-dpas-issue-rules-for-cloud-computing-use/.Google Scholar

164 Pistor, & Xu, , supra note 1, at 996.Google Scholar

165 See id. at 968.Google Scholar

166 The two authors illustrate that environmental, safety, food, and drug regulation are fitting fields to adopt this analytical framework. See id. at 936.Google Scholar

167 Id. at 935.Google Scholar

168 See id. at 966–1011.Google Scholar

169 See id. Google Scholar

170 See id. Google Scholar

171 See id. Google Scholar

172 See id. Google Scholar

173 See id. at 1012.Google Scholar

174 Id. Google Scholar