This is a guest post by Yoon Sukbe, a member of the South Korea Ministry of Science, ICT and Future Planning and visiting scholar at the University of Washington School of Law.
The paradigm of data protection is changing with the advancement of network technology. The decentralization and efficiency of Internet technologies enhance convenience of access and benefit users. However, the development of these technologies also increases the risk of data security breaches. In particular, cloud computing makes it possible to move computing resources (e.g., networks, servers, storage, software, applications and services) to another location. The borderless nature of cloud computing causes controversy over jurisdiction between nations that have different regulations, and it adds to the complexity of data protection. Generally, data protection systems can be classified into two categories. One is the horizontal and comprehensive approach of the EU, and the other is the vertical and sectoral approach of the U.S. In the cloud computing context, it is very important to review the EU’s opinion on restricting the location of data centers in order to apply EU law to other countries’ cloud computing services. It is also helpful for Korea to review the problems of its current data protection legal system and to suggest an alternative system for strengthening the protection of personal data.
1. Is the EU’s approach to data protection consistent with its position in world trade discussions?
High-ranking officials of the European Commission have spoken of the need for regulation governing the location of cloud computing data centers, for the sake of data protection and industry development. Viviane Reding, the EU’s Commissioner for Justice, said that European governments could promote the development of European clouds by making sure that data processed by European companies are stored only in clouds to which EU data protection laws and European jurisdiction apply. Neelie Kroes, European Commissioner for Digital Agenda, set out a series of principles for the regulation of EU data located in clouds on the EC’s website. Are these statements compatible with the EU’s commitments in the WTO?
In 1994 the EU (formerly the EC) committed to the liberalization of computer and related services, except for the movement of natural persons (mode 4), during the Uruguay Round of negotiations. This means that there is no limitation on market access, and that national treatment applies, for cross-border supply of services (mode 1) and supply through commercial presence (mode 3) in this sector, which includes data processing services and data base services. Mode 1 means that a user receives services from another country through telecommunication or postal infrastructure. Thus a country that has liberalized mode 1 of the Computer and related services sector is not able to establish regulation incompatible with that commitment.
Computer and related services under the General Agreement on Trade in Services (GATS) is composed of Consultancy Services related to the Installation of Computer Hardware (CPC 841), Software Implementation Services (CPC 842), Data Processing Services (CPC 843), Data Base Services (CPC 844), Maintenance and Repair (CPC 845) and other Computer Services (CPC 849). If cloud computing service is defined as the delivery of computational resources from a location other than the one from which the user is computing, it corresponds to Data Processing Services and Data Base Services.
However, there could be an argument over whether cloud computing service is included in the scope of the EU’s commitment, because this kind of service was not feasible in the 1990s, when the Uruguay Round was negotiated. From this perspective, it is helpful to consider the statement by Oracle’s CEO Larry Ellison that the redefinition of cloud computing merely incorporates everything that we already do.
In the current world trade regime, it has been suggested that the principle of “technology neutrality” applies under the GATS. Application of this principle would mean ensuring a level playing field for all services irrespective of the technological platform used to deliver them. In particular, in 2002 the EU officially requested that all WTO Member countries make commitments in Computer and related services at the highest possible level (i.e. the two-digit level – Provisional CPC Division 84). The aim was to minimize the risk of confusion in determining whether a particular Computer and Related Service has been committed when the service actually offered involves services covered in a number of different subsectors, and so to better reflect technological developments and commercial realities in this sector.
Local presence obligations are a clear limitation on cross-border supply of services (mode 1). Thus, if WTO Member countries that have already made commitments in Computer and related services establish regulation on the location of cloud data centers, it would be a breach of GATS rules. In this context, the EU needs to review whether its scheme would be compatible with its commitment.
2. Suggestions for reform of the Korean data protection legal system
When it comes to the data protection legal system, Korea takes a comprehensive approach. All kinds of transactions are covered by relevant laws. But there are important differences compared with the European system.
Korean data protection regulation is similar to that of the EU in taking a comprehensive approach. But Korea has multiple laws on data protection. Besides the “Data Protection Law” as a basic law, there are the “Telecommunication Network Act” for the telecommunication sector, the “Use and Protection of Credit Information Act” and the “Electronic Financial Transaction Act” for the financial services sector, and so on. Enforcing many laws at once could cause confusion and weaken law-abiding attitudes. For example, if financial data were leaked online, more than four kinds of laws mentioned above would apply to the incident. For a country taking a comprehensive approach, it would be logical to maintain a single law for data protection in private transactions.
With regard to data protection, there are two relationships. One is between the government and the people, and the other is between a company and its customers. A higher level of data protection is required in the former than in the latter because the government is able to collect data extensively. Sometimes personal data is collected against the information holder’s will or without his or her knowledge. A company, by contrast, is permitted to collect personal information on the basis of customers’ consent, and customers provide their information in return for a benefit. Thus it is generally accepted that stricter regulation should apply to the relationship between the government and the people. But the Korean Data Protection Law makes little distinction between the two. It is desirable to separate the data protection legal system into a government regime and a private regime.
Korean data protection regulations are not strong enough compared with those of the U.S., the EU or Canada. Even though the right to access one’s own information is widely accepted in many countries, in Korea, for instance, a data controller bears no liability for refusing a customer access unless the customer suffers a loss. Companies in Korea in practice have no responsibility to grant access to the person who provided the personal data, because the burden of proof for damage is on customers. It is true that the Korean government tends to side with companies rather than individuals. However, as globalization evolves rapidly, especially online, Korean companies should abide by foreign data protection laws. Considering the current trend, strengthening the level of data protection would not be a new pressure on companies. Rather, it could help them become competitive in the global market.