Abstract
It took only a few decades from the introduction of publicly open, printed telephone-number registers to approach the utopian idea of Laudon’s digital information market for personal data. Along this journey, data protection faces challenges in technological development as well as jurisdictional and legislative issues such as extraterritorial law-making. This paper attempts to give a brief overview of the economic aspects of personal data, which carries real commercial and strategic value. It also focuses on conceptual, procedural and applicability aspects of a new legal institution called binding corporate rules, which can offer companies a new approach to ensuring an adequate level of protection, not only in cases of data transfer to third countries but also in their general business interests.
Bianka Maksó, dr. jur., is a PhD candidate of the Deák Ferenc Doctoral School of Law, University of Miskolc.
Notes
- 1.
Laudon (1996), pp. 92-104.
- 2.
ECJ, Google Spain and Google, C-131/12; ECLI:EU:C:2014:317.
- 3.
ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650.
- 4.
Moorhead (2011).
- 5.
European Commission (2015).
- 6.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ [2016] L 119/1.
- 7.
Kuner (2015).
- 8.
Samuelson (2000).
- 9.
It is noteworthy that there is still a current scientific debate over the balance of moral rights and interests.
- 10.
Szabó (2005), pp. 44-54.
- 11.
Finn / Wright / Friedewald (2013).
- 12.
Acquisti (2013).
- 13.
Warren / Brandeis (1890).
- 14.
- 15.
- 16.
An American would pay 50 cents more for a good which is provided by a business which applies data protection measures; Acquisti (2013).
- 17.
Critics say that this would lead to a world in which there is no privacy at all and discrimination would aggravate the gap between rich and poor people.
- 18.
Laudon (1996), pp. 92-104.
- 19.
Posner (1978).
- 20.
European Commission (2011).
- 21.
Posner (1978).
- 22.
Huang (1998).
- 23.
Huang (1998).
- 24.
Varian (1996).
- 25.
Acquisti (2010).
- 26.
European Commission (2016).
- 27.
Note: with reference to data protection, ‘EU’ stands for the European Economic Area (EEA).
- 28.
Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, OJ [2007] C 306/1.
- 29.
Charter of Fundamental Rights of the European Union, OJ [2016] C 202/389.
- 30.
Oros / Szurday (2003).
- 31.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ [1995] L 281/31.
- 32.
Ibid., Article 32(1).
- 33.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ [2016] L 119/89.
- 34.
ECJ, Criminal proceedings against Bodil Lindqvist, C-101/01, ECLI:EU:C:2003:596, paras 56, 59, 60, 70.
- 35.
Special Eurobarometer 431 / Wave EB83.1: Data protection, Fieldwork: March 2015, Publication: June 2015 http://ec.europa.eu/public_opinion/archives/eb_special_439_420_en.htm#431.
- 36.
Ryngaert (2015).
- 37.
List of countries can be found here: http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/. Note: Hungary was declared among these countries before its accession to the EU.
- 38.
ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650, para 73.
- 39.
ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650, para 29.
- 40.
2001/497/EC: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (Text with EEA relevance) OJ [2001] L 181/19; 2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries OJ [2004] L 385/74; 2010/87/EC Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council OJ [2010] L 39/5.
- 41.
See for details: Article 29 Data Protection Working Party: National filing requirements for controller BCR (“BCR-C”), available at: http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf.
- 42.
Note: the legal basis of BCRs came into effect on 1 Oct 2015 in Hungary.
- 43.
Wright / de Hert (2016).
- 44.
- 45.
In connection with BCRs the relevant working papers are the following: WP 74, WP 108, WP 153, WP 154, WP 155, WP 176, WP 195, WP 204.
- 46.
Directive 95/46/EC Article 19 point e) declares that proposed transfers of data to third countries may be subject to notification in advance for the national DPA.
- 47.
Article 29 Data Protection Working Party: (2003) Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf.
- 48.
Baker (2006).
- 49.
List of companies, for which the EU BCR cooperation procedure is closed, available at: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.
- 50.
List of companies available at: https://www.oecd.org/sti/ieconomy/46968784.pdf.
- 51.
For further substantive issues see: WP74 and WP 153.
- 52.
Hewlett Packard’s BCRs are available at: http://www8.hp.com/uk/en/binding-corporate-rules.html.
- 53.
eBay’s BCRs are available at: http://www.ebayprivacycenter.com/sites/default/files/user_corporate_rules_11-2-09_v1-01.pdf.
- 54.
WP 153 point 6.4.
- 55.
WP 108.
- 56.
Horváth-Egri Katalin (2015). However, it is noteworthy that according to the draft modification of the Hungarian Data Protection Act, the authorizing process will be administered according to the rules of the general administrative procedure.
- 57.
See the country-specific details in the table, available at: http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf.
- 58.
Until October 2017 the Hungarian DPA has not acted as lead authority.
- 59.
See the full list of factors in WP 108 point 3.3.
- 60.
So far 21 countries take part in this process. See the list: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm.
- 61.
Currency rate available at: https://www.mnb.hu/arfolyamok.
- 62.
- 63.
- 64.
Szőke (2015).
- 65.
An example of its application is listed in Article 27 of Council Regulation (EC) No 1083/2006 of 11 July 2006 laying down general provisions on the European Regional Development Fund, the European Social Fund and the Cohesion Fund and repealing Regulation (EC) No 1260/1999, OJ [2006] L 210/25 (no longer in force).
- 66.
Such as Bulgaria, the Slovak Republic and certain states of Germany.
- 67.
The Hungarian national DPA in its annual control plans in 2013 and in 2014 put the focus on claim management and debt collector companies because of the high rate of complaints on their activity, available at: http://www.naih.hu/files/NAIH-ellenorzesi-terv-2013.pdf; https://www.naih.hu/files/NAIH_ell_terv_2014.pdf.
- 68.
Article 29 Data Protection Working Party: Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, Adopted on 27 February 2014, WP212, 538/14/EN.
References
Acquisti, A. (2010), The Economics of Personal Data and the Economics of Privacy, Background Paper #3, OECD, OECD Conference Centre 1 Dec. 2010, available at: https://www.oecd.org/sti/ieconomy/46968784.pdf
Acquisti, A. (2013), The Economics of Privacy: Theoretical and Empirical Aspects, Carnegie Mellon University, first page, available at: https://pdfs.semanticscholar.org/4807/d80005a2dfc8af1d149ddb77096bcc26e488.pdf.
Baker, R.K. (2006), Offshore IT Outsourcing and the 8th Data Protection Principle - Legal and Regulatory Requirements - with Reference to Financial Services, 14 International Journal of Law and Information Technology Issue 1, 1 March 2006, pp 1–27.
Csegődi, T. L. (1979), A jog pozitivitása mint a modern társadalom feltétele, In: Jog és szociológia., Válogatott tanulmányok KJK, pp. 123-142.
Finn, R.L. / Wright, D. / Friedewald, M. (2013), Seven Types of Privacy, in: S. Gutwirth et al. / R. Leenes / P. de Hert / Y. Poullet (Eds.), European Data Protection: Coming of Age, Springer, pp 3-32.
Horváth-Egri Katalin (2015), A kötelező szervezeti szabályok (Binding Corporate Rules, BCR) és az együttműködési eljárási lehetőségei, Infokommunikáció és Jog, Vol XII, No 64, HVG Orac Lap- és Könyvkiadó Kft, Budapest, 2015. pp. 143 – 147.
Huang, P.H. (1998), The Law and Economics of Consumer Privacy Versus Data Mining, University of Pennsylvania, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=94041
Kuner, C. (2015), Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law, University of Cambridge Faculty of Law Research Paper No. 49/2015, 2015, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2644237
Laudon, K.C. (1996), Markets and Privacy, Association for Computing Machinery, Communications of the ACM, Sep 1996, Vol 39, No 9, 92-104, ABI/INFORM Global
Luhmann, N. (1979), The unity of the legal system, in: G. Teubner (Ed.), Autopoietic Law: A new approach to law and society, Gruyter
Moorhead, P. (2011), Why Your Personal Data Is The New Oil.
Oros P. / Szurday K. (2003), Adatvédelem az Európai Unióban – Szakmai összefoglaló a magyar csatlakozási tárgyalások lezárt fejezeteiből, A Miniszterelnöki Hivatal Kormányzati Stratégiai Elemző Központ és a Külügyminisztérium közös kiadványa, Európai Füzetek 35., Budapest, 2003.
Posner, R.A. (1978), The Right of Privacy, 12 Georgia Law Review first page.
Posner, R.A. (2011), Economic Analysis of Law, Aspen Publisher
Tóth, J.Z. (2004), Richard Posner és a gazdasági jogelmélet, Jogelméleti Szemle, 2004/1.szám, available at: http://jesz.ajk.elte.hu/toth17.html
Ryngaert, C. (2015) Symposium issue on extraterritoriality and EU data protection, International Data Privacy Law, Volume 5, Issue 4, 1 November 2015, Pages 221–225, Oxford University Press, https://academic.oup.com/idpl/article/5/4/221/2404465
Samuelson, P. (2000), Privacy As Intellectual Property?, Stanford Law Review, Vol. 52, No. 5, Symposium: Cyberspace and Privacy: A New Legal Paradigm? (May, 2000), pp. 1125-1173 available at: http://people.ischool.berkeley.edu/~pam/papers/privasip_draft.pdf
Szabó, M.D. (2005), Kísérlet a privacy fogalmának meghatározására a magyar jogrendszer fogalmaival, Információs társadalom, 44-54.
Szőke, G.L. (2015), Az európai adatvédelmi jog megújítása – Tendenciák és lehetőségek az önszabályozás területén, HVG-ORAC Lap- és Könyvkiadó Kft
Varian, H.R. (1996), Economic aspects of Personal Privacy, In: Lehr W., Pupillo L. (eds) Internet Policy and Economics. Springer, Boston, MA, available at: http://people.ischool.berkeley.edu/~hal/Papers/privacy/
Warren, S.D. / Brandeis, L.D. (1890), The Right to Privacy, Harvard Law Review, Vol. 4, No. 5. (Dec. 15, 1890), pp. 193-220.
Wright, D. / de Hert, P. (2016), Enforcing Privacy: Regulatory, Legal and Technological Approaches Law, Governance and Technology Series, Volume 25, Springer International Publishing
Additional Sources
Article 29 Data Protection Working Party: (2003) Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf
Article 29 Data Protection Working Party: Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, Adopted on 27 February 2014, WP212, 538/14/EN
Article 29 Data Protection Working Party: WP 74, WP 108, WP 133, WP 153, WP 154, WP 155, WP 176, WP 195, WP 204
European Commission (2015), Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses, Press Release Database, available at: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en
European Commission (2011), Special Eurobarometer 359 Attitudes on Data Protection and Electronic Identity in the European Union, available at: http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf
European Commission (2016), Digital Privacy, available at: https://ec.europa.eu/digital-single-market/online-privacy
Copyright information
© 2018 Springer-Verlag GmbH Germany, part of Springer Nature
About this chapter
Cite this chapter
Maksó, B. (2018). Binding Corporate Rules As a New Concept for Data Protection in Data Transfers. In: Bakhoum, M., Conde Gallego, B., Mackenrodt, MO., Surblytė-Namavičienė, G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-57646-5_18
DOI: https://doi.org/10.1007/978-3-662-57646-5_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-57645-8
Online ISBN: 978-3-662-57646-5
eBook Packages: Law and Criminology (R0)