Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease. With Robert Musil’s 2,000-page tome in German in one hand and a marked-up draft of binding corporate rules in the other hand, Kuner breezes from Palo Alto, CA, through Washington, DC, and Brussels all the way to the ivory towers of Cambridge. His three academic degrees in the U.S. as well as a doctorate in Tilburg, and current role as a Brussels-based senior of counsel at Silicon Valley powerhouse Wilson Sonsini Goodrich & Rosati are a testament to his cultural and professional versatility.
Kuner’s life work, thus far, is no doubt the study of the emergent and constantly evolving regulatory framework governing international data flows. That’s why his latest work, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013), is a must-have item not only in any privacy lawyer’s library but also on his or her desk.
As one might expect from Kuner’s background, his book is as useful and practical as it is deep and thought-provoking. It recognizes that as much as data protection is considered to be a field of market regulation, it also impacts fundamental, indeed philosophical, dilemmas in human rights law, globalization and our response to the shape-shifting chimera of the Internet. It is a foray into private international law, where Kuner explores the challenges and practical intricacies of national regulation in a globalized environment. As Peter Hustinx writes in the book’s foreword, it is “an inconvenient truth that national borders still play a key role in legal regulations, although data flows may cross those same borders a million times every second.”
The book neatly transitions from Kuner’s previous works, both staple volumes in a privacy law library, European Data Privacy Law and Online Business (Oxford University Press, 2003) and European Data Protection Law: Corporate Compliance and Regulation (Oxford University Press, 2007, also published in Chinese). It reflects the struggle of the law to keep up with the cutthroat pace of developments in technology and business, including the emergence of cloud computing, Big Data and social networks.
The book comprises eight chapters covering different aspects of transborder data flows. It provides both a detailed exposition as well as pointed critique of current regulatory models ranging from the OECD Privacy Guidelines to the APEC Privacy Framework. It suggests useful typologies for forms of regulation, including national, international, self-regulatory and technological approaches (Chapter Four). It distinguishes, for example, between “geographic-based approaches,” such as the European adequacy model, and “organizational-based approaches,” such as the Canadian “accountability” model (p. 64-76). It delves behind the scenes of policymaking to unearth the logic and rationales underlying both existing and emergent regulation (p. 107-20). It is this deep dive that distinguishes Kuner’s work from most other practitioners’ resources. Many lawyers know the requisite details to consult clients on a regulatory framework, yet only a select few can navigate the policymaking discussion to actually shape the frameworks that govern their clients’ activities.
Kuner clearly has a soft spot for private international law. Chapter Six of the book, titled “Applicable Law, Extraterritoriality and Transborder Data Flows” addresses this topic, featuring some of the thorniest legal questions in play today, including conflicts of laws and online personal jurisdiction. Kuner, a seasoned diplomat who has helped his clients weather the storm in circumstances ranging from conflicts between EU data protection law and U.S. law enforcement requirements to the negotiation of a reasonable, practical set of “model” data transfer clauses, adds texture and practical context to foundational texts such as Peter Swire’s 1998 “Of Elephants, Mice, and Privacy: International Choice of Law and the Internet” and Michael Geist’s 2001 classic “Is There a There There? Toward Greater Certainty for Internet Jurisdiction.” His conclusion that “transborder data flow regulation performs much the same function as applicable law rules, namely extending the protection of national law extraterritorially” (at p. 141) has profound implications for the emerging global privacy framework and particularly the currently heated trans-Atlantic debate. Kuner states that “transborder data flow regulation is still often viewed as a way to protect the rights and interests of a state’s own citizens.” This can help explain some of the shrill tones in the current discussions around the FISA, which distinguishes between “U.S.-persons” and “non-U.S. persons.”
The book goes on to discuss compliance and enforcement (Chapter Seven), stating that, “the level of [data protection] compliance is low in proportion to the amount of data being transferred and that enforcement is highly selective” (p. 146). It recognizes the well-documented, deep deficit in enforcement of data protection law, positing that, ironically, the companies most likely to comply are large, U.S.-based technology vendors. These companies internalize data protection obligations not because of risk of regulatory enforcement in Europe but rather as a result of multiple U.S. regulations, such as the Sarbanes-Oxley Act or the Federal Sentencing Guidelines. In this vein, other commentators have pointed out that, paradoxically, those most likely to be protected by the EU framework are European consumers of U.S. corporations.
Taking a step back from a narrow regulatory focus, Kuner explains that the risks posed by transborder data flows have come to overshadow the benefits they can bring, particularly their role in facilitating freedom of expression and economic development in previously authoritarian regimes. Pushing back against protectionist sentiment, he argues that the goal of transborder data flow regulation should be to promote the universality of fundamental rights, not just to ensure the application of local values outside national borders. To this end, he suggests principles for a new approach to transborder data flow regulation based on theories of legal pluralism. If anything, the Snowden revelations and ensuing crisis of trust have proven that, absent collaborative efforts, the online economy risks splintering and balkanization.
As one reviewer writes, “this study will be one of the starting points for any student or professional researcher of data privacy and will be well-appreciated for its detail and referenced documentation by anyone genuinely interested in the subject.” I dare add that it will no doubt constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.