Cross-border data

Cross-border data flows: data governance and international trade

Information

Date: Sep 8 (Wed.) 2021, 14:00-16:00

Speakers:

  • Tsai-Fang Chen, Associate Professor of Law & Director of Legal Center for Enterprise & Entrepreneurship, National Yang Ming Chiao Tung University.
  • Chen-hao Ku, Acting Director, Legal Research & Resource Development Center in the Science & Technology Law Institute, Institute for Information Industry

(1)

The basic idea of cross-border data flow is 'computer-generated and machine-readable digital data being transmitted electronically between different countries.' Its importance has grown with the expansion of traditional business models and the emergence of new ones, and it now has a critical bearing on global trade. However, the Snowden disclosures of 2013 made many states aware that the national security measures employed by the United States could harm the data security of other countries. Since then, governments have paid more attention to regulating cross-border data and have made data protection a policy focus; former US President Trump's attacks on TikTok, citing data leaks, are often cited as one example of this trend.

Some countries restrict free data flow through data localization policies, which make it unlawful to transfer certain local data to other jurisdictions or require that it be stored domestically. To comply, companies must either build data centers in the country or engage local vendors to store and process the data locally.

The European Union's General Data Protection Regulation (GDPR) has become the benchmark for data protection regulation since it took effect in May 2018. GDPR's baseline for data transfers is 'prohibit in principle, allow by exception,' which also illustrates that the EU treats data protection as a fundamental right. The EU restricts, in principle, transfers of data out of the EEA, out of concern that data protection laws in other jurisdictions are weaker than GDPR. The high standard GDPR imposes on companies' data protection practices has a visible impact on global trade: many companies have moved their servers into the EEA to comply, which reduces the openness of trade in services, and the legal obligations to retain certain data raise operating costs and deter companies from offering services internationally.

Whether data can flow freely has a direct bearing on free trade in services and goods. Obligations under the General Agreement on Trade in Services (GATS) that bear on data localization measures include Most-Favoured-Nation (MFN) Treatment (Article II), Market Access (Article XVI), and National Treatment (Article XVII), of which MFN treatment binds all members. Many service sectors covered by these obligations are affected by cross-border data rules; international financial services is one example, and services that involve substantial data processing are affected most. As noted above, GDPR restricts cross-border data transfers but does not restrict data processing services, and the two plainly sit in tension. Under GATS, the EU may impose restrictions on data transfers to protect its citizens' privacy, but such restrictions must not discriminate between countries.

Most international trade agreements today are bilateral. Most seek to allow data flows while protecting personal data; in other words, they take an 'allow in principle, prohibit by exception' approach. Countries nonetheless hold distinct views on data flows. The United States, whose economic power owes much to its multinational enterprises, strongly advocates free data flow. The EU values data protection over free data flow. China emphasizes e-commerce but strictly restricts cross-border data flows on national security grounds. Trade agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the Digital Economy Partnership Agreement (DEPA), and the United States-Mexico-Canada Agreement (USMCA) all require free data flow while allowing exceptions. For example, CPTPP allows members to adopt or maintain measures restricting data flows to achieve a legitimate public policy objective, provided that the measure is 'not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade' and does not restrict transfers more than is required to achieve that objective. The Regional Comprehensive Economic Partnership (RCEP) likewise allows member states to adopt or maintain restrictive measures they consider necessary to achieve a legitimate public policy objective or to protect their essential security interests.

(2)

E-commerce, digital transmission, and cross-border trade in products, services, and financial services have created enormous economic benefits through global trade. As a result, some argue that free data flow is the foundation of free trade and globalization. As the first speaker explained, many regional trade agreements contain provisions aimed at ensuring free data flow. Free data flow and data localization sit at opposite ends of a spectrum, and governments must weigh the benefits and risks as they position themselves along it.

Excessive regulation of cross-border data flows harms global and national economic development; a lack of regulation harms individual rights. The need to regulate cross-border data flows is now a global consensus, but every state has its own view of what such regulation should contain and how it should be implemented. Sustaining global prosperity will require communication and negotiation between regulatory regimes to reach a shared position, with a global trade agreement as the expected outcome and, eventually, common international practice.

Two common sources of obstacles and disputes in cross-border data flows are gaps in a country's own data protection rules and differences in regulatory standards between the jurisdiction the data originates from and the one that receives it. In the latter case, deciding which jurisdiction's law applies to protect the parties' rights is a challenge. In cross-border infringement cases, the allocation of liability and the enforcement of compensation must also be taken into account.

There are currently two main ways to enforce data localization. One requires companies by regulation to store data locally; the other imposes restrictions on cross-border data transfers, which has the effect of keeping data within the border. Countries that take the former approach include China, Russia, Indonesia, India, and Vietnam; countries that restrict data flows include the UK, Japan, Hong Kong, Singapore, and Malaysia. Needless to say, different countries set different rules for different kinds of data.

Most major countries regulate cross-border data transfers on a 'prohibit in principle, allow by exception' basis; some prefer the opposite model, allowing free data flow in principle and prohibiting it only by exception. In China, the law governing cross-border data transfer is the Data Security Law. It is designed to safeguard network security and operates alongside the Cybersecurity Law and the Personal Information Protection Law, regulating the collection, storage, use, processing, transmission, provision, and disclosure of data.

The EU's GDPR is recognized as the strictest data protection regulation in the world; the EU's aim is to protect data within the EEA with a focus on individual rights. In the APAC region, the Asia-Pacific Economic Cooperation (APEC) has developed the Cross-Border Privacy Rules (CBPR), through which APEC aims to build trust between consumers and regulators. Participating economies must implement the CBPR requirements and have third parties verify their compliance. Unlike GDPR, the ultimate objective of CBPR is to promote commerce; protecting personal data is the means to that end. APEC has expressed an intention to extend CBPR to non-APEC economies, but the plan is still at an early stage while members' views are gathered.

In Taiwan, the premise for regulating cross-border data flows is 'allow in principle, prohibit by exception.' The competent authority may restrict data transfers in the following circumstances:

  1. where major national interests are involved;
  2. where an international treaty or agreement so stipulates;
  3. where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed; or
  4. where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA.

In addition, specific rules apply to particular types of data, for example biological specimens and financial operations. The law also restricts communications enterprises from transferring their subscribers' personal data to mainland China. Taiwan's data protection rules are consistent with APEC's privacy principles.

In conclusion, states pursue data localization for different objectives, ranging from protecting citizens' personal data and national security to criminal investigation and prevention and the fostering of domestic industry. The types of data they restrict also vary, from personal data to sensitive or critical data and specific categories such as financial and medical records. Further considerations shape the design and implementation of localization measures: for the EU and Japan, the strength of data protection in the receiving country is a major factor, and they, like Australia, also pay close attention to the protection measures taken by the enterprise transferring the data; China additionally requires the data subject's consent and applies its own special considerations.

Data governance and international trade: on cross-border data flows

Event information

Date: September 8, 2021 (Wednesday), 14:00 – 16:00

14:00 – 14:50 Keynote 1: Difficulties and opportunities in how international trade agreements handle cross-border data flows

Speaker: Associate Professor Tsai-Fang Chen (Institute of Technology Law, National Yang Ming Chiao Tung University)

14:50 – 15:00 Live Q&A

15:00 – 15:50 Keynote 2: Constraints on and development of Taiwan's cross-border data flow policy

Speaker: Deputy Director Chen-hao Ku (Science & Technology Law Institute, Institute for Information Industry)

15:50 – 16:00 Live Q&A

Difficulties and opportunities in how international trade agreements handle cross-border data flows / Associate Professor Tsai-Fang Chen

The basic concept of cross-border data flow is the electronic transmission, between different countries, of computer-generated and machine-readable digital data. Its importance has risen with the expansion and upgrading of traditional business operations and the emergence of new business models, and it has a critical influence on contemporary international trade. However, after the Edward Snowden affair broke in 2013, many countries realized that the way the United States safeguards its national security could infringe on other countries' data security. Regulation of cross-border data has received growing attention since then, and data security protection has become a policy focus for governments; former US President Trump's attacks on TikTok, citing data leaks, are one example.

Some countries restrict data flows through data localization, chiefly by using the law to forbid enterprises from transferring specific data abroad or to compel them to store data domestically. Enterprises must therefore set up data centers within the country or engage local vendors to store and process the data.

The EU's General Data Protection Regulation (GDPR) is currently the most stringent data protection regime internationally. On data protection, GDPR adopts the principle of 'prohibit in principle, allow by exception', which shows that the EU regards data protection as a human right. In addition, out of concern that personal data protection abroad is insufficient, the EU restricts member states from transferring data outside its borders. GDPR's strict rules have already affected international trade: many enterprises have placed their servers within the EU to comply, which harms the openness of trade in services, and retaining specific information raises enterprises' costs and hinders them from providing cross-border services.

Whether data can flow is closely tied to whether goods or services can be delivered smoothly. The General Agreement on Trade in Services (GATS) also contains provisions that bear on data localization measures, including most-favoured-nation treatment, market access and national treatment; most-favoured-nation treatment is binding on all members. Many sectors, including international financial services, are affected by cross-border data transfer rules, but data processing services bear the most direct impact. At present the EU restricts cross-border data transfers without restricting data processing services, which is contradictory. Under the GATS provisions, the EU may restrict data transfers on the grounds of protecting users' privacy, but may not apply discriminatory measures to different countries.

International trade agreements are currently mostly bilateral, and most permit data transfers without abandoning personal data protection, so most adopt an 'allow in principle, prohibit by exception' model. Countries' views on data transfers differ: the United States, home to many multinational enterprises, supports data flows; the EU values personal data protection above data flows; China emphasizes e-commerce but strictly restricts cross-border data flows for national security reasons. Trade agreements including the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the Digital Economy Partnership Agreement (DEPA) and the United States-Mexico-Canada Agreement (USMCA) all contain provisions promoting data flows, but all also set out exceptions. For example, CPTPP provides that a measure restricting data flows in special circumstances must meet the following conditions: it must serve a legitimate public policy objective; it must not be discriminatory; it must not constitute a disguised restriction on trade; and it must not restrict data flows more than is required to achieve the policy objective. The Regional Comprehensive Economic Partnership (RCEP) also provides that a country may restrict data flows to protect its essential security interests, and other countries may not dispute such measures. In the Joint Statement Initiative (JSI) on e-commerce, the EU has proposed many limits on data localization but no limits on transfers abroad, while China has proposed letting each country restrict data transfers on national security grounds.

Constraints on and development of Taiwan's cross-border data flow policy / Deputy Director Chen-hao Ku

E-commerce, digital transmission, and cross-border products, finance and services have generated enormous economic benefits through global trade, and data flows have become the foundation of free trade and the trend toward globalization. Following on from Professor Chen's talk, many regional trade agreements also have provisions promoting data flows; to promote data flows, countries must refrain from data localization.

Over-regulation of cross-border data flows may harm economic development, while under-regulation may harm individual rights. Regulating cross-border data is now an international consensus, but countries differ on the specific means of regulation. Going forward, an international consensus must be reached and relevant international conventions signed, gradually forming international practice.

Gaps in domestic personal data protection rules, and inconsistent regulatory standards between the place data is sent from and the place it is received, may create obstacles and disputes in data flows. When a dispute over rights arises, which law to invoke to protect the parties' rights becomes contentious, making it hard for the parties to assert their rights. In addition, the questions of liability and enforcement of compensation arising from cross-border infringements should also be taken into account.

There are currently two approaches to data localization: one directly compels data to remain in the country by regulation; the other restricts cross-border data movement, with the result that data stays within the country. Countries that directly require domestic data storage include China, Russia, Indonesia, India and Vietnam; countries that restrict data movement by legislation include the UK, Japan, Hong Kong, Singapore and Malaysia, and each sets different rules for different types of data.

The major countries currently regulate cross-border data flows on a 'prohibit in principle, allow by exception' basis, while some adopt 'allow in principle, prohibit by exception'. In China's case, the law that directly governs cross-border data flows is the Data Security Law, which is linked with the Cybersecurity Law and the Personal Information Protection Law; it regulates the collection, storage, use, processing, transmission, provision and disclosure of data, and its legislative purpose is to safeguard network security.

The EU's GDPR is globally recognized as the strictest data protection regime; the EU's position is that data should be protected within the EU, centred on the rights of the data subject. The Asia-Pacific Economic Cooperation (APEC) has also established the Cross-Border Privacy Rules (CBPR), through which APEC builds trust between consumers and regulators; participating economies must implement APEC's requirements and have compliance verified by a third party. In contrast to GDPR, CBPR treats personal data protection as the means and the promotion of commercial flows as its true purpose. APEC currently intends to extend CBPR to non-APEC economies, but is still at the stage of seeking member consensus.

Taiwan regulates cross-border data flows on an 'allow in principle, prohibit by exception' basis. The competent authority may restrict data transfers in the following circumstances:

  • Where major national interests are involved.
  • Where an international treaty or agreement so stipulates.
  • Where the receiving country lacks sound data protection regulations, such that the data subjects' rights and interests may be harmed.
  • Where personal data is transferred to a third country (territory) by indirect means to circumvent the Act.

In addition, Taiwan has separate rules for specific types of data such as biological specimens and financial operations, and restricts communications enterprises from transferring their subscribers' personal data to mainland China; Taiwan's current rules are consistent with APEC's privacy principles. The main objectives of data localization across countries include protecting citizens' personal data, national security, crime prevention and investigation, and fostering industry; the types of data restricted include personal data, sensitive/important data and special categories (financial, medical, etc.); and the considerations also differ, including the receiving country's level of personal data protection (EU, Japan), the transferring enterprise's level of personal data protection (EU, Japan and Australia), and the need for data subject consent and special considerations (China).

Questions and responses

Q1: What is the difference between China's Data Security Law and GDPR?

Associate Professor Tsai-Fang Chen: GDPR aims to protect citizens' personal data, but the Data Security Law does not focus entirely on privacy; its more important purpose is to safeguard China's national security.

Q2: De-identification currently still falls within the scope of Taiwan's Personal Data Protection Act; how do other countries view and handle de-identification? If de-identification is incomplete, will that affect transfers of data abroad? If personal data protection touches on industrial development and national security, is the Personal Data Protection Act alone sufficient? And in a digital age of ever-growing data volumes, how should data collection be regulated?

Deputy Director Chen-hao Ku: De-identification technology is no longer the international mainstream; not only is there currently a lack of suitable certification standards, but de-identifying data without the data subject's consent may also give rise to disputes. If de-identification is to be performed, the best approach is to obtain the data subject's consent. Although data volumes are indeed growing ever larger, the more identifiable the data, the higher its value; from the perspective of personal safety, such data should be strictly regulated.