
Chapter 2 Legal Framework on Personal Data Protection before 2013 reform

9) Reassessment Principle: The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary.

2.2.3. Implementation of Personal Data Protection

2.2.3.3. Enforceability of Rights

Enforceability of the right to personal data protection is the hardest feature of implementation, because many cases span different jurisdictions. This section sets out the compatible sanctions and the solutions to the conflict of laws created by the large number of legal instruments involved. Most enforcement is sanctioned by domestic courts, but some measures can be imposed internationally. Consequently, a survey of the sanctions available under the numerous data protection laws would be useful to the victim.

291 OECD. Report on the Cross-Border Enforcement of Privacy Laws. 2006, p. 9.

292 European Commission. Data Protection in the European Union: Citizens' Perceptions. Analytical Report, 2008, p. 33.

293 Kuner, Christopher. "Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future." TILT Law & Technology Working Paper No. 016/2010, 2010, p. 33.

The point of departure for enforceability specific to personal data protection can be found in the United Nations Guidelines for the Regulation of Computerized Personal Data Files, Part A, Principle 8 (Supervision and sanctions),294 insofar as it requires every country to prepare for violations of the provisions of its national law. The State must be able to impose criminal or other penalties, and these should be envisaged together with appropriate individual remedies.

That requirement was developed further by Convention 108, which requires each party to establish appropriate sanctions and remedies for violations of the provisions of domestic law giving effect to the basic principles for data protection "set out in this chapter" (i.e. the Convention's chapter on basic principles).295

Specifically within the EU framework, two norms are of interest. First, EU Directive 95/46/EC provides that Member States "shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive".296

Second, under the Data Retention Directive, it is for the national courts to refuse permission to access retained data. Nonetheless, the procedures and conditions for obtaining that permission, remedying the damage or punishing the violator will vary because of the different domestic laws of the Member States.297

As a step towards reciprocity, the US must explore the most appropriate mechanisms to extend at least the legal protection afforded to persons within the US to global citizens outside the US as well, in order to provide an effective legal redress mechanism for global citizens whose data has been held or accessed by US authorities and companies.

Most importantly, this concerns reparation for victims whose rights have been violated by US entities, especially US public authorities such as the National Security Agency or the National Intelligence Agency.

294 UN. A/RES/45/95. 1990, part A.

295 Council of Europe. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). 1981, Article 10.

296 EU. Directive 95/46/EC. 1995, Article 24.

297 EU. Directive 2006/24/EC. 2006, Article 9.


In the relationship between the EU and the US, the Safe Harbor Decision provides a procedure for individual remedies, arising from the wish to comply with EU Directive 95/46/EC on the protection of personal data.298 The Safe Harbor procedures were developed to prevent accidental information disclosure or loss. EU and US private organizations can opt into the program as long as they provide effective redress measures.

A corporation registered under Safe Harbor must prepare:

- follow-up procedures, conducted either by self-assessment or outside compliance review, verifying that what the safe harbor company claims about its privacy practices is accurate and in place;299 and

- methods to fix problems and, for violations, sanctions with teeth.300

There are two ways a safe harbor company can build this machinery:301

- buy a prepackaged privacy enforcement program that incorporates the safe harbor principles, or

- submit to legal/regulatory supervisory authorities, such as the European data protection authorities (DPAs), that have dispute-resolution machinery already in place.

The enforcement principle requires organizations to have effective means of enforcing the Safe Harbor rules. In order to ensure compliance with the safe harbor provisions, there must be obligations to remedy problems arising out of a failure to comply with the principles.

Sanctions must be sufficiently rigorous to ensure compliance by the organization.302 A Safe Harbor organization must employ data protection officers or an agency to investigate individuals' complaints and disputes so that they can be resolved, with sanctions and compensation where appropriate.303 Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants, and safe harbor benefits will no longer be assured.

298 U.S. Department of Commerce. Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks, 9 Oct. 2015.

299 EU-US. Safe Harbor Agreement. 1998, Annex II, FAQ 7, at 16. For detail on how self-assessment works, see id. Annex II, FAQ 7, pp. 16–17.

300 Ibid, Annex I, at 12. On EU data processing dispute resolution procedures generally, albeit not in the safe harbor context.

301 Ibid, Annex II, FAQ 5 and 11, pp. 14, 21.

302 EU Commission. 2000/520/EC. 2000, Annex 1, Safe Harbor Principles.

The complexities of implementing the Safe Harbor Agreement discussed above can obscure the fact that, procedurally, safe harbor status is amazingly easy to get.304 All a company need do is log onto the Department of Commerce website and fill out a one-page form, or send a letter self-certifying that it has adequate procedures and protections up and running.305 This self-certification requires only basic details to be disclosed, but SMEs and start-up businesses may find it hard to follow, since they may not yet have systems in place to support a data protection policy.306 Because of the red tape the Agreement places in front of cross-border data transfers, some SMEs may lose the opportunity to access the EU market; and if they do prepare for accession, the transaction costs and the cost of setting up such systems may make them less competitive compared with multinational corporations.

Member States that export personal data across national borders may also not comprehend the ubiquity of trans-border data flows: for example, in a study by the European Commission published in 2008, only a small percentage (10%) of data controllers stated that their companies transferred personal data outside the European Union,307 a figure that must be too low given the widespread use by companies of e-mail and the Internet.

In addition, rules on applicable law and jurisdiction with regard to data protection and privacy law are notoriously unclear,308 which can create problems in particular for individuals, who often may not be able to determine which law applies to the processing of their personal data, or to which national regulatory authorities they may turn if a problem arises.

303 Ibid.

304 Bender, David and Larry Ponemon. "Binding Corporate Rules for Cross-Border Data Transfer." Rutgers JL & Urb. Pol'y, vol. 3, 2006, p. 154.

305 EU-US. Safe Harbor Agreement. 1998, Annex II, FAQ 6, p. 15.

306 Dowling Jr, Donald C. "International Data Protection and Privacy Law." Practising Law Institute treatise International Corporate Practice, 2009, p. 15.

307 European Commission. Data Protection in the European Union: Citizens' Perceptions. Analytical Report, 2008, p. 7.

308 European Commission. "Comparative Study on Different Approaches to New Privacy Challenges in Particular in the Light of Technological Developments." Final Report, 2010, p. 24.

Despite the large number of laws regulating trans-border data flows, it is questionable how widely such regulation is enforced because 'many unauthorised and possibly illegal transfers are being made to destinations or recipients not guaranteeing adequate protection. Yet there is little or no sign of enforcement action by the supervisory authorities'.309 The fact that some of the largest economies in the world (such as China and Japan) have not been the subject of a formal EU adequacy decision means that there must be substantial non-compliance at least with regard to data flows from the EU to those countries.310

2.3. Failures due to Limitations of the US Domestic System relating to Personal Data