Cross-border privacy enforcement

Cross-border privacy enforcement (국제적인 개인정보보호의 시행) means the cooperative enforcement practices of data protection and privacy rules among contracting states.

The Personal Information Protection Act sets out the government's responsibility for international cooperation and the requirements on personal information processors relating to transborder data flow.

The Korean government and government agencies including the Korea Internet Security Agency (KISA) have actively participated in the international arrangements for cross-border enforcement of privacy laws.

Key words
trans-border data flow (TBDF), cross-border enforcement, privacy rule, BCRs

Cross-border Cooperation in the Privacy Enforcement
Here are some examples of why cross-border cooperation in privacy enforcement is necessary:
 * Data processing in a third country such as operation of call centers is on the increase and in need of on-site inspection;
 * Standard contractual clauses are included in the increasing number of international contracts for data processing and other transactions;
 * The European Union allows transborder data flow subject to the Data Protection Directive (Directive 95/46/EC) only when the data protection standard of a third country is adequate. The application of the Israeli government was shelved because its government agency was suspected of being involved in the forgery of passports issued by the United Kingdom and Ireland;
 * Between the EU member states and the United States, transborder data flow has been governed by the Safe Harbor Principles;
 * The EU has implemented the Binding Corporate Rules (BCRs) for multinational corporations operating in and out of its territory; and
 * The U.S. Department of Homeland Security demands passenger name records (PNR) from airlines prior to their arrival in the United States.

International Efforts to Enhance Cross-border Privacy Enforcement
The Asia Pacific Economic Cooperation (APEC) has been actively engaged in establishing the Cross-Border Privacy Rule (CBPR). In endorsing the APEC Privacy Framework in 2004, APEC leaders recognised the importance of developing effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the APEC region. In addition, in 2007, APEC economies endorsed a ‘pathfinder’ for international implementation of the APEC Privacy Framework.

The APEC Cross-border Privacy Enforcement Arrangement (CPEA) has created a framework for regional cooperation in the enforcement of privacy laws.

Current Issues

 * Who is responsible for what?
 * - During the past few years, customers' data were leaked or transferred from Swiss and Liechtenstein private banks to outside tax authorities. In 2008, Liechtenstein's LGT Group disclosed that the data were stolen from its subsidiary, LGT Treuhand, by a former employee who sold confidential banking customer details to foreign authorities. The LGT bank was ordered by a court to pay a German client compensation for not warning him of the data theft earlier.
 * - When Google announced the launch of its own social networking service, Google Buzz, based upon the Gmail users' database, data protection authorities of 10 states pointed out that the use of Gmail customers' information without the consent of users is illegal, and urged that Google Buzz services be conducted in observance of the data protection regime of each country.
 * - In 2007, at the recommendation of the OECD, the U.S. Federal Trade Commission (FTC) took the initiative to establish the Global Privacy Enforcement Network (GPEN) with eight states.


 * The International Conference of Data Protection and Privacy Commissioners adopted the Madrid Privacy Declaration on November 3, 2009, which calls for the establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions.


 * Here is a list of privacy issues that have been discussed worldwide:
 * - The OECD and APEC agreed to take measures to cooperate with each other on data protection.
 * - Data breach notification is mandatory in an increasing number of countries. For instance, the EU e-Privacy Directive (Directive 2002/58/EC) has been revised to urge member states to legislate the Directive expeditiously. Germany and Austria have already implemented such notification.
 * - Data protection standards might be approved by the International Standardization Organization (ISO).
 * - Data protection infrastructure needs to be set up for the sites of cloud computing, social networking services (SNS), etc.
 * - A Privacy Impact Assessment (PIA) could be required when adopting embedded RFID and other privacy-sensitive technologies.