Abstract
Transnational data processing and the protection of data subjects between international private law and the perspective of common principles of private law given at international level
Among the most problematic current issues in the protection of personal data are the transnational processing of personal data and cross-border flows of personal data. This is a consequence of the massive use of the Internet for commercial relationships, which are often transnational, and of the development of new information and communication technologies, such as cloud computing, big data and the Internet of Things, that imply the transnational processing of personal data and their transfer abroad. The legal regulation of these situations comes from the dir. EC/95/46 and will soon come from the Reg. (EU) 2016/679, which incorporates some important decisions of the ECJ on the abovementioned topics. The new Reg. (EU) 2016/679 does not ground the application of the European protection of personal data on the fact that the processing takes place in Europe, as was the case under the EU dir. 95/46, but on the fact that the offering of goods and services is directed to subjects settled in Europe or whose behaviour is monitored in Europe. The cross-border flow of personal data is grounded on the principle of adequacy of the protection of personal data in the specific foreign country and on its recognition by the European Commission through its adequacy decisions. Furthermore, the cross-border flow can also be lawful under appropriate safeguards provided by the controller or the processor.
Despite the forthcoming implementation of the new Reg. (EU) 2016/679, awareness is growing at the international level, within European and international Conferences of the Data Protection Authorities, that an effective solution for the protection of personal data can only be based upon regulation that is established at the same international level and structured in international principles and rules. In fact, several initiatives are under way towards that objective: the revision of the Council of Europe Convention n. 108, the OCSE Guidelines, the APEC Privacy Framework for the Asian-Pacific area, and the UNCTAD Core Principles about some worldwide common core principles on data protection. The Reg. (EU) 2016/679 itself offers a set of rules which have also been conceived as a proposal for the elaboration of a common instrument for privacy protection at the international level. This ongoing process shows an interesting and important development for the protection of personal data, moving from rules of international private law (which are also the rules of the Reg. (EU) 2016/679 governing the transnational processing of personal data and their cross-border transfers) towards principles and rules of substantive private law, created at the international level, that protect data.