Adequate Level of Data Protection and ADR in Cross-border Data Disputes — International Trade Law Perspective

Chinese Taipei - 31 October 2023

Trade topics: Trade Dispute Settlement Systems, Data Protection, International Trade

Regulatory measures on cross-border data flows are essential to personal data protection laws. The General Data Protection Regulation (“GDPR”) of the European Union (“EU”) is one of such influential personal data protection regimes, which has become a model and has been adopted by many countries. The GDPR aims to ensure the protection of natural persons regarding the processing of personal data. To protect personal data outside the EU, the GDPR provides certain safeguards for its movement across the EU border. Under the GDPR, the European Commission can make a finding that a third country ensures an adequate level of protection, and the transfer of personal information to that country does not require specific authorization (“the adequacy approach”). Adequacy decisions are critical for the operation of digital trade, considering the costs and uncertainty associated with other conditions of cross-border transfer of personal data. Many countries have adopted the adequacy approach. The approach, however, creates serious trade concerns of trade barriers, discrimination, and necessity issues. While the costs of the adequacy mechanism to the free flow of data are concrete, it is questionable whether the adequacy approach would provide adequate protection for data subjects who would like to exercise their rights of data protection abroad, even in a country with adequacy status once disputes regarding the subject’s data arise. This paper argues that the adequacy approach should be improved by adopting effective ADR mechanisms, including arbitration. Adopting an effective data dispute ADR mechanism would mean that the adequacy approach could be relaxed to reduce trade concerns.