Thursday, April 4, 2019

Development of Electronic Data Flows

1. Introduction

The current development of the flow of electronic data, especially data relating to persons and crossing national borders, is increasing daily. Most of these flows are related to business activities in which services are provided to fulfil the needs of people. This also leads to the transformation of commerce, which becomes worldwide and increasingly international. The transfer of huge quantities of data relating to customers and employees is required, and often occurs, among entities located in different countries. An example is outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing a database of human resources or customers. This can often result in improved efficiency and better levels of service. Further, the advancement of global networks such as the internet provides the possibility to collect, process, and distribute personal data on an unprecedented scale.

However, the trans-border flow of personal data is not only performed by companies or governments but is also conducted by individuals in everyday life. When the data is used by companies or governments, this can represent a high volume of data, such as the transfer of entire databases.
There will be a quite different volume of data when it is provided by individuals who disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services.

Additionally, there is a strong possibility that individuals who engage in data transfer activities lack full awareness of what could be done with their personal data. In some instances, they do not realize that they have disclosed their personal data and that it is subject to transmission and processing within countries not offering the same level of protection as their own country. For example, a student physically located in the Netherlands may complete an online game registration form, containing several fields soliciting his/her identity, not knowing that the actual service provider is registered in India. In another example, a social worker residing within the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States.

From the short description above, the trans-border flow of personal data exists in everyday life on a daily basis and has become a vital need of every stakeholder, whether governments or the private sector, including individuals. Nevertheless, while the flow has led to greater efficiency and economic benefits, on the other hand this kind of flow has also raised concerns that some information could end up in the hands of people for whom it was not intended. Worse still is the situation when no one has realized that the flow has taken place, spawning a great opportunity for infringement upon one's privacy rights.
Some rules concerning privacy and data protection have been set up at national, regional, and international levels to guarantee that privacy, as one of the human rights, is not harmed by any activity, including data processing as the final purpose of a trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner.

In this respect, a legal framework on the trans-border flow of personal data has been enacted in the European Union under two directives. The first one is Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been further complemented by the second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant, and therefore Directive 2002/58/EC will be referred to only when necessary. It should be noted that whenever the term "the Directive" is used in this thesis, the term refers to Directive 95/46/EC.

Under the Directive, a main rule concerning the trans-border flow of personal data has been set up. This includes the obligations of data controllers to use personal data for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and in particular cases to notify the competent independent supervisory body before carrying out all or certain types of data processing operations.
On the other hand, there is a series of rights for individuals as data subjects, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing.

Nevertheless, the exercise of these rights and obligations presents a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (the EU/EEA) Member States to countries outside the EU/EEA, for the reason that the Directive requires an adequate level of protection in the destination countries. The transfer of personal data to a third country is restricted when the third country does not have an adequate level of protection to ensure that the processing of personal data will not cause any violation of the rights of data subjects.

The binding power of the Directive on the EU/EEA Member States requires each of the Member States to embed the provisions of the Directive into its national legal system. Thus, there is a free zone where the trans-border flow of personal data can take place freely among the Member States, because they all provide the adequate level of protection. No approval, additional safeguard, or further requirement is necessary.

As far as public international law is concerned, by applying the extra-territoriality principle, the requirement of adequacy is automatically fulfilled at the official representations of the EU/EEA Member States in the third country, such as an Embassy or Consulate General, because of the extended jurisdiction of the Member States. However, this principle does not extend to the private sector, since subsidiary offices of multinational companies still have to abide by the national law of the third country even though the headquarters of the company is located in an EU/EEA Member State.
In this case, the adequate level of protection is still required even though the transfer is conducted internally among the subsidiaries of the company located in third countries.

Currently, the EC has conducted some adequacy findings and has compiled a white list of countries providing an adequate level of protection. This approval means the trans-border flow of personal data can take place as in the free zone between the EU/EEA Member States. However, to date, the white list covers a limited number of countries, seven to be exact. This list might not prove adequate from the point of view of multinational companies in accommodating their interests, as it does not include many countries of growing commercial interest.

From this point of view, there is a need to harmonize the various privacy and data protection regulations of many countries through the establishment of an internationally consistent legal framework for privacy and data protection. Unfortunately, such an establishment will take considerable effort and time, while a fast solution is needed. Considering that the Directive is thus far the strictest legal framework compared with other existing legal frameworks on privacy and data protection, there is obviously a need for countries outside the EU/EEA Member States to improve their legal frameworks to comply with the adequate level of protection requirement under the Directive.

Since Indonesia is neither a Member State of the EU/EEA nor included in the white list of adequacy findings, the requirement of an adequate level of protection applies to Indonesia as a third country. The trans-border flow of personal data can only take place after the data controller is certain that the level of protection of personal data in Indonesia is adequate under the Directive.
Apparently, Indonesia needs to examine whether or not its legal framework provides an adequate level of protection.

Moreover, Indonesia as a Member Economy of the Asia-Pacific Economic Cooperation (APEC) has come under pressure to provide a sufficient level of protection for the trans-border flow of personal data, in relation to the existence of the APEC Privacy Framework. This pressure has become heavier because of Indonesia's position as a Member State of the Association of South East Asian Nations (ASEAN). Therefore, the main objective of this thesis is to analyze how Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC.

Conducting this examination is important in determining ways in which Indonesia might be developed into an attractive destination country for international commerce activities. In order to achieve the objective of this thesis, three research questions have to be answered. Firstly, why Directive 95/46/EC is currently acknowledged as the strictest legal instrument concerning privacy and data protection in conducting the trans-border flow of personal data, compared with other existing legal instruments. Secondly, how the European Commission determines the adequate level of protection in the third country in question under Directive 95/46/EC. Thirdly, to what extent the legal framework of data protection in Indonesia measures up to the adequate level of protection under Directive 95/46/EC.

In line with the effort to answer the first research question, this thesis will try to identify any possibility for improvement of the current adequacy decision system. Hence, a balanced accommodation might be obtained and maintained between the party that requires the adequate level of protection and the party that has to fulfil it.

This thesis will be structured as follows. The first chapter is the introduction, in which the objective of this thesis is explained.
In the second chapter, there will be a brief comparison between the Directive and other legal instruments concerning privacy and data protection. Afterwards, some explanation of the requirement of an adequate level of protection in the light of the Directive will be provided, including the measures to be used in conducting the adequacy finding, and the chapter will explore any possible solution if there is no adequate level of protection in the third country in question. Further, this chapter will cover the current problems within the Directive as well as possible suggestions to overcome them, thus answering the first and second research questions.

In the third chapter, relevant issues surrounding the Indonesian legal framework will be discussed, including a brief explanation of how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so.

The findings of the second and third chapters shall be used to carry out the examination in the fourth chapter, whose objective is to answer the third research question. That chapter serves to assess the adequate level of protection of the Indonesian legal framework by applying the measures in the light of the Directive. The analysis will include various potential problems faced by Indonesia in its effort to improve the protection of personal data, along with several suggestions on how to overcome them. At the final stage, there will be a conclusion on the extent to which Indonesia can be deemed to provide an adequate level of protection. As a result, a solution on how Indonesia might improve its legal framework under the Directive, to both avoid a lack of protection and offer an adequate level of protection, will be achieved.

2. The EU Legal Framework Governing the Trans-border Flow of Personal Data

The trans-border flow of personal data is stipulated by regulations concerning data protection.
Since the early eighties, several regulations, drawn up by different organizations, have been published in this respect.

The first initiative was taken by the Organisation for Economic Co-operation and Development (OECD) by establishing the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent conflicts between national laws which could hamper the free flow of personal data between the OECD Member States. This establishment brought an awareness of the importance of protecting the trans-border flow of personal data.

A similar purpose to that of the OECD Guidelines brought the Member States of the Council of Europe (the CoE) to publish a rule on the matter in the following year. They agreed that it was necessary to reconcile the fundamental values of respect for privacy and the free flow of information between them. The agreement is stated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), whose purpose is to take into account the right to privacy and the increasing flow of personal data across frontiers in the context of automatic processing, as a way to extend the safeguards for everyone's rights and fundamental freedoms.

In 1990, considering that the UN has more Member States than the OECD and the CoE, the Guidelines concerning Computerized Personal Data Files (the UN Guidelines) were established as a way to have the principles of privacy and data protection implemented more widely among countries. The UN General Assembly, through Resolution No. A/RES/45/95 of 14 December 1990, requests the Governments of all Member States to take these Guidelines into account in their legislation. Further, governmental, intergovernmental, and non-governmental organizations are also requested to respect the Guidelines in carrying out the activities within their field of competence.

Nonetheless, the OECD Guidelines, the CETS No. 108, and the UN Guidelines still have some weaknesses. There are some principles of data protection which are required to be embedded in the national laws of each of the Member States, but there are no means for ensuring their effective application. For example, there is no supervisory authority provision in the CETS No. 108 and there is a lack of procedural clauses in the OECD Guidelines. In another respect, concerning the binding power of the instruments, the OECD Guidelines are only voluntarily binding on the Member States, as are the UN Guidelines, even though the UN Guidelines contain supervision and sanction provisions. Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data was established by the European Union (the EU) to overcome the limited effect of the two sets of Guidelines and the Convention mentioned above. A good level of compliance, support and help to individual data subjects, and appropriate redress to injured parties are the means used by the Directive for ensuring the effective application of the content of the rules.

Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, the CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles, except that the lawfulness, fairness, and non-discrimination principles come from the UN Guidelines, and the special categories of data and additional safeguards for the data subject principles come from the CETS No. 108. The remaining shared principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Further, the aims of the Directive can be seen from two perspectives.
The first is the economic perspective, in relation to the establishment and functioning of an internal market in which the free movement of goods, persons, services, and capital, including the free movement of personal data, is ensured. The second is the fundamental rights perspective, in which the rules for a high level of data protection are set to ensure the protection of the fundamental rights of individuals.

The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by the Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure there are no barriers to information flows among the APEC Member Economies by promoting a consistent approach to data protection. There are nine principles in the Framework, built on the basis of the OECD Guidelines. In brief, the nine principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. However, this Framework has the same weakness as the legal instruments on privacy and data protection that preceded the Directive, which is the absence of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum established on a voluntary basis, without any constitution or legally binding obligations for the Member Economies. Hence, the Framework is not binding on the Member Economies.

From the brief analysis above, the Directive currently possesses the highest level of protection compared with other existing legal instruments on privacy and data protection.
In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive.

Therefore, in the next section, there will be an explanation of the legal bases of the trans-border flow of personal data to third countries under the Directive, followed by an explanation of how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of the rules will be elaborated upon, together with a description of the series of possibilities available if the third country in question is not deemed to provide an adequate level of protection. Although the Directive currently provides a high level of protection, some problems and suggestions will be discussed as input for improvement. The findings of this chapter will be used to carry out the adequacy finding of Indonesia as a third country (in the fourth chapter) by comparing them with the findings on the Indonesian legal framework in chapter three.

2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries

For the trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in conformity with the national data protection law of the EU/EEA Member States. This law is applicable to data controllers established in the EU, both at the time when data is being collected and when it is processed. In general, the law consists of a combination of the obligations of data controllers and the rights of data subjects.

Before the establishment of the Directive, these rights and obligations were regulated under various national data protection laws with different levels of protection.
In the light of the functioning of the internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in case of a trans-border flow of personal data to a third country, are regulated in the Directive. Because the Directive is legally binding on the EU/EEA Member States, an adequate level of protection is fulfilled among them and consequently the trans-border flow of personal data is able to take place between them. Further, when the personal data is used for electronic communication purposes, the rights and obligations laid down in Directive 2002/58/EC apply.

There are three possible types of transfer under the Directive. The first and second types are a communication of personal data by a data controller based in an EU/EEA Member State to another data controller or to a processor based in a third country. The third type is a communication of personal data by a data subject based in an EU/EEA Member State to a data controller based in a third country. Nevertheless, it should be noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union.

The main provision in the Directive concerning the trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. From this provision, it is necessary to explain further both the transfer of personal data and the adequate level of protection.

First, what the Directive means by the transfer of personal data. Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail.
Seen from a different perspective, the situation where one conducts a certain activity with the purpose of making data available to others, besides the owner of the data (the data subject), who are located in another country is also included in the trans-border flow of personal data.

However, making data accessible to everyone who connects to the internet by uploading personal data on web pages, even though a given reader is located in another country, is not included in the meaning of transfer of personal data to another country. The reason is that this kind of activity is properly acknowledged as a publishing activity, not a transferring activity. This exception is stated clearly by the Court of Justice in the Bodil Lindqvist case (Case C-101/01): there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page, making those data accessible to anyone who connects to the internet, including people in a third country.

Subsequently, since the Directive is binding on the 27 EU Member States and on three further countries (Norway, Liechtenstein, and Iceland) which are bound by the Directive by virtue of the European Economic Area (EEA) agreement, personal data can flow freely among them. In other words, there is a free zone among the EU/EEA Member States. Therefore, a transfer in the light of the Directive has to be seen as a transfer of personal data from the EU/EEA Member States to other countries outside the EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed.

There is a so-called white list of countries which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive.
Currently, the list consists of seven countries, as follows: Argentina, Canada (limited to private sector data), Switzerland, the United States (Safe Harbor and a specific type of transfer, Passenger Name Record/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy should be studied more carefully, because once a country is listed in the white list it does not automatically mean that personal data can flow to that country freely. One should pay attention to whether the affirmation is given for the whole legal framework or only for a certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer.

Even where the result of an adequacy finding shows that the data protection level in a certain country is not adequate, the EC will not issue a black list for that negative finding because of the political consequences. Instead of a black list, the EC tends to enter into negotiation with the country concerned in order to find a solution. It can be concluded from the foregoing that an adequacy finding is temporary and subject to review.

Procedure of the Adequacy Finding

In adopting an adequacy finding, the EC has to follow a certain procedure, which is determined in Article 25 Paragraph (6) of the Directive and is known as comitology. At first, there is a proposal from the EC, followed by an opinion from the Article 29 Working Party and an opinion from the Article 31 Management Committee, which needs to be delivered by a qualified majority of the Member States. Afterwards, the EC submits the proposed finding to the European Parliament (EP), which examines whether the EC has used its executing powers correctly and comes up with a recommendation if necessary. As a final point, the EC can then formally issue the result of the adequacy finding. In the next section, the measures used by the EC in conducting the finding will be explained in detail.

3. Assessing the Adequate Level of Protection

The Article 29 Working Party has given a clear statement that any meaningful analysis of adequate protection must comprise two basic elements: the content of the rules applicable and the means for ensuring their effective application.

According to Working Document WP 12 of the Article 29 Working Party, the set of content principles that should be embodied in the existing regulations are the following:

Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if this is compatible with the purpose of the transfer.

Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date.

Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country, and other information necessary to ensure fairness.

Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing.

Rights of access, rectification and opposition: the data subject should have the right to obtain a copy of all data relating to him/her that are processed, to obtain rectification of those data that are shown to be inaccurate, and to be able to object to the processing of the data.

Restrictions on onward transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer are only permitted if the second recipient provides an adequate level of protection.

In addition to these content principles, a set of means for ensuring the effective application of the principles, whether judicial or non-judicial, is required in order to fulfil the following objectives:

Good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measures by which the compliance level is examined, including direct verification by authorities, auditors, or independent data protection officials.

Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. An institutional mechanism is needed to conduct independent investigation of complaints.

Appropriate redress to the injured parties: where the rules are not complied with, redress to the injured party through independent adjudication or arbitration is provided, including compensation and the imposition of sanctions.

Beyond the content principles, some additional principles still need to be considered when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved and a right to opt out when data are processed for direct marketing purposes should be in place. Another principle is the right of the data subject not to be subject to an automated individual decision intended to evaluate certain personal aspects, where that decision produces legal effects or has a significant effect on the data subject.

These content principles, including the additional principles, and the means for ensuring their effectiveness should be viewed as the minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases there are two possibilities: there may be a need to add further requirements to the list, or to reduce it.

To determine whether some requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject is an important factor.
The Article 29 Working Party has provided a list of categories of transfer which pose particular risks to privacy, as mentioned below:

Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive

Transfers which carry the risk of financial loss (e.g., credit card payments over the internet)

Transfers carrying a risk to personal safety

Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc.)

Transfers which carry a risk of serious embarrassment or tarnishing of an individual's reputation

Transfers which may result in specific actions which constitute a significant intrusion into an individual's private life (e.g., unsolicited telephone calls)

Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.)

Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies)

To sum up, the circumstances that should be taken into account when assessing adequacy in a specific case are:

the nature of the data

the purpose and duration of the proposed processing operations

the country of origin and the country of final destination

the rules of law, both general and sectoral, in force in the country in question

the professional rules and the security measures which are complied with in that country.

Self-regulation

From the circumstances referred to in Article 25 Paragraph 2 of the Directive, it can be seen that the assessment of the adequate level of protection is conducted according to the rules of law as well as the professional rules and the security measures.
In other words, it has to be examined from a self-regulation perspective as well.The Article 29 Working Party presents a broad meaning of self-regulation asany set of data protection rules applying to a plurality of the data controllers from the sam e profession or exertion sector, the content of which has been determined originally by members of the industry or profession concerned.This wide definition offers the possibility to on the one hand a voluntary data protection code developed by a small industry tie-up with only a few members and on the other hand a set of codes of professional ethical motive with quasi judicial force for a certain profession, such as doctors or bankers.Still, one should bear in mind, to be considered as an appropriate legal instrument to be analyzed, it has to have binding power to its members and has to provide adequate safeguards if the personal data are transferred again to non-member entities. ObDevelopment of Electronic Data FlowsDevelopment of Electronic Data Flows1. IntroductionThe current development on the flow of electronic data, especially those relating to personal data across nations is increasing daily. Most of the flows are related to business activities whereas services are provid ed to fulfill the needs of people. It also leads to the transformation of commerce, which becomes worldwide and increasingly international. The transfer of huge quantities of data, relating to customers and employees, are required and often occurred among entities that located in different countries. An example would be the system of outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing database of human resources or customers. This can often result in improved efficiencies and levels of services. 
Further, the advancement of global networks such as the internet provides the possibility to collect, process, and distribute personal data on an unprecedented scale.

However, the trans-border flow of personal data is not only performed by companies or governments; it is also conducted by individuals in everyday life. When data is used by companies or governments, this can represent a high volume of data, for instance in the form of the transfer of databases. The volume is quite different when data is provided by individuals who disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services.

Additionally, there is a strong possibility that individuals engaging in data transfer activities lack full awareness of what could be done with their personal data. In some instances, they do not realize that they have disclosed their personal data and that it is subject to transmission and processing in countries not offering the same level of protection as their own. For example, a student physically located in the Netherlands may complete an online game registration form containing several fields soliciting his/her identity, not knowing that the actual service provider is registered in India. As another example, a social worker residing in the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States.

From the short description above, the trans-border flow of personal data exists in everyday life on a daily basis, and it has become a vital need of every stakeholder, whether governments or private sectors, including individuals.
Nevertheless, while the flow has led to greater efficiencies and economic benefits, it has also raised concerns that some information could end up in the hands of people for whom it was not intended. Worse still is the situation in which no one has realized that the flow has taken place, which creates a great opportunity for infringement upon one's privacy rights.

Some rules concerning privacy and data protection have been set up at national, regional, and international levels to guarantee that privacy, as one of the human rights, is not harmed by any activity, including data processing as the final purpose of a trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner.

In this respect, a legal framework on the trans-border flow of personal data has been enacted in Europe by the European Commission (EC) under two directives. The first is Directive 95/46/EC concerning the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been complemented by a second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant; Directive 2002/58/EC will therefore be referred to only when necessary. It should be noted that whenever the term "the Directive" is used in this thesis, it refers to Directive 95/46/EC.

Under the Directive, a set of main rules concerning the trans-border flow of personal data has been set up.
These include the obligations of the data controller to use personal data only for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and, in specific cases, to notify the competent independent supervisory body before carrying out all or certain types of data processing operations. On the other hand, there is a series of rights for individuals as data subjects, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing.

Nevertheless, the practice of these rights and obligations presents a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (EU/EEA) Member States to countries outside the EU/EEA, because the Directive requires an adequate level of protection in the destination countries. The transfer of personal data to a third country is prohibited when that country does not have an adequate level of protection ensuring that the processing of personal data will not violate the rights of data subjects.

The binding power of the Directive on the EU/EEA Member States requires each Member State to embed the provisions of the Directive in its national legal system. Thus, there is a free zone in which the trans-border flow of personal data can take place freely among the Member States, because they all provide the adequate level of protection.
No approval, adequate safeguard, or additional requirement is necessary to any further extent.

As far as public international law is concerned, by applying the extra-territoriality principle, the requirement of adequacy is automatically fulfilled at the official representations of the EU/EEA Member States in a third country, such as an Embassy or Consulate General, because of the extended jurisdiction of the Member States. However, this principle does not extend to the private sector: subsidiary offices of multinational companies still have to abide by the national law of the third country, even though the company's base of operations is located in an EU/EEA Member State. In this case, the adequate level of protection is still required even when the transfer is conducted internally among the subsidiaries of the company located in third countries.

Currently, the EC has conducted some adequacy findings and has compiled a white list of countries providing an adequate level of protection. This approval means that the trans-border flow of personal data can take place as it does in the free zone between the EU/EEA Member States. However, to date, the white list covers a limited number of countries, seven to be exact. This list might not prove sufficient from the point of view of multinational companies in accommodating their interests, as it does not include many countries of growing commercial interest.

From this point of view, there is a need to harmonize the various privacy and data protection regulations in many countries through the establishment of an internationally congruent legal framework for privacy and data protection. Unfortunately, such an establishment will take effort and time, while a fast solution is needed.
Considering that the Directive is thus far the strictest legal framework compared with other existing legal frameworks on privacy and data protection, there is obviously a need for countries outside the EU/EEA Member States to improve their legal frameworks to comply with the adequate level of protection requirement under the Directive.

Since Indonesia is neither a Member State of the EU/EEA nor included in the white list of adequacy findings, the requirement of an adequate level of protection applies to Indonesia as a third country. The trans-border flow of personal data can only take place after the data controller is certain that the level of protection of personal data in Indonesia is adequate under the Directive. Apparently, Indonesia needs to examine critically whether or not its legal framework provides an adequate level of protection.

Moreover, Indonesia as a Member State of the Asia-Pacific Economic Cooperation (APEC) has come under pressure to provide a sufficient level of protection for the trans-border flow of personal data, in relation to the existence of the APEC Privacy Framework. This pressure has become heavier because of Indonesia's position as a Member State of the Association of South East Asian Nations (ASEAN). Therefore, the main objective of this thesis is to examine how Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC.

Conducting this examination is important in determining ways in which Indonesia might develop into an attractive destination country for international commerce activities. In order to meet the objective of this thesis, three research questions have to be answered. First, why is Directive 95/46/EC currently acknowledged as the strictest legal instrument concerning privacy and data protection for conducting the trans-border flow of personal data, compared with other existing legal instruments?
Second, how does the European Commission determine the adequate level of protection in the third country in question under Directive 95/46/EC? Third, to what extent does the legal framework of data protection in Indonesia measure up to the adequate level of protection under Directive 95/46/EC?

In line with the effort to answer the first research question, this thesis will also try to identify possibilities for improvement of the current adequacy finding system. Hence, a balanced accommodation might be obtained and maintained between the party that requires the adequate level of protection and the party that has to fulfill it.

This thesis is structured as follows. The first chapter is the introduction, in which the objective of this thesis is explained. The second chapter provides a brief comparison between the Directive and other legal instruments concerning privacy and data protection. Afterwards, the requirement of an adequate level of protection in the light of the Directive is explained, including the measurements to be used in conducting the adequacy finding, and possible solutions are explored for the case in which there is no adequate level of protection in the third country in question. Further, this chapter covers the current problems within the Directive as well as possible suggestions to overcome them, thus answering the first and second research questions.

In the third chapter, relevant issues surrounding the Indonesian legal framework are discussed, including a brief explanation of how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so.

The findings of the second and third chapters are employed to carry out the examination in the fourth chapter, whose objective is to answer the third research question. That chapter analyzes the adequate level of protection of the Indonesian legal framework by applying the measurements in the light of the Directive.
The analysis includes various potential problems faced by Indonesia in its effort to improve the protection of personal data, along with several suggestions on how to overcome them. At the final stage, a conclusion is drawn on the extent to which Indonesia can be deemed to provide an adequate level of protection. As a result, a solution is reached on how Indonesia might improve its legal framework under the Directive, both to avoid a lack of protection and to offer an adequate level of protection.

2. The EU Legal Framework regarding Trans-border Flow of Personal Data

The trans-border flow of personal data is stipulated by regulations concerning data protection. Since the early eighties, several regulations, drawn up by different organizations, have been published in this respect.

The first initiative was taken by the Organization for Economic Co-operation and Development (OECD) by establishing the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent conflicts between national laws which could hamper the free flow of personal data between the OECD Member States. This establishment brought an awareness of the importance of protecting the trans-border flow of personal data.

A purpose similar to that of the OECD Guidelines led the Member States of the Council of Europe (the CoE) to publish a convention on their interests in the following year. They agreed that it was necessary to reconcile the fundamental value of respect for privacy with the free flow of information between them. The agreement is stated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), whose purpose is to take into account the right to privacy and the increasing flow across frontiers of personal data undergoing automatic processing, as a way to extend the safeguards for everyone's rights and fundamental freedoms.

In 1990, considering that the UN has more Member States than the OECD and the CoE, the Guidelines concerning Computerized Personal Data Files (the UN Guidelines) were established as a way to have the principles of privacy and data protection implemented more widely among countries. The UN General Assembly, through Resolution No. A/RES/45/95 of 14 December 1990, requests the Governments of every Member State to take these Guidelines into account in their legislation. Further, governmental, intergovernmental, and non-governmental organizations are also requested to respect the Guidelines in carrying out the activities within their field of competence.

Nonetheless, the OECD Guidelines, CETS No. 108, and the UN Guidelines still have some weaknesses. There are principles of data protection which are required to be embedded in the national laws of each Member State, but there is no means of ensuring their effective application. For example, there is no supervisory authority provision in CETS No. 108, and there is a lack of procedural clauses in the OECD Guidelines. In another respect, concerning the binding power of the instruments, the OECD Guidelines are only voluntarily binding on the Member States, as are the UN Guidelines, even though the UN Guidelines have supervision and sanction provisions.

Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data was established by the European Union (the EU) to overcome the limited effect of the two Guidelines and the Convention mentioned above.
A good level of compliance, support and help to individual data subjects, and appropriate redress to injured parties are the means used by the Directive to ensure the effective application of the content of its rules.

Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles; the lawfulness, fairness, and non-discrimination principles come from the UN Guidelines, and the principles on special categories of data and additional safeguards for the data subject come from CETS No. 108, while the remaining adopted principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Further, the aims of the Directive can be seen from two perspectives. The first is the economic perspective, in relation to the establishment and functioning of an internal market, which is to ensure the free movement of goods, persons, services, and capital, including the free movement of personal data. The second is the fundamental rights perspective, which is to set rules for a high level of data protection in order to protect the fundamental rights of individuals.

The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by the Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure that there are no barriers to information flows among the APEC Member Economies by promoting a consistent approach to data protection. There are nine principles in the Framework, built on the basis of the OECD Guidelines. In brief, the adopted principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability.
However, this Framework has the same weakness as the legal instruments on privacy and data protection that preceded the Directive, namely the absence of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum established on a voluntary basis, without any constitution or legally binding obligations for the Member Economies. Hence, the Framework is not binding on the Member Economies.

From the brief analysis above, the Directive currently possesses the highest level of protection compared with other existing legal instruments on privacy and data protection. In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive.

Therefore, the next section explains the legal bases of the trans-border flow of personal data to third countries under the Directive, followed by an explanation of how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of the rules are elaborated, together with a description of the series of possibilities available if the third country in question is not deemed to provide an adequate level of protection. Although the Directive currently provides a high level of protection, some problems and suggestions are also presented, as input for improvement. The findings of this chapter will be used to carry out the adequacy finding for Indonesia as a third country (in the fourth chapter) by comparison with the findings on the Indonesian legal framework in chapter three.

2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries

For the trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in accordance with the national data protection law of the EU/EEA Member States. That law is applicable to data controllers established in the EU, both at the time when data is collected and when it is processed. In general, the law consists of a combination of the obligations of data controllers and the rights of data subjects.

Before the establishment of the Directive, these rights and obligations were regulated under various national data protection laws with different levels of protection. In the light of the functioning of the internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in case of a trans-border flow of personal data to a third country, are regulated in the Directive. Because the Directive is legally binding on the EU/EEA Member States, an adequate level of protection is fulfilled among them, and consequently the trans-border flow of personal data is able to take place between them. Further, when personal data is used for electronic communication purposes, the rights and obligations laid down in Directive 2002/58/EC apply.

There are three possible types of transfer under the Directive. The first and second types are the communication of personal data by a data controller based in an EU/EEA Member State to another data controller or to a processor based in a third country. The third type is the communication of personal data by a data subject based in an EU/EEA Member State to a data controller based in a third country.
Nevertheless, it should be noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union.

The main provision in the Directive concerning the trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. From this provision, it is necessary to explain further the concepts of the transfer of personal data and of an adequate level of protection.

First, what does the Directive mean by the transfer of personal data? Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. Seen from a different perspective, the situation in which one conducts a certain activity with the purpose of making data available to others, besides the owner of the data (the data subject), who are located in another country is also included as a trans-border flow of personal data.

However, making data accessible to everyone who connects to the internet by uploading personal data onto internet web pages, even though that person is located in another country, is not included in the meaning of a transfer of personal data to another country. The reason is that this kind of activity is properly regarded as publishing, not transferring.
This exception was stated clearly by the Court of Justice in the Bodil Lindqvist case: there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page, making those data accessible to anyone who connects to the internet, including people in a third country.

Subsequently, since the Directive is binding on the 27 EU Member States as well as on three countries (Norway, Liechtenstein, and Iceland) which are bound by the Directive by virtue of the European Economic Area (EEA) agreement, personal data can flow freely among them. In other words, there is a free zone among the EU/EEA member states. Therefore, transfer in the light of the Directive has to be seen as the transfer of personal data from the EU/EEA member states to other countries outside the EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed.

There is a so-called white list of countries which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive. Currently, the list consists of seven countries, as follows: Argentina, Canada (limited to private sector data), Switzerland, the United States (Safe Harbor and the specific type of transfer of Passenger Name Records/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy has to be analyzed carefully, because the listing of a country in the white list does not automatically mean that personal data can flow to that country freely.
One should pay attention to whether the affirmation is given for the entire legal framework or only for a certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer.

Even when the result of an adequacy finding shows that the data protection level in a certain country is not adequate, the EC will not create a black list for that negative finding, because of the political consequences. Instead of a black list, the EC tends to enter into negotiation with the country in question in order to find a solution. It can be concluded from the foregoing that an adequacy finding is temporary and subject to review.

Procedure of the Adequacy Finding

In acknowledging an adequacy finding, the EC has to follow a certain procedure, which has been determined in Article 25 Paragraph (6) of the Directive and is known as comitology. At first, there is a proposal from the EC, followed by an opinion from the Article 29 Working Party and an opinion from the Article 31 Management Committee, which needs to be delivered by a qualified majority of member states. Afterwards, the EC submits the proposed finding to the European Parliament (EP), which examines whether the EC has used its executing powers correctly and comes up with recommendations if necessary. As a final point, the EC can then formally issue the result of the adequacy finding. In the next section, the measurements used by the EC in conducting the finding are explained in detail.

3. Assessing the Adequate Level of Protection

The Article 29 Working Party has given a clear statement that any meaningful analysis of adequate protection must comprise two basic elements: the content of the rules applicable and the means for ensuring their effective application.

According to WP 12 of the European Commission (EC), the set of content principles that should be embodied in the existing regulations is the following:

- Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if this is compatible with the purpose of the transfer.
- Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date.
- Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country, and other information necessary to ensure fairness.
- Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing.
- Rights of access, rectification and opposition: the data subject has the right to obtain a copy of all data relating to him/her that are processed, to the rectification of those data that are shown to be inaccurate, and to object to the processing of the data.
- Restrictions on onward transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer are permitted only if the second recipient provides an adequate level of protection.

In addition to these content principles, another set of means for ensuring the effective application of the principles, whether judicial or non-judicial, is required in order to fulfill the following objectives:

- Good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measurements used to examine the compliance level, including direct verification by authorities, auditors, or independent data protection officials.
- Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. An institutional mechanism is needed to conduct independent investigation of complaints.
- Appropriate redress to the injured parties: where the rules are not complied with, redress to the injured party through independent adjudication or arbitration is provided, including compensation and the imposition of sanctions.

Beyond the content principles, some additional principles still need to be considered when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved and a right to opt out when data are processed for direct marketing purposes should be in place. Another principle is the right of the data subject not to be subject to an automated individual decision intended to evaluate certain aspects, which can produce legal effects and have a significant effect on the data subject.

These content principles, including the additional principles, and the means for ensuring their effectiveness should be viewed as the minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases there are two possibilities: there may be a need to add more requirements to the list or to reduce it.

To determine whether some requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject becomes an important factor.
The Article 29 Working Party has provided a list of categories of transfer which pose particular risks to privacy, as mentioned below:

- Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive
- Transfers which carry the risk of financial loss (e.g., credit card payments over the internet)
- Transfers carrying a risk to personal safety
- Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc.)
- Transfers which carry a risk of serious embarrassment or tarnishing of an individual's reputation
- Transfers which may result in specific actions which constitute a significant intrusion into an individual's private life (e.g., unsolicited telephone calls)
- Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.)
- Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies)

To sum up, the circumstances that should be taken into account when assessing adequacy in a specific case are:

- the nature of the data
- the purpose and duration of the proposed processing operations
- the country of origin and the country of final destination
- the rules of law, both general and sectoral, in force in the country in question
- the professional rules and the security measures which are complied with in that country.

Self-regulation

From the circumstances referred to in Article 25 Paragraph 2 of the Directive, it can be seen that the assessment of the adequate level of protection is conducted according to the rules of law as well as the professional rules and the security measures. In other words, it has to be examined from a self-regulation perspective as well.

The Article 29 Working Party presents a broad meaning of self-regulation as any set of data protection rules applying to a plurality of data controllers from the same profession or industry sector, the content of which has been determined primarily by members of the industry or profession concerned.

This wide definition covers, on the one hand, a voluntary data protection code developed by a small industry association with only a few members and, on the other hand, a set of codes of professional ethics with quasi-judicial force for a certain profession, such as doctors or bankers.

Still, one should bear in mind that, to be considered an appropriate legal instrument for analysis, such a code has to have binding power over its members and has to provide adequate safeguards if the personal data are transferred onward to non-member entities.
