68. Paragraph 18 seeks to ensure that the interests of the protection of privacy are balanced against the interests of the free transborder flow of personal data. Its main purpose is to create obstacles to the flow of personal data which are artificial from the point of view of the protection of privacy and individual freedoms and which meet restrictive purposes of a different nature, which are therefore not openly announced. However, paragraph 18 is not intended to restrict the rights of Member States to regulate transborder flows of personal data in areas such as free trade, customs, employment and related economic conditions for intentional flows of data. These are issues that were not addressed by the expert group because they do not fall within its mandate. Which of the following is the correct legal statement? 14. The controller should be responsible for compliance with the measures implementing the abovementioned principles. 15. The European Community has carried out studies on the problems of harmonisation of national legislation within the Community with regard to transborder data flows and possible distortions of competition, data security and confidentiality problems and the nature of transborder data flows. A subcommittee of the European Parliament held a public hearing on data processing and individual rights in early 1978. Their work culminated in a report to the European Parliament in spring 1979. The report, adopted by the European Parliament in May 1979, contains a resolution on the protection of the rights of individuals in the light of technical developments in data processing.

Over the past decade, OECD member states have been characterized by the development of privacy laws. These laws have tended to take different forms in different countries and are still being developed in many countries. Differences in legislation can hinder the free flow of information between countries. These flows have increased sharply in recent years and will continue to increase due to the introduction of new computer and communication technologies. The OECD, which has been active in this field for several years, decided to deal with the problems of differences between national laws and in 1978 commissioned a group of experts to draw up guidelines on the basic rules governing cross-border movements and the protection of personal data and privacy in order to facilitate the harmonisation of national legislation. The group has now completed its work. 41. The terms `personal data` and `data subject` emphasise that the Guidelines concern natural persons. The exact dividing line between personal data, in terms of information on identified or identifiable individuals, and anonymous data can be difficult to trace and must be left to the regulation of each Member State. In principle, personal data transmit information that can be linked to a specific natural person by direct link (e.g. a civil status number) or indirect link (e.g. an address).

75. As regards the question of choice of applicable law, one way of resolving those problems is to identify one or more connecting factors which, at best, point to an applicable law. This is particularly difficult in the case of international computer networks where, due to the distribution of locations, the speed of data traffic and the geographical dispersion of data processing activities, several connecting factors involving novelty elements can arise in complex ways. Moreover, it is not clear what value should currently be attached to legislation which, by mechanical application, determines the specific national law to be applied. On the one hand, the adequacy of such a solution seems to depend both on the existence of similar legal concepts and regulatory structures and on the binding obligation for nations to comply with certain standards of protection of personal data. In the absence of these conditions, an attempt could be made to formulate more flexible principles involving the search for a „proportionate right“ in order to ensure effective protection of privacy and individual freedoms. In a situation where more than one law may be applicable, it was suggested that one solution might be to give preference to national legislation that ensures the best protection of personal data. On the other hand, it could be argued that such solutions leave too much uncertainty, especially from the point of view of controllers, who may want to know in advance which national sets of rules govern an international data-processing system. 19. When implementing the principles set out in Parts Two and Three at national level, Member States should put in place legal, administrative or other procedures or institutions to protect privacy and individual freedoms with regard to personal data. Member States should endeavour in particular to: 17. A Member State should refrain from restricting transborder flows of personal data between itself and another Member State, unless the latter does not already substantially comply with these Guidelines or the re-export of such data would circumvent its national data protection rules.