Is there any likelihood that voluntary self-regulation will satisfy the EU requirements? If not, what must Australian businesses do if they wish to obtain personal information from Europe? Should Australian businesses support privacy legislation to help resolve this dilemma? These issues are the subject of this paper.
The Commonwealth opposes such proposals which will further increase compliance costs for all Australian businesses, large and small. At a time when all heads of government acknowledge the need to reduce the regulatory burden, proposals for new compulsory regimes would be counterproductive. On these grounds, the Commonwealth will not be implementing privacy legislation for the private sector.The Prime Minister also said that he had told the Premiers that the Commonwealth had offered `the services of the Federal Privacy Commissioner to assist business in the development of voluntary codes of conduct and to meet privacy standards'.
The Privacy Commissioner has now issued a Consultation Paper Information privacy in Australia - A national scheme for fair information practices in the private sector[2]. The Commissioner is now commencing consultations. Many, perhaps most, privacy advocates and consumer organisations are declining to be involved, intent on continuing to push for comprehensive legislation.
Apart from the possibility of collapse of the self-regulation process, there are many other reasons why the Commonwealth may abandon voluntary self regulation before October 1998[3].
By focussing on the implications for Australia of the EU privacy Directive we explore one of these reasons, by examining what will be necessary for Australian businesses and government agencies in order to obtain transfers of personal data from Europe. The different consequences of Australia having comprehensive legislation, a comprehensive voluntary code such as proposed by the Privacy Commissioner, and the status quo of neither (a distinct possibility) will become apparent. In particular, the likely `compliance costs' which will flow from a lack of comprehensive privacy laws in Australia will become more clear.
The 1995 Directive is in stark contrast in this respect to the two previous major international privacy instruments, the OECD privacy Guidelines and the Council of Europe privacy Convention of the early 1980s. Neither of these agreements require their signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries.
New sources of interpretation of the Directive and its implementation are now available:
Exactly the same argument applies to the international insistence on minimum standards of protection for intellectual property, for which the Americans have been the most strident advocates and the most willing to resort to trade sanctions to achieve their aim of protecting American intellectual property. The European demand for minimum standards of data protection where European personal data is exported is very similar.
The realistic reply is that this time for this argument ended in 1995 when the EU made its decision to adopt the Directive.
Furthermore, Australia was considering enacting similar restrictions, proposed in the Attorney-General's 1996 Discussion Paper (see Appendix 3 to this paper for details).
The collapse in April 1997 of the proposed treaty between Europe and Australia, and its replacement by a lower-level joint declaration, because of European insistence on a clause requiring observance of human rights underlines the extent to which Europe is willing to place human rights considerations before other important economic policy goals.
The reality is more complex. The exceptions to the Directive, and the means by which the practices of specific companies can satisfy its requirements, all require detailed analysis. Much remains unknown because EU authorities have not until recently provided significant further interpretation of the Directive, either as to how assessments of `adequacy' will be made in relation to countries like Canada, the USA or Australia, or the procedural steps that will have to be taken and what compliance costs these will imply for organisations outside Europe.
The main purpose of this paper is to assess how the emerging interpretations of the Directive shed light on its likely impact on Australia.
All of the fifteen EU member states have now implemented national data protection laws binding both the public and privacy sectors, with the recent laws in Italy and Greece completing the set. The Greek law is the first in Europe to seek to implement all the requirements of the EU Directive in its domestic law (as all other EU members must do by October 1998). As will be discussed later, its data export restrictions take the strictest possible interpretation of the Directive, making no provision for contractual solutions in the absence of `adequate protection' and requiring permits for transfers of data even where mandatory exceptions apply.
The EU has now legally bound its own institutions by the provisions of the Directive, through A213b of the Treaty of Amsterdam, a modification of the treaty constituting the European Community[8]. This Article also requires the EU to establish its own data protection supervisory body by 1999, so there will now be a pan-European `Data Protection Commissioner' (the name is not determined) who will no doubt have an influential voice in the future direction of data protection in Europe.
There is a draft decision before the Council of the EU to authorise the EU Commission to negotiate EU accession to the Council of Europe privacy Convention (Convention 108)[9]. Accession would give the EU a formal role in the future development of the Convention, which has a broader international coverage than the Directive. It is expected that some countries from Eastern Europe and Central Europe will become parties to the Convention. It is also possible for non-members of the Council of Europe to become parties to the Convention, and this could assist when decisions are made concerning whether a non-EU country has `adequate' laws.
The A29 Working Party in `First Orientations' considers that a transfer to a country which is a party to Convention 108 could be considered to be to a country with `adequate protection' provided the country has appropriate institutional mechanisms for enforcement, and provided it is the final destination of the date.
[1] Prime Minister, Press Release `Privacy Legislation', 21 March 1997
[2] August 1997; Most important parts are reproduced in a special issue of Privacy Law & Policy Reporter, Vol 4 No 3.
[3] See G Greenleaf `Commonwealth abandons privacy - for now' (1997) 4 PLPR 1 for a catalogue.
[4] Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data
[5] 26 June 1997, European Commission, Directorate General XV, XV D/5020/97-EN final
[6] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'; See Privacy Laws & Business Newsletter No 39, August 1997, p5 for discussion of the Greek law.
[7] For a review of progress in all jurisdictions, see Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the `Article 29 Working Party') First Annual Report, 25 June 1997, at 2.1.2
[8]Privacy Laws & Business Newsletter No 39, August 1997, p2
[9] Privacy Laws & Business Newsletter No 39, August 1997, p3