
2. The EU Directive's data export prohibitions


2.1. Three ways to satisfy the EU's data export requirements

The Directive's data export requirements can be satisfied in three ways, stated in decreasing order of generality: Each of these is examined below, but first it is necessary to consider the scope of the Directive, and its enforcement mechanisms.

2.2. Scope - What types of transfers of data are covered?

It is obvious that wholesale `transfers' of personal data outside Europe, such as when a company or government body outsources its data processing overseas, or when a direct marketeer sells a mailing list to an overseas company, are covered by the data export prohibitions. However, there may be other less obvious types of `transfer' of data between Europe and countries like Australia that could be affected.

Remote access to EU personal data from Australia

A25 refers to `transfer ... to a third country', so the question arises of whether it will be possible to access Europe-based databases from non-European locations. Examples would include an Australian branch of a European or international company accessing the company's own internal database located in Europe. The problem is that any such access would necessarily involve such data as is necessary for the screen display on the user's computer to be `transferred' to the user's computer, and would therefore constitute `transfer ... to a third country'. Remote access would therefore have to come within an exception to A25 before it was permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test[11].

Collection of personal data from Europeans over the internet

If a company in a country such as Australia enters into transactions over the internet with customers in Europe, then there are at least two ways to analyse this situation. The US National Telecommunications and Information Administration (NTIA) has raised concerns about the effect of the Directive on US-based companies that use the internet[12], and it is easy to see why.

First, the transfer of this personal data from Europe must (in theory) comply with the Directive's data export requirements. Since the `exporter' is the individual concerned, it may be that the exception for `unambiguous consent' would apply, but perhaps only if the person knew that the data was being transferred to a country without adequate privacy laws. Although it seems unlikely that national data protection laws could be used to directly stop European individuals from transferring their own personal data to overseas companies on the internet, there could be indirect consequences. For example, if the same company is seeking to show the European Commission that it provides `adequate safeguards' in another type of transaction, then its internet transactions may complicate its position. Complications for enforcement of such transactions in European courts might also require consideration.

More likely, however, is the possibility that the collection of the personal data could be considered to be governed by the national law of the European country concerned, since it is `processing of personal data' (which includes collection) which `makes use of equipment' (the user's computer) `situated on the territory' of the European country (A4(1)(c)). The Directive requires such processing to be covered by national data protection laws. In this case, the act of collection (at least) would have to comply with all the national requirements or the overseas company would be in breach, not of the export prohibitions but the collection requirements. In this case there is an additional procedural hurdle and compliance cost, because A 4(2) then requires the overseas controller to `designate a representative established in the territory of the Member State'. Appointing local representatives in every EU country is not exactly what one associates with global commerce over the internet!

Imports of personal data from Australia into the EU

There are no explicit equivalent restrictions on the import of personal data from a third country into an EU Member State. A26 only refers to transfers `to' a third country, and not transfers `from' a third country. However, the importing of the data may constitute `collection' and therefore `processing', so that the importer must comply with national laws of the EU state into which the import takes place, applying the processing test[13], including all conditions relating to fair collection. If personal data is collected in a country which has no privacy laws governing fair collection, how can its transfer to a European country be guaranteed to comply with European fair collection standards? If this is so, then objections to data imports from countries such as Australia could be made to the relevant national data protection authority and also to the European Commission, and the same enforcement mechanisms as discussed below brought into play.

European companies based in, or outsourcing to, Australia

European companies which operate in Australia, or are considering doing so, will have to pay particular regard to all of the complexities listed above, because of likely complexities in their legal position in their home country.

However, they may face the additional complication that any processing they do in Australia could be considered to be 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State' (the `control test') and therefore required by the Directive to be governed by the national data protection law of the Member State (A 4(1)(a)). In other words, they may have to comply fully with the European privacy principles in relation to data processed in Australia - including the data export restrictions on transferring data to other Australian companies within Australia!

2.3. EU enforcement mechanisms - supervision of the Directive

In the first instance, the implementation and supervision of the Directive's contents is carried out by the national data protection authorities in the Member States, once their privacy laws have been amended to incorporate the Directive's requirements.

The 'EU-level' supervision of the Directive is distributed between four bodies: the Commission of the EU (via D-G XV); a Committee of representatives of EU Member States (and in some circumstances, the EU Council itself) (the `A31 Committee'); and an advisory Working Party of the national data protection authorities (the `A29 Working Party'). The following comments relate principally to the data export aspects of the Directive, where all four bodies may have a role.

The EU Commission's role (D-G XV)

The European Commission's role in supervision of the Directive is carried out by Directorate-General XV, Internal Market and Financial Services, Unit D1 - Free Movement of Information and Data Protection, Including International Aspects (`D-G XV').

The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. The Commission is also required to advise the Working Party of what action it has taken concerning its opinions and recommendations (A30(5)), and to negotiate with non-EU countries concerning 'adequate protection' (A25(5)). The Commission does not have delegated legislative powers[14].

The Committee of Member States, and the EU Council

Chapter VII ('Community implementing measures') provides for a Committee comprised of representatives of each Member State and chaired by a non-voting Commission representative (A31(1))[15].

The EU Commission's main role in the Directive is to submit to this `A31 Committee' a draft of the 'community implementing measures' it considers should be taken (A31(1)). The A31 Committee can decide to implement the recommended measures, but if it disagrees with the Commission then the Council decides[16].

The types of 'implementing measures' which will be dealt with by this process include decisions on adequacy of third country laws (A25(4)), and proposed authorisations of data transfers on the grounds of `adequate safeguards' (A26(3), (4)). As they are formal decisions on these matters under the Directive, national authorities would be expected to adhere to the approach decided under the A31 procedure.

The Working Party of supervising authorities

The Working Party on the Protection of Individuals with regard to the Processing of Personal Data (the `A29 Working Party') is composed of representatives of national data protection authorities (one for each EU state), a representative of EU institutions (in future, presumably the new EU `Data Protection Commissioner'), and a representative of the Commission (A29)[17]. It takes decisions by simple majority.

The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (A29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party's opinions and recommendations (A29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A29(6)).

It seems, therefore, that the Working Party, which is likely to be the body best informed and concerned about the state of privacy laws in non-EU countries, will be able to bring the inadequacy of the laws in particular countries to the attention of the Commission.

`White lists' of countries with adequate data protection

In the Working Party's `First Orientations' paper it proposes the formulation of `White Lists' of third countries that provide adequate data protection. While admitting that it has `no explicit role in making decisions about particular data transfers' (that is the role of the A31 procedure), it interprets its explicit role in `giving the Commission an opinion on the level of protection in third countries' as meaning that it is `well within the remit' of the Working Party `to examine the situation in particular third countries in the light of some individual cases, and come to a provisional view as to the adequacy of protection'. They then note that:

Where such decisions are positive they could constitute parts of the white list envisaged. The list could then be distributed widely and used by data controllers, supervisory authorities and Member States as a guide to their own decisions.

The A29 Working Party does not propose to produce a `black list'. They say that this is politically very sensitive, and suggest only that an absence from the `white list' means that no general guidance is available concerning that country.

In `First Orientations' the Working Party also states that it will produce a further paper outlining which categories of transfer it considers pose particular risks to privacy. Where such a transfer was proposed to a country not on the white list, this document would provide guidance to national data protection authorities on:

`First Orientations' only deals with A25 and `adequate protection', but the A29 Working Party does intend to produce further papers dealing with A26 `adequate safeguards' and other matters.

Who will exercise real power? - A29 vs A31

The formal decision-making power about adequate protection rests with the A31 Committee of representatives of member states, but the A29 Working Party of representatives of national data protection Commissioners is clearly intent on taking an activist role. It would not be surprising if the experts committed to the value of data protection were more willing to prohibit data transfers than governments preoccupied with good relations with trading partners.

There are, however, a number of factors which may give the A29 Working Party an influence beyond its formal role:

It may also be significant that the Commission (D-G XV), in its tender documents for development of a methodology for assessing `adequacy', indicates that the A29 Working Party's `First Orientations' is a starting point for the development of the Commission's own methodology. This may indicate an intention by the Commission to ensure consistency by all EU organs in their approach to the Directive, but it also indicates that the significance of the A29 Working Party has extended beyond what appears from the mere words of the Directive.

[11] Member states are required to apply the national provisions they adopt to processing of personal data in two principal situations (A4): (i) where it is 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State'; and (ii) the controller is not established on the territory of an EU Member State, but makes use of equipment situated in a Member State for purposes of processing (except mere transit). Berthold characterises this as a 'control test' supplemented by a 'processing test' (M Berthold 'Hong Kong's data privacy proposals' (1994) 1 PLPR 188).

Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.

Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.

[12] Report of speech by Barbara Wellbury, Chief Counsel NTIA, July 1996 - Privacy Laws & Business, December 1996, p15

[13] ibid

[14] The Commission proposed it should have a rule-making power to adopt such `technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.

[15] The Committee acts by majority, but the votes of each representative are weighted according to A148(2) of the Treaty establishing the European Community (A31(2)).

[16] If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).

[17] The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.

