First, the transfer of this personal data from Europe must (in theory) comply with the Directive's data export requirements. Since the 'exporter' is the individual concerned, it may be that the exception for 'unambiguous consent' would apply, but perhaps only if the person knew that the data was being transferred to a country without adequate privacy laws. Although it seems unlikely that national data protection laws could be used to directly stop European individuals from transferring their own personal data to overseas companies on the internet, there could be indirect consequences. For example, if the same company is seeking to show the European Commission that it provides 'adequate safeguards' in another type of transaction, then its internet transactions may complicate its position. Complications for enforcement of such transactions in European courts might also require consideration.
More likely, however, is the possibility that the collection of the personal data could be considered to be governed by the national law of the European country concerned, since it is 'processing of personal data' (which includes collection) which 'makes use of equipment' (the user's computer) 'situated on the territory' of the European country (A4(1)(c)). The Directive requires such processing to be covered by national data protection laws. In this case, the act of collection (at least) would have to comply with all the national requirements or the overseas company would be in breach, not of the export prohibitions but of the collection requirements. In this case there is an additional procedural hurdle and compliance cost, because A4(2) then requires the overseas controller to 'designate a representative established in the territory of the Member State'. Appointing local representatives in every EU country is not exactly what one associates with global commerce over the internet!
However, they may face the additional complication that any processing they do in Australia could be considered to be 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State' (the 'control test') and therefore required by the Directive to be governed by the national data protection law of the Member State (A4(1)(a)). In other words, they may have to comply fully with the European privacy principles in relation to data processed in Australia - including the data export restrictions on transferring data to other Australian companies within Australia!
The 'EU-level' supervision of the Directive is distributed between four bodies: the Commission of the EU (via D-G XV); a Committee of representatives of EU Member States (and in some circumstances, the EU Council itself) (the 'A31 Committee'); and an advisory Working Party of the national data protection authorities (the 'A29 Working Party'). The following comments relate principally to the data export aspects of the Directive, where all four bodies may have a role.
The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. The Commission is also required to advise the Working Party of what action it has taken concerning its opinions and recommendations (A30(5)), and to negotiate with non-EU countries concerning 'adequate protection' (A25(5)). The Commission does not have delegated legislative powers[14].
The EU Commission's main role in the Directive is to submit to this 'A31 Committee' a draft of the 'community implementing measures' it considers should be taken (A31(1)). The A31 Committee can decide to implement the recommended measures, but if it disagrees with the Commission then the Council decides[16].
The types of 'implementing measures' which will be dealt with by this process include decisions on the adequacy of third country laws (A25(4)), and proposed authorisations of data transfers on the grounds of 'adequate safeguards' (A26(3), (4)). As they are formal decisions on these matters under the Directive, national authorities would be expected to adhere to the approach decided under the A31 procedure.
The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (A29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party's opinions and recommendations (A29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A29(6)).
It seems, therefore, that the Working Party, which is likely to be the body best informed and concerned about the state of privacy laws in non-EU countries, will be able to bring the inadequacy of the laws in particular countries to the attention of the Commission.
Where such decisions are positive they could constitute parts of the white list envisaged. The list could then be distributed widely and used by data controllers, supervisory authorities and Member States as a guide to their own decisions.
The A29 Working Party does not propose to produce a 'black list'. They say that this is politically very sensitive, and suggest only that an absence from the 'white list' means that no general guidance is available concerning that country.
In 'First Orientations' the Working Party also states that it will produce a further paper outlining which categories of transfer it considers pose particular risks to privacy. Where such a transfer was proposed to a country not on the white list, this document would provide guidance to national data protection authorities on:
There are, however, a number of factors which may give the A29 Working Party an influence beyond its formal role:
[11] Member states are required to apply the national provisions they adopt to processing of personal data in two principal situations (A4): (i) where it is 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State'; and (ii) where the controller is not established on the territory of an EU Member State, but makes use of equipment situated in a Member State for purposes of processing (except mere transit). Berthold characterises this as a 'control test' supplemented by a 'processing test' (M Berthold, 'Hong Kong's data privacy proposals' (1994) 1 PLPR 188).
Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.
[12] Report of speech by Barbara Wellbury, Chief Counsel NTIA, July 1996 - Privacy Laws & Business, December 1996, p 15.
[13] ibid.
[14] The Commission proposed it should have a rule-making power to adopt such 'technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.
[15] The Committee acts by majority, but the votes of each representative are weighted according to A148(2) of the Treaty establishing the European Community (A31(2)).
[16] If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).
[17] The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.