
3. Compliance test (1) - 'Adequate protection'


3.1. Does a country provide an 'adequate level of protection'?

The Directive provides that 'Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (A25(1)) (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection.

The Directive sets out how an 'adequate level of protection' is to be assessed (A25(2)):

'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'

It goes on to state that the Commission may decide that a third country 'ensures an adequate level of protection ... by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(6)).

In 'First Orientations' the A29 Working Party considers that A25 'envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers'. Nevertheless, it says, the impossibility of considering all data exports individually means that mechanisms must be developed 'which rationalise the decision-making process for large numbers of cases' - for the benefit of both data controllers and data protection authorities.

3.2. Sectoral compliance

Although it is not completely clear from A25 whether the requirement of an 'adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (eg credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The references to sectoral legislation and 'professional rules' could be seen as supporting this interpretation. Other commentators have reached the conclusion that an 'overall country assessment' is not necessary[18]. In 'First Orientations' the A29 Working Party is of this view, commenting that 'nothing would prevent the partial white listing of a third country'.

3.3. 'Core' principles for 'adequate protection'

Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of 'adequate' suggests that only partial compliance is required.

The A29 Working Party concludes from the EU Directive and other international privacy instruments that there are six 'core' or 'basic' principles which are the minimum requirements for protection to be considered adequate. In summary, they are:

Any exceptions to these core principles must be consistent with those in A13 ('Exemptions and restrictions'), which provide for legislative exceptions necessary to safeguard important state interests or 'the protection of the data subject or the rights or freedoms of others'. Individual consent is not explicitly included in the permitted grounds for exemption[19].

The first five 'core' principles are a strong restatement of standard information privacy principles, particularly in that consent is not seen as a basis for reducing protection.

The sixth principle, restrictions on onward transfers, is the logical closing of a loophole which could otherwise be used to circumvent the restrictions on transfers from the EU by an intermediate transfer through a 'safe' third country. It is a significant proposal because it weakens the case for adequacy of what is otherwise one of the strongest privacy laws outside Europe, that of New Zealand.

The Working Party does not see this list as 'set in stone', and envisages that there can be circumstances where greater or lesser protection is needed, depending in particular on the degree of risk that the transfer poses to the data subject.

3.4. Procedural rights to ensure protection

A related question is whether 'adequacy' need only be measured against the principles in the Directive (Chapter II), or whether it is also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages). The latter is the better view. It would be anomalous for A26(2) to require 'adequate safeguards' as to enforcement if A25 did not. However, it might be expected that adequate protection could be provided by either individual enforceability or enforcement via a supervisory authority.

The A29 Working Party in 'First Orientations' concedes that, while in Europe it is generally considered that data protection principles should be embodied in law, and that there should be an independent supervisory authority, a better starting point is to identify the underlying objectives of data protection procedures. Three objectives are identified:

Ratification of the European privacy Convention (Convention 108)

In 'First Orientations' the A29 Working Party appears willing to presume that data transfers to any non-EU countries that have ratified Convention 108 are allowed under A25(1) provided:

Can there be `adequate protection' without legislation?

The Working Party's approach leaves open, in principle at least, the possibility of non-legislative mechanisms providing adequate protection, since it frames the criteria in terms of underlying objectives. However, 'First Orientations' leaves completely open the question whether industry self-regulation or technical 'standards' could ever meet these requirements.

A25 refers to assessments of adequacy being made 'in the light of all the circumstances surrounding a data transfer' (A25(2)), so the Working Party is no doubt correct that an a priori exclusion of non-legislative protection is wrong. However, the only types of mechanisms referred to specifically in A25 are 'the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries' (A25(2)) and (in relation to A31 decisions) 'domestic law or ... international commitments it has entered into' (A25(6)). The Directive therefore leaves the question open.

Industry 'codes of conduct'

What role can industry self-regulation through codes of conduct play? Article 27 requires Member States to encourage the development of national and European codes of conduct, but these cannot be a substitute for legally binding provisions in EU member states.

Entirely voluntary codes of conduct in third countries seem unlikely to constitute adequate protection. A25 does not make specific mention of codes of conduct. 'Professional rules' are mentioned specifically in A25(2), but the notion of 'professional rules' may entail compulsory registration as a condition of practice (as in many professions) and powers in some organisation to 'strike off' from the right to practice or impose other penalties. However, the new Greek law does refer to 'codes of practice' as one of the factors to be considered, in its implementation of A25.

It is also difficult to see an industry-developed code as adequate sectoral compliance unless participation is compulsory, because sectoral recognition would protect those industry members who did not comply (sometimes called 'free riders'). Even more serious is the problem of those sectors where there are few institutional structures that even allow identification of data controllers, making it very difficult to enrol them in such schemes. The Working Party does not address this issue, or suggest whether or not 'adequacy' could be recognised as restricted to participants in a voluntary scheme. The advantage of legislation in relation to the 'free rider' problem is that, at least where breaches have been identified, ex post facto sanctions may be applied.

Data protection as a technical `standard'

The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information was adopted in 1996. The Code is based on the OECD Guidelines, and involves a certification scheme[20]. The CSA is now pushing for the Code to be adopted by the International Organization for Standardization (ISO)[21]; the first meetings of representatives from countries including Canada, the USA and Australia took place in New York in May 1997 and in Brussels in September 1997, attended by Australia's Privacy Commissioner as part of the Australian delegation.

The CSA privacy Code may prove to be one 'litmus test' of whether the EU will accept that codes of conduct which have no enforceability at law can provide 'adequate protection' or even one-off 'adequate safeguards'. This approach has strong opponents, particularly within Canada. The President of Québec's data protection authority, Paul-André Comeau, praises the Code as 'a step in the right direction', but says[22] that

There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.

He is reported to have concluded by urging European privacy commissioners, and the EU, 'to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status'[23]. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as 'useless and artificial' and unnecessary if the Code suffices for the EU[24]. Federal Canadian Privacy Commissioner Bruce Phillips is advocating national adoption of legislation based on Québec's Act.

In terms of its content, it is debatable whether the CSA Model Code's principles are strong enough to provide 'adequacy' in terms of the content of the EU Directive[25]. However, the main problem with any 'standards' approach is that it does not normally provide any enforcement mechanisms that can be used by the individuals concerned, or any remedies for them. Loss of accreditation is a typical sanction, but it provides no benefit to the individuals concerned, and is not a strong sanction so long as accreditation remains voluntary.

Once again, even if such a code can constitute 'adequate safeguards' in particular cases, the costs of establishing this in each case remain high.

3.5. The EU mechanisms for decisions concerning 'adequate protection'

Decision and notification by a Member State

In the first instance, it is the laws of Member States of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (A25(1)), and it is a decision by an authority in the Member State which prohibits the transfer.

Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'adequate safeguards'.

Decisions by the A31 Committee on adequate protection

As explained above in relation to supra-national enforcement of the Directive as a whole, it is the A31 Committee of Member State representatives that decides whether to accept the draft measures proposed by the Commission (A31(2)). The Commission, with the Committee's approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries[26]. The position is therefore that Member States make any decisions to prohibit transfers, but the Committee can override such decisions.

The Commission is engaging experts to undertake case studies of the adequacy of protection in six countries - Australia, Canada, China (Hong Kong), the USA, Japan and New Zealand - for the purpose of developing a methodology to assess adequacy in third countries [27].

'Complaints' about adequate protection

Even though it is the Committee that makes the decisions, it is still the Commission that must be first convinced to propose action against a third country, so it is important to ask how claims of 'inadequacy' can be brought to the Commission's attention. Member States are obliged to do so in the course of considering transfers to third countries (A25(3)). The Working Party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the Commission would receive official notification that way. As might be expected, the Commission is reported to be likely to initiate its own studies of the laws and codes of the EU's more important non-EU trading partners[28], and has in 1997 issued a tender for study of such laws in six countries including Australia.

Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or 'on the basis of other information'. This may have left the way open for a form of 'complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be.

Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the A29 Working Party. The Working Party's activist role in the Directive's procedures, as shown in 'First Orientations', makes this more likely to be an effective way of bringing a country's laws into the EU processes.

Commission negotiations with third countries

If the Committee accepts measures proposed by the Commission on the basis of a finding that a third country's laws are inadequate (A25(4)), only then can the Commission enter into negotiations with the third country 'with a view to remedying the situation' (A25(5))[29].

A political or a legal process?

A Canadian commentator interprets this decision-making process as essentially political rather than legal[30]:

The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of 'adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.

Although decisions are more correctly described as being made by the Council and the Commission, not just 'the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.

It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously 'adequate' level of data protection.

[18] See J Reidenberg 'Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p287 - 'Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment ...'; S McGregor 'Australia could be denied access to global super highway' (1993) 2 Telecommunications Law & Policy Review 1 at p4 assumes that Australia's credit sector could have 'adequate protection'; M Powell European Information Technology Law, (1994) Computer Law & Security Reporter (Special Supplement) at p46 says the amended proposal takes account of the 'sectoral' approach to data protection adopted in the USA.

[19] This is a different question from mandatory grounds for exceptions to adequacy in EU national laws (A26(1)), where consent is a ground.

[20] National Standard of Canada CAN/CSA-Q830-96

[21] L Moisan 'The CSA Model Code: The new bid on the block', Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.

[22] P-A Comeau, speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995

[23] Moisan, op cit - these reported comments go somewhat beyond the text of Mr Comeau's speech

[24] Comeau, op cit

[25] See G Greenleaf 'Stopping surveillance: beyond "efficiency" and the OECD' (1996) 3 PLPR 148

[26] contra Reidenberg op cit p294

[27] Official Journal of the EU, 23/9/97

[28] Privacy Laws & Business Newsletter, No 31, September 1995, p2

[29] Unlike in the 1992 draft, it does not have to first conclude that 'the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.

[30] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13

