The Directive defines 'adequate level of protection' as follows (A26(2)):
'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'
It goes on to state that the Commission may decide that a third country `ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(5)).
In `First Orientations' the A29 Working Party considers that A25 `envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers'. Nevertheless, it says, the impossibility of considering all data exports individually means that mechanisms must be developed `which rationalise the decision-making process for large numbers of cases' - for the benefit of both data controllers and data protection authorities.
The A29 Working Party concludes from the EU Directive and other international privacy instruments that there are six `core' or `basic' principles which are the minimum requirements for protection to be considered adequate. In summary, they are as follows:
The first five `core' principles are a strong restatement of standard information privacy principles, particularly in that consent is not seen as a basis for reducing protection.
The sixth principle, restrictions on onward transfers, is the logical closing of a loophole which could otherwise be used to circumvent the restrictions on transfers from the EU by an intermediate transfer through a `safe' third country. It is a significant proposal because it weakens the case for adequacy of what is otherwise one of the strongest privacy laws outside Europe, that of New Zealand.
The Working Party does not see this list as `set in stone', and envisages that there can be circumstances where greater or lesser protection is needed, depending in particular on the degree of risk that the transfer poses to the data subject.
The A29 Working Party in `First Orientations' concedes that, while in Europe it is generally considered that data protection principles should be embodied in law, and that there should be an independent supervisory authority, a better starting point is to identify the underlying objectives of data protection procedures. Three objectives are identified:
A25 refers to assessments of adequacy being made `in the light of all the circumstances surrounding a data transfer', so the Working Party is no doubt correct that an a priori exclusion of non-legislative protection is wrong. However, the only types of mechanisms referred to specifically in A25 are `the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries' (A25(1)) and (in relation to A31 decisions) `domestic law or ... international commitments it has entered into'. The Directive therefore leaves the question open.
Entirely voluntary codes of conduct in third countries seem unlikely to constitute adequate protection. A25 does not make specific mention of Codes of Conduct. `Professional rules' are mentioned specifically in A25(2), but the notion of `professional rules' may entail compulsory registration as a condition of practice (as in many professions) and powers in some organisation to `strike off' from the right to practice or impose other penalties. However, the new Greek law does refer to `codes of practice' as one of the factors to be considered, in its implementation of A25.
It is also difficult to see an industry-developed code as adequate sectoral compliance unless participation was compulsory, because sectoral recognition would protect those industry members who did not comply (sometimes called `free riders'). Even more serious is the problem of those sectors where there are few institutional structures that even allow identification of data controllers and therefore make it very difficult to enrol them in such schemes. The Working Party does not address this issue, or suggest whether or not `adequacy' could be recognised as restricted to participants in a voluntary scheme. The advantage of legislation in relation to the `free rider' problem is that at least where breaches have been identified, ex post facto sanctions may be applied.
The CSA Privacy Code may prove to be one 'litmus test' of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide `adequate protection' or even one-off 'adequate safeguards'. This has strong opponents, particularly within Canada. The President of Québec's data protection authority, Paul-André Comeau, praises the Code as 'a step in the right direction', but says[22] that
There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.
He is reported to have concluded by urging European privacy commissioners, and the EU, 'to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status'[23]. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as 'useless and artificial' and unnecessary if the Code suffices for the EU[24]. Federal Canadian Privacy Commissioner Bruce Phillips is advocating the national adoption of legislation based on Québec's Act.
In terms of its content, it is debatable whether the CSA Model Code's principles are strong enough to provide `adequacy' in terms of the content of the EU Directive[25]. However, the main problem with any `standards' approach is that it does not normally provide any enforcement mechanisms that can be used by the individuals concerned, or provide any remedies for them. Loss of accreditation is a typical sanction, but that provides no benefit to the individuals concerned, and is not a strong sanction provided that the accreditation remains voluntary.
Once again, even if it can constitute `adequate safeguards' in particular cases, the costs of establishing this in each case remain high.
Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'adequate safeguards'.
The Commission is engaging experts to undertake case studies of the adequacy of protection in six countries - Australia, Canada, China (Hong Kong), the USA, Japan and New Zealand - for the purpose of developing a methodology to assess adequacy in third countries [27].
Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or `on the basis of other information'. This may have left the way open for a form of `complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be.
Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the A29 Working Party. The Working Party's activist role in the Directive's procedures, as shown in `First Orientations', makes this more likely to be an effective way of bringing a country's laws into the EU processes.
The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of `adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.
Although decisions are more correctly described as being made by the Council and the Commission, not just `the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.
It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously `adequate' level of data protection.
[18] See J Reidenberg `Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p287 - `Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment ...'; S McGregor `Australia could be denied access to global super highway' (1993) 2 Telecommunications Law & Policy Review 1 at p4 assumes that Australia's credit sector could have `adequate protection'; M Powell European Information Technology Law, (1994) Computer Law & Security Reporter (Special Supplement) at p46 says the amended proposal takes account of the `sectoral' approach to data protection adopted in the USA.
[19] This is a different question from mandatory grounds for exceptions to adequacy in EU national laws (A26(1)), where consent is a ground.
[20] National Standard of Canada CAN/CSA-Q830-96
[21] L Moisan 'The CSA Model Code: The new bid on the block', Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.
[22] P-A Comeau, speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995
[23] Moisan, op cit - these reported comments go somewhat beyond the text of Mr Comeau's speech
[24] Comeau, op cit
[25] See G Greenleaf `Stopping surveillance: beyond `efficiency' and the OECD' (1996) 3 PLPR 148
[26] Contra Reidenberg, op cit, p294
[27] Official Journal of the EU, 23/9/97
[28] Privacy Laws & Business Newsletter, No 31, September 1995, p2
[29] Unlike in the 1992 draft, it does not have to first conclude that `the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.
[30] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13