
4. Compliance test (2) - Exceptions to `adequate protection'


4.1. Mandatory exceptions to `adequate protection' requirement

Instead of leaving it completely to the Member States to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the Directive requires Member States to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six conditions is satisfied (provisos to A26(1)).

The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) `is necessary for performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken in response to the data subject's request';
(iii) `is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.

4.2. Limits of these exceptions

These exceptions are not as broad as they first appear. It is crucial to recognise that they are not `self-executing' exceptions: they will only exist to the extent that they are embodied in the national laws of the fifteen EU member states. They are also likely to become more precise as they are implemented in national laws (A5), and are likely at that point to become subject to different wordings in each national law[31]. The only implementation to date is in Part 9 of the new Greek law[32], and it illustrates these points quite nicely.

The A29 Working Party in `First Orientations' says `the working assumption is that the wording of these exceptions is fairly narrow...'. They will provide guidance on the meaning of these exceptions in future work.

Unambiguous consent (and a permit?)

The consent of the data subject `to the proposed transfer' must be `unambiguous', where only consent and not a contract with the data subject is relied upon. However, there seems to be no restriction on the consent being obtained by the third party recipient of the data (e.g. the Australian `importer'), rather than only by the EU-based `controller'. The requirement that consent to the proposed transfer be `unambiguous' may imply that the data subject must consent to his or her personal data being transferred to a country which does not have adequate privacy laws, on the basis that mere transfer to `another country' is not normally a matter of concern within the EU because of the Directive. It is therefore unlikely that EU-based controllers can simply obtain blanket consents to transfer personal data anywhere they like. It almost certainly implies that consent must be explicit, not implied, and that mere notice of intent by the data controller will be ineffective.

One major unanswered question is whether EU national laws can make individual consent to a transfer to a country where there is no adequate protection subject to conditions that protect individuals. The first example available, the new Greek law, is uninformative in how it interprets `unambiguous' (`except if ... extorted in a way which is contrary to law or bonos mores'), but transfers based on such consent still require `permission granted' by the Greek data protection authority.

This requirement of a permit - which also applies to all the other mandatory exceptions - is not part of the Directive, so the Greek law is in this respect a narrow interpretation, designed to place maximum impediments and exposure in the way of reliance on consent.

Protection of contracts - for EU benefit only

The reference to `a contract between the controller and the data subject' appears to refer only to a contract with the EU-based controller of the data to be exported, not a contract with the recipient in the third country such as Australia[33]. If so, it seems that the reference to `pre-contractual' measures would be only to contracts made with a European entity. So, for example, an Australian credit bureau could not use this proviso to obtain a credit report from Europe, but a European credit bureau could use it to disclose a European's identity to an Australian bureau in order to have a check done.

Protection of (which?) public interest

The reference to `public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. In the new Greek law, it appears that the only public interest referred to is that of Greece.

The Greek exception is also qualified by a requirement that the data controller `grants sufficient guarantees for the protection of private life and fundamental liberties and the exercise of the relevant rights'. Greece has obviously concluded that an A26 mandatory exception can nevertheless be made subject to qualifications which protect individual interests. If this approach is followed by other member States, relying on these exceptions may be a complex matter.

No protection of the importer's interests

There is no exception referring to the vital interests of the recipient (importer) of the information, nor of the exporter, but only those of the data subject. The existence of a contract between exporter and importer is insufficient, as it must also be a contract `concluded in the interest of the data subject'.

[31] The exceptions may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.

[32] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'

[33] See the definition of `controller' and its distinction from `recipient' (A2)

