4. Compliance test (2) - Exceptions to `adequate protection'
Instead
of leaving it completely to the Member States to decide which transfers to
countries without an adequate level of protection should be permitted (as
recommended by the Parliament), the Directive requires member States to provide
that transfers to a third country which does not ensure an adequate level of
protection may take place if one of six conditions is satisfied (provisos to
A26(1)).
The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) `is necessary for performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken in response to the data subject's request';
(iii) `is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.
These exceptions are not as broad as they first appear. It is crucial to
recognise that they are not `self-executing' exceptions: they will only exist
to the extent that they are embodied in the national laws of the fifteen EU
member states. They are also likely to become more precise as they are
implemented in national laws (A5), and are likely at that point to become
subject to different wordings in each national law[31]. The only implementation to date is in Part 9 of the new
Greek law[32], and it illustrates these points
quite nicely.
The A29 Working Party in `First Orientations' says `the working assumption is
that the wording of these exceptions is fairly narrow...'. The Working Party
will provide guidance on the meaning of these exceptions in future work.
The consent of the data subject `to the proposed transfer' must be
`unambiguous', where only consent and not a contract with the data subject is
relied upon. However, there seems to be no restriction on the consent being
obtained by the third party recipient of the data (eg the Australian
`importer'), not only by the EU-based `controller'. The requirement that the
proposed transfer be `unambiguous' may imply that the data subject must consent
to his or her personal data being transferred to a country which does not have
adequate privacy laws, on the basis that mere transfer to `another country' is
not normally a matter of concern within the EU because of the Directive. It is
therefore unlikely that EU-based controllers can simply obtain blanket consents
to transfer personal data anywhere they like. It almost certainly implies that
consent must be explicit, not implied, and that mere notice of intent by the
data controller will be ineffective.
One major unanswered question is whether individual consent to a transfer to a
country where there is no adequate protection can be made subject to conditions
to protect individuals by the EU national laws. The first example available,
the new Greek law, is uninformative in how it interprets `unambiguous' (`except
if ... extorted in a way which is contrary to law or bonos mores'), but
transfers based on such consent still require `permission granted' by the Greek
data protection authority.
This requirement of a permit - which also applies to all the other mandatory
exceptions - is not part of the Directive, so the Greek law is in this respect
a narrow interpretation, designed to place maximum impediments and exposure in
the way of reliance on consent.
The reference to `a contract between the controller and the data subject'
appears to refer only to a contract with the EU-based controller of the data to be
exported, not a contract with the recipient in the third country such as
Australia[33]. If so, it seems that the
reference to `pre-contractual' measures would be only to contracts made with a
European entity. So, for example, an Australian credit bureau could not use
this proviso to obtain a credit report from Europe, but a European credit
bureau could use it to disclose a European's identity to an Australian bureau
in order to have a check done.
The reference to `public interest grounds' is not an explicit reference to the
public interest of the third country which is importing the data, and could be
implemented so as to refer only to the public interest of the European country
concerned. In the new Greek law, it appears that the only public interest
referred to is that of Greece.
The Greek exception is also qualified by a requirement that the data controller
`grants sufficient guarantees for the protection of private life and
fundamental liberties and the exercise of the relevant rights'. Greece has
obviously concluded that the A26 mandatory exceptions can nevertheless be made
subject to qualifications which protect individual interests. If this approach
is followed by other member States, relying on these exceptions may be a
complex matter.
There is no exception referring to the vital interests of the recipient
(importer) of the information, nor of the exporter, but only those of the data
subject. The existence of a contract between exporter and importer is
insufficient, as it must also be a contract `concluded in the interest of the
data subject'.
[31] The exceptions may be broader in some
respects than the exceptions found in A8 of the European Convention on Human
Rights, which could lead to some interesting decisions.
[32] Law No 2472 on the protection of
individuals with regard to the processing of personal data, 10 April 1997
(Greece), A9 `Cross-border flow of personal data'
[33] See the definition of `controller' and
its distinction from `recipient' (A2)