'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces adequate safeguards with respect to the protection of the privacy the fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses'.

This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute `adequate safeguards' is not explained.
A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an `adequate level of protection' for A25 purposes. It also reinforces the view that an `adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[35].
The A29 Working Party in `First Orientations' says that the contractual solutions envisaged by A26(2):
have inherent problems, such as the difficulty of a data subject enforcing his rights under a contract to which he is not himself a party ... and are therefore appropriate only in certain specific and probably relatively rare circumstances.
The only implementing law to date, that of Greece, does not recognise any contractual or other forms of adequate safeguards.
If this approach is followed, then contractual `adequate safeguards' will have to provide all of the six `core' principles and equivalents of the three procedural protections that are necessary for `adequate protection' (as discussed above).
The European exporter is able to give the data subject a wide range of contractual rights and guarantees, including guarantees of observance of the six core principles by both exporter and importer. The contract can give the data subject a right to damages or other remedies for breach. In order to make such contractual remedies meaningful, the law of the contract can be made the law of the country of domicile of the data subject (if different from the domicile of the exporter), and ancillary rights can be granted, such as payment of all legal costs in the event of a successful action and limitation of awards of costs against the data subject (so as to simulate the situation of complaints to a data protection authority). In some cases, it may be possible for the exporter to give the data subject rights to pursue remedies against the exporter under a European data protection law. Whichever way it is done, it should be possible for the exporter to give the data subject meaningful contractual rights covering almost all of the Working Party's requirements for `adequacy', with the possible exception of the institutional mechanism to investigate complaints (which could come from an industry self-regulatory scheme).
Similarly, the data importer could contract with the individual concerned to provide the same rights as discussed above. This may be likely to occur when the individual resides in the same country as the importer.
The crucial point is that any such contracts would have to cover all of the content required for `adequacy'. Neither the Directive nor the Working Party contemplates contracts being used as a device by which individuals can surrender their rights under the Directive. There can be no `contracting out' of data protection obligations under the Directive.
Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[39]:
Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.

Reidenberg now sees supplier-recipient contracts as of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.
The same may be said for data protection implementation as a technical standard with accreditation schemes.
In both cases, all of the problems of whether the scheme or standard meets all of the content and procedural requirements of `adequacy' will apply. It seems more likely that both voluntary codes and technical standards could form part, but only part, of `adequate safeguards'.
The process is therefore not under the control of the company or government department in the importing country, but is one that could be fragmented into applications by every organisation in every EU country from whom the importer wishes to obtain data.
All Member States must then comply with the Commission's decision, including decisions that certain contractual clauses or other relationships do or do not offer 'adequate safeguards' (A26(4)).
Bennett, writing from a Canadian perspective, is sceptical about the extent to which data users can rely on A26[41]:
Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.

[34] Previous versions of the Directive used the expression `sufficient guarantees' instead of `adequate safeguards'. In some of my earlier papers on this subject I have not reflected this terminological change.
[35] Reidenberg op cit seems to assume that `adequate protection' can be found in `the specific circumstances of each data transfer on a case-by-case basis'.
[36] TDR, Sept/Oct 1991, p37
[37] 65 ALJ 560
[38] Privacy Laws and Business, October 1991, p6
[39] J Reidenberg, 'Setting standards for fair information practices in the US private sector', (1995) Iowa Law Review, Vol 80 No 3, 497 at 546
[40] In contrast with 'its proposal to grant authorization', as the 1992 Draft required
[41] Colin Bennett, `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p14