G Greenleaf 'The EU privacy Directive: New orientations ...' (1997) IBC Conferences

6. Conclusions

6.1. The Directive offers few easy options
6.2. `Compliance costs' - Is `adequate protection' the cheaper option?

6.1. The Directive offers few easy options

Comprehensive privacy legislation which covers the six `core' principles and contains serious enforcement mechanisms something like those in Australia's Privacy Act 1988 seems to be the only certain way to obtain ready inclusion in the proposed `white list' of countries providing `adequate protection' for A25. The scheme proposed in the Attorney-General's 1996 Discussion Paper may well have covered all required elements. Ratification of Convention 108, even in advance of legislation, may be another route (and one that is in principle open to Australia).

Alternative approaches are all likely to result in considerable difficulties for companies and agencies wishing to obtain personal data from Europe:

Voluntary codes of conduct, and technical standards, are unlikely to be regarded in themselves as `adequate protection', although they could well contribute to such a finding when they are supported by legislation. `Adequacy' requires not only the inclusion of `best practice' privacy principles but also independent supervision, serious sanctions and a high level of proven compliance. The existence of adequate protection can only be established after investigation of a number of test cases.
The mandatory exceptions to `adequate protection' in A26(1) are likely to prove far less useful than they appear at first. They depend entirely on implementation in fifteen national statutes, where they are likely to be interpreted narrowly, with conditions, and in different terms.
The use of contractual solutions to provide `adequate safeguards' is not even available unless each of the fifteen national legislatures so decides (as Greece has not). Where it is available, contracts between the individual concerned and the exporter or the importer may be able to meet all the conditions for `adequacy'. It is unlikely that contracts between exporter and importer can do so, although it is possible that this may contribute to a broader scheme of industry self-regulation. However, such adequacy will have to be established on a case-by-case basis in each jurisdiction.

6.2. `Compliance costs' - Is `adequate protection' the cheaper option?

At least insofar as companies wishing to obtain personal information from Europe are concerned, the Australian government's argument that national privacy protection should be abandoned because of compliance costs appears specious:

Anything other than national legislation will result in great complexity, and consequent costs, at the European end.
A national scheme of voluntary self-regulation such as proposed by the Privacy Commissioner, while unlikely to avoid compliance costs at the European end, passes the full burden of paying for the compliance structure to those industry bodies participating in the scheme. These `compliance costs' are normally largely borne by the State (ultimately the taxpayer) as they are functions carried out by the Privacy Commissioner.

[Previous] [Next] [Up] [Title]