
4. The EU Directive's data export prohibitions


4.1. Introduction - `equivalence' and `adequacy'

The EU Directive on privacy and free flow of personal data is principally significant to Asia-Pacific countries because it prohibits the transfer of personal data from EU countries to any countries which do not have `adequate' data protection laws. It will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific and elsewhere, particularly in relation to the private sector.

The `principle of equivalence', implemented in the OECD data protection Guidelines (A17) and the Council of Europe data protection Convention (A12), and observed in most European national data protection laws, is that a state shall not impose restrictions on the export of personal data to another state which gives substantially equivalent protection to such data as is provided for in the exporting country[31]. The Directive requires all EU Member States to implement a Europe-wide standard of data protection, and then deems that implementation within the allowed 'margin for manoeuvre' is sufficient for the equivalence principle to apply. However, when it comes to states outside the EU, a somewhat different approach is taken to the 'equivalence' issue.

4.2. Exports of personal data from the EU to third countries

Neither the OECD Guidelines nor the Council of Europe Convention require their signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries. This is where the 1995 Directive is in stark contrast, because it makes it mandatory for EU countries to prohibit the export of personal data to any countries which do not provide `an adequate level of protection'.

The Directive provides that `Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (A25(1))[32] (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection[33].

The Parliament had recommended a far less restrictive approach[34], which would not have made it mandatory for such transfers to be prohibited, merely permissible. The Commission's justification[35] for rejecting this approach was that `Without such a provision [prohibiting exports] the Community's efforts to guarantee a high level of protection for individuals could be nullified by transfers to other countries in which the protection provided is inadequate. There is also the fact that the free movement of data between Member States, which the proposal seeks to establish, will mean that there will have to be common rules on transfer to non-community countries'.

The Directive is ambiguous as to whether EU countries must allow exports of personal data to countries which do provide 'adequate protection'. Article 25 requires Member States to provide that such transfers 'may take place only if' there is adequate protection, not 'if and only if'. The preamble only says that the 'Directive does not stand in the way' of such transfers, but does not say they must be allowed. On the other hand, A26 seems at first to require EU countries to allow transfers to third countries where there is no adequate level of protection but the A26 conditions concerning the individual transfer have been met, but it is only a derogation from A25 so this may mean little. The better view is probably that the Directive gives no formal guarantees to third countries that data exports from EU countries will be allowed, irrespective of the level of protection they provide.

Remote access to EU personal data from third countries

A25 refers to `transfer ... to a third country', so the question arises of whether it will be possible to access Europe-based databases from non-European locations. The problem is that any such access would necessarily involve such data as is necessary for the screen display on the user's computer to be `transferred' to the user's computer, and would therefore constitute `transfer ... to a third country'. Remote access would therefore have to come within an exception to A25 before it was permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test[36].

Imports of personal data from third countries into the EU

There are no explicit equivalent restrictions on the import of personal data from a third country into a Member State. A26 only refers to transfers `to' a third country, and not transfers `from' a third country. However, the importing of the data may constitute `collection' and therefore `processing', so that the importer must comply with national laws of the EU state into which the import takes place, applying the processing test[37].

4.3. The meaning of `adequate level of protection'

The Directive now[38] defines 'adequate level of protection' as follows (A26(2)):

'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'

It goes on to state that the Commission may decide that a third country `ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(5)).

Some non-EU European countries are parties to the Council of Europe Convention, and this would almost certainly constitute 'adequate protection'[39]. The Commission was at one time reported to favour an approach whereby non-European countries would sign the Convention (on the invitation of the Council of Europe: A23) and ratify after passing laws `equivalent' to the Convention[40]. The EU Commission would then declare that the country had `adequate' laws, and the third country would be bound under international law by the Convention. It is not known if this approach is still under consideration.

Although it is not completely clear from A25 whether the requirement of an `adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (eg credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The Parliament had recommended that an adequate level of protection need only be provided for `particular categories of specified personal data', and this seems to be the approach taken in the 1992 draft [41]. The references to sectoral legislation and `professional rules' could be seen as supporting this interpretation. Other commentators have reached the conclusion that an `overall country assessment' is not necessary[42].

Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of `adequate' suggests that only some partial compliance is required. A related question is whether `adequacy' need only be measured against the principles in the Directive (Chapter II), or is it also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages - see above). The latter is the better view. It would be anomalous for A26(2) to require 'sufficient guarantees' of enforcement if A25 did not. However, it might be expected that there could be adequate protection provided by either individual enforceability or enforcement via a supervising authority.

Mandatory exceptions to the requirement of adequate protection

Instead of leaving it to the Member States to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the 1995 Directive requires Member States to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six[43] conditions is satisfied (provisos to A26(1)).

The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) 'is necessary for performance of a contract between the data subject and the controller[44], or the implementation of pre-contractual measures taken in response to the data subject's request' (eg a credit check);
(iii) 'is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.

These exceptions are not as broad as they first appear. The reference to `public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. There is no exception referring to the vital interests of the recipient of the information, only those of the data subject. Furthermore, the exceptions will be likely to become more precise as they are implemented in national laws (A5). However, they may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.

4.4. Authorisation of particular transfers without `adequate' protection

In addition to these mandatory exceptions, A26(2) now[45] provides that

'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces sufficient guarantees with respect to the protection of privacy ... and as regards the exercise of the corresponding rights; such guarantees may in particular result from appropriate contractual clauses'.

This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute `sufficient guarantees' is not explained.

A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an `adequate level of protection' for A25 purposes. It also reinforces the view that an `adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[46].

The Member State must inform the Commission and the other Member States of 'authorisations granted' under A26(2) (A26(3)), rather than 'its proposal to grant authorization' as the 1992 Draft required. If a Member State or the Commission nevertheless does manage to object before the authorisation takes effect, the Commission is required to take `appropriate measures', after referring the matter to the Committee in accordance with A31(2) (A26(3)). Member States must then comply with the Commission's decision, including decisions that certain contractual clauses offer 'sufficient guarantees' (A26(4)).

The meaning of 'sufficient guarantee' - supplier / recipient contracts

Can private contracts between data suppliers and recipients (as distinct from contracts with data subjects) constitute 'sufficient guarantee'? The US government pushed for maximum recognition for supplier-recipient contracts[47], and the French data protection authority, CNIL, has allowed a number of transfers from France to countries without data protection laws (Italy and Belgium) on condition that such contracts were entered into[48]. The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract[49]. A25 makes no mention of contractual clauses at all, and it seems unlikely that contractual clauses could constitute 'adequate protection', even on a sectoral basis where they are adopted by an industry. A26(2) does not clarify whether its mention of 'contractual clauses' includes supplier-recipient contracts. As there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject, it is doubtful that such contracts could constitute a 'guarantee' for A26(2) purposes.

Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[50]:

Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.

Reidenberg now sees supplier-recipient contracts as being of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.

The meaning of 'sufficient guarantee' - industry 'codes of conduct'

What role can industry self-regulation through codes of conduct play? Article 27 requires Member States to encourage the development of national and European codes of conduct, but (as discussed above) these cannot be a substitute for legally binding provisions. Voluntary codes of conduct in third countries are unlikely to constitute adequate protection, although it is possible that a scheme run by an industry body which was shown to have enforcement powers might be sufficient to be regarded as 'professional rules' for the purposes of A25(2) (which does not make specific mention of Codes of Conduct). An industry-developed code backed up by legally binding enforcement procedures may well constitute adequate sectoral compliance (the enforcement provisions would be 'rules of law' for A25(2) purposes). Such enforceable codes might also provide 'sufficient guarantees' for A26(2) purposes.

The Canadian Standards Association (CSA) Technical Committee on Privacy adopted a Model Code for the Protection of Personal Information in September 1995. The Code is based on the OECD Guidelines, and will involve a certification scheme. It is expected to be formally accepted by the Canadian Standards Council (a government body) in early 1996. It is not known at this stage whether the CSA will push for the Code to be adopted by the International Standards Organisation (ISO)[51]. Due to the lack of privacy legislation in the USA, there is considerable private sector interest in the Code in the USA, and it may possibly develop into a North American standard.

It is likely that the CSA privacy Code will prove to be the 'litmus test' of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide 'sufficient guarantee'. This has strong opponents, particularly within Canada. The President of Québec's data protection authority, Paul-André Comeau, praises the Code as 'a step in the right direction', but says[52] that

There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.

He is reported to have concluded by urging European privacy commissioners, and the EU, 'to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status'[53]. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as 'useless and artificial' and unnecessary if the Code suffices for the EU[54]. Federal Canadian Privacy Commissioner Bruce Phillips is advocating the national adoption of legislation based on Québec's Act. The battle lines are drawn in Canada.

4.5. Implications for countries without 'adequate' laws

Bennett is skeptical about the extent to which data users can rely on A26[55]:

Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.

Companies in countries such as Australia or Canada will have to choose whether to support the development of 'adequate' local privacy laws, or to rely on a transaction by transaction basis on either (i) coming within an A25 mandatory exemption or (ii) convincing a European national authority, or the EU authorities (see below) that they can offer 'sufficient guarantees' for that transaction.

4.6. The mechanisms for decisions concerning `adequate protection'

Decision and notification by a Member State

In the first instance, it is the laws of Member States of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (A25(1)), and it is a decision by an authority in the Member State which prohibits the transfer. Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'sufficient guarantees'.

Decisions by the Committee on adequacy

As explained above in relation to supra-national enforcement of the Directive as a whole, it is the Committee of Member State representatives that decides whether to accept the draft measures proposed by the Commission (A31(2)). The Commission, with the Committee's approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries[56]. The position is, therefore, that Member States make any decisions to prohibit transfers, but the Committee can over-ride such decisions.

'Complaints' about adequacy

Even though it is the Committee that makes the decisions, it is still the Commission that must be first convinced to propose action against a third country, so it is important to ask how claims of 'inadequacy' can be brought to the Commission's attention. Member States are obliged to do so in the course of considering transfers to third countries (A25(3)). The Working Party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the Commission would receive official notification that way. As might be expected, the Commission is reported to be likely to initiate its own studies of the laws and codes of the EU's more important non-EU trading partners[57].

Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or `on the basis of other information'. This may have left the way open for a form of `complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be. Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the Working Party.

Commission negotiations with third countries

If the Committee accepts measures proposed by the Commission on the basis of the inadequacy of a third country's laws, only then can the Commission enter into negotiations with the third country 'with a view to remedying the situation' (A25(4))[58].

A political or a legal process?

A Canadian commentator interprets this decision-making process as essentially political rather than legal[59]:

The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of `adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.

Although decisions are more correctly described as being made by the Council and the Commission, not just `the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.

It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously `adequate' level of data protection.

[31] Karim Benyekhlef 'International standards for the protection of personal data and the information highway', Proceedings of Justice on the Electronic Highway (Conference), Ottawa, January 1995, Federal Department of Justice, Canada

[32] The 1992 Draft referred to 'provide by law that the transfer, whether temporary or permanent'. The changes are not significant.

[33] There were submissions on the original draft (for example, by the European Data Protection Commissioners) that `adequate protection' should be replaced with `equivalent protection' (ie equivalent to the EU Directive).

[34] Namely, that such transfers `may be prohibited in order to prevent damage to data subject's interests from an inadequate level of protection' and `may require the express consent of the data subject'.

[35] Explanatory Memorandum, 1990

[36] See above, 'Reach of national laws'.

[37] See above 'Reach of national laws'.

[38] The 1992 draft was largely the same, but did not refer to 'the country of origin and country of final destination', or 'security measures'. `Adequate level of protection' was not defined in the 1990 draft, and the Explanatory Memorandum simply said that it was `for the Member States, and if necessary for the Commission, to determine'.

[39] Benyekhlef, op cit

[40] Privacy Laws & Business, October 1990, p6

[41] The Explanatory Memorandum to the 1992 draft states only that `As Parliament suggested in its opinion (see amendment No 79) the new paragraph 2 makes it clear that the adequacy of protection is to be assessed with reference to a transfer of data or a set of transfers of data'.

[42] See J Reidenberg `Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p287 - `Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment ...'; S McGregor `Australia could be denied access to global super highway' (1993) 2 Telecommunications Law & Policy Review 1 at p4 assumes that Australia's credit sector could have `adequate protection'; M Powell European Information Technology Law, (1994) Computer Law & Security Reporter (Special Supplement) at p46 says the amended proposal takes account of the `sectoral' approach to data protection adopted in the USA.

[43] The 1992 draft had only four exceptions, and the first and second are combined in (ii) here; 1995 exceptions (i), (iii), (vi) are new.

[44] The 1992 draft added 'who has been informed that a transfer of data to a country with inadequate protection is possible'.

[45] The 1992 draft has been rewritten, but the changes do not seem to be of substance.

[46] Reidenberg op cit seems to assume that `adequate protection' can be found in `the specific circumstances of each data transfer on a case-by-case basis'.

[47] TDR, Sept/Oct 1991, p37

[48] 65 ALJ 560

[49] Privacy Laws and Business, October 1991, p6

[50] J Reidenberg 'Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, Vol 80 No 3 497 at 546

[51] L Moisan 'The CSA Model Code: The new bid on the block', Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.

[52] P-A Comeau, speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995

[53] Moisan, op cit - these reported comments go somewhat beyond the text of Mr Comeau's speech

[54] Comeau, op cit

[55] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p14; quaere whether he means 'sufficient guarantee', not 'adequate' protection.

[56] contra Reidenberg op cit p294

[57] Privacy Laws & Business Newsletter, No 31, September 1995, p2

[58] Unlike in the 1992 draft, it does not have to first conclude that `the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.

[59] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13

