The 1995 Directive is in stark contrast in this respect to the two previous major international privacy instruments, the OECD privacy Guidelines and the Council of Europe privacy Convention of the early 1980s. Neither of these agreements requires its signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries.
New sources of interpretation of the Directive and its implementation are now available:
Similar arguments apply to the insistence on minimum standards of protection for intellectual property as a condition of other aspects of bilateral relations, for which the American government has been an insistent advocate in its dealings with various Asian countries in recent years, willing to resort to trade sanctions to achieve its aim of protecting American intellectual property. The European demand for minimum standards of data protection where European personal data is exported is very similar.
The inconsistency of American government objections to laws with extra-territorial effect is noted by Swire and Litan in their examples of American application of anti-trust laws, the Helms-Burton law imposing sanctions against countries trading with Cuba, and elsewhere[65] (http://www.osu.edu/units/law/swire1/noyb.htm).
All of the fifteen EU member states have now implemented national data protection laws binding both the public and private sectors, with the recent laws in Italy and Greece completing the set. The Greek law is the first in Europe to seek to implement all the requirements of the EU Directive in its domestic law (as all other EU members must do by October 1998).
Outside the EU, data protection laws are now commonplace in Central and Eastern Europe, with Hungary, the Czech Republic, Estonia, Lithuania, Poland and Slovenia all enacting data protection laws, most in the last couple of years[67].
The EU has now legally bound its own institutions by the provisions of the Directive, through A213b of the Treaty of Amsterdam, a modification of the treaty constituting the European Community[68]. This Article also requires the EU to establish its own data protection supervisory body by 1999, so there will now be a pan-European `Data Protection Commissioner' (the name is not determined) who will no doubt have an influential voice in the future direction of data protection in Europe. There is also a draft decision before the Council of the EU to authorise the EU Commission to negotiate EU accession to the Council of Europe privacy Convention (Convention 108)[69]. Accession would give the EU a formal role in the future development of the Convention, which has a broader international coverage than the Directive.
Swire and Litan point out that the `history and philosophy of the Directive are strongly influenced by its mainframe roots'[70], and we could add that it predates pervasive telecommunications. The world of computing has of course shifted from such a relatively centralised model of large computers and `data controllers' to a far more decentralised paradigm thanks to the inter-relation of personal computers and the internet (and their cousins, intranets and extranets). The Directive is an end-point of a legislative history with its origins in the 1960s. This means that it is necessary to look carefully at the terms of the Directive, and implementing national legislation, in order to work out just which types of transfers are and are not covered. How the Directive may apply to personal information contained in e-mail, web browsing, backup of information in multi-national corporate networks, are all complex issues. Swire and Litan point out that even bringing laptop computers and personal organisers out of Europe could cause problems. The following comments cover some of the more obvious forms of transfer, but many others may need consideration[71].
First, the transfer of this personal data from Europe must (in theory) comply with the Directive's data export requirements. Since the `exporter' is the individual concerned, it may be that the exception for `unambiguous consent' would apply, but perhaps only if the person knew that the data was being transferred to a country without adequate privacy laws. Although it seems unlikely that national data protection laws could be used to directly stop European individuals from transferring their own personal data to overseas companies on the internet, there could be indirect consequences. For example, if the same company is seeking to show the European Commission that it provides `adequate safeguards' in another type of transaction, then its internet transactions may complicate its position. Complications for enforcement of such transactions in European courts might also require consideration.
More likely, however, is the possibility that the collection of the personal data could be considered to be governed by the national law of the European country concerned, since it is `processing of personal data' (which includes collection) which `makes use of equipment' (the user's computer) `situated on the territory' of the European country (A4(1)(c)). The Directive requires such processing to be covered by national data protection laws. In this case, the act of collection (at least) would have to comply with all the national requirements or the overseas company would be in breach, not of the export prohibitions but the collection requirements. In this case there is an additional procedural hurdle and compliance cost, because A4(2) then requires the overseas controller to `designate a representative established in the territory of the Member State'. Appointing local representatives in every EU country is not exactly what one associates with global commerce over the internet!
In a related development, French law is prohibiting the sale of computers in France which do not have `cookie stoppers' in their internet browsers, to help reduce inadvertent disclosure of personal information by French users of the internet. The French approach of dictating privacy-friendly technologies will not be the last example of governments attempting to control the `code' of cyberspace.
However, they may face the additional complication that any processing they do in Australia could be considered to be `carried out in the context of the activities of an establishment of the controller on the territory of a Member State' (the `control test') and therefore required by the Directive to be governed by the national data protection law of the Member State (A4(1)(a)). In other words, they may have to comply fully with the European privacy principles in relation to data processed in Australia - including the data export restrictions on transferring data to other Australian companies within Australia!
The 'EU-level' supervision of the Directive is distributed between four bodies: the Commission of the EU (via D-G XV); a Committee of representatives of EU Member States (and in some circumstances, the EU Council itself) (the `A31 Committee'); and an advisory Working Party of the national data protection authorities (the `A29 Working Party'). The following comments relate principally to the data export aspects of the Directive, where all four bodies may have a role.
The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. The Commission is also required to advise the Working Party of what action it has taken concerning its opinions and recommendations (A30(5)), and to negotiate with non-EU countries concerning 'adequate protection' (A25(5)). The Commission does not have delegated legislative powers[75].
The EU Commission's main role in the Directive is to submit to this `A31 Committee' a draft of the 'community implementing measures' it considers should be taken (A31(1)). The A31 Committee can decide to implement the recommended measures, but if it disagrees with the Commission then the Council decides[77].
The types of 'implementing measures' which will be dealt with by this process include decisions on adequacy of third country laws (A25(4)), and proposed authorisations of data transfers on the grounds of `adequate safeguards' (A26(3), (4)). As they are formal decisions on these matters under the Directive, national authorities would be expected to adhere to the approach decided under the A31 procedure.
The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (A29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party's opinions and recommendations (A29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A29(6)).
It seems, therefore, that the Working Party, which is likely to be the body best informed and concerned about the state of privacy laws in non-EU countries, will be able to bring the inadequacy of the laws in particular countries to the attention of the Commission.
Where such decisions are positive they could constitute parts of the white list envisaged. The list could then be distributed widely and used by data controllers, supervisory authorities and Member States as a guide to their own decisions. The A29 Working Party does not propose to produce a `black list'. They say that this is politically very sensitive, and suggest only that an absence from the `white list' means that no general guidance is available concerning that country.
In `First Orientations' the Working Party also states that it will produce a further paper outlining which categories of transfer it considers pose particular risks to privacy. Where such a transfer was proposed to a country not on the white list, this document would provide guidance to national data protection authorities on:
There are, however, a number of factors which may give the A29 Working Party an influence beyond its formal role:
[56] Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data
[57] 26 June 1997, European Commission, Directorate General XV, XV D/5020/97-EN final
[60] Not yet available on the web: see for availability
[61] For a review of progress in all jurisdictions, see Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the `Article 29 Working Party') First Annual Report, 25 June 1997, at 2.1.2
[62] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'; See Privacy Laws & Business Newsletter No 39, August 1997, p5 for discussion of the Greek law.
[64] See Lee Bygrave `Data Protection Reform in Scandinavia' Privacy Law & Policy Reporter Vol 5 No 1 (forthcoming)
[65] Peter P. Swire & Robert E. Litan `None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive' (Interim Report Issued for a Conference of the Brookings Institution, October 21, 1997), Footnote 3 -
[66] The collapse in April 1997 of a proposed treaty between Europe and Australia, and its replacement by a lower-level joint declaration, because of European insistence on a clause requiring observance of human rights underlines the extent to which Europe is willing to place human rights considerations before other important economic policy goals.
[67] See Privacy Laws & Business Newsletter No 42, February 1998, p9 and 4 PLPR 192.
[68] Privacy Laws & Business Newsletter No 39, August 1997, p2
[69] Privacy Laws & Business Newsletter No 39, August 1997, p3
[70] Swire and Litan op cit Chapter 4
[71] Swire and Litan op cit Chapter 4 analyse many of these situations.
[72] Member states are required to apply the national provisions they adopt to processing of personal data in two principal situations (A4): (i) where it is 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State'; and (ii) the controller is not established on the territory of an EU Member State, but makes use of equipment situated in a Member State for purposes of processing (except mere transit). Berthold characterises this as a 'control test' supplemented by a 'processing test' (M Berthold 'Hong Kong's data privacy proposals' (1994) 1 PLPR 188)
Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.
[73] Report of speech by Barbara Wellbury, Chief Counsel NTIA, July 1996 - Privacy Laws & Business, December 1996, p15
[74] ibid
[75] The Commission proposed it should have a rule-making power to adopt such `technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.
[76] The Committee acts by majority, but the votes of each representative are weighted according to A148(2) of the Treaty establishing the European Community (A31(2)).
[77] If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).
[78] The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.