
3. The EU Directive's data export requirements


The European Union Directive on privacy and free flow of personal data[56] of 1995 (`the Directive') requires EU Member States to prohibit the transfer of personal data to any country whose privacy laws do not meet the standards set out in the Directive. The changes to the laws of Member States needed to implement the Directive must be in force by October 1998.

The 1995 Directive is in stark contrast in this respect to the two previous major international privacy instruments, the OECD privacy Guidelines and the Council of Europe privacy Convention of the early 1980s. Neither of those agreements requires its signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They contain no positive requirement to restrict exports, but leave this to the signatory countries.

3.1. Problems in interpreting the EU's data export restrictions

Until recently there was little guidance available from official bodies of the EU, or even from authoritative spokespersons, to assist in determining the likely impact of the Directive on countries such as Australia, both in terms of how its content will be interpreted, and in the procedures for its administration.

New sources of interpretation of the Directive and its implementation are now available:

One of the main purposes of this part is to analyse these recent interpretative resources concerning the Directive.

3.2. Reactions to the Directive's export prohibitions

Reactions outside Europe to the data export aspects of the Directive range across a wide spectrum, from confrontation to `denial' to exaggeration of its likely effects. Governments outside Europe have adopted an equally wide range of positions, with the United States leading resistance to national privacy laws, recently supported by Japan and (in effect) Australia. Other jurisdictions have adopted strong privacy laws for reasons of domestic policy, with the side-effect of removing their compliance problems.

`They have no right ...'

Some, particularly the American government, have tended to say that Europeans have no right to impose their privacy standards on the rest of the world. The reply is that Europeans have a right to protect personal data concerning Europeans from leaving Europe if it is likely to be misused, and that is all the Directive requires. The real substance of this argument concerns the methods by which protection is provided, and the question is whether the Europeans are sufficiently flexible about those methods.

Similar arguments apply to the insistence on minimum standards of protection for intellectual property as a condition of other aspects of bilateral relations. The American government has been an insistent advocate of this in its dealings with various Asian countries in recent years, and has been willing to resort to trade sanctions to protect American intellectual property. The European demand for minimum standards of data protection wherever European personal data is exported is very similar.

The inconsistency of American government objections to laws with extra-territorial effect is noted by Swire and Litan, who cite the American application of anti-trust laws, the Helms-Burton law imposing sanctions against countries trading with Cuba, and other examples[65].

`They can't really be serious ...'

The second form of `denial' is to assume `they can't be serious and won't really enforce this'. The extent of enforcement will not become clear until after 1998, but European experts who have followed the development of the Directive stress that European authorities regard the Directive as a whole as an important element of the protection of human rights, and its enforcement as a serious and important matter[66].

Realism is needed

The opposite extreme is to assume that Asia Pacific businesses and government agencies will be refused access to European personal data on the day after the Directive comes into force, because of the absence of privacy laws covering their private sectors. The reality is more complex. The exceptions to the Directive, and the means by which the practices of specific companies can satisfy its requirements, all require detailed analysis. European authorities are unlikely to act hastily, but equally their hand could be forced by complaints made under national laws.

3.3. European countries and institutions consolidate data protection

The force of the Directive continues to prompt other data protection developments in Europe that indicate just how seriously the Europeans now regard privacy protection.

All fifteen EU Member States have now implemented national data protection laws binding both the public and private sectors, with the recent laws in Italy and Greece completing the set. The Greek law is the first in Europe to seek to implement all the requirements of the EU Directive in domestic law (as all other EU members must do by October 1998).

Outside the EU, data protection laws are now commonplace in Central and Eastern Europe, with Hungary, the Czech Republic, Estonia, Lithuania, Poland and Slovenia all enacting data protection laws, most in the last couple of years[67].

The EU has now legally bound its own institutions by the provisions of the Directive, through A213b inserted by the Treaty of Amsterdam into the Treaty establishing the European Community[68]. This Article also requires the EU to establish its own data protection supervisory body by 1999, so there will be a pan-European `Data Protection Commissioner' (the name is not yet determined) who will no doubt have an influential voice in the future direction of data protection in Europe. There is also a draft decision before the Council of the EU to authorise the EU Commission to negotiate EU accession to the Council of Europe privacy Convention (Convention 108)[69]. Accession would give the EU a formal role in the future development of the Convention, which has a broader international coverage than the Directive.

3.4. Three ways to satisfy the EU's data export requirements

The Directive's data export requirements can be satisfied in three ways, stated in decreasing order of generality: Each of these is examined in detail in the next part, but first it is necessary to consider the scope of the Directive, and its enforcement mechanisms.

3.5. Scope - What types of transfers of data are covered?

It is obvious that wholesale `transfers' of personal data outside Europe, such as when a company or government body outsources its data processing overseas, or when a direct marketer sells a mailing list to an overseas company, are covered by the data export prohibitions. However, there are other, less obvious types of `transfer' of data between Europe and countries like Australia that could also be affected.

Swire and Litan point out that the `history and philosophy of the Directive are strongly influenced by its mainframe roots'[70], and we could add that it predates pervasive telecommunications. The world of computing has of course shifted from that relatively centralised model of large computers and `data controllers' to a far more decentralised paradigm, thanks to the combination of personal computers and the internet (and their cousins, intranets and extranets). The Directive is the end-point of a legislative history with its origins in the 1960s. It is therefore necessary to look carefully at the terms of the Directive, and of the implementing national legislation, to work out which types of transfer are and are not covered. How the Directive applies to personal information contained in e-mail, in web browsing, or in backups within multinational corporate networks are all complex issues. Swire and Litan point out that even carrying laptop computers and personal organisers out of Europe could cause problems. The following comments cover some of the more obvious forms of transfer, but many others may need consideration[71].

Remote access to EU personal data from the Asia Pacific

A25 refers to `transfer ... to a third country', so the question arises of whether it will be possible to access Europe-based databases from non-European locations. An example would be an Australian branch of a European or international company accessing the company's own internal database located in Europe. The problem is that any such access necessarily involves the data needed for the screen display on the user's computer being `transferred' to that computer, and would therefore constitute `transfer ... to a third country'. Remote access would therefore have to come within an exception to A25 before it was permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test[72].

Collection of personal data from Europeans over the internet

If a company in an Asia Pacific country enters into transactions over the internet with customers in Europe, then there are at least two ways to analyse this situation. The US National Telecommunications and Information Administration (NTIA) has raised concerns about the effect of the Directive on US-based companies that use the internet[73], and it is easy to see why.

First, the transfer of this personal data from Europe must (in theory) comply with the Directive's data export requirements. Since the `exporter' is the individual concerned, the exception for `unambiguous consent' may apply, but perhaps only if the person knew that the data was being transferred to a country without adequate privacy laws. Although it seems unlikely that national data protection laws could be used to directly stop European individuals from transferring their own personal data to overseas companies over the internet, there could be indirect consequences. For example, if the same company is seeking to show the European Commission that it provides `adequate safeguards' for another type of transaction, its internet transactions may complicate its position. Enforcement of such transactions in European courts might also need consideration.

More likely, however, is that the collection of the personal data would be considered to be governed by the national law of the European country concerned, since it is `processing of personal data' (which includes collection) which `makes use of equipment' (the user's computer) `situated on the territory' of that country (A4(1)(c)). The Directive requires such processing to be covered by national data protection laws. In that case the act of collection (at least) would have to comply with all the national requirements, or the overseas company would be in breach, not of the export prohibitions, but of the collection requirements. There is also an additional procedural hurdle and compliance cost, because A4(2) then requires the overseas controller to `designate a representative established in the territory of the Member State'. Appointing local representatives in every EU country is not exactly what one associates with global commerce over the internet!

In a related development, French law is prohibiting the sale of computers in France which do not have `cookie stoppers' in their internet browsers, to help reduce inadvertent disclosure of personal information by French users of the internet. The French approach of dictating privacy-friendly technologies will not be the last example of governments attempting to control the `code' of cyberspace.

Imports of personal data from Asia Pacific into the EU

There are no explicit equivalent restrictions on the import of personal data from a third country into an EU Member State. A25 and A26 refer only to transfers `to' a third country, not to transfers `from' one. However, importing the data may constitute `collection' and therefore `processing', so that the importer must comply with the national law of the EU state into which the import takes place, applying the processing test[74], including all conditions relating to fair collection. If personal data is collected in a country which has no privacy laws governing fair collection, how can its transfer to a European country be guaranteed to comply with European fair collection standards? If this analysis is right, objections to data imports from countries such as Australia could be made to the relevant national data protection authority and to the European Commission, and the same enforcement mechanisms as are discussed below brought into play.

European companies based in, or outsourcing to, Asia Pacific

European companies which operate in the Asia Pacific, or are considering doing so, will have to pay particular regard to all of the complexities listed above, because of the likely complexity of their legal position in their home country.

They may also face the additional complication that any processing they do in Australia could be considered to be `carried out in the context of the activities of an establishment of the controller on the territory of a Member State' (the `control test'), and therefore required by the Directive to be governed by the national data protection law of that Member State (A4(1)(a)). In other words, they may have to comply fully with the European privacy principles in relation to data processed in Australia, including the data export restrictions on transferring data to other Australian companies within Australia!

3.6. EU enforcement mechanisms - supervision of the Directive

In the first instance, the implementation and supervision of the Directive is carried out by the national data protection authorities in the Member States, once their privacy laws have been amended to incorporate the Directive's requirements.

The `EU-level' supervision of the Directive is distributed between four bodies: the Commission of the EU (via D-G XV); a Committee of representatives of the EU Member States (the `A31 Committee'); in some circumstances the EU Council itself; and an advisory Working Party of the national data protection authorities (the `A29 Working Party'). The following comments relate principally to the data export aspects of the Directive, where all four bodies may have a role.

The EU Commission's role (D-G XV)

The European Commission's role in supervision of the Directive is carried out by Directorate-General XV, Internal Market and Financial Services, Unit D1 - Free Movement of Information and Data Protection, Including International Aspects (`D-G XV').

The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. The Commission is also required to advise the Working Party of what action it has taken on its opinions and recommendations (A30(5)), and to negotiate with non-EU countries concerning `adequate protection' (A25(5)). The Commission does not have delegated legislative powers[75].

The Committee of Member States, and the EU Council

Chapter VII (`Community implementing measures') provides for a Committee comprised of representatives of each Member State and chaired by a non-voting Commission representative (A31(1))[76].

The EU Commission's main role in the Directive is to submit to this `A31 Committee' a draft of the `Community implementing measures' it considers should be taken (A31(1)). The A31 Committee can decide to implement the recommended measures, but if it disagrees with the Commission then the Council decides[77].

The types of `implementing measures' which will be dealt with by this process include decisions on the adequacy of third country laws (A25(4)), and proposed authorisations of data transfers on the grounds of `adequate safeguards' (A26(3), (4)). As these are formal decisions under the Directive, national authorities would be expected to adhere to the approach decided under the A31 procedure.

The Working Party of supervising authorities

The Working Party on the Protection of Individuals with regard to the Processing of Personal Data (the `A29 Working Party') is composed of representatives of national data protection authorities (one for each EU state), a representative of EU institutions (in future, presumably the new EU `Data Protection Commissioner'), and a representative of the Commission (A29)[78]. It takes decisions by simple majority.

The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at Community level (A30(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A30(3)). The Commission is required to report on the responses it has made to the Working Party's opinions and recommendations (A30(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A30(6)).

It seems, therefore, that the Working Party, which is likely to be the body best informed about (and most concerned with) the state of privacy laws in non-EU countries, will be able to bring the inadequacy of the laws of particular countries to the attention of the Commission.

`White lists' of countries with adequate data protection

In the Working Party's `First Orientations' paper it proposes the formulation of `White Lists' of third countries that provide adequate data protection. While admitting that it has `no explicit role in making decisions about particular data transfers' (that is the role of the A31 procedure), it interprets its explicit role in `giving the Commission an opinion on the level of protection in third countries' as meaning that it is `well within the remit' of the Working Party `to examine the situation in particular third countries in the light of some individual cases, and come to a provisional view as to the adequacy of protection'. It then notes that:

    Where such decisions are positive they could constitute parts of the white list envisaged. The list could then be distributed widely and used by data controllers, supervisory authorities and Member States as a guide to their own decisions.

The A29 Working Party does not propose to produce a `black list'. It says that this is politically very sensitive, and suggests only that absence from the `white list' means that no general guidance is available concerning that country.

In `First Orientations' the Working Party also states that it will produce a further paper outlining which categories of transfer it considers pose particular risks to privacy. Where such a transfer was proposed to a country not on the white list, this document would provide guidance to national data protection authorities on:

`First Orientations' only deals with A25 and `adequate protection', but the A29 Working Party does intend to produce further papers dealing with A26 `adequate safeguards' and other matters.

Who will exercise real power? - A29 vs A31

The formal decision-making power about adequate protection rests with the A31 Committee of representatives of Member States, but the A29 Working Party of representatives of national data protection Commissioners is clearly intent on taking an activist role. It would not be surprising if experts committed to the value of data protection were more willing to prohibit data transfers than governments preoccupied with good relations with trading partners.

There are, however, a number of factors which may give the A29 Working Party an influence beyond its formal role:

It may also be significant that the Commission (D-G XV), in its tender documents for the development of a methodology for assessing `adequacy', indicates that the A29 Working Party's `First Orientations' is the starting point for the Commission's own methodology. This may indicate an intention by the Commission to ensure consistency between all EU organs in their approach to the Directive, but it also indicates that the significance of the A29 Working Party has extended beyond what appears from the mere words of the Directive.

[56] Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[57] 26 June 1997, European Commission, Directorate General XV, XV D/5020/97-EN final

[58]

[59]

[60] Not yet available on the web: see for availability

[61] For a review of progress in all jurisdictions, see Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the `Article 29 Working Party') First Annual Report, 25 June 1997, at 2.1.2

[62] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'; See Privacy Laws & Business Newsletter No 39, August 1997, p5 for discussion of the Greek law.

[63]

[64] See Lee Bygrave `Data Protection Reform in Scandinavia' Privacy Law & Policy Reporter Vol 5 No 1 (forthcoming)

[65] Peter P. Swire & Robert E. Litan `None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive' (Interim Report Issued for a Conference of the Brookings Institution, October 21, 1997), Footnote 3 - http://www.osu.edu/units/law/swire1/noyb.htm

[66] The collapse in April 1997 of a proposed treaty between Europe and Australia, and its replacement by a lower-level joint declaration, because of European insistence on a clause requiring observance of human rights underlines the extent to which Europe is willing to place human rights considerations before other important economic policy goals.

[67] See Privacy Laws & Business Newsletter No 42, February 1998, p9 and 4 PLPR 192.

[68] Privacy Laws & Business Newsletter No 39, August 1997, p2

[69] Privacy Laws & Business Newsletter No 39, August 1997, p3

[70] Swire and Litan op cit Chapter 4

[71] Swire and Litan op cit Chapter 4 analyse many of these situations.

[72] Member States are required to apply the national provisions they adopt to processing of personal data in two principal situations (A4): (i) where it is `carried out in the context of the activities of an establishment of the controller on the territory of a Member State'; and (ii) where the controller is not established on the territory of an EU Member State, but makes use of equipment situated in a Member State for purposes of processing (except mere transit). Berthold characterises this as a `control test' supplemented by a `processing test' (M Berthold `Hong Kong's data privacy proposals' (1994) 1 PLPR 188).

Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.

Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by that EU state's privacy law. Not surprisingly, Europe cannot be used as a `data haven' to avoid the reach of privacy laws.

[73] Report of speech by Barbara Wellbury, Chief Counsel NTIA, July 1996 - Privacy Laws & Business, December 1996, p15

[74] See the explanation of the processing test in note [72] above.

[75] The Commission proposed it should have a rule-making power to adopt such `technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.

[76] The Committee acts by majority, but the votes of each representative are weighted according to A148(2) of the Treaty establishing the European Community (A31(2)).

[77] If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).

[78] The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.
