The Directive defines 'adequate level of protection' as follows (A26(2)):
'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'
It goes on to state that the Commission may decide that a third country `ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(5)).
In `First Orientations' the A29 Working Party considers that A25 `envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers'. Nevertheless, it says, the impossibility of considering all data exports individually means that mechanisms must be developed `which rationalise the decision-making process for large numbers of cases' - for the benefit of both data controllers and data protection authorities.
In `First Orientations' the A29 Working Party appears willing to presume that data transfers to any non-EU countries that have ratified Convention 108 are allowed under A25(1) provided:
The non-binding nature of the OECD's privacy Guidelines means that their relevance to A25 could only ever be slight, and the Working Party does not bother to mention them.
The A29 Working Party concludes from the EU Directive and other international privacy instruments that there are six `core' or `basic' principles which are the minimum requirements for protection to be considered adequate. These are as follows (in summary):
The first five `core' principles are a strong restatement of standard information privacy principles, particularly in that consent is not seen as a basis for reducing protection.
The sixth principle, restrictions on onward transfers, is the logical closing of a loophole which could otherwise be used to circumvent the restrictions on transfers from the EU by an intermediate transfer through a `safe' third country. It is a significant proposal because it weakens the case for adequacy of what is otherwise one of the strongest privacy laws outside Europe, that of New Zealand.
The Working Party does not see this list as `set in stone', and envisages that there can be circumstances where greater or lesser protection is needed, depending in particular on the degree of risk that the transfer poses to the data subject.
The A29 Working Party in `First Orientations' concedes that, while in Europe it is generally considered that data protection principles should be embodied in law, and that there should be an independent supervisory authority, a better starting point is to identify the underlying objectives of data protection procedures. Three objectives are identified:
A25 refers to assessments of adequacy being made `in the light of all the circumstances surrounding a data transfer', so the Working Party is no doubt correct that an a priori exclusion of non-legislative protection is wrong. However, the only types of mechanisms referred to specifically in A25 are `the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries' (A25(1)) and (in relation to A31 decisions) `domestic law or ... international commitments it has entered into'. The Directive therefore leaves the question open.
It is also difficult to see an industry-developed code as adequate sectoral compliance unless participation was compulsory, because sectoral recognition would protect those industry members who did not comply (sometimes called `free riders'). Even more serious is the problem of those sectors where there are few institutional structures that even allow identification of data controllers, and which therefore make it very difficult to enrol them in such schemes. The Working Party does not address this issue, or suggest whether or not `adequacy' could be recognised as restricted to participants in a voluntary scheme. The advantage of legislation in relation to the `free rider' problem is that, at least where breaches have been identified, ex post facto sanctions may be applied.
These problems have now been addressed by the A29 Committee in `Judging Industry self-regulation', which starts from the assumption that various forms of self-regulation could potentially come within the notion of `professional rules'. Their approach is that the comprehensiveness of the industry association responsible for the code (the `free rider problem') is less important than the enforceability of the code. The content of the code must, of course, cover the `core principles' that A25 requires. The effectiveness is to be judged by the criteria suggested in `First Orientations':
The A29 Working Party delivered an `opinion' on these developments in May 1998[83] (http://europa.eu.int/comm/dg15/en/media/dataprot/opinion.htm), which says nothing directly about how such standards contribute to `adequacy', but only that it `takes note of the work undertaken in Canada regarding the creation of quality standards for the protection of privacy; notes the initiative to develop and adopt international standards within the International Standard Organisation (ISO); [and] considers that such initiatives significantly contribute to the protection of fundamental rights and privacy on a world-wide basis'.
Ulf Brühann, head of the D-G XV unit at the European Commission which is responsible for the Directive, says that such standards can make `a real contribution', particularly because they mean that the cost of audits is borne by the data user, not the taxpayer. `External auditing thus introduces the "polluter pays" principle to data protection'[84].
Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'adequate safeguards'.
Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or `on the basis of other information'. This may have left the way open for a form of `complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be.
Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the A29 Working Party. The Working Party's activist role in the Directive's procedures, as shown in `First Orientations', makes this more likely to be an effective way of bringing a country's laws into the EU processes.
The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of `adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.
Although decisions are more correctly described as being made by the Council and the Commission, not just `the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.
It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously `adequate' level of data protection.
The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) 'is necessary for performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken in response to the data subject's request';
(iii) 'is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.
The only implementation to date is in Part 9 of the new Greek law[91], and it illustrates the potential for considerable divergence, as discussed below. The UK, Norwegian and Danish Bills follow the Directive reasonably closely, but they also have their variations.
The A29 Working Party in `First Orientations' says `the working assumption is that the wording of these exceptions is fairly narrow...'. They will provide guidance on the meaning of these exceptions in future work.
One major unanswered question is whether individual consent to a transfer to a country where there is no adequate protection can be made subject, under EU national laws, to conditions which protect individuals. The first example available, the new Greek law, is uninformative as to how it interprets `unambiguous' (`except if ... extorted in a way which is contrary to law or bonos mores'), but transfers based on such consent still require `permission granted' by the Greek data protection authority.
This requirement of a permit - which also applies to all the other mandatory exceptions - is not part of the Directive, so the Greek law is in this respect a narrow interpretation, designed to place maximum impediments and exposure in the way of reliance on consent.
The UK Bill drops the word `unambiguous'[92].
A recent case under Swedish law shows how consent requirements are already being enforced in EU national laws, as explained by Simon Davies[93]:
"Sweden has already tested the waters. Last year, in what could well be a sign of things to come, Sweden's privacy watchdog, Anitha Bondestam, instructed American Airlines to delete all health and medical details on Swedish passengers after each flight unless "explicit consent" could be obtained. These details (information about allergies, asthma notification, dietary needs, disabled access, and so on) are routinely collected, but Bondestam's order meant that American would be unable to transmit the information to its SABRE central reservation system in the US.
The airline appealed to Stockholm's District Administrative Court, arguing it was "impractical" to obtain consent. American further argued that people would be inconvenienced if they had to repeat the information each time they flew. The court was unconvinced. Inconvenience, it concluded, does not constitute an exemption from legal rules for the protection of data. American launched a second action in the Administrative Court of Appeal, but the airline lost this case, too, and the matter now rests before Sweden's Supreme Administrative Court. In the meantime, the export and processing of medical data to American's reservation system has been suspended."
The Greek exception is also qualified by a requirement that the data controller `grants sufficient guarantees for the protection of private life and fundamental liberties and the exercise of the relevant rights'. Greece has obviously concluded that the A26 mandatory exceptions can nevertheless be made subject to qualifications which protect individual interests. If this approach is followed by other Member States, relying on these exceptions may be a complex matter.
The UK Bill is limited to where the transfer is `necessary for reasons of substantial public interest', but allows the Secretary of State to specify by order circumstances which do come within this, and circumstances (not required by statute) which do not come within this[95]. The Danish draft Bill also specifies some types of public interests that are within this exception[96].
'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses'.
This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute `adequate safeguards' is not explained.
A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an `adequate level of protection' for A25 purposes. It also reinforces the view that an `adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[98].
The A29 Working Party in `First Orientations' says that the contractual solutions envisaged by A26(2):
have inherent problems, such as the difficulty of a data subject enforcing his rights under a contract to which he is not himself a party ... and are therefore appropriate only in certain specific and probably relatively rare circumstances.
Consistency does not seem likely on the evidence to date:
"8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects."
The A29 Working Party stressed in `First Orientations' that `adequate' is used in both A25 and A26(2) and that the substance of its future work on A26(2) is likely to draw significantly on the ideas in `First Orientations', given that both deal with a test of `adequacy'. In `The use of contractual provisions' the Working Party reiterates that all of the `core principles' must be found in a contract, and that `detail is ... imperative where the transfer is based on a contract'. Similarly, all of the procedural safeguards (`good level of compliance', `support and help', and `appropriate redress') must be found in a contractual solution.
If this approach is followed by national Commissioners, as is likely (since they are the A29 Committee), then contractual `adequate safeguards' will have to provide all of the six `core' principles and equivalents of the three procedural protections that are necessary for `adequate protection'.
The European exporter is able to give the data subject a wide range of contractual rights and guarantees, including guarantees of observance of the six core principles by both exporter and importer. The contract can give the data subject a right to damages or other remedies for breach. In order to make such contractual remedies meaningful, the law of the contract can be made the law of the country of domicile of the data subject (if different from the domicile of the exporter), and ancillary rights can be given, such as payment of all legal costs in the event of a successful action and limitation of awards of costs against the data subject (so as to simulate the situation of complaints to a data protection authority). In some cases, it may be possible for the exporter to give the data subject rights to pursue remedies against the exporter under a European data protection law. Whichever way it is done, it should be possible for the exporter to give the data subject meaningful contractual rights covering almost all of the Working Party's requirements for `adequacy', with the possible exception of the institutional mechanism to investigate complaints (which could come from an industry self-regulatory scheme). In `The use of contractual provisions' the Working Party recognises that this may occur, but assumes that the contract will make the exporter continue to be liable under EU national law even after the export.
Similarly, the data importer could contract with the individual concerned to provide the same rights as discussed above. This may be likely to occur when the individual resides in the same country as the importer. The problem is that the importer will not be liable under the EU national law, and therefore cannot provide the individual with a right to seek help and remedies under the EU national law of the exporter. The importer will have to provide other, non-statutory, adequate means of help and redress, which will be a difficult task.
Any such contracts would of course have to cover all of the content and procedural safeguards required for `adequacy'.
The main `inherent problem' noted in the `The use of contractual provisions' paper is that in the laws of many countries (such as Australia) there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject. In Europe, the contract law of some EU states permits contracts to create third party rights, but in other states this is not possible[101].
The A29 Working Party says that its `preferred solution' is for the contract to set out how the importer is to apply the data protection principles in such detail that, in terms of EU national laws, the EU exporter remains the `data controller', so that the law of the EU Member State will still apply to the third country processing, and the individual concerned will therefore have enforceable rights against the exporter. However, it cautions that this solution will be unavailable where the importer is not processing data on behalf of the exporter, but is obtaining it to use it for its own purposes (for example, if it has rented or bought it) and will thus be the `controller'.
A similar approach was used in the German solution to the `Bahncard' data export to Citibank in the USA, explained by Davies as follows[102]:
"In November 1994 Citibank concluded a cobranding agreement with the German National Railway that was to form the basis of the biggest credit card project in German history. It soon emerged, however, that personal data on millions of German citizens would be processed in the US. The news triggered a public outcry, and German data-protection authorities bluntly told Citibank and the railway that the arrangement would be prohibited unless the two companies could devise an acceptable way to protect the privacy of cardholders. The benchmark laid down by local authorities was even stricter than the EU directive's - Citibank must guarantee privacy standards at least equal to those that exist under German law.
After six months of intense negotiations, the companies signed a contractual agreement that required both parties to institute a wide range of privacy protections. The agreement was applauded in Europe as a huge step forward, but it also required Citibank to make significant changes in the way it manages customer information. While Citibank has not calculated the exact cost of these changes, one company representative describes them as having required `a substantial expenditure of resources to implement.'"
The A29 Committee leaves open the possibility that, where the legal system of the exporter or importer allows creation of third party rights, a published exporter/importer contract granting rights to individuals may suffice. A number of organisations are now drafting such contracts, including the International Chamber of Commerce, American interests, and the Confederation of British Industry[103] (http://www.privacylaws.co.uk/).
In similar vein, Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[104]:
Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.
Reidenberg therefore saw supplier-recipient contracts as of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.
It is therefore still uncertain when such supplier/recipient contracts will constitute 'adequate safeguards' for A26(2) purposes, but they are unlikely to be a panacea.
The same may be said for data protection implementation as a technical standard with accreditation schemes (as discussed concerning the CSA and ISO initiatives).
In both cases, all of the problems of whether the scheme or standard meets all of the content and procedural requirements of `adequacy' will apply. It seems more likely that both voluntary codes and technical standards could form part, but only part, of `adequate safeguards'.
The process is therefore not under the control of the company or government department in the importing country, but is one that could be fragmented into applications by every organisation in every EU country from whom the importer wishes to obtain data.
All Member States must then comply with the Commission's decision, including decisions that certain contractual clauses or other relationships do or do not offer 'adequate safeguards' (A26(4)).
Bennett, writing from a Canadian perspective, is sceptical about the extent to which data users can rely on A26[106]:
Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.
Alternative approaches are all likely to result in considerable difficulties for companies and agencies wishing to obtain personal data from Europe:
The alternative of ignoring privacy may make the costs unreasonably high.
[79] Bygrave, op cit
[80] Bygrave, op cit
[81] This is a different question from mandatory grounds for exceptions to adequacy in EU national laws (A26(1)), where consent is a ground.
[82] Article 27 requires Member States to encourage the development of national and European codes of conduct, but these cannot be a substitute for legally binding provisions in EU member states.
[83] Opinion 1/97 on Canadian initiatives relating to standardisation in the field of protection of privacy
[84] Ulf Brühann `The EU Data Protection Directive and its impact on flows of personal data between the European Union and the Asia-Pacific region' First Asia-Pacific Forum on Privacy and Personal Data Protection, Hong Kong, 13-14 April 1998
[85] Contra Reidenberg, op cit, p 294
[86] Privacy Laws & Business Newsletter, No 31, September 1995, p2
[87] United States, Canada, Australia, New Zealand, Hong Kong and Japan - See G Greenleaf `European Commission tests adequacy of our privacy laws' 4 PLPR 141
[88] Unlike in the 1992 draft, it does not have to first conclude that `the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.
[89] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13
[90] The exceptions may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.
[91] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'
[92] Schedule 4, Clause 1
[93] Simon Davies "Europe to US: No privacy, no trade" WIRED 6.05 (May 1998), p 135
[94] See the definition of `controller' and its distinction from `recipient' (A2)
[95] Schedule 4, Clause 4
[96] Bygrave, op cit
[97] Previous versions of the Directive used the expression `sufficient guarantees' instead of `adequate safeguards'. In some of my earlier papers on this subject I have not reflected this terminological change.
[98] Reidenberg, op cit, seems to assume that `adequate protection' can be found in `the specific circumstances of each data transfer on a case-by-case basis'.
[99] The A26(1) provisions for transfers to third countries by `unambiguous consent' may have this effect in some cases.
[100] The US government pushed for maximum recognition for supplier-recipient contracts (TDR, Sept/Oct 1991, p37), and the French data protection authority, CNIL, has allowed a number of transfers from France to countries then without data protection laws (Italy and Belgium) on condition that such contracts were entered into (see 65 ALJ 560). The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract (Privacy Laws and Business, October 1991, p6).
[101] A29 Working Party `The use of contractual provisions' p6
[102] Simon Davies "Europe to US: No privacy, no trade" WIRED 6.05 (May 1998), p 135
[103] See the programme for the Privacy Laws & Business 11th Annual Conference, to be held on 13-14 July 1998, where these approaches will be compared
[104] J Reidenberg 'Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, Vol 80 No 3 497 at 546
[105] In contrast with 'its proposal to grant authorization' as the 1992 Draft required
[106] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p14