
4. Compliance with the EU data export requirements

4.1. Compliance test (1) - `Adequate protection'

Does a country provide an `adequate level of protection'?

The Directive provides that `Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (A25(1)) (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection.

The Directive sets out how an 'adequate level of protection' is to be assessed (A25(2)):

'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.'

It goes on to state that the Commission may decide that a third country `ensures an adequate level of protection ... by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(6)).

In `First Orientations' the A29 Working Party considers that A25 `envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers'. Nevertheless, it says, the impossibility of considering all data exports individually means that mechanisms must be developed `which rationalise the decision-making process for large numbers of cases' - for the benefit of both data controllers and data protection authorities.

EU national laws may define an `adequate level of protection'

The meaning of all three ways of satisfying the Directive's data export requirements can only be understood by looking, on a country-by-country basis, at how the Directive is implemented in national laws. The Greek Act and the UK Bill say nothing about the meaning of `adequate level of protection'. The Danish Bill requires it to be interpreted in the terms of the Directive, but the Swedish Bill ignores any direct mention of `adequacy' and instead allows the government to issue a `White List' of countries to which data may be transferred[79].

Ratification of the European privacy Convention (Convention 108)

The mention of `international commitments' in A25(6) clearly applies to the Council of Europe's privacy Convention, a binding international instrument, but it is less clear what other international agreements would be relevant.

In `First Orientations' the A29 Working Party appears willing to presume that data transfers to any non-EU countries that have ratified Convention 108 are allowed under A25(1) provided:

It is expected that some countries from Eastern Europe and Central Europe will become parties to the Convention. It is also possible for non-members of the Council of Europe to become parties to the Convention (although none have done so), and this could assist when decisions are made concerning whether a non-EU country has `adequate' laws. The Norwegian draft Bill to implement the Directive explicitly states that this is so[80]. The UK Bill just automatically assumes that any countries within the `European Economic Area' (broader than the EU, including Norway, Iceland and Liechtenstein) have adequate laws.

The non-binding nature of the OECD's privacy Guidelines means that their relevance to A25 could only ever be slight, and the Working Party does not bother to mention them.

Sectoral compliance

Although it is not completely clear from A25 whether the requirement of an `adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (eg credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The references to sectoral legislation and `professional rules' could be seen as supporting this interpretation. In `First Orientations' the A29 Working Party is of this view, commenting that `nothing would prevent the partial white listing of a third country'.

`Core' principles for `adequate protection'

Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of `adequate' suggests that only some partial compliance is required.

The A29 Working Party concludes from the EU Directive and other international privacy instruments that there are six `core' or `basic' principles which are the minimum requirements for protection to be considered adequate. In summary, they are:

Any exceptions to these core principles must be consistent with those in A13 (`Exemptions and restrictions') which provide for legislative exceptions necessary to safeguard important state interests, or `the protection of the data subject or the rights or freedoms of others'. Individual consent is not explicitly included in the permitted grounds for exemption[81].

The first five `core' principles are a strong restatement of standard information privacy principles, particularly in that consent is not seen as a basis for reducing protection.

The sixth principle, restrictions on onward transfers, is the logical closing of a loophole which could otherwise be used to circumvent the restrictions on transfers from the EU by an intermediate transfer through a `safe' third country. It is a significant proposal because it weakens the case for adequacy of what is otherwise one of the strongest privacy laws outside Europe, that of New Zealand.

The Working Party does not see this list as `set in stone', and envisages that there can be circumstances where greater or lesser protection is needed, depending in particular on the degree of risk that the transfer poses to the data subject.

Procedural rights to ensure protection

A related question is whether `adequacy' need only be measured against the principles in the Directive (Chapter II), or whether it is also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages). The latter is the better view. It would be anomalous for A26(2) to require 'adequate safeguards' of enforcement if A25 did not. However, it might be expected that adequate protection could be provided by either individual enforceability or enforcement via a supervising authority.

The A29 Working Party in `First Orientations' concedes that, while in Europe it is generally considered that data protection principles should be embodied in law, and that there should be an independent supervisory authority, a better starting point is to identify the underlying objectives of data protection procedures. Three objectives are identified:

Can there be `adequate protection' without legislation?

The Working Party's approach leaves open, in principle at least, the possibility of non-legislative mechanisms providing adequate protection, as it frames the criteria in terms of underlying objectives. `First Orientations' leaves as an open question whether industry self-regulation or technical `standards' could ever meet these requirements, but later documents provide partial answers.

A25 refers to assessments of adequacy being made `in the light of all the circumstances surrounding a data transfer', so the Working Party is no doubt correct that an a priori exclusion of non-legislative protection is wrong. However, the only types of mechanisms referred to specifically in A25 are `the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country' (A25(2)) and (in relation to A31 decisions) `domestic law or ... international commitments it has entered into' (A25(6)). The Directive therefore leaves the question open.

Industry 'codes of conduct'

What role can industry self-regulation through codes of conduct play? On the face of the Directive, entirely voluntary codes of conduct in third countries[82] seem unlikely to constitute adequate protection. A25 does not make specific mention of Codes of Conduct. `Professional rules' are mentioned specifically in A25(2), but the notion of `professional rules' may entail compulsory registration as a condition of practice (as in many professions) and powers in some organisation to `strike off' from the right to practice or impose other penalties. However, the new Greek law does refer to `codes of practice' as one of the factors to be considered, in its implementation of A25.

It is also difficult to see an industry-developed code as adequate sectoral compliance unless participation is compulsory, because sectoral recognition would protect those industry members who did not comply (sometimes called `free riders'). Even more serious is the problem of those sectors where there are few institutional structures that even allow identification of data controllers, which makes it very difficult to enrol them in such schemes. The Working Party does not address this issue, or suggest whether or not `adequacy' could be recognised as restricted to participants in a voluntary scheme. The advantage of legislation in relation to the `free rider' problem is that, at least where breaches have been identified, ex post facto sanctions may be applied.

These problems have now been addressed by the A29 Committee in `Judging Industry self-regulation', which starts from the assumption that various forms of self-regulation could potentially come within the notion of `professional rules'. Their approach is that the comprehensiveness of the industry association responsible for the code (the `free rider problem') is less important than the enforceability of the code. The content of the code must, of course, cover the `core principles' that A25 requires. The effectiveness is to be judged by the criteria suggested in `First Orientation':

It is obvious that purely voluntary codes of conduct are entirely irrelevant to these criteria.

Data protection as a technical `standard' - CSA & ISO initiatives

There has been interest in whether technical standards of the type administered by national Standards authorities, and coming within the ISO framework, can satisfy the `adequacy' requirement.

The A29 Working Party delivered an `opinion' on these developments in May 1998[83] (http://europa.eu.int/comm/dg15/en/media/dataprot/opinion.htm), which says nothing directly about how such standards contribute to `adequacy', but only that it `takes note of the work undertaken in Canada regarding the creation of quality standards for the protection of privacy; notes the initiative to develop and adopt international standards within the International Standard Organisation (ISO); [and] considers that such initiatives significantly contribute to the protection of fundamental rights and privacy on a world-wide basis'.

Ulf Brühann, head of the D-G XV unit at the European Commission which is responsible for the Directive, says that such standards can make `a real contribution', particularly because they mean that the cost of audits is borne by the data user, not the taxpayer. `External auditing thus introduces the "polluter pays" principle to data protection'[84].

The EU mechanisms for decisions concerning `adequate protection'

Decision and notification by a Member State

In the first instance, it is the laws of Member States of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (A25(1)), and it is a decision by an authority in the Member State which prohibits the transfer.

Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'adequate safeguards'.

Decisions by the A31 Committee on adequate protection

As explained above in relation to supra-national enforcement of the Directive as a whole, it is the A31 Committee of Member State representatives that decides whether to accept the draft measures proposed by the Commission (A31(2)). The Commission, with the Committee's approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries[85]. The position is therefore that Member States make any decisions to prohibit transfers, but the Committee can over-ride such decisions.

'Complaints' about adequate protection

Even though it is the Committee that makes the decisions, it is still the Commission that must first be convinced to propose action against a third country, so it is important to ask how claims of 'inadequacy' can be brought to the Commission's attention. Member States are obliged to do so in the course of considering transfers to third countries (A25(3)). The Working Party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the Commission would receive official notification that way. As might be expected, the Commission is reported to be likely to initiate its own studies of the laws and codes of the EU's more important non-EU trading partners[86], and in 1998 commissioned a study of the methodology of assessing adequacy, with case studies in six Asia-Pacific countries[87].

Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or `on the basis of other information'. This may have left the way open for a form of `complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be.

Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the A29 Working Party. The Working Party's activist role in the Directive's procedures, as shown in `First Orientations', makes this more likely to be an effective way of bringing a country's laws into the EU processes.

Commission negotiations with third countries

If the Committee accepts measures proposed by the Commission on the basis of the inadequacy of a third country's laws, only then can the Commission enter into negotiations with the third country 'with a view to remedying the situation' (A25(4))[88].

A political or a legal process?

A Canadian commentator interprets this decision-making process as essentially political rather than legal[89]:

The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of `adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.

Although decisions are more correctly described as being made by the Council and the Commission, not just `the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.

It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously `adequate' level of data protection.

4.2. Compliance test (2) - Exceptions to `adequate protection'

Mandatory exceptions to `adequate protection' requirement

Instead of leaving it completely to the Member States to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the Directive requires member States to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six conditions is satisfied (provisos to A26(1)).

The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) 'is necessary for performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken in response to the data subject's request';
(iii) 'is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.

Limits of these exceptions

These exceptions are not as broad as they first appear. It is crucial to recognise that they are not `self-executing' exceptions: they will only exist to the extent that they are embodied in the national laws of the fifteen EU member states. They are also likely to become more precise as they are implemented in national laws (A5), and are likely at that point to become subject to different wordings in each national law[90].

The only implementation to date is in Part 9 of the new Greek law[91], and it illustrates the potential for considerable divergence, as discussed below. The UK, Norwegian and Danish Bills follow the Directive reasonably closely, but they also have their variations.

The A29 Working Party in `First Orientations' says `the working assumption is that the wording of these exceptions is fairly narrow...'. They will provide guidance on the meaning of these exceptions in future work.

Unambiguous consent (and a permit?)

The consent of the data subject `to the proposed transfer' must be `unambiguous', where only consent and not a contract with the data subject is relied upon. However, there seems to be no restriction on the consent being obtained by the third party recipient of the data (eg the Australian `importer'), not only by the EU-based `controller'. The requirement that consent to the proposed transfer be `unambiguous' may imply that the data subject must consent to his or her personal data being transferred to a country which does not have adequate privacy laws, on the basis that mere transfer to `another country' is not normally a matter of concern within the EU because of the Directive. It is therefore unlikely that EU-based controllers can simply obtain blanket consents to transfer personal data anywhere they like. It almost certainly implies that consent must be explicit, not implied, and that mere notice of intent by the data controller will be ineffective.

One major unanswered question is whether individual consent to a transfer to a country where there is no adequate protection can be made subject to conditions to protect individuals by the EU national laws. The first example available, the new Greek law, is uninformative in how it interprets `unambiguous' (`except if ... extorted in a way which is contrary to law or bonos mores'), but transfers based on such consent still require `permission granted' by the Greek data protection authority.

This requirement of a permit - which also applies to all the other mandatory exceptions - is not part of the Directive, so the Greek law is in this respect a narrow interpretation, designed to place maximum impediments and exposure in the way of reliance on consent.

The UK Bill drops the word `unambiguous'[92].

A recent case under Swedish law shows how consent requirements are already being enforced in EU national laws, as explained by Simon Davies[93]:

"Sweden has already tested the waters. Last year, in what could well be a sign of things to come, Sweden's privacy watchdog, Anitha Bondestam, instructed American Airlines to delete all health and medical details on Swedish passengers after each flight unless "explicit consent" could be obtained. These details (information about allergies, asthma notification, dietary needs, disabled access, and so on) are routinely collected, but Bondestam's order meant that American would be unable to transmit the information to its SABRE central reservation system in the US.
The airline appealed to Stockholm's District Administrative Court, arguing it was "impractical" to obtain consent. American further argued that people would be inconvenienced if they had to repeat the information each time they flew. The court was unconvinced. Inconvenience, it concluded, does not constitute an exemption from legal rules for the protection of data. American launched a second action in the Administrative Court of Appeal, but the airline lost this case, too, and the matter now rests before Sweden's Supreme Administrative Court. In the meantime, the export and processing of medical data to American's reservation system has been suspended."

Protection of contracts - for EU benefit only

The reference to `a contract between the controller and the data subject' appears to refer only to a contract with the EU-based controller of the data to be exported, not a contract with the recipient in the third country such as Australia or Japan[94]. If so, it seems that the reference to `pre-contractual' measures would be only to contracts made with a European entity. So, for example, an Australian credit bureau could not use this proviso to obtain a credit report from Europe, but a European credit bureau could use it to disclose a European's identity to an Australian or Japanese bureau in order to have a check done.

Protection of (which?) public interest

The reference to `public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. In the new Greek law, it appears that the only public interest referred to is that of Greece.

The Greek exception is also qualified by a requirement that the data controller `grants sufficient guarantees for the protection of private life and fundamental liberties and the exercise of the relevant rights'. Greece has obviously concluded that an A26 mandatory exception can nevertheless be made subject to qualifications which protect individual interests. If this approach is followed by other member States, relying on these exceptions may be a complex matter.

The UK Bill is limited to where the transfer is `necessary for reasons of substantial public interest', but allows the Secretary of State to specify by order circumstances which do come within this, and circumstances (not required by statute) which do not come within this[95]. The Danish draft Bill also specifies some types of public interests that are within this exception[96].

No protection of the importer's interests

There is no exception referring to the vital interests of the recipient (importer) of the information, nor of the exporter, but only those of the data subject. The existence of a contract between exporter and importer is insufficient, as it must also be a contract `concluded in the interest of the data subject'.

4.3. Compliance test (3) - `Adequate safeguards'

Authorisation of particular transfers with `adequate safeguards'

In addition to these mandatory exceptions, A26(2) now provides[97] that

'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses'.

This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute `adequate safeguards' is not explained.

A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an `adequate level of protection' for A25 purposes. It also reinforces the view that an `adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[98].

The A29 Working Party in `First Orientations' says that the contractual solutions envisaged by A26(2):

have inherent problems, such as the difficulty of a data subject enforcing his rights under a contract to which he is not himself a party ... and are therefore appropriate only in certain specific and probably relatively rare circumstances.

EU national legislation determines `adequate safeguards'

As with the A26(1) exceptions to A25, A26(2) `adequate safeguards' cannot be relied upon unless and until they are embodied in the national legislation of the fifteen EU member states. Unlike the A26(1) mandatory exceptions, it is completely up to the national legislatures whether they recognise any forms of `adequate safeguards'.

Consistency does not seem likely on the evidence to date:

"8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects."

The necessary content and remedies for 'adequate safeguards'

Neither the Directive nor the Working Party contemplates contracts being used as a device by which individuals can surrender their rights under the Directive. There can be no `contracting out' of data protection obligations under the Directive[99].

The A29 Working Party stressed in `First Orientations' that `adequate' is used in both A25 and A26(2) and that the substance of its future work on A26(2) is likely to draw significantly on the ideas in `First Orientations', given that both deal with a test of `adequacy'. In `The use of contractual provisions' the Working Party reiterates that all of the `core principles' must be found in a contract, and that `detail is ... imperative where the transfer is based on a contract'. Similarly, all of the procedural safeguards (`good level of compliance', `support and help', and `appropriate redress') must be found in a contractual solution.

If this approach is followed by national Commissioners, as is likely (since they are the A29 Committee), then contractual `adequate safeguards' will have to provide all of the six `core' principles and equivalents of the three procedural protections that are necessary for `adequate protection'.

Possible types of 'adequate safeguards'

A26(2) makes it clear that some contractual provisions can constitute 'adequate safeguards', but this does not mean that all types of contracts can `fix the problem' by insertion of appropriate clauses. `The use of contractual provisions' distinguishes situations where that will be more and less difficult.

Data subjects' contracts with suppliers or recipients

The type of contract that is most likely to be able to provide 'adequate safeguards' is that between the individual concerned and either the European data exporter or the third country data importer, or (in some cases) both.

The European exporter is able to give the data subject a wide range of contractual rights and guarantees, including guarantees of observance of the six core principles by both exporter and importer. The contract can give the data subject a right to damages or other remedies for breach. In order to make such contractual remedies meaningful, the law of the contract can be made the law of the country of domicile of the data subject (if different from the domicile of the exporter), with ancillary rights such as payment of all legal costs in the event of a successful action and limitation of awards of costs against the data subject (so as to simulate the situation of complaints to a data protection authority). In some cases, it may be possible for the exporter to give the data subject rights to pursue remedies against the exporter under a European data protection law. Whichever way it is done, it should be possible for the exporter to give the data subject meaningful contractual rights covering almost all of the Working Party's requirements for `adequacy', with the possible exception of the institutional mechanism to investigate complaints (which could come from an industry self-regulatory scheme). In `The use of contractual provisions' the Working Party recognises that this may occur, but assumes that the contract will make the exporter continue to be liable under EU national law even after the export.

Similarly, the data importer could contract with the individual concerned to provide the same rights as discussed above. This may be likely to occur when the individual resides in the same country as the importer. The problem is that the importer will not be liable under the EU national law, and therefore cannot provide the individual with a right to seek help and remedies under the EU national law of the exporter. The importer will have to provide other, non-statutory, adequate means of help and redress, which will be a difficult task.

Any such contracts would of course have to cover all of the content and procedural safeguards required for `adequacy'.

Exporter / importer contracts

Can private contracts between European data exporters and third country data importers (as distinct from their contracts with data subjects) constitute 'adequate safeguards'? There is a long history of attempts to make such contracts satisfy national privacy laws, since at least the early 1990s[100]. A25 makes no mention of contractual clauses at all, and it seems unlikely that contractual clauses could constitute 'adequate protection', even on a sectoral basis where they are adopted by an industry. A26(2) does not clarify whether its mention of 'contractual clauses' includes supplier-recipient contracts.

The main `inherent problem' noted in `The use of contractual provisions' is that in the laws of many countries (such as Australia) there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject. In Europe, the contract law of some EU states permits contracts to create third party rights, but in other states this is not possible[101].

The A29 Working Party says that its `preferred solution' is for the contract to set out how the importer is to apply the data protection principles in such detail that, in terms of EU national laws, the EU exporter remains the `data controller', so that the law of the EU Member State will still apply to the third country processing, and the individual concerned will therefore have enforceable rights against the exporter. However, it cautions that this solution will be unavailable where the importer is not processing data on behalf of the exporter, but is obtaining it to use it for its own purposes (for example, if it has rented or bought it) and will thus be the `controller'.

A similar approach was used in the German solution to the `Bahncard' data export to Citibank in the USA, explained by Davies as follows[102]:

"In November 1994 Citibank concluded a cobranding agreement with the German National Railway that was to form the basis of the biggest credit card project in German history. It soon emerged, however, that personal data on millions of German citizens would be processed in the US. The news triggered a public outcry, and German data-protection authorities bluntly told Citibank and the railway that the arrangement would be prohibited unless the two companies could devise an acceptable way to protect the privacy of cardholders. The benchmark laid down by local authorities was even stricter than the EU directive's - Citibank must guarantee privacy standards at least equal to those that exist under German law.
After six months of intense negotiations, the companies signed a contractual agreement that required both parties to institute a wide range of privacy protections. The agreement was applauded in Europe as a huge step forward, but it also required Citibank to make significant changes in the way it manages customer information. While Citibank has not calculated the exact cost of these changes, one company representative describes them as having required `a substantial expenditure of resources to implement.' "

The A29 Committee leaves open the possibility that, where the legal system of the exporter or importer allows creation of third party rights, a published exporter/importer contract granting rights to individuals may suffice. A number of organisations are now drafting such contracts, including the International Chamber of Commerce, American interests, and the Confederation of British Industry[103].

In a similar vein, Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[104]:

Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.

Reidenberg therefore saw supplier-recipient contracts as being of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.

It is therefore still uncertain when such supplier/recipient contracts will constitute 'adequate safeguards' for A26(2) purposes, but they are unlikely to be a panacea.

Voluntary codes of conduct and industry technical `standards'

Voluntary codes of conduct may be more likely to provide `adequate safeguards' for A26(2) purposes than `adequate protection' under A25, since adequacy can be judged in relation to whether the specific importing party in a transaction does actually apply the Code. The downside is that this will involve all the procedural requirements for a `one off' approval in each case, as discussed below.

The same may be said for data protection implementation as a technical standard with accreditation schemes (as discussed concerning the CSA and ISO initiatives).

In both cases, all of the problems of whether the scheme or standard meets all of the content and procedural requirements of `adequacy' will apply. It seems more likely that both voluntary codes and technical standards could form part, but only part, of `adequate safeguards'.

Procedures to determine `adequate safeguards'

At the Member State level

In the first place it is up to the law of the Member State to determine how it will grant an export authorisation, but it is clear from A26(2) that authorisations must be on a `one-off' basis (as the controller is required to `adduce adequate safeguards'), not by some blanket legislative provision. The laws of each Member State are likely to differ in these procedures. It seems that the EU-based `controller' would have to be the applicant for authorisation, and there would need to be a separate application in relation to each EU country from which data is to be exported.

The process is therefore not under the control of the company or government department in the importing country, but is one that could be fragmented into applications by every organisation in every EU country from whom the importer wishes to obtain data.

At the EU level

The Member State must inform the Commission and the other Member States of 'authorisations granted' under A26(2) (A26(3))[105]. If another Member State or the Commission objects to the authorisation, the Commission is required to take `appropriate measures', after referring the matter to the Committee in accordance with A31(2) (A26(3)). Such objection would have to be lodged while the data export is still taking place, but this may easily occur in relation to any ongoing export relationships.

All Member States must then comply with the Commission's decision, including decisions that certain contractual clauses or other relationships do or do not offer 'adequate safeguards' (A26(4)).

Conclusion - Is it safe to rely on `adequate safeguards'?

It appears, therefore, that the process for obtaining authorisations on the basis of `adequate safeguards' is one likely to be uncertain, complex, time consuming and costly.

Bennett, writing from a Canadian perspective, is sceptical about the extent to which data users can rely on A26[106]:

Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.

4.4. Conclusions - no easy options, no cheap way out

The Directive offers few easy options

Comprehensive privacy legislation which covers the six `core' principles and contains serious enforcement mechanisms seems to be the only certain way to obtain ready inclusion in the proposed `white list' of countries providing `adequate protection' for A25. The novel approach of ratification of the Council of Europe privacy Convention (Convention 108), even in advance of legislation, may be another route (and one that is in principle open to Australia).

Alternative approaches are all likely to result in considerable difficulties for companies and agencies wishing to obtain personal data from Europe:

`Compliance costs' - Is `adequate protection' the cheaper option?

At least insofar as companies wishing to obtain personal information from Europe are concerned, the Australian government's argument that national privacy protection should be abandoned because of compliance costs appears specious: the provision of adequate privacy protection to its customers is a normal operating cost of carrying on business. In future it will never be cost-free. National legislation embodying reasonable privacy principles and enforcement mechanisms, or supporting those developed through a co-regulatory approach, may help make the costs reasonable.

The alternative of ignoring privacy may make the costs unreasonably high.

[79] Bygrave, op cit

[80] Bygrave, op cit

[81] This is a different question from mandatory grounds for exceptions to adequacy in EU national laws (A26(1)), where consent is a ground.

[82] Article 27 requires Member States to encourage the development of national and European codes of conduct, but these cannot be a substitute for legally binding provisions in EU member states.

[83] Opinion 1/97 on Canadian initiatives relating to standardisation in the field of protection of privacy.

[84] Ulf Brühann `The EU Data Protection Directive and its impact on flows of personal data between the European Union and the Asia-Pacific region' First Asia-Pacific Forum on Privacy and Personal Data Protection, Hong Kong, 13-14 April 1998

[85] contra Reidenberg op cit p294

[86] Privacy Laws & Business Newsletter, No 31, September 1995, p2

[87] United States, Canada, Australia, New Zealand, Hong Kong and Japan - See G Greenleaf `European Commission tests adequacy of our privacy laws' 4 PLPR 141

[88] Unlike in the 1992 draft, it does not have to first conclude that `the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.

[89] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13

[90] The exceptions may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.

[91] Law No 2472 on the protection of individuals with regard to the processing of personal data, 10 April 1997 (Greece), A9 `Cross-border flow of personal data'

[92] Schedule 4, Clause 1

[93] Simon Davies "Europe to US: No privacy, no trade" WIRED 6.05 (May 1998), p 135

[94] See the definition of `controller' and its distinction from `recipient' (A2)

[95] Schedule 4, Clause 4

[96] Bygrave op cit

[97] Previous versions of the Directive used the expression `sufficient guarantees' instead of `adequate safeguards'. In some of my earlier papers on this subject I have not reflected this terminological change.

[98] Reidenberg op cit seems to assume that `adequate protection' can be found in `the specific circumstances of each data transfer on a case-by-case basis'.

[99] The A26(1) provisions for transfers to third countries by `unambiguous consent' may have this effect in some cases.

[100] The US government pushed for maximum recognition for supplier-recipient contracts (TDR, Sept/Oct 1991, p37), and the French data protection authority, CNIL, has allowed a number of transfers from France to countries then without data protection laws (Italy and Belgium) on condition that such contracts were entered into (see 65 ALJ 560). The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract (Privacy Laws and Business, October 1991, p6).

[101] A29 Working Party `The use of contractual provisions' p6

[102] Simon Davies "Europe to US: No privacy, no trade" WIRED 6.05 (May 1998), page 135

[103] See the programme for the Privacy Laws & Business 11th Annual Conference, to be held on 13-14 July 1998, where these approaches will be compared - http://www.privacylaws.co.uk/

[104] J Reidenberg 'Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, Vol 80 No 3 497 at 546

[105] In contrast with 'its proposal to grant authorization' as the 1992 Draft required

[106] Colin Bennett `Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p14
