First, it establishes a Europe-wide set of legal principles for privacy protection, to be enacted in all EU member states. EU member states are now allowed three years to amend their laws to conform with the Directive (A 32(1)). Its content therefore represents the most recent international consensus on the desirable content of data protection rights, and may be a valuable model for Asia-Pacific countries. This section gives an overview of this 'privacy content' of the Directive, pointing out how it differs from the 1992 and 1990 versions.
Second, it prohibits the transfer of personal data from EU countries to any countries which do not have 'adequate' data protection laws, and will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific region and elsewhere, particularly in relation to the private sector. New Hong Kong and Taiwan laws impose similar restrictions on 'data exports'. The next section will explain how this 'data export' or 'transborder data flow' aspect of the Directive will work, and the final sections will assess the impact of these developments on Asia-Pacific countries.
Earlier this year the European Commission said that the Directive 'gives a signal to the EU's trading partners, such as Canada, Japan and the United States, of the importance the EU gives to the protection of the individual's rights in the application of new technological developments'.
The Directive was the subject of substantial lobbying by business interests, particularly the International Chamber of Commerce (ICC), which argued that international privacy laws should be harmonised on the model of the OECD Guidelines and the Council of Europe Convention, rather than the model proposed by the EU[10]. This was not to be.
A Working Party of the Council of Ministers then negotiated for three years to reach a 'common position' on the Amended Proposal[15]. On February 20 1995, the EU's Council of Ministers adopted a 'common position' on the Directive, making significant amendments in the process[16]. The United Kingdom abstained. This 'common position' draft Directive went to the European Parliament for a 'second reading', which resulted in its approval with minor proposed amendments on 15 June 1995. The Council of Ministers then adopted the Directive on 25 July.
References are to the completed Directive unless otherwise noted. The original draft will be referred to as the '1990 draft', and the Commission's subsequent amendments will be referred to as 'the 1992 draft'.
The heart of the Directive is a set of information privacy principles set out in Chapter II ('General rules on the lawfulness of the processing of personal data'). The methods by which these are to be enforced in national law and by the EU are set out in Chapters III ('Judicial remedies, liabilities and penalties'), V ('Codes of conduct'), VI ('Supervisory authority and Working Party ...') and VII ('Community implementing measures'). Chapter V deals with prohibitions on transfers of personal data to third countries. Chapter I provides definitions and covers the scope of the Directive. A sixteen-page preamble to the Directive provides comments on the objectives behind many of the provisions, and therefore aids interpretation.
The requirements of the Directive are, for the most part, in very general terms. Article 5 provides that 'Member States shall, within the limits of [Chapter II] determine more precisely the circumstances in which the processing of personal data is lawful'. However, specific national implementations pursuant to A5 cannot impose restrictions or prohibitions in relation to exchange of personal information between countries within the EU because of A1(2).
It is clear from its preamble that the Directive should not be seen as a 'minimum' standard for privacy laws within the EU. It is a standard to be complied with as both the minimum and maximum information privacy protection allowable under EU laws, subject to what the preamble refers to as 'a margin for manoeuvre' left to Member States. The preamble refers to the need to 'approximate' the laws of Member States, to make the protection offered by them 'equivalent', and to reduce 'divergences' between national laws. All this is said to be in order to prevent restrictions on transfer of data between Member States. Many of the Directive's Articles include exceptions to the general privacy protections that constitute the 'general rule' of the Article. These exceptions are just as mandatory as the general rules that they qualify, and national laws which attempted to provide a stricter standard of privacy protection by not recognising or limiting such exceptions would breach the Directive. However, there is room for argument within the language of some Articles which do not make it clear that what is not forbidden is allowed (eg A7 says 'data may be processed only if...', not 'if and only if ...'). The Directive is therefore best seen as a consensus of EU states on the 'desirable' level of privacy protection, not a minimum level. The preamble makes clear, however, that the Directive is considered to exceed the standard of protection required by the Council of Europe data protection Convention[18].
The Directive applies 'to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which forms part of a filing system or is intended to form part of a filing system' (A 3.1), a 'filing system' being any structured set of personal data (A2(c)[20]). The Working Group's most important decision was that structured manual data will remain in the Directive, despite opposition from the UK, Denmark and Ireland.
Processing in the course of activities falling outside Community law is exempted (A3.2), including 'processing operations concerning public security, defence, State security (including the economic well-being of the State) and the activities of the State in areas of criminal law'. Processing by a natural person in the course 'of a purely personal or household activity' is exempted (A3.2)[21]. Member States are also required to provide exemptions for 'processing carried out solely for journalistic purposes', and where necessary to reconcile freedom of 'artistic or literary expression' with privacy (A9).
The content of these principles is summarised or paraphrased below, emphasising those elements which are unusual.
(a) It is with the unambiguous consent of the data subject. Consent is only valid if the data subject receives prior notification of the purposes of collection and any proposed recipients, and may be withdrawn prospectively (A2(g)).
(b) It is necessary for the performance of a contract with the data subject, or for steps requested by the data subject prior to a contract[22]; or
(c) It is necessary to comply with a legal obligation to which the controller is subject;
(d) It is necessary to protect the vital interests of the data subject;
(e) It is 'necessary for the performance of a task in the public interest or carried out in the exercise of public authority vested in the controller or in a third party to whom the data are disclosed'; or
(f) It is 'necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...'. Article 7 does not elaborate on how this balancing is to be achieved, but the preamble says that Member States remain free to determine the appropriate balance in relation to use of information for 'legitimate ordinary business activities' and conditions of disclosure for marketing purposes. The Commission commented on the 1992 draft that '[t]his balance-of-interest clause is likely to concern very different types of processing, such as direct-mail marketing and the use of data which are already a matter of public record'[23]. Many of the most contentious privacy decisions are therefore still left to the Member States to make.
These six very general conditions apply to both public and private sector processing of personal data. Their generality will obviously allow for a variety of specific implementations in national laws.
(i) Rights to be informed of the purposes of collection, the obligatory nature thereof, intended recipients, and subject rights, at the time of collection (A10). Where information is obtained from someone other than the data subject, there are similar rights to be informed (A11);
(ii) Rights to obtain a copy of data about himself or herself, including information about its use; rights to obtain corrections, or erasure or blocking (suppression) of data processed in violation of the Directive; and to have such corrections, erasures or blocking communicated to third parties to whom the data has been disclosed (A12);
(iii) Rights to object to processing on 'compelling legitimate grounds' (A14(1)), and an opportunity to object to data being used for direct marketing[26] (by various forms of 'opting out'[27]) (A14(2)).
(iv) Rights not to be subject to decisions significantly affecting him which are based solely on automated processing intended to evaluate personal aspects relating to an individual[28], except where pursuant to a contract or legislative authority and there are suitable measures to safeguard the data subject's legitimate interests (A15). The subject's right of access must also include a right to know 'the logic involved' in any such automated decisions (A12(1)). It has been claimed that these provisions, which derive from French law, will cause considerable difficulties for US companies[29].
National laws are to specify 'processing operations likely to present specific risks', so that 'prior checking' of such systems by the supervisory authority can occur (A20). The authority must be notified of such proposed operations by the controller or the data protection official (A20(2)).
Public registers are exempt from the notification requirements (A21(3)), implying that they are generally subject to the principles.
The Directive therefore requires both a data protection authority with appropriate powers to supervise the information privacy principles, and individual rights of enforcement independent of those authorities. The enforcement mechanisms it requires are therefore quite strong.
Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.
The Commission proposed it should have a rule-making power to adopt such 'technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.
The EU Commission's main role in the Directive is to submit to this Committee a draft of the 'community implementing measures' it considers should be taken (A31(1)). If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).
The types of 'implementing measures' which will be dealt with by this process include decisions on adequacy of third country laws (A25(4)), and proposed authorisations of data transfers (A26(3), (4)).
The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (A29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party's opinions and recommendations (A29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A29(6)).
The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.
[10] International Chamber of Commerce 'Statement on the Protection of Personal Data', October 4 1991, reprinted in Transnational Data and Communications Report (TDR), Jan/Feb 1992, pp 37-41
[11] Com (90) 0314 - C3-0323/ Syn 287; OJ No. C277, 5.1.1990, p3
[12] Approved 11.03.92; For the original draft integrated with the Parliament's recommendations, see J Dumortier (Ed) Recent Developments in Data Privacy Law: Belgium's Data Protection Bill and the European Draft Directive Leuven University Press, 1992 (copy circulated with Privacy Laws and Business No 20)
[13] European Commission Amended Proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (92/C 311/04) Com (92) 422 Final - Syn 287, submitted by the Commission 16 October 1992; full text in Computer Law and Security Report Special Supplement - European Information Technology Law, 1994
[14] George Papapavlou, Principal Administrator, Commission of the European Communities, 'The Commission of the European Communities' Proposals on Personal Data (Privacy) Protection', in Privacy Regulation: International Developments, Australian Implications (Proc. Privacy International Conference), Continuing Legal Education Department, University of New South Wales Faculty of Law, 1992
[15] For examples of the deliberations, see article by Lotte Jorgensen (Working Group Chair during the Danish Presidency), Privacy Laws & Business, December 1993
[16] European Union (The Council) Common Position (EC) No /95 Adopted by the Council on ......... with a view to adopting Directive 94/ /EC of the European Parliament and the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data
[17] K Benyekhlef 'International standards for the protection of personal data and the information highway', Proceedings of Justice on the Electronic Highway (Conference), Ottawa, January 1995, Federal Department of Justice, Canada
[18] Convention of 28 January 1981 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data
[19] This was a principal change in the 1992 draft, and had been a major recommendation by the European Parliament; see G Hoon, rapporteur to the Legal Affairs and Citizens' Rights Committee, speech to the European Parliament, 10 February 1992
[20] The definition adds 'which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographic basis'.
[21] The 1990 draft exempted 'non-profit making bodies' (A3(2)), and the Parliament recommended more extensive exemptions relating to such bodies and to the press.
[22] The original draft's reference to 'or in the context of a quasi-contractual relationship of trust' has been deleted, and the Parliament's recommended addition of 'is inherent in the nature of the relationship between the controller of the data and the data subject' has not been followed.
[23] Explanatory Memorandum to the 1992 draft, p5. The 1990 draft contained a specific exemption where data comes from generally accessible public sources and is used only for 'correspondence purposes', and the Parliament had recommended that this be extended to cover 'marketing or credit reference purposes', but the 1992 clause (f) replaced both approaches.
[24] In the original draft, personal data could only be used for the purpose for which it was collected (A 16), and could only be communicated to third parties for purposes 'compatible' with that purpose (A 8.2). The Parliament recommended replacement of the general notion of 'compatibility' by eight situations of permitted 'communication' of data, ranging from the very specific ('for direct marketing or similar purposes') to the very general ('necessary to safeguard the legitimate interests of a third party or the general public').
[25] See at least A8(2)-(7), A9, A11(2), A13, A15(2), A18(4).
[26] The 1990 draft said 'market research or advertising purposes'; the Parliament recommended 'direct marketing'; and the 1992 draft said 'marketing by mail'.
[27] National laws can provide either for objection after the data subject has been informed that the data is to be used for direct marketing, or merely at the data subject's request.
[28] The 1990 draft was limited to decisions 'involving an assessment of conduct', and referred to 'personality or profile'. The Parliament recommended that this only apply to assessments of 'character', that there should be an exception where there is consent, but that there would be a right to be informed of and to challenge any such automated processing. The 1992 draft referred to processing defining a personality profile.
[29] Benyekhlef op cit, quoting P Mei 'The EC proposed data protection law' Law and Policy in International Business, 1993 at p311
[30] M Berthold 'Hong Kong's data privacy proposals' (1994) 1 PLPR 188