The 'principle of equivalence', implemented in the OECD data protection Guidelines (A17) and the Council of Europe data protection Convention (A12), and observed in most European national data protection laws, is that a state shall not impose restrictions on the export of personal data to another state which gives substantially equivalent protection to such data as is provided for in the exporting country[31]. The Directive requires all EU Member States to implement a Europe-wide standard of data protection, and then deems that implementation within the allowed 'margin for manoeuvre' is sufficient for the equivalence principle to apply. However, when it comes to states outside the EU, a somewhat different approach is taken to the 'equivalence' issue.
The Directive provides that 'Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (A25(1))[32] (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection[33].
The Parliament had recommended a far less restrictive approach[34], which would not have made it mandatory for such transfers to be prohibited, merely permissible. The Commission's justification[35] for rejecting this approach was that 'Without such a provision [prohibiting exports] the Community's efforts to guarantee a high level of protection for individuals could be nullified by transfers to other countries in which the protection provided is inadequate. There is also the fact that the free movement of data between Member States, which the proposal seeks to establish, will mean that there will have to be common rules on transfer to non-community countries'.
The Directive is ambiguous as to whether EU countries must allow exports of personal data to countries which do provide 'adequate protection'. Article 25 requires Member States to provide that such transfers 'may take place only if' there is adequate protection, not 'if and only if'. The preamble only says that the 'Directive does not stand in the way' of such transfers, but does not say they must be allowed. On the other hand, A26 seems at first to require EU countries to allow transfers to third countries where there is no adequate level of protection but the A26 conditions concerning the individual transfer have been met, but it is only a derogation from A25 so this may mean little. The better view is probably that the Directive gives no formal guarantees to third countries that data exports from EU countries will be allowed, irrespective of the level of protection they provide.
'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'
It goes on to state that the Commission may decide that a third country 'ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(5)).
Some non-EU European countries are parties to the Council of Europe Convention, and this would almost certainly constitute 'adequate protection'[39]. The Commission was at one time reported to favour an approach whereby non-European countries would sign the Convention (on the invitation of the Council of Europe: A23) and ratify after passing laws 'equivalent' to the Convention[40]. The EU Commission would then declare that the country had 'adequate' laws, and the third country would be bound under international law by the Convention. It is not known if this approach is still under consideration.
Although it is not completely clear from A25 whether the requirement of an 'adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (eg credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The Parliament had recommended that an adequate level of protection need only be provided for 'particular categories of specified personal data', and this seems to be the approach taken in the 1992 draft[41]. The references to sectoral legislation and 'professional rules' could be seen as supporting this interpretation. Other commentators have reached the conclusion that an 'overall country assessment' is not necessary[42].
Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of 'adequate' suggests that only some partial compliance is required. A related question is whether 'adequacy' need only be measured against the principles in the Directive (Chapter II), or is it also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages - see above). The latter is the better view. It would be anomalous for A26(2) to require 'sufficient guarantees' of enforcement if A25 did not. However, it might be expected that there could be adequate protection provided by either individual enforceability or enforcement via a supervising authority.
The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) 'is necessary for performance of a contract between the data subject and the controller[44], or the implementation of pre-contractual measures taken in response to the data subject's request' (eg a credit check);
(iii) 'is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is 'necessary on important public interest grounds' or for legal claims; and
(v) 'is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.
These exceptions are not as broad as they first appear. The reference to 'public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. There is no exception referring to the vital interests of the recipient of the information, only those of the data subject. Furthermore, the exceptions are likely to become more precise as they are implemented in national laws (A5). However, they may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.
'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces sufficient guarantees with respect to the protection of privacy ... and as regards the exercise of the corresponding rights; such guarantees may in particular result from appropriate contractual clauses'.
This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute 'sufficient guarantees' is not explained.
A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an 'adequate level of protection' for A25 purposes. It also reinforces the view that an 'adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[46].
The Member State must inform the Commission and the other Member States of 'authorisations granted' under A26(2) (A26(3)), rather than 'its proposal to grant authorization' as the 1992 Draft required. If a Member State or the Commission nevertheless does manage to object before the authorisation takes effect, the Commission is required to take 'appropriate measures', after referring the matter to the Committee in accordance with A31(2) (A26(3)). Member States must then comply with the Commission's decision, including decisions that certain contractual clauses offer 'sufficient guarantees' (A26(4)).
Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[50]:
Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.
Reidenberg now sees supplier-recipient contracts as of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.
The Canadian Standards Association (CSA) Technical Committee on Privacy adopted a Model Code for the Protection of Personal Information in September 1995. The Code is based on the OECD Guidelines, and will involve a certification scheme. It is expected to be formally accepted by the Canadian Standards Council (a government body) in early 1996. It is not known at this stage whether the CSA will push for the Code to be adopted by the International Standards Organisation (ISO)[51]. Due to the lack of privacy legislation in the USA, there is considerable private sector interest in the Code in the USA, and it may possibly develop into a North American standard.
It is likely that the CSA privacy Code will prove to be the 'litmus test' of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide 'sufficient guarantee'. This has strong opponents, particularly within Canada. The President of Québec's data protection authority, Paul-André Comeau, praises the Code as 'a step in the right direction', but says[52] that
There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.
He is reported to have concluded by urging European privacy commissioners, and the EU, 'to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status'[53]. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as 'useless and artificial' and unnecessary if the Code suffices for the EU[54]. Federal Canadian Privacy Commissioner Bruce Phillips is advocating national adoption of legislation based on Québec's Act. The battle lines are drawn in Canada.
Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.
Companies in countries such as Australia or Canada will have to choose whether to support the development of 'adequate' local privacy laws, or to rely, on a transaction-by-transaction basis, on either (i) coming within an A25 mandatory exemption or (ii) convincing a European national authority, or the EU authorities (see below), that they can offer 'sufficient guarantees' for that transaction.
Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or 'on the basis of other information'. This may have left the way open for a form of 'complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be. Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the Working Party.
The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of 'adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.
Although decisions are more correctly described as being made by the Council and the Commission, not just 'the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.
It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously 'adequate' level of data protection.
[31] Karim Benyekhlef 'International standards for the protection of personal data and the information highway', Proceedings of Justice on the Electronic Highway (Conference), Ottawa, January 1995, Federal Department of Justice, Canada
[32] The 1992 Draft referred to 'provide by law that the transfer, whether temporary or permanent'. The changes are not significant.
[33] There were submissions on the original draft (for example, by the European Data Protection Commissioners) that 'adequate protection' should be replaced with 'equivalent protection' (ie equivalent to the EU Directive).
[34] Namely, that such transfers 'may be prohibited in order to prevent damage to data subject's interests from an inadequate level of protection' and 'may require the express consent of the data subject'.
[35] Explanatory Memorandum, 1990
[36] See above, 'Reach of national laws'.
[37] See above 'Reach of national laws'.
[38] The 1992 draft was largely the same, but did not refer to 'the country of origin and country of final destination', or 'security measures'. 'Adequate level of protection' was not defined in the 1990 draft, and the Explanatory Memorandum simply said that it was 'for the Member States, and if necessary for the Commission, to determine'.
[39] Benyekhlef, op cit
[40] Privacy Laws & Business, October 1990, p6
[41] The Explanatory Memorandum to the 1992 draft states only that 'As Parliament suggested in its opinion (see amendment No 79) the new paragraph 2 makes it clear that the adequacy of protection is to be assessed with reference to a transfer of data or a set of transfers of data'.
[42] See J Reidenberg 'Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p287 - 'Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment ...'; S McGregor 'Australia could be denied access to global super highway' (1993) 2 Telecommunications Law & Policy Review 1 at p4 assumes that Australia's credit sector could have 'adequate protection'; M Powell European Information Technology Law, (1994) Computer Law & Security Reporter (Special Supplement) at p46 says the amended proposal takes account of the 'sectoral' approach to data protection adopted in the USA.
[43] The 1992 draft had only four exceptions, and the first and second are combined in (ii) here; 1995 exceptions (i), (iii), (vi) are new.
[44] The 1992 draft added 'who has been informed that a transfer of data to a country with inadequate protection is possible'.
[45] The 1992 draft has been rewritten, but the changes do not seem to be of substance.
[46] Reidenberg op cit seems to assume that 'adequate protection' can be found in 'the specific circumstances of each data transfer on a case-by-case basis'.
[47] TDR, Sept/Oct 1991, p37
[48] 65 ALJ 560
[49] Privacy Laws and Business, October 1991, p6
[50] J Reidenberg 'Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, Vol 80 No 3 497 at 546
[51] L Moisan 'The CSA Model Code: The new bid on the block', Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.
[52] P-A Comeau, speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995
[53] Moisan, op cit - these reported comments go somewhat beyond the text of Mr Comeau's speech
[54] Comeau, op cit
[55] Colin Bennett 'Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p14; quaere whether he means 'sufficient guarantee', not 'adequate' protection.
[56] Contra Reidenberg op cit p294
[57] Privacy Laws & Business Newsletter, No 31, September 1995, p2
[58] Unlike in the 1992 draft, it does not have to first conclude that 'the resulting situation is likely to harm the interests of the Community or of a Member State' - presumably the Committee would not agree to act unless this was so.
[59] Colin Bennett 'Canada under the gaze of the European Sphinx', Privacy Files, October 1995, Vol 1 No 1, p13