AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1995 >> [1995] PrivLawPRpr 67

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Greenleaf, Graham --- "European Privacy Directive and data exports" [1995] PrivLawPRpr 67; (1995) 2(6) Privacy Law & Policy Reporter 105

European Privacy Directive and data exports

Graham Greenleaf continues a review of the 1995 Directive.

The now-completed European Union Directive on privacy and free flow of personal data (outlined in 2 PLPR 81) is significant to Asia-Pacific countries because it prohibits the transfer of personal data from EU countries to any countries which do not have 'adequate' data protection laws. It will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific and elsewhere, particularly in relation to the private sector.

The 'principle of equivalence', implemented in the OECD data protection Guidelines (art 17) and the Council of Europe data protection Convention (art 12), and observed in most European national data protection laws, is that a state shall not impose restrictions on the export of personal data to another state which gives substantially equivalent protection to such data as is provided for in the exporting country.[1] The Directive requires all EU member states to implement a Europe-wide standard of data protection, and then deems that implementation within the allowed 'margin for manoeuvre' is sufficient for the equivalence principle to apply. However, when it comes to states outside the EU, a somewhat different approach is taken to the 'equivalence' issue.

Exports of personal data from the EU to third countries

Neither the OECD Guidelines nor the Council of Europe Convention require their signatories to impose TBDF restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries. This is where the 1995 Directive is in stark contrast, because it makes it mandatory for EU countries to prohibit the export of personal data to any countries which do not provide 'an adequate level of protection.'

The Directive provides that 'member states shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (art 25(1))[2] (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection.[3]

The Parliament had recommended a far less restrictive approach[4], which would not have made it mandatory for such transfers to be prohibited, merely permissible. The commission's justification[5] for rejecting this approach was that: 'Without such a provision [prohibiting exports] the community's efforts to guarantee a high level of protection for individuals could be nullified by transfers to other countries in which the protection provided is inadequate. There is also the fact that the free movement of data between member states, which the proposal seeks to establish, will mean that there will have to be common rules on transfer to non-community countries'.

The Directive is ambiguous as to whether EU countries must allow exports of personal data to countries which provide 'adequate protection'. Article 25 requires member states to provide that such transfers 'may take place only if' there is adequate protection, not 'if and only if'. The preamble only says that the 'Directive does not stand in the way' of such transfers, but does not say they must be allowed. On the other hand, art 26 seems at first to require EU countries to allow transfers to third countries where there is no adequate level of protection but the art 26 conditions concerning the individual transfer have been met, but it is only a derogation from art 25 so this may mean little. The better view is probably that the Directive gives no formal guarantees to third countries that data exports from EU countries will be allowed, irrespective of the level of protection they provide.

Remote access to EU personal data from third countries

Article 25 refers to 'transfer ... to a third country', so the question arises of whether it will be possible to access Europe-based databases from non-European locations. The problem is that any such access would necessarily involve such data as is necessary for the screen display on the user's computer to be 'transferred' to the user's computer, and would therefore constitute 'transfer ... to a third country'. Remote access would therefore have to come within an exception to art 25 before it is permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test.[6]

Imports of personal data from third countries into the EU

There are no explicit equivalent restrictions on the import of personal data from a third country into a member state. Article 26 only refers to transfers 'to' a third country, and not transfers 'from' a third country. However, the importing of the data may constitute 'collection' and therefore 'processing', so that the importer must comply with national laws of the EU state into which the import takes place, applying the processing test.[7]

The meaning of 'adequate level of protection'

The Directive now[8] defines 'adequate level of protection' as follows (art 26(2)):

The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the county of origin and country of final destination, the rules of law - both general and sectoral - in force in the third country in question and the professional rules and security measures which are complied with in those counties.

It goes on to state that the commission may decide that a third country 'ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the commission]' (art 25(5)).

Some non-EU European countries are parties to the Council of Europe Convention, and this would almost certainly constitute 'adequate protection'.[9] The commission was at one time reported to favour an approach whereby non-European countries would sign the Convention (on the invitation of the Council of Europe; art 23) and ratify after passing laws 'equivalent' to the Convention.[10] The EU Commission would then declare that the country had 'adequate' laws, and the third country would be bound under international law by the Convention. It is not known if this approach is still under consideration.

Although it is not completely clear from art 25 whether the requirement of an 'adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (for example, credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The Parliament had recommended that an adequate level of protection need only be provided for 'particular categories of specified personal data', and this seems to be the approach taken in the 1992 draft.[11] The references to sectoral legislation and 'professional rules' could be seen as supporting this interpretation. Other commentators have reached the conclusion that an 'overall country assessment' is not necessary.[12]

Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of 'adequate' suggests that only some partial compliance is required. A related question is whether 'adequacy' need only be measured against the principles in the Directive (Ch II), or is it also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages - see above). The latter is the better view. It would be anomalous for art 26(2) to require 'sufficient guarantees' of enforcement if art 25 did not. However, it might be expected that there could be adequate protection provided by either individual enforceability or enforcement via a supervising authority.

Mandatory exceptions to the requirement of adequate protection

Instead of leaving it to the member states to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the 1995 Directive requires member states to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six[13] conditions is satisfied (provisos to art 26(1)).

The exceptions are where the transfer:

  1. Is with the data subject's unambiguous consent.
  2. 'Is necessary for performance of a contract between the data subject and the controller,[14] or the implementation of precontractual measures taken in response to the data subject's request' (for example, a credit check).
  3. 'Is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party'.
  4. Is 'necessary on important public interest grounds' or for legal claims.
  5. 'Is necessary to protect the vital interests of the data subject'.
  6. Is from a public register, and in accordance with its terms of operation.

These exceptions are not as broad as they first appear. The reference to 'public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. There is no exception referring to the vital interests of the recipient of the information, only those of the data subject. Furthermore, the exceptions will be likely to become more precise as they are implemented in national laws (art 5). However, they may be broader in some respects than the exceptions found in art 8 of the European Convention on Human Rights, which could lead to some interesting decisions.

Authorisation of particular transfers without 'adequate' protection

In addition to these mandatory exceptions, art 26(2) now[15] provides that

a member state may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces sufficient guarantees with respect to the protection of privacy ... and as regards the exercise of the corresponding rights; such guarantees may in particular result from appropriate contractual clauses.

This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute 'sufficient guarantees' is not explained.

Article 26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an 'adequate level of protection' for art 25 purposes. It also reinforces the view that an 'adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make art 26(2) redundant. This is not, however, free from doubt.[16]

The member state must inform the commission and the other member states of 'authorisations granted' under art 26(2) (art 26(3)), rather than 'its proposal to grant authorization' as the 1992 draft required. If a member state or the commission nevertheless does manage to object before the authorisation takes effect, the commission is required to take 'appropriate measures', after referring the matter to the committee in accordance with art 31(2) (art 26(3)). Member states must then comply with the commission's decision, including decisions that certain contractual clauses offer 'sufficient guarantees' (art 26(4)).

The meaning of 'sufficient guarantee'

Can private contracts between data suppliers and recipients (as distinct from contracts with data subjects) constitute sufficient guarantee'? The US Government pushed for maximum recognition for supplier-recipient contracts,[17] and the French data protection authority, CNIL, has allowed a number of transfers from France to countries without data protection laws (Italy and Belgium) on condition that such contracts were entered into.[18] The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract.[19] Article 25 makes no mention of contractual clauses at all, and it seems unlikely that contractual clauses could constitute 'adequate protection', even on a sectoral basis where they are adopted by an industry. Article 26(2) does not clarify whether its mention of 'contractual clauses' includes supplier-recipient contracts. As there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject, it is doubtful that such contracts could constitute a 'guarantee' for art 26(2) purposes.

What role can industry self-regulation through codes of conduct play? Article 27 requires member states to encourage the development of national and European codes of conduct, but (as discussed above) these cannot be a substitute for legally binding provisions. Voluntary codes of conduct in third countries are unlikely to constitute adequate protection, although it is possible that a scheme run by an industry body which was shown to have enforcement powers might be sufficient to be regarded as 'professional rules' for the purposes of art 25(2) (which does not make specific mention of codes of conduct). An industry-developed code backed up by legally binding enforcement procedures may well constitute adequate sectoral compliance (the enforcement provisions would be 'rules of law' for art 25(2) purposes). Such enforceable codes might also provide 'sufficient guarantees' for art 26(2) purposes.

The mechanisms for decisions concerning 'adequate protection'

Decision and notification by a member state

In the first instance, it is the laws of member states of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (art 25(1)), and it is a decision by an authority in the member state which prohibits the transfer. Member states must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (art 25(3)). This notification requirement applies even if the data transfer is allowed under an art 26(1) exception, or an art 26(2) authorisation because of 'sufficient guarantees'.

Decisions by the committee on adequacy

As explained above in relation to supra-national enforcement of the Directive as a whole, it is the committee of member state representatives that decides whether to accept the draft measures proposed by the commission (art 31(2)). The commission, with the committee's approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries.[20] The position is therefore that member states make any decisions to prohibit transfers, but the committee can over-ride such decisions.

'Complaints' about adequacy

Even though it is the committee that makes the decisions, it is still the commission that must be first convinced to propose action against a third country, so it is important to ask how claims of 'inadequacy' can be brought to the committee's attention. Member states are obliged to do so in the course of considering transfers to third countries (art 25(3)). The working party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the commission would receive official notification that way.

Under the 1992 draft, the commission could initiate its negotiation process (discussed below) either on the basis of information provided by a member state, or 'on the basis of other information'. This may have left the way open for a form of 'complaint' about a third country's laws (either general or sectoral) to be made to the commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the commission's practice will be. Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the working party.

Commission negotiations with third countries

If the committee accepts measures proposed by the commission on the basis of the inadequacy of a third country's laws, only then can the commission enter into negotiations with the third country 'with a view to remedying the situation' (art 25(4))[21].

The final part of this review will consider the implications of the Directive for the Asia-Pacific.

Graham Greenleaf

[1] Karim Benyekhlef, 'International standards for the protection of personal data and the information highway', Proceedings of Justice on the Electronic Highway (Conference), Ottawa, January 1995, Federal Department of Justice, Canada.

[2] The 1992 draft referred to 'provide by law that the transfer, whether temporary or permanent'. The changes are not significant.

[3] There were submissions on the original draft (for example, by the European Data Protection Commissioners) that 'adequate protection' should be replaced with 'equivalent protection' (that is, equivalent to the EU Directive).

[4] Namely, that such transfers 'may be prohibited in order to prevent damage to data subject's interests from an inadequate level of protection' and 'may require the express consent of the data subject'.

[5] Explanatory Memorandum, 1990.

[6] See 2 PLPR 85, 'The reach of national laws'.

[7] See 2 PLPR 85, 'The reach of national laws'.

[8] The 1992 draft was largely the same, but did not refer to 'the country of origin and country of final destination', or 'security measures'. 'Adequate level of protection' was not defined in the 1990 draft, and the Explanatory Memorandum simply said that it was 'for the member states, and if necessary for the commission, to determine'.

[9] Benyekhlef, op cit.

[10] Privacy Laws & Business, October 1990, p 6

[11] The Explanatory Memorandum to the 1992 draft states only that 'As Parliament suggested in its opinion (see amendment No 79) the new paragraph 2 makes it clear that the adequacy of protection is to be assessed with reference to a transfer of data or a set of transfers of data'.

[12] See J Reidenberg, 'Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p 287 - 'Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment'; S McGregor, 'Australia could be denied access to global super highway' (1993) 2 Telecommunications Law & Policy Review 1 at 4 assumes that Australia's credit sector could have 'adequate protection'; M Powell, European Information Technology Law, (1994) Computer Law & Security Reporter (Special Supplement) at 46 says the amended proposal takes account of the 'sectoral' approach to data protection adopted in the US.

[13] The 1992 draft had only four exceptions, and the first and second are combined in (ii) here; 1995 exceptions (i), (iii), (vi) are new.

[14] The 1992 draft added 'who has been informed that a transfer of data to a country with inadequate protection is possible'.

[15] The 1992 draft has been rewritten, but the changes do not seem to be of substance.

[16] Reidenberg, op cit seems to assume that 'adequate protection' can be found in 'the specific circumstances of each data transfer on a case-by-case basis'.

[17] TDR, Sept/Oct 1991, p 37.

[18] 65 ALJ 560.

[19]Privacy Laws and Business, October 1991, p 6.

[20] Contra Reidenberg op cit p 294.

[21] Unlike in the 1992 draft, it does not have to first conclude that 'the resulting situation is likely to harm the interests of the Community or of a member state' - presumably the committee would not agree to act unless this was so.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback