Privacy Law and Policy Reporter
Australia and New Zealand will be two of six countries involved in a European Commission test study of methods of assessing whether laws of ‘third countries’ (that is, countries outside the EU) are ‘adequate’ for the purposes of the data export provisions of the European Union’s Data Protection Directive (Directive 95/46/EC).
The European Commission has contracted a consortium of four consultants to undertake a test of a method of assessing third country adequacy for the purpose of the Directive. In September 1997, the Commission issued a contract notice (request for tender) for the Implementation of a methodology to evaluate the adequacy of the level of protection of natural persons regarding the handling of private data: testing the method on several transfer categories (Reference No XV/97/18/D, Official Journal of the European Union, 23 September 1997). The contract was awarded in December and is to be completed by the end of September 1998, immediately before the Directive’s provisions come into force in October 1998.
The consultants are:
The testing is to involve five specified categories of data, and hypothetical transfers to six specified jurisdictions, giving a total of 30 ‘case studies’ of simulated data transfer from a European Union member state. The six countries to be used in the test are Australia, Canada, China (Hong Kong), the United States, Japan and New Zealand.
The five categories of data are to be in the following fields:
The contract does not specify whether the test is to be carried out, for one of these categories, in relation to one company operating in all six jurisdictions (if such companies exist), or whether different companies may be chosen to represent a category in different jurisdictions.
There is a high level of interest around the world in the way in which the Directive will impact on so-called ‘third countries’, countries outside the EU whose trade with one or more EU member states involves the transfer of personal information.
Article 25 of the Directive provides that personal data should only be transferred to third countries where there exists an ‘adequate’ level of protection, and Art 26 provides for a range of exceptions, and a method by which the circumstances of individual transfers can be held to provide ‘adequate guarantees’. EU member states are required to implement this provision in their domestic privacy or data protection law, revising existing ‘transfer prohibition’ measures if necessary. All EU Member states are at present revising their laws.
Other countries outside Europe are likely to incorporate similar data export prohibitions, as Hong Kong and Taiwan have already done. The Personal Data (Privacy) Ordinance 1995 (Hong Kong) s 33 requires the Commissioner for Personal Data to compile a ‘white list’ of places with laws which are ‘substantially similar to, or serve the same purpose as’, the Hong Kong law. (See the article by Commissioner Lau in this issue, comparing these two laws.)
Many aspects of the meaning of ‘adequacy’ in the Directive remain uncertain. The most authoritative guidance to date on the implementation of the data export provisions of the Directive is contained in a 1997 paper by the working party established under Art 29 to advise the Commission. This paper — First orientations on Transfers of Personal Data to Third Countries — Possible Ways Forward in Assessing Adequacy (Reference XV D/5020/97 — EN final, adopted 26 June 1997) — makes it clear that in assessing adequacy, European countries are likely to be looking not only at the laws, standards or rules applying in third countries, but also at the mechanisms available for external supervision, independent investigation of complaints and provision of appropriate redress for injured parties. It must also be remembered that in many respects it is the implementation of the Directive’s requirements in EU national laws that is crucial, and only Greece has yet enacted its revised law. (See the article on the EU Directive in this issue for discussion of both these issues.)
According to project consultant Nigel Waters, a detailed methodology will be designed before testing begins, taking as a starting point the parameters in the First Orientations paper, but also incorporating points raised in subsequent debate and commentary, and to be finalised by the consultants in consultation with the European Commission — Directorate-General XV (DG XV).
While the exact work program remains to be drawn up, it is proposed that different consultants will take primary responsibility for assessing the implications of the transfers into each of the ‘third countries’, with Colin Bennett covering Canada and Japan, Nigel Waters covering Australia, New Zealand and China (Hong Kong), and Robert Gellman covering the USA. Charles Raab will have main responsibility for liaison with the client (DG XV), for liaison with data sources in an EU member state and for overall co-ordination.
The consultants propose to develop a list of questions structured around six broad areas which correspond to standard privacy or data protection principles.
The questions to be asked in relation to each of the 30 hypothetical data transfers will cover both the existence, and nature, of substantive rules relating to these six areas, and the existence, and nature, of compliance monitoring and enforcement mechanisms.
The contract does not provide for extensive field work, and the project will therefore be conducted by a combination of desk-based research and telephone, email and other remote contact with relevant parties in the EU and in the six ‘destination’ countries. These parties will include government officials, regulators, business organisations and academic and other experts.
There will clearly be a high level of interest in this project while it is underway, and the consultants hope to keep interested parties informed of general progress of the project as it develops.