Privacy Law and Policy Reporter
Australia, and Australian businesses, have a privacy dilemma. Member countries of the European Union will restrict the export of personal data to countries that do not provide privacy protection that is up to European standards, from October 1998 at the latest. Australia’s Commonwealth Government has rejected privacy laws in favour of voluntary self-regulation.
Is there any likelihood that voluntary self-regulation will satisfy the EU requirements? If not, what must Australian businesses do if they wish to obtain personal information from Europe? Should Australian businesses support privacy legislation to help resolve this dilemma? These issues are the subject of this paper.
By focussing on the implications for Australia of the EU privacy Directive we explore one of the reasons why Australia may still abandon the Prime Minister’s insistence on voluntary self-regulation, by examining what will be necessary for Australian businesses and government agencies in order to obtain transfers of personal data from Europe. The different consequences of Australia having comprehensive legislation, a comprehensive voluntary code such as proposed by the Privacy Commissioner, and the status quo of neither (a distinct possibility) will become apparent. In particular, the likely ‘compliance costs’ which will flow from a lack of comprehensive privacy laws in Australia will become clearer.
The European Union Directive on privacy and free flow of personal data of 1995 (the Directive) makes it mandatory for EU member countries to prohibit the transfer of personal data to any countries which do not have privacy laws meeting the standards set out in the Directive. These changes to the laws of member countries to implement the Directive must be in force by October 1998, less than one year away.
The 1995 Directive is in stark contrast in this respect to the two previous major international privacy instruments, the OECD privacy guidelines and the Council of Europe privacy convention of the early 1980s. Neither of these agreements require their signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries.
Until recently there was little guidance available from official bodies of the EU, or even from authoritative spokespersons, to assist in determining the likely impact of the Directive on countries such as Australia, both in terms of how its content will be interpreted, and in the procedures for its administration.
New sources of interpretation of the Directive and its implementation are now available:
Reactions outside Europe to the data export aspects of the Directive range across a wide spectrum, from ‘denial’ to exaggeration of its likely effects.
Some, particularly the American government, have tended to say that Europeans have no right to impose their privacy standards on the rest of the world. The reply is that Europeans have a right to protect personal data concerning Europeans from leaving Europe if it is likely to be misused, and that is what the Directive requires. Of course, any national legislation which protects data imported from Europe is likely to give privacy protection to domestic data as well.
Exactly the same argument applies to the international insistence on minimum standards of protection for intellectual property, for which the Americans have been the most strident advocates and the most willing to resort to trade sanctions to achieve their aim of protecting American intellectual property. The European demand for minimum standards of data protection where European personal data is exported is very similar.
The realistic reply is that the time for this argument ended in 1995 when the EU made its decision to adopt the Directive.
Furthermore, Australia was considering enacting similar restrictions, proposed in the Attorney-General’s 1996 Discussion Paper.
The second form of ‘denial’ is to assume ‘they can’t be serious and won’t really enforce this’. It will take until beyond 1998 for the extent of enforcement to become clear, but European experts who have followed the development of the Directive stress that European authorities regard the Directive as a whole as an important element of the protection of human rights and its enforcement as a serious and important matter. The rest of this paper will amplify how serious they are.
The collapse in April 1997 of the proposed treaty between Europe and Australia, and its replacement by a lower-level joint declaration, because of European insistence on a clause requiring observance of human rights underlines the extent to which Europe is willing to place human rights considerations before other important economic policy goals.
The opposite extreme is to assume that Australian businesses and government agencies will immediately be refused access to European personal data on the day after the Directive comes into force because Australia’s Privacy Act 1988 does not cover the private sector.
The reality is more complex. The exceptions to the Directive, and the means by which the practices of specific companies can satisfy its requirements, all require detailed analysis. Much remains unknown because EU authorities have not until recently provided significant further interpretation of the Directive, either as to how assessments of ‘adequacy’ will be made in relation to countries like Canada, the USA or Australia, or the procedural steps that will have to be taken and what compliance costs these will imply for organisations outside Europe.
The main purpose of this paper is to assess how the emerging interpretations of the Directive shed light on its likely impact on Australia.
Before moving to a detailed consideration of the Directive’s data export provisions, there are a number of related international developments in data protection which should not be ignored.
The force of the Directive continues to prompt other data protection developments in Europe that indicate just how seriously the Europeans now regard privacy protection.
All of the fifteen EU member states have now implemented national data protection laws binding both the public and private sectors, with the recent laws in Italy and Greece completing the set. The Greek law is the first in Europe to seek to implement all the requirements of the EU Directive in its domestic law (as all other EU members must do by October 1998). As will be discussed later, its data export restrictions take the strictest possible interpretation of the Directive, making no provision for contractual solutions in the absence of ‘adequate protection’ and requiring permits for transfers of data even where mandatory exceptions apply.
The EU has now legally bound its own institutions by the provisions of the Directive, through Art 213b of the Treaty of Amsterdam, a modification of the treaty constituting the European Community. This Article also requires the EU to establish its own data protection supervisory body by 1999, so there will now be a pan-European ‘Data Protection Commissioner’ (the name is not determined) who will no doubt have an influential voice in the future direction of data protection in Europe.
There is a draft decision before the Council of the EU to authorise the EU Commission to negotiate EU accession to the Council of Europe privacy Convention (Convention 108). Accession would give the EU a formal role in the future development of the Convention, which has a broader international coverage than the Directive. It is expected that some countries from Eastern Europe and Central Europe will become parties to the Convention. It is also possible for non-members of the Council of Europe to become parties to the Convention, and this could assist when decisions are made concerning whether a non-EU country has ‘adequate’ laws.
The Working Party in First Orientations considers that a transfer to a country which is a party to Convention 108 could be considered to be to a country with ‘adequate protection’, provided the country has appropriate institutional mechanisms for enforcement, and provided it is the final destination of the data.
Three jurisdictions outside Europe also have privacy laws including data export restrictions, Hong Kong, Québec, and Taiwan. The implications of their laws are set out in an Appendix to this paper. I have argued elsewhere that the proliferation of such restrictions will lead to a need for a regional privacy convention, one of the possible eventual avenues being an ‘Asia-Pacific privacy convention’.
Although they are not the subject of this paper, it should be remembered that Australia does have international obligations to protect privacy, which it has not met. Two of the most important obligations are the OECD privacy guidelines and Art 17 of the International Covenant on Civil and Political Rights (ICCPR).
The Directive’s data export requirements can be satisfied in three ways, stated in decreasing order of generality:
Each of these is examined below, but first it is necessary to consider the scope of the Directive, and its enforcement mechanisms.
It is obvious that wholesale ‘transfers’ of personal data outside Europe, such as when a company or government body outsources its data processing overseas, or when a direct marketeer sells a mailing list to an overseas company, are covered by the data export prohibitions. However, there may be other less obvious types of ‘transfer’ of data between Europe and countries like Australia that could be affected.
Article 25 refers to ‘transfer ... to a third country’, so the question arises of whether it will be possible to access Europe-based databases from non-European locations. Examples would include an Australian branch of a European or international company accessing the company’s own internal database located in Europe. The problem is that any such access would necessarily involve such data as is necessary for the screen display on the user’s computer to be ‘transferred’ to the user’s computer, and would therefore constitute ‘transfer ... to a third country’. Remote access would therefore have to come within an exception to Art 25 before it was permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test.
If a company in a country such as Australia enters into transactions over the internet with customers in Europe, then there are at least two ways to analyse this situation. The US National Telecommunications and Information Administration (NTIA) has raised concerns about the effect of the Directive on US-based companies that use the internet, and it is easy to see why.
First, the transfer of this personal data from Europe must (in theory) comply with the Directive’s data export requirements. Since the ‘exporter’ is the individual concerned, it may be that the exception for ‘unambiguous consent’ would apply, but perhaps only if the person knew that the data was being transferred to a country without adequate privacy laws. Although it seems unlikely that national data protection laws could be used to directly stop European individuals from transferring their own personal data to overseas companies on the internet, there could be indirect consequences. For example, if the same company is seeking to show the European Commission that it provides ‘adequate safeguards’ in another type of transaction, then its internet transactions may complicate its position. Complications for enforcement of such transactions in European courts might also require consideration.
More likely, however, is the possibility that the collection of the personal data could be considered to be governed by the national law of the European country concerned, since it is ‘processing of personal data’ (which includes collection) which ‘makes use of equipment’ (the user’s computer) ‘situated on the territory’ of the European country (Art 4(1)(c)). The Directive requires such processing to be covered by national data protection laws. In this case, the act of collection (at least) would have to comply with all the national requirements or the overseas company would be in breach, not of the export prohibitions but the collection requirements. In this case there is an additional procedural hurdle and compliance cost, because Art 4(2) then requires the overseas controller to ‘designate a representative established in the territory of the Member State’. Appointing local representatives in every EU country is not exactly what one associates with global commerce over the internet!
There are no explicit equivalent restrictions on the import of personal data from a third country into an EU Member State. Article 26 only refers to transfers ‘to’ a third country, and not transfers ‘from’ a third country. However, the importing of the data may constitute ‘collection’ and therefore ‘processing’, so that the importer must comply with national laws of the EU state into which the import takes place, applying the processing test, including all conditions relating to fair collection. If personal data is collected in a country which has no privacy laws governing fair collection, how can its transfer to a European country be guaranteed to comply with European fair collection standards? If this is so, then objections to data imports from countries such as Australia could be made to the relevant national data protection authority and also to the European Commission, and the same enforcement mechanisms as discussed below brought into play.
European companies which operate in Australia, or are considering doing so, will have to pay particular regard to all of the complexities listed above, because of likely complexities in their legal position in their home country.
However, they may face the additional complication that any processing they do in Australia could be considered to be ‘carried out in the context of the activities of an establishment of the controller on the territory of a member state’ (the control test) and therefore required by the Directive to be governed by the national data protection law of the member state (Art 4(1)(a)). In other words, they may have to comply fully with the European privacy principles in relation to data processed in Australia — including the data export restrictions on transferring data to other Australian companies within Australia!
In the first instance, the implementation and supervision of the Directive’s contents is carried out by the national data protection authorities in the Member States, once their privacy laws have been amended to incorporate the Directive’s requirements.
The ‘EU-level’ supervision of the Directive is distributed between four bodies: the Commission of the EU (via DG XV); a Committee of representatives of EU Member States (and in some circumstances, the EU Council itself) (the Article 31 Committee); and an advisory Working Party of the national data protection authorities (the Working Party). The following comments relate principally to the data export aspects of the Directive, where all four bodies may have a role.
The European Commission’s role in supervision of the Directive is carried out by Directorate-General XV, Internal Market and Financial Services, Unit D1 — Free Movement of Information and Data Protection, Including International Aspects (DG XV).
The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. The Commission is also required to advise the Working Party of what action it has taken concerning its opinions and recommendations (Art 30(5)), and to negotiate with non-EU countries concerning ‘adequate protection’ (Art 25(5)). The Commission does not have delegated legislative powers.
Chapter VII (Community implementing measures) provides for a Committee comprised of representatives of each Member State and chaired by a non-voting Commission representative (Art 31(1)).
The EU Commission’s main role in the Directive is to submit to this Article 31 Committee a draft of the ‘community implementing measures’ it considers should be taken (Art 31(1)). The Article 31 Committee can decide to implement the recommended measures, but if it disagrees with the Commission then the Council decides.
The types of ‘implementing measures’ which will be dealt with by this process include decisions on adequacy of third country laws (Art 25(4)), and proposed authorisations of data transfers on the grounds of ‘adequate safeguards’ (Art 26(3), (4)). As they are formal decisions on these matters under the Directive, national authorities would be expected to adhere to the approach decided under the Art 31 procedure.
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data (the Working Party) is composed of representatives of national data protection authorities (one for each EU state), a representative of EU institutions (in future, presumably the new EU ‘Data Protection Commissioner’), and a representative of the Commission (Art 29). It takes decisions by simple majority.
The Working Party’s functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (Art 29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (Art 29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party’s opinions and recommendations (Art 29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (Art 29(6)).
It seems, therefore, that the Working Party, which is likely to be the body best informed and concerned about the state of privacy laws in non-EU countries, will be able to bring the inadequacy of the laws in particular countries to the attention of the Commission.
In the Working Party’s First Orientations paper it proposes the formulation of ‘White Lists’ of third countries that provide adequate data protection. While admitting that it has ‘no explicit role in making decisions about particular data transfers’ (that is the role of the Art 31 procedure), it interprets its explicit role in ‘giving the Commission an opinion on the level of protection in third countries’ as meaning that it is ‘well within the remit’ of the Working Party ‘to examine the situation in particular third countries in the light of some individual cases, and come to a provisional view as to the adequacy of protection’. They then note that:
Where such decisions are positive they could constitute parts of the white list envisaged. The list could then be distributed widely and used by data controllers, supervisory authorities and Member States as a guide to their own decisions.
The Working Party does not propose to produce a ‘black list’. They say that this is politically very sensitive, and suggest only that an absence from the ‘white list’ means that no general guidance is available concerning that country.
In First Orientations the Working Party also states that it will produce a further paper outlining which categories of transfer it considers pose particular risks to privacy. Where such a transfer was proposed to a country not on the white list, this document would provide guidance to national data protection authorities on:
First Orientations only deals with Art 25 and ‘adequate protection’, but the Working Party does intend to produce further papers dealing with Art 26 ‘adequate safeguards’ and other matters.
The formal decision-making power about adequate protection rests with the Article 31 Committee of representatives of member states, but the Working Party of representatives of national data protection Commissioners is clearly intent on taking an activist role. It would not be surprising if the experts committed to the value of data protection were more willing to prohibit data transfers than governments preoccupied with good relations with trading partners.
There are, however, a number of factors which may give the Working Party an influence beyond its formal role:
It may also be significant that the Commission (DG XV), in its tender documents for development of a methodology for assessing ‘adequacy’, indicates that the Working Party’s First Orientations is a starting point for the development of the Commission’s own methodology. This may indicate an intention by the Commission to ensure consistency by all EU organs in their approach to the Directive, but it also indicates that the significance of the Working Party has extended beyond what appears from the mere words of the Directive.
Does a country provide an ‘adequate level of protection’?
The Directive provides that:
‘Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection’ (Art 25(1)) (emphasis added).
‘Equivalent’ protection is not required, only ‘adequate’ protection.
The Directive defines ‘adequate level of protection’ as follows (Art 26(2)):
The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.
It goes on to state that the Commission may decide that a third country ‘ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]’ (Art 25(5)).
In First Orientations the Working Party considers that Art 25 ‘envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers’. Nevertheless, it says, the impossibility of considering all data exports individually means that mechanisms must be developed ‘which rationalise the decision-making process for large numbers of cases’ — for the benefit of both data controllers and data protection authorities.
Although it is not completely clear from Art 25 whether the requirement of an ‘adequate level of protection’ must be satisfied by a country’s overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (for example credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The references to sectoral legislation and ‘professional rules’ could be seen as supporting this interpretation. Other commentators have reached the conclusion that an ‘overall country assessment’ is not necessary. In First Orientations the Working Party is of this view, commenting that ‘nothing would prevent the partial white listing of a third country’.
Need there be ‘adequate’ compliance with each EU Directive requirement, or just most of them? The use of ‘adequate’ suggests that only some partial compliance is required.
The Working Party concludes from the EU Directive and other international privacy instruments that there are six ‘core’ or ‘basic’ principles which are the minimum requirements for protection to be considered adequate. In summary, these are:
Any exceptions to these core principles must be consistent with those in Art 13 (Exemptions and restrictions) which provide for legislative exceptions necessary to safeguard important state interests, or ‘the protection of the data subject or the rights or freedoms of others’. Individual consent is not explicitly included in the permitted grounds for exemption.
The first five ‘core’ principles are a strong restatement of standard information privacy principles, particularly in that consent is not seen as a basis for reducing protection.
The sixth principle, restrictions on onward transfers, is the logical closing of a loophole which could otherwise be used to circumvent the restrictions on transfers from the EU by an intermediate transfer through a ‘safe’ third country. It is a significant proposal because it weakens the case for adequacy of what is otherwise one of the strongest privacy laws outside Europe, that of New Zealand.
The Working Party does not see this list as ‘set in stone’, and envisages that there can be circumstances where greater or lesser protection was needed, depending in particular on the degree of risk that the transfer poses to the data subject.
Graham Greenleaf, General Editor.
Part II of this article will be published in the next issue of Privacy Law & Policy Reporter.
This paper was presented at the ‘1997 Australian Privacy Summit’, IBC Conferences, 21-22 October 1997, Gazebo Hotel, Elizabeth Bay, Sydney under the title The European Union’s Privacy Directive — New orientations on its implications for Australia.
Under the control test, a company which carries out activities in an EU member state (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU member state will still find itself bound by the EU state’s privacy law. Not surprisingly, Europe cannot be used as a ‘data haven’ to avoid the reach of privacy laws.
Report of speech by Barbara Wellbury, Chief Counsel NTIA, July 1996 — Privacy Laws & Business, December 1996, 15.
ibid.
The Commission proposed it should have a rule-making power to adopt such ‘technical measures’ as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft Art 33), but the 1995 Directive does not provide for any delegated legislation.
The Committee acts by majority, but the votes of each representative are weighted according to Art 148(2) of the Treaty establishing the European Community (Art 31(2)).
If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (Art 31(2)).
The Parliament recommended the Working Party’s expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.
See J Reidenberg, ‘Rules of the Road for Global Electronic Commerce: Merging the Trade and Technical Paradigms’ (1993) Harvard Journal of Law & Technology, Vol 6, 287 — ‘Under the revised draft, national authorities may consider the specific circumstances of each data transfer on a case-by-case basis, rather than an overall country assessment ...’; S McGregor, ‘Australia could be denied access to global super highway’ (1993) 2 Telecommunications Law & Policy Review 1 at 4 assumes that Australia’s credit sector could have ‘adequate protection’; M Powell, ‘European Information Technology Law’, (1994) Computer Law & Security Reporter (Special Supplement) at 46 says the amended proposal takes account of the ‘sectoral’ approach to data protection adopted in the USA.
This is a different question from mandatory grounds for exceptions to adequacy in EU national laws (Art 26(1)), where consent is a ground.