Privacy Law and Policy Reporter
A related question is whether ‘adequacy’ need only be measured against the principles in the Directive (Chapter II), or is it also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages). The latter is the better view. It would be anomalous for Art 26(2) to require ‘adequate safeguards’ of enforcement if Art 25 did not. However, it might be expected that there could be adequate protection provided by either individual enforceability or enforcement via a supervising authority.
The Working Party in First Orientations concedes that, while in Europe it is generally considered that data protection principles should be embodied in law, and that there should be an independent supervisory authority, a better starting point is to identify the underlying objectives of data protection procedures. Three objectives are identified:
In First Orientations the Working Party appears willing to presume that data transfers to any non-EU countries that have ratified Convention 108 are allowed under Art 25(1) provided:
The Working Party’s approach leaves open, in principle at least, the possibility of non-legislative mechanisms providing adequate protection, as it frames the criteria in terms of underlying objectives. However, First Orientations leaves as a completely open question whether industry self-regulation or technical ‘standards’ could ever meet these requirements.
Art 25 refers to assessments of adequacy being made ‘in the light of all the circumstances surrounding a data transfer’, so the Working Party is no doubt correct that an a priori exclusion of non-legislative protection is wrong. However, the only types of mechanisms referred to specifically in Art 25 are ‘the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries’ (Art 25(1)) and (in relation to Art 31 decisions) ‘domestic law or ... international commitments it has entered into’. The Directive therefore leaves the question open.
What role can industry self-regulation through codes of conduct play? Article 27 requires member states to encourage the development of national and European codes of conduct, but these cannot be a substitute for legally binding provisions in EU member states.
Entirely voluntary codes of conduct in third countries seem unlikely to constitute adequate protection. Art 25 does not make specific mention of Codes of Conduct. ‘Professional rules’ are mentioned specifically in Art 25(2), but the notion of ‘professional rules’ may entail compulsory registration as a condition of practice (as in many professions) and powers in some organisation to ‘strike off’ from the right to practice or impose other penalties. However, the new Greek law does refer to ‘codes of practice’ as one of the factors to be considered, in its implementation of Art 25.
It is also difficult to see an industry-developed code as adequate sectoral compliance unless participation was compulsory, because sectoral recognition would protect those industry members who did not comply (sometimes called ‘free riders’). Even more serious is the problem of those sectors where there are few institutional structures that even allow identification of data controllers and therefore make it very difficult to enrol them in such schemes. The Working Party does not address this issue, or suggest whether or not ‘adequacy’ could be recognised as restricted to participants in a voluntary scheme. The advantage of legislation in relation to the ‘free rider’ problem is that at least where breaches have been identified, ex post facto sanctions may be applied.
The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information was adopted in 1996. The Code is based on the OECD Guidelines, and involves a certification scheme. The CSA is now pushing for the Code to be adopted by the International Standards Organisation (ISO), and the first meeting of representatives from countries including Canada, the US and Australia took place in New York in May 1997, and Brussels in September 1997, attended by Australia’s Privacy Commissioner as part of the Australian delegation.
The CSA privacy Code may prove to be one ‘litmus test’ of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide ‘adequate protection’ or even one-off ‘adequate safeguards’. This has strong opponents, particularly within Canada. The President of Québec’s data protection authority, Paul-André Comeau, praises the Code as ‘a step in the right direction’, but says that:
There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.
He is reported to have concluded by urging European privacy commissioners, and the EU, ‘to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status’. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as ‘useless and artificial’ and unnecessary if the Code suffices for the EU. Federal Canadian Privacy Commissioner Bruce Phillips is advocating the national adoption of the legislation based on Québec’s Act.
In terms of its content, it is debatable whether the CSA Model Code’s principles are strong enough to provide ‘adequacy’ in terms of the content of the EU Directive. However, the main problem with any ‘standards’ approach is that it does not normally provide any enforcement mechanisms that can be used by the individuals concerned, or can provide any remedies for them. Loss of accreditation is a typical sanction, but that provides no benefit to the individuals concerned, and is not a strong sanction provided that the accreditation remains voluntary.
Once again, even if it can constitute ‘adequate safeguards’ in particular cases, the costs of establishing this in each case remain high.
In the first instance, it is the laws of Member States of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (Art 25(1)), and it is a decision by an authority in the Member State which prohibits the transfer.
Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (Art 25(3)). This notification requirement applies even if the data transfer is allowed under an Art 26(1) exception, or an Art 26(2) authorisation because of ‘adequate safeguards’.
As explained above in relation to supra-national enforcement of the Directive as a whole, it is the Article 31 Committee of member state representatives that decides whether to accept the draft measures proposed by the Commission (Art 31(2)). The Commission, with the Committee’s approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries. The position is therefore, that Member States make any decisions to prohibit transfers, but the Committee can over-ride such decisions.
The Commission is engaging experts to undertake case studies of the adequacy of protection in six countries — Australia, Canada, China (Hong Kong), the US, Japan and NZ — for the purpose of developing a methodology to assess adequacy in third countries.
Even though it is the Committee that makes the decisions, it is still the Commission that must be first convinced to propose action against a third country, so it is important to ask how claims of ‘inadequacy’ can be brought to the Commission’s attention. Member States are obliged to do so in the course of considering transfers to third countries (Art 25(3)). The Working Party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the Commission would receive official notification that way. As might be expected, the Commission is reported to be likely to initiate its own studies of the laws and codes of the EU’s more important non-EU trading partners, and has in 1997 issued a tender for study of such laws in six countries including Australia.
Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or ‘on the basis of other information’. This may have left the way open for a form of ‘complaint’ about a third country’s laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission’s practice will be.
Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country’s laws before the Working Party. The Working Party’s activist role in the Directive’s procedures, as shown in First Orientations, makes this more likely to be an effective way of bringing a country’s laws into the EU processes.
If the Committee accepts measures proposed by the Commission on the basis of the inadequacy of a third country’s laws, only then can the Commission enter into negotiations with the third country ‘with a view to remedying the situation’ (Art 25(4)).
A Canadian commentator interprets this decision-making process as essentially political rather than legal:
The implementation of Articles 25 and 26 is likely to be unpredictable and politicised, because the determination of ‘adequacy’ rests, not with the data-protection agencies — but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.
Although decisions are more correctly described as being made by the Council and the Commission, not just ‘the Commission’, this may strengthen Bennett’s point, as national political interests are even more directly represented on the Council.
It is too early to know whether Bennett’s fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously ‘adequate’ level of data protection.
Instead of leaving it completely to the member states to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the Directive requires member states to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six conditions is satisfied (provisos to Art 26(1)).
The exceptions are where the transfer:
(i) is with the data subject’s unambiguous consent;
(ii) ‘is necessary for performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken in response to the data subject’s request’;
(iii) ‘is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party’;
(iv) is ‘necessary on important public interest grounds’ or for legal claims; and
(v) ‘is necessary to protect the vital interests of the data subject’; or
(vi) is from a public register, and in accordance with its terms of operation.
These exceptions are not as broad as they first appear. It is crucial to recognise that they are not ‘self-executing’ exceptions: they will only exist to the extent that they are embodied in the national laws of the fifteen EU member states. They are also likely to become more precise as they are implemented in national laws (Art 5), and are likely at that point to become subject to different wordings in each national law. The only implementation to date is in Pt 9 of the new Greek law, and it illustrates these points quite nicely.
The Working Party in First Orientations says ‘the working assumption is that the wording of these exceptions is fairly narrow ...’. They will provide guidance on the meaning of these exceptions in future work.
The consent of the data subject ‘to the proposed transfer’ must be ‘unambiguous’, where only consent and not a contract with the data subject is relied upon. However, there seems to be no restriction on the consent being obtained by the third party recipient of the data (for example the Australian ‘importer’), not only by the EU-based ‘controller’. The requirement that the proposed transfer be ‘unambiguous’ may imply that the data subject must consent to his or her personal data being transferred to a country which does not have adequate privacy laws, on the basis that mere transfer to ‘another country’ is not normally a matter of concern within the EU because of the Directive. It is therefore unlikely that EU-based controllers can simply obtain blanket consents to transfer personal data anywhere they like. It almost certainly implies that consent must be explicit, not implied, and that mere notice of intent by the data controller will be ineffective.
One major unanswered question is whether individual consent to a transfer to a country where there is no adequate protection can be made subject to conditions to protect individuals by the EU national laws. The first example available, the new Greek law, is uninformative in how it interprets ‘unambiguous’ (‘except if ... extorted in a way which is contrary to law or bonos mores’), but transfers based on such consent still require ‘permission granted’ by the Greek data protection authority.
This requirement of a permit — which also applies to all the other mandatory exceptions — is not part of the Directive, so the Greek law is in this respect a narrow interpretation, designed to place maximum impediments and exposure in the way of reliance on consent.
The reference to ‘a contract between the controller and the data subject’ appears to refer only to a contract with the EU-based controller of the data to be exported, not a contract with the recipient in the third country such as Australia. If so, it seems that the reference to ‘pre-contractual’ measures would be only to contracts made with a European entity. So, for example, an Australian credit bureau could not use this proviso to obtain a credit report from Europe, but a European credit bureau could use it to disclose a European’s identity to an Australian bureau in order to have a check done.
The reference to ‘public interest grounds’ is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. In the new Greek law, it appears that the only public interest referred to is that of Greece.
The Greek exception is also qualified by a requirement that the data controller ‘grants sufficient guarantees for the protection of private life and fundamental liberties and the exercise of the relevant rights’. Greece has obviously concluded that an Art 26 mandatory exception can nevertheless be made subject to qualifications which protect individual interests. If this approach is followed by other Member States, relying on these exceptions may be a complex matter.
There is no exception referring to the vital interests of the recipient (importer) of the information, nor of the exporter, but only those of the data subject. The existence of a contract between exporter and importer is insufficient, as it must also be a contract ‘concluded in the interest of the data subject’.
In addition to these mandatory exceptions, Art 26(2) now provides that:
... a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute ‘adequate safeguards’ is not explained.
Article 26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an ‘adequate level of protection’ for Art 25 purposes. It also reinforces the view that an ‘adequate level of protection’ must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make Art 26(2) redundant. This is not, however, free from doubt.
The Working Party in First Orientations says that the contractual solutions envisaged by Art 26(2):
have inherent problems, such as the difficulty of a data subject enforcing his rights under a contract to which he is not himself a party ... and are therefore appropriate only in certain specific and probably relatively rare circumstances.
As with the Art 26(1) exceptions to Art 25, Art 26(2) ‘adequate safeguards’ cannot be relied upon unless and until they are embodied in the national legislation of the fifteen EU member states. Unlike the Art 26(1) mandatory exceptions, it is completely up to the national legislatures whether they recognise any forms of ‘adequate safeguards’.
The only implementing law to date, that of Greece, does not recognise any contractual or other forms of adequate safeguards.
The Working Party intends to issue in future some principles as to when ‘adequate safeguards’ might be found, but stresses that ‘adequate’ is used in both Art 25 and Art 26(2) and that the substance of its future work on Art 26(2) is likely to draw significantly on the ideas in First Orientations, given that both deal with a test of ‘adequacy’.
If this approach is followed, then contractual ‘adequate safeguards’ will have to provide all of the six ‘core’ principles and equivalents of the three procedural protections that are necessary for ‘adequate protection’ (as discussed above).
The type of contract that is most likely to provide ‘adequate safeguards’ is that between the individual concerned and either the European data exporter or the third country data importer, or (in some cases) both.
The European exporter is able to give the data subject a wide range of contractual rights and guarantees, including guarantees of observance of the six core principles by both exporter and importer. The contract can give the data subject a right to damages or other remedies for breach. In order to make such contractual remedies meaningful, the law of the contract can be made the law of the country of domicile of the data subject (if different from the domicile of the exporter), and ancillary rights can be added such as payment of all legal costs in the event of a successful action and limitation of awards of costs against the data subject (so as to simulate the situation of complaints to a data protection authority). In some cases, it may be possible for the exporter to give the data subject rights to pursue remedies against the exporter under a European data protection law. Whichever way it is done, it should be possible for the exporter to give the data subject meaningful contractual rights covering almost all of the Working Party’s requirements for ‘adequacy’, with the possible exception of the institutional mechanism to investigate complaints (which could come from an industry self-regulatory scheme).
Similarly, the data importer could contract with the individual concerned to provide the same rights as discussed above. This may be likely to occur when the individual resides in the same country as the importer.
The crucial point is that any such contracts would have to cover all of the content required for ‘adequacy’. Neither the Directive, nor the Working Party, contemplate contracts being used as a device by which individuals can surrender their rights under the Directive. There can be no ‘contracting out’ of data protection obligations under the Directive.
Can private contracts between European data exporters and third country data importers (as distinct from their contracts with data subjects) constitute ‘adequate safeguards’? The US government pushed for maximum recognition for supplier-recipient contracts, and the French data protection authority, CNIL, has allowed a number of transfers from France to countries then without data protection laws (Italy and Belgium) on condition that such contracts were entered into. The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract. Article 25 makes no mention of contractual clauses at all, and it seems unlikely that contractual clauses could constitute ‘adequate protection’, even on a sectoral basis where they are adopted by an industry. Article 26(2) does not clarify whether its mention of ‘contractual clauses’ includes supplier-recipient contracts. As there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject, it is doubtful that such contracts could constitute ‘adequate safeguards’ for Art 26(2) purposes. These are the contracts that the Working Party sees as having ‘inherent problems’.
Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution:
Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.
Reidenberg now sees supplier-recipient contracts as being of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.
Voluntary codes of conduct are much more likely to provide ‘adequate safeguards’ for Art 26(2) purposes than ‘adequate protection’ under Art 25, since adequacy can be judged in relation to whether the importing party does actually apply the Code. The downside is that this will involve all the procedural requirements for a ‘one off’ approval in each case, as discussed below.
The same may be said for data protection implementation as a technical standard with accreditation schemes.
In both cases, all of the problems of whether the scheme or standard meets all of the content and procedural requirements of ‘adequacy’ will apply. It seems more likely that both voluntary codes and technical standards could form part, but only part, of ‘adequate safeguards’.
In the first place it is up to the law of the member state to determine how it will grant an export authorisation, but it is clear from Art 26(2) that authorisations must be on a ‘one-off’ basis (as the controller is required to ‘adduce adequate safeguards’), not by some blanket legislative provision. The laws of each member state are likely to differ in these procedures. It seems that the EU-based ‘controller’ would have to be the applicant for authorisation, and there would need to be a separate application in relation to each EU country from which data is to be exported.
The process is therefore not under the control of the company or government department in the importing country, but is one that could be fragmented into applications by every organisation in every EU country from whom the importer wishes to obtain data.
The member state must inform the Commission and the other member states of ‘authorisations granted’ under Art 26(2) (Art 26(3)). If another member state or the Commission objects to the authorisation, the Commission is required to take ‘appropriate measures’, after referring the matter to the Committee in accordance with Art 31(2) (Art 26(3)). Such objection would have to be lodged while the data export is still taking place, but this may easily occur in relation to any ongoing export relationships.
All member states must then comply with the Commission’s decision, including decisions that certain contractual clauses or other relationships do or do not offer ‘adequate safeguards’ (Art 26(4)).
It appears, therefore, that the process for obtaining authorisations on the basis of ‘adequate safeguards’ is one likely to be uncertain, complex, time consuming and costly.
Bennett, writing from a Canadian perspective, is sceptical about the extent to which data users can rely on Art 26:
Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and ‘professional rules’ (ie codes of practice) and security measures affords ‘adequate’ data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.
Comprehensive privacy legislation which covers the six ‘core’ principles and contains serious enforcement mechanisms something like those in Australia’s Privacy Act 1988 seems to be the only certain way to obtain ready inclusion in the proposed ‘white list’ of countries providing ‘adequate protection’ for Art 25. The scheme proposed in the Attorney-General’s 1996 Discussion Paper may well have covered all required elements. Ratification of Convention 108, even in advance of legislation, may be another route (and one that is in principle open to Australia).
Alternative approaches are all likely to result in considerable difficulties for companies and agencies wishing to obtain personal data from Europe:
At least insofar as companies wishing to obtain personal information from Europe are concerned, the Australian government’s argument that national privacy protection should be abandoned because of compliance costs appears specious:
Graham Greenleaf, General Editor.
This paper was presented at the ‘1997 Australian Privacy Summit’, IBC Conferences, 21-22 October 1997, Gazebo Hotel, Elizabeth Bay, Sydney under the title The European Union’s Privacy Directive — New orientations on its implications for Australia.