Privacy Law and Policy Reporter
Associate Editor Nigel Waters reports from the 11th Annual Privacy Laws & Business conference in Cambridge, England, 13-15 July 1998, on sessions relating to the EU Directive and various national responses to it.
Two of the main subjects discussed at the 11th annual Privacy Laws and Business (PL&B) conference were progress in implementing the EU privacy Directive in Europe, with the focus mainly on the new UK Data Protection legislation, and the US response to the EU Directive, including development of various contract and technology-based alternatives to statutory regulation.
Professor Spiros Simitis of the University of Frankfurt (the former Hesse Data Protection Commissioner, and widely regarded as ‘father’ of data protection in Europe) gave his assessment of progress towards implementation.
So far, only three member states (of 15) have ‘Directive compliant’ laws in place (Italy, Greece and Sweden). Another four are imminent (including the UK). Others will take six to 12 months to pass amending legislation. However, it is important to realise that from 25 October, current laws have to be interpreted and applied as far as possible in conformity with the Directive.
Also, no member state can diminish the effect of any existing law in implementing the Directive, and they can also go further than the Directive, notwithstanding the harmonisation objective. This somewhat contradicts the message of the EU Commission, which is that the Directive will lead to maximum consistency and minimum divergence. Simitis sees this as a positive feature, because over time countries will compete to ‘ratchet up’ the level of protection, which he believes still has a long way to go. This is not a reassuring prospect for business looking for certainty and consistency!
Simitis observed a tendency already evident for states to continue their national preferences in revised laws — for example, for registration systems, form of supervisory authority, fees, subject access and definition of data/files. For example, Greece and Italy have gone for detailed registration while Sweden has moved away from universal licensing. The Italian law makes no attempt to limit the law to ‘structured’ files. Greece has a very strong subject access right with only some of the exemptions allowed by the Directive, and a requirement for case by case approval of exemptions by the supervisory authority.
In relation to data exports, neither Italy nor Greece has chosen to include a ‘contract’ alternative as allowed by Article 26(2), although Simitis thinks a contract alternative may still be possible under the primary adequacy test in these countries.
He thinks the Directive is weak in allowing too broad an exemption for crime prevention — there is no qualifying ‘seriousness’ test. He likes the new Swedish and UK laws’ treatment of research as an exemption, although there is still no absolute secrecy guarantee. Privacy and the media is difficult — the Greek and UK laws demonstrate the difficulty of data protection commissioners dabbling in censorship. The Italian law has a strong requirement for the PM and Cabinet to consult the DP Commissioner on any proposal with privacy implications.
Simitis remains critical of the complexity of the language of most new or amended laws, noting that only Sweden has taken the opportunity to simplify its law. He noted that the US has a better record of plain language legislation (in other areas).
From 25 October, member states can theoretically restrict transfers within Europe if laws are not in place in other member countries, but it is unclear how they will react to ‘pending’ laws and to long transition periods such as that in the UK law for manual data.
Marie George, a Commissioner at CNIL (the French Privacy Commission), explained that amending legislation will take another six to eight months to finalise, following the March 1998 Braibant report to the government. A draft Bill will be available soon, with passage through the National Assembly in early 1999. The intention is to keep one law for all sectors, including defence and national security, which are outside the scope of the Directive.
The Directive removes any doubt that the law applies to pictures (although jurisdiction over video surveillance has already been removed from CNIL). It also helps to resist the effect of recent court decisions which have weakened the registration provisions. However, it is proposed to relax some of the registration requirements for routine, less sensitive data processing, while strengthening CNIL’s powers of subsequent inspection. Unlike most countries, France is proposing to extend the law to protect the privacy of legal persons (companies).
Current French developments under existing law include a tough line on web sites. CNIL does not consider technical options such as P3P a substitute for strict compliance with the collection and use-for-purpose principles, and is insisting on the option of anonymous enquiry access, and deletion of log files after two weeks. The banks contested a CNIL ruling that they had to give access to statistical information about consumers (credit scores), but the ruling was upheld.
Elizabeth France, the UK Data Protection Registrar, told delegates that the new UK Data Protection Act will receive Royal Assent in July but cannot take effect until subordinate legislation is enacted. A complex approach has been taken, with more than 30 statutory instruments needed, so commencement is unlikely before the end of the year.
A ‘privacy friendly’ interpretation of the law will be assisted when a new Human Rights Bill is enacted, incorporating the European Convention on Human Rights into UK law, including the Article 8 right to privacy.
The Registrar will be renamed Commissioner, but the government rejected a suggested name change from data protection to privacy. The Commissioner gets new powers to issue information notices (requiring co-operation), and to initiate codes of practice.
Many features of the existing UK law remain. The first five principles covering fair obtaining and processing and data quality are very similar, but there will be broader individual rights (P6), a tougher security principle (P7) and a new ‘EU compliant’ data export principle (P8 and Schedule 4).
Ms France said that the opportunity has been missed for a major simplification of registration, but there will be some relaxation, with details yet to be worked out. Exemptions are to be in regulations.
A new definition of processing puts beyond doubt that everything is covered. There had been a previous problem with browsing held by the House of Lords not to be a ‘use’ (see Brown (1996) 3 PLPR 146).
A major change is that manual records will be covered, but with a long phase-in period: 2001 for access, 2007 for some other principles. There is still some uncertainty about exact definitions, particularly the meaning of ‘structured’ records, ‘specific’ (not particular) information and ‘readily accessible’. The Minister has said that personnel files will not be covered because they are not ‘homogeneous’ but the Registrar (Commissioner) is likely to ignore this and apply the law to all such files, subject to challenge.
The Commissioner is to acquire new responsibilities under existing access to personal files legislation covering schools, local government and health records. The Commissioner will be placed between internal review and the courts in resolving access and correction disputes, and will have to apply an explicit public interest balancing test.
To comply with the EU Directive, there is a new regime for sensitive data, with stricter conditions for processing than for other data (generally requiring express consent); individuals have to be informed on request of the logic behind any automated decision making; and there is a new right to object to direct marketing.
The new rules will apply to new processing immediately the Act commences (which may not be until 1999) but the government may allow up to three years for the application of the new rules to existing data and processing. It appears that until the subordinate legislation is tabled there will be considerable uncertainty about the implications of the new law.
Paul Schwartz of Brooklyn Law School talked about a study he is doing for DG15 on regulatory initiatives to protect privacy when using on-line services, in Belgium, France, Germany and the UK. He emphasised the discrepancies and divergences in law between the different EU member states, and suggested that the Data Protection Directive is unlikely to result in much more harmonisation. While technology can be used to smooth over some differences (for example, intelligent agents could prepare different registrations for the same operation) there is a real need for further changes to laws to achieve real consistency and deal effectively with borderless internet privacy issues.
Bob Belair, from the consultancy organisation Privacy and American Business, reported research findings of high and growing levels of concern: more than 50 per cent of Americans think they have themselves been the victims of privacy abuses. There is major distrust of all institutions, but since this includes government, there is resistance to government-mandated controls. There are clear differences by age: the over-45s see government as the greater threat, while younger people see the private sector as a bigger danger. There is also 15 per cent greater support for legislation amongst women.
The recent Driver’s Privacy Protection Act is significant as the first major restriction on access to public register information, and there is a proposed law on use of Social Security Numbers, to prevent ID theft. There is also major concern about health and genetic privacy. A law already passed provides that if no specific law is passed by the fall of 1999, the Secretary of Health must issue regulations. Twenty-five days have been set aside in the next Congress for privacy debates. The Federal Communications Commission has issued rules on opt-in for telco customer personal information.
The current response to the EU Directive centres on a Department of Commerce paper on Elements of Effective Self-regulation (the consultation period ended 6 July) and on various business led initiatives for standard contracts and for privacy enhancing technical options (see below).
Colin Bennett (of the University of Victoria, Canada) contrasted Canadian movement towards statutory regulation with continued US resistance. He suggests that the reason is partly to do with business reaction to the emerging patchwork of different rules in Canada.
Paula Bruening, of the US Department of Commerce, explained the Clinton Administration’s approach to the privacy issue. The Department’s Elements paper makes it clear that they are looking for business self-regulation to provide not just a commitment to privacy standards, but also recourse mechanisms, verification of compliance (encompassing auditing/inspection) and consequences (sanctions and penalties).
When questioned about the absence of any ‘finality’ (use limitation) principle in the Elements paper, Ms Bruening acknowledged that they are relying on the market for this — that is, they are assuming that competitors will offer more privacy/fewer uses if there is enough demand — otherwise there is nothing to limit uses, which can be on a ‘take it or leave it’ basis, provided individuals are informed.
Ms Bruening agreed with most of Bob Belair’s analysis, except that she sees Congress as somewhat more interested — not in omnibus legislation but in law to deal with specific problems (ID theft, health privacy, children’s privacy).
The Department of Commerce is due to report to the President by the end of July, after its analysis of responses to the Elements paper, and of a forum held in June in Washington where, Ms Bruening acknowledged, privacy advocates had been very critical of current business initiatives.
Mary Culnan, from Georgetown University, explained the paper she had prepared for the Department of Commerce (NTIA) on a methodology to assess the implementation of the Elements of Effective Self-regulation. In discussion, there was a general consensus (criticism) that the methodology relies too heavily on the ‘visible’ privacy policies of organisations, only assessing ‘what they say they do’ rather than what actually happens. This method, applied simply to existing privacy policies, would be unlikely to find evidence of many of the required features.
The potential for data exports from Europe under the provisions for ‘contracts’ in Article 26(2) of the Directive was a major focus of the conference.
Nick Platten, a consultant to DG15 of the EU Commission, reminded participants that authorisations by member state Commissioners in accordance with domestic law provisions implementing Article 26(2) will have to be notified to the Commission, which can confirm or overturn them via the Article 31 committee machinery.
Conversely, however, the Commission may adopt standard contracts or clauses which could then be used in the knowledge that they had been pre-approved.
Platten noted that Art 26(2) specifically mentions individuals’ rights. As the recent paper on contracts from the Article 29 Working Party makes clear, to provide an adequate level of protection, contracts will need somehow to ensure that individuals have access to effective complaint mechanisms and remedies. In some jurisdictions it may not be possible to confer contractual rights on third parties, in which case the contract will have to subject the parties to the law of a country where this is possible, creating additional complexities.
Platten drew a distinction between the many data transfers where the exporter retains control (data processing contracts) and those where some or all control is relinquished. Providing adequate machinery and remedies in this latter situation will be much more difficult.
He also emphasised the need for any contract to ensure adequate protection in the event of any further transfer, including those required by law. The objective is to create a ‘closed loop’.
Three speakers then gave details of model contracts currently under development — all have taken as their starting point the 1992 Council of Europe-International Chamber of Commerce model, and updated it to take account of the EU Directive and provisional views of the Article 29 Working Party.
Charles Prescott, Chair of the US Council for International Business working party, spoke about the initiative of the International Chamber of Commerce (ICC) to develop a model contract. A draft is nearly complete and is just being re-thought in light of the Article 29 Working Party paper before release, probably in September. The model contract is designed to be of multinational (universal) application; generic; SME-friendly; and technology neutral. It localises responsibility for practical implementation, including dispute resolution, making it easy for individuals to exercise their rights; it is concise (hopefully fitting onto one A4 page — small print!); and it has minimum administrative consequences. It operates through a series of warranties, guarantees, indemnities, sureties and bonds between exporter and importer.
The ICC sees the contract as necessary even where the importing country has an ‘adequate’ law, as it makes clear the respective responsibilities of the parties, which will be needed anyway.
The approach taken is to leave the data exporter with the full range of responsibilities for compliance. An aggrieved European data subject would be able to deal with the exporter throughout any dispute. Problems still under discussion are the impracticability of a contract with each and every data subject, and the unacceptability to ‘foreign’ SMEs of making them subject to the source country jurisdiction.
Bob Belair, of Privacy and American Business (PAB) explained PAB’s initiative to develop a range of sectoral model contracts designed to satisfy the EU, taking into account all the key elements set out in the Article 29 Working Party’s paper. Sectors they have in mind include Financial Services; Customer Databases & Direct Marketing; Human Resources; Telecommunications/Internet; Pharmacies; Health Insurance; and Travel & Reservations. They are aiming to ‘launch’ the contracts at their annual conference in Washington on 28 September.
Vivian Bowern, Chairman of the Confederation of British Industry (CBI)’s Data Protection Working Party, explained the CBI’s ‘contract’ project which they were undertaking at the request of the Home Office and the Data Protection Registrar.
The CBI’s approach is to look at the contract requirements for five different ‘situations’:
The CBI models (not yet available) will not be UK specific, and will have brief clauses with more detailed schedules where necessary. Draft d 1 specifies the parties, with Sched A detailing the parties and Sched B the purposes for which data is transferred. Draft d 2 deals with warranties and obligations of the importer, with Sched C specifying such matters as onward transfers, disclosures with the authority of the exporter, data quality assurance, individuals’ rights etc (and provision for sensitive data, direct marketing and automated decision making where applicable). Schedule E will specify the destination jurisdiction(s). There will be optional provision for auditing.
Issues still being debated include whether it will be sufficient to include relevant clauses in other contracts, or whether it is important to have stand-alone data protection contracts, not least for their educative value. The CBI has made an assumption that there is no requirement to provide for treatment of any data collected after a transfer in the destination country. It is also interpreting Schedule 4 of the UK Bill as allowing the Commissioner to approve generic terms rather than seeking to authorise proposed transfers on a case by case basis.
Francis Aldhouse, the Deputy UK Data Protection Registrar, and a member of the EU’s Article 29 Working Party, pointed out that the trans-border provisions of the EU Directive are not an attempt to impose European laws extra-territorially. They are legitimate measures to protect the interests of Europeans, through obligations on data-users operating in Europe. If their effect is to act as a ‘non-tariff trade barrier’ then this is expressly allowed by Article 14 of the GATT.
Aldhouse explained that Sched 1, Pt 2 para 13 of the UK Bill lays out the criteria for assessing adequacy, which are relevant to the Article 26(2) contract option as well as to the Article 25 assessment of overall adequacy. A potential weakness in the treatment of the data export issue under the UK Bill is that if contract terms are approved by the Commissioner, then an exemption from Principle 8 is in effect, which means that individuals are deprived of their rights to challenge any non-compliance. There may therefore be no incentive for the Commissioner to approve any standard contracts. Also, if even part of the data is from a public register then it may escape the limitation on export.
Nigel Waters, Associate Editor.