Privacy Law and Policy Reporter
As all readers must surely be aware by now, the ‘adequacy’ of privacy protection in third countries, for the purposes of the EU Data Protection Directive (95/46/EU), continues to be one of the main factors influencing the privacy debate in Australia and other jurisdictions outside Europe. But for more than five years no one has been clear about exactly what the Europeans mean by ‘adequacy’ (which replaced equivalence as the key concept of the draft Directive in the mid-1990s).
In early 1998, the EU Commission contracted with four international ‘experts’, including the author, to test a methodology for assessing adequacy ((1998) 4 PLPR 141).
The final report of this study was presented to Directorate General XV of the Commission at the end of September 1998. It was made public, through the DGXV web site, just before Christmas (http://europa.eu.int/comm/dg15/en/public/index.htm#5 — go to Reports, Studies, other Documents). Copies of the report were however in the hands of some decision-makers, including the Australian Attorney General’s Department, considerably earlier, and certainly before the federal government’s announcement of its policy reversal in mid-December. While the authors would like to think the report played some small part in this decision, the report’s findings would not have come as any surprise to most close observers, and serve mainly to confirm what most people already knew — that assessing adequacy is not a simple or quick task.
The report is bulky (more than 200 pages) but consists mostly of detailed reports on 30 case studies of five types of data transfer to six different jurisdictions, including Australia, New Zealand and Hong Kong. (The author was responsible for the 15 cases applying to these three jurisdictions, as well as sharing responsibility for the overall findings.)
There is an executive summary and a chapter of general methodological conclusions. These include the endorsement of the EU criteria as a foundation for assessment of both laws and codes of practice, but also a warning that the process of assessment is not only time consuming but highly context specific, and therefore difficult to generalise from.
Anyone looking for clearly expressed overall judgments of the ‘adequacy’ of data protection in each country will be disappointed. We were expressly contracted not to make any such generalised conclusion, as the project was about testing an adequacy assessment methodology. The Europeans in the Commission and member states have been performing an elaborate dance, carefully skirting any such direct judgment of other jurisdictions. An unequivocal official declaration that any particular country is ‘inadequate’, and could therefore face restrictions on transfers of personal data from Europe, would have major economic, and probably political, implications. The Europeans are clearly reluctant to take this step before discussions with trading partners — notably the US — have been given a chance.
But if you look at the conclusions for each case study, our view about the adequacy of the privacy protection environment in the jurisdiction concerned is fairly clear — at least in the context of the particular data transfers, but also more generally. To crudely summarise, now that the project is complete, New Zealand and Hong Kong are close to, although not quite guaranteed, a seal of approval, due to their comprehensive laws with clear standards and at least superficially effective compliance and enforcement mechanisms. The few areas in which they may be deficient are acknowledged in the jurisdictions concerned and are the subject of either statutory provisions yet to be proclaimed (s 33 of the Hong Kong privacy legislation) or recommendations for corrective action (Review of the NZ Privacy Act December 1998). In contrast, Australia, with its current patchwork of statutory controls and voluntary codes of practice but gaping holes in many sectors and jurisdictions, can stand no realistic chance of being assessed as adequate.
Where the report’s detailed findings may be of use is in the sectors from which the case studies were drawn. The data transfers studied were:
In each jurisdiction, where it was possible to find a co-operative subject organisation, actual transfers were studied. This applied in most jurisdictions to the human resources, airline and medical cases. Where it was not possible to find such a partner, a composite hypothetical transfer was built up partly from observation of real life examples. This was the case with most of the e-commerce and sub-contracting transfers.
The following summaries for each category combine the findings from the report with the author’s own personal observations. In each case, the main focus is on Australia, given that the other two regional jurisdictions can generally rely on their privacy laws to satisfy the Europeans’ concerns. It is only Australian organisations that still face the problem of looking to other ‘arrangements’ to try to meet the European criteria for adequate protection.
Compliance with fair information practices was found to be generally good in each of the case studies. At least some elements of fair information principles had been incorporated into practice in all six jurisdictions studied. In most, many of the EU adequacy criteria had been met. However, this was largely due to the fact that the organisations receiving the transferred data in the destination jurisdictions were subsidiaries of European parent companies. Practices in third country based organisations transferring personnel data from small branch offices or agents in Europe would almost certainly not meet similar standards, unless they are themselves subject to equivalent domestic laws — as they are in Hong Kong and New Zealand, but not Australia.
Compliance with fair information practices is good where the data transferred was collected in Europe by European-based airlines under the jurisdiction of European data protection laws. Even third country based airlines are likely to follow common standards, partly because of their reliance on shared industry reservation systems which have had to be designed with European laws in mind. The complexity of the flow of such data, and of the uses to which the data may be put elsewhere, makes generalisations difficult about compliance in other jurisdictions, especially where all the fair information principles may not apply. A single transaction may generate multiple data transfers to multiple players. Passengers with complex flight arrangements that also involve ‘special’ and other services may find that their data flows through regimes with markedly different levels of privacy protection, particularly in respect of enforcement mechanisms and remedies.
Adequate protection for all primary and secondary uses of personal health information is greatly dependent on whether the jurisdiction has a comprehensive data protection law. This is the case in New Zealand and Hong Kong but, within Australia, only in the ACT (and soon NSW). The adequacy of protection for clinical trial records is heavily dependent on the practices of the company concerned, and particularly on the transfer of personal data in a nearly unidentifiable form. Health professionals’ codes of ethics and associated disciplinary mechanisms provide some protection against gross abuses of confidentiality, but do not recognise all of the rights and responsibilities included in privacy principles.
Compliance with fair information practices for the six electronic commerce transfers studied is almost wholly dependent on whether the jurisdiction has a comprehensive data protection law. Where no law applies general fair information practices to electronic commerce activities (as in Australia), electronic commerce is virtually unregulated for data protection. Voluntary industry codes exist in the jurisdictions without applicable laws (such as the IIA and ADMA codes in Australia), but the extent to which those codes address all elements of fair information practices, let alone meet the standards in the EU data protection directive, is highly variable. Current controversies over both the IIA and ADMA codes’ treatment of ‘spam’ and their inadequate compliance and enforcement mechanisms suggest that they would be unlikely to satisfy the EU criteria for adequacy. Australian merchants and service providers collecting information from Europeans over the internet would therefore have to demonstrate, if challenged, that they were complying with the core data protection principles and that they had set up some form of dispute resolution system with an independent component. This is an overhead cost that most small or medium sized businesses could not support, and the case for an effective industry scheme, preferably with statutory backing, is overwhelming.
Transfers of personal data between data controllers and data processors pursuant to sub-contracts are for the most part unregulated in third countries. It is impossible to offer any general conclusions about the extent to which industry practices, in Australia or elsewhere, meet EU standards, because outside assessors cannot obtain specific information about contracts. However, a full set of protections for data subjects should be available under the law of the EU country in which the data originate, to the extent that the ‘client’ organisation retains control over the data. It is unlikely that similar protections are available in third countries without general privacy laws, such as Australia, except that security requirements are probably addressed in contracts for IT services for other reasons, providing ‘incidental’ privacy protection. Contracts may or may not cover other privacy responsibilities, but will usually not be able to ensure that data subjects have easy access to enforceable rights — they cannot be given direct rights by the parties to the contract under Australian law.
The report was aimed primarily at decision-makers in Europe and elsewhere who are grappling with the implementation of the EU Directive and its implications for cross border data transfers. It has hopefully already added to the weight of pre-existing evidence that some form of government initiative is necessary to address the privacy and data protection issue in third countries. Relying on sectoral statutes, common law, voluntary industry schemes and contracts, while theoretically an option, is exposed as the most difficult and costly option.
Judging by recent developments in Australia, this message appears to have finally got through, but realistically it will be at least another 18 months before any comprehensive law is in place. In the meantime, the detailed findings of the report may provide some assistance to organisations wishing to continue transferring personal data from Europe. And as legislative schemes are developed, the report will also serve to remind those responsible of the criteria they will need to meet to ensure that those schemes come up to the standards required by many of our major trading partners.
Nigel Waters, Associate Editor.