Privacy Law and Policy Reporter
This is an edited version of a paper first given at the conference ‘E-privacy in the new economy’, organised by the Hong Kong Privacy Commissioner and held in Hong Kong on 26 March 2001. It is reproduced here by kind permission of the author and the Commissioner, Stephen Lau.
The potential constraint on transborder data flows (TBDF) from Europe arising from the EU Data Protection Directive (the Directive) could have far reaching effects on businesses in recipient (‘third’) countries which rely on continued access to personal data originating in Europe. The cost of the various compliance mechanisms (such as TBDF contracts), together with the need to build consumer trust and confidence, may convince third countries of the economic efficiency of implementing their own domestic privacy laws.
Transborder data flow has emerged as a significant issue for the ‘information era’. Over the past 20 years, personal data have increasingly been treated as key business commodities and assets. The knowledge economy leverages the use of information, including personal data. The increasing capacity and sophistication of information and communications technologies (ICT) are globalising data transfers. Global networks such as the internet now make it possible to collect, process and transmit personal data on an unprecedented scale. The transmission may be high volume, as in the transfer of whole databases, or take the form of multiple one-off collections and exchanges arising from activities such as web browsing.
The role of contract, as a means of ensuring adequate privacy protection, is expressly recognised in the Directive (see art 26(2)). Early in 2001, the Commission issued a Draft Commission Decision on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under art 26(4) of Directive 95/46. The significance of this work is that it recognises that adequacy need not only be satisfied by the existence of appropriate privacy legislation in the third country, but may also be achieved by certain mechanisms, such as the use of TBDF contracts.
To the extent that the national or domestic privacy law of an EU member also provides for privacy protection through the use of contract, then the data export may be regulated by the use of a TBDF contract. However, in order for such contracts to be ‘approved’ as providing an adequate level of privacy protection, it is necessary for there to be some template or standardisation of TBDF contracts. This need has led to a significant amount of work to develop model contract clauses. These have evolved as follows. The early focus of what is known as ‘contractual privacy solutions’ was on conventional business to business (B2B) data transfers, as opposed to what are now known as business to consumer (B2C) transfers (in the context of internet usage).
The first significant work was the 1992 Council of Europe Model Contract (to ensure equivalent data protection in the context of transborder data flows). These clauses were revised by the International Chamber of Commerce (ICC) in the light of the changing standard within the EU Directive from the draft requirement of ‘equivalent protection’ to the current reference to ‘adequate protection’. This work incorporated the comments of the art 29 Working Party. The result was the ICC Model Clauses (for use in contracts involving transborder data flows). These have in effect been superseded by the January 2001 Standard Contractual Clauses.
There have been other initiatives on the use of model contracts for B2B data transfers, including the Working Document adopted by the art 29 Working Party of the European Commission on 22 April 1998 containing ‘Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries’.
The most recent work on TBDF contracts is probably the aforementioned European Commission proposal on Standard Contractual Clauses, Draft Version, dated 19 January 2001. These clauses try to address some of the issues previously identified by the Working Party and others on the shortcomings of TBDF contracts; for example, the difficulty of providing redress for the data subject if the individual is not a party to the contract between the data exporter and importer, or where there is no law recognising the rights of third party beneficiaries. The clauses proposed by the European Commission, in the Draft Opinion or Decision, are intended to be re-evaluated after three years’ operation.
The Working Party has clarified that even if the European Commission has recommended certain contractual clauses as offering sufficient safeguards, the data transfer will still be subject to the national or domestic legislation of the relevant Member country. Therefore, the lawfulness of the processing operation will be subject to the conditions or the way in which the applicable national legislation has implemented the provisions of the Directive. It should be noted that the privacy laws of some EU countries do not recognise TBDF contracts.
The fundamental provision within the European Commission Standard Contractual Clauses is the requirement on the data importer to agree and warrant to process the personal data received from the EU Member in accordance with certain processing conditions that will provide adequate safeguards within the meaning of art 26(2) of the Directive. In particular:
The Working Party would like to stress the fundamental and indispensable character of three of these conditions in order to guarantee a minimum level of protection: the purpose limitation principle, restrictions on onward transfers and the data importers’ undertaking of providing the data subjects with the rights of access, rectification, deletion and objection arising from the Directive 95/46/EC.
The advent of the internet has exacerbated the threat to personal privacy. The use of this technology in consumer to business (C2B) TBDF poses particular problems in terms of privacy protection, especially where it involves the collection of personal data from individuals or consumers in a way which is outside their knowledge or beyond their control. Growing recognition of the linkage between consumer trust (such as that built through effective privacy protection) and the facilitation of electronic commerce has highlighted the problem.
In the online world, the nature of C2B interactions is such that often there will be no pre-existing relationship between the participants; the web browsing may be random, with many first time or intermittent site visits. The exception is where the consumer has an established relationship, such as a history of ordering goods online from a particular business or of applying for credit. The participants will also be removed from each other in terms of distance, time and geographical location. Despite this separation, the technical features of the medium are designed to facilitate data transfers. The disclosure of data is made possible by web browsing software, which provides the means to identify the network and machine used to access the web (through the network address and browser identification sent with each request) and the URL of the page from which the visitor arrived (sent in the referrer header), and by matching this information against identifiers stored in ‘cookies’. Data collection and storage are facilitated by caching and by the availability of search engines, robots and internet indexes.
More overt data collection occurs when the consumer provides personal details in the course of a website interaction, for example credit card and other payment details, contact details, personal preferences and so on. In transactions to acquire goods and services, the data transfer is usually incidental to the primary purpose.
When an individual (a consumer) merely visits a website, the browsing activity can also generate data. This is a form of data transfer, and it is likely to be transborder. However, the consumer has not ordered any goods or services, but has merely been viewing and perhaps downloading information; the consumer is ‘window shopping’. It is unlikely that contractual requirements such as an intention to be bound, or offer and acceptance analysis, would apply to what is, in essence, only a communication or interaction. This characteristic of online C2B interactions requires that any attempt to protect the privacy interests of the consumer must begin prior to any contractual stage. The use of TBDF contracts for C2B may be neither possible nor appropriate.
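The point that a bare visit is already a data transfer can be seen at the protocol level. The following Python is an added example, not part of the original paper: it parses a constructed HTTP request (the traffic, the host names and the cookie name `vid` are all assumptions made for the illustration) and records what a site learns from a visitor who has ordered nothing: the network address, the browser and machine identification, the page the visitor came from (the referrer header), and a cookie that lets a later visit be matched to the first. The `trusted_proxy` flag is there because the forwarded-address header only identifies the visitor when it was written by a proxy the site itself operates.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

COOKIE_NAME = "vid"  # hypothetical name of the site's tracking cookie (assumed here)

# Constructed sample traffic (not real captures).  First visit: the consumer clicked
# a search-engine result, arrives through a reverse proxy and carries no cookie yet.
FIRST_VISIT = (
    "GET /catalogue/shoes?size=42 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20010101\r\n"
    "Referer: https://search.example/results?q=cheap+running+shoes\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)
# Second visit a day later: the browser now presents the cookie the site handed out.
SECOND_VISIT = (
    "GET /catalogue/socks HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20010101\r\n"
    "Referer: https://shop.example/catalogue/shoes?size=42\r\n"
    "Cookie: vid=a1b2c3d4e5f60718; theme=dark\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

@dataclass
class VisitRecord:
    client_ip: str          # network used to reach the site
    path: str               # what was looked at
    user_agent: str         # browser and machine identification
    referer: Optional[str]  # URL of the page the visitor came from
    visitor_id: str         # tracking cookie value, existing or newly issued
    cookie_was_new: bool    # True on the visit where the cookie was issued

def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.x request head into its target and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def parse_cookies(header: Optional[str]) -> dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; tolerates a missing header."""
    cookies: dict[str, str] = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def client_address(headers: dict[str, str], peer_ip: str, trusted_proxy: bool) -> str:
    """X-Forwarded-For identifies the visitor only when the peer is a proxy we run;
    otherwise any client can write an arbitrary address into it."""
    forwarded = headers.get("x-forwarded-for")
    if trusted_proxy and forwarded:
        return forwarded.split(",")[0].strip()
    return peer_ip

def record_visit(raw: str, peer_ip: str, trusted_proxy: bool = False,
                 new_id: Optional[str] = None) -> VisitRecord:
    """What the site learns from one request, before any contract exists.
    new_id pins the issued cookie value so the sample is reproducible."""
    target, headers = parse_request(raw)
    visitor_id = parse_cookies(headers.get("cookie")).get(COOKIE_NAME)
    cookie_was_new = visitor_id is None
    if visitor_id is None:
        visitor_id = new_id or secrets.token_hex(8)
    return VisitRecord(
        client_ip=client_address(headers, peer_ip, trusted_proxy),
        path=target,
        user_agent=headers.get("user-agent", ""),
        referer=headers.get("referer"),
        visitor_id=visitor_id,
        cookie_was_new=cookie_was_new,
    )

def set_cookie_header(record: VisitRecord) -> Optional[str]:
    """Response header that plants the identifier on a first visit; None otherwise."""
    if not record.cookie_was_new:
        return None
    return f"Set-Cookie: {COOKIE_NAME}={record.visitor_id}; Path=/; Max-Age=31536000"

def profile(records: list[VisitRecord]) -> dict[str, list[tuple[str, Optional[str]]]]:
    """Matching on the cookie: separate visits by one browser become one profile."""
    by_visitor: dict[str, list[tuple[str, Optional[str]]]] = {}
    for r in records:
        by_visitor.setdefault(r.visitor_id, []).append((r.path, r.referer))
    return by_visitor

if __name__ == "__main__":
    first = record_visit(FIRST_VISIT, "10.0.0.2", trusted_proxy=True, new_id="a1b2c3d4e5f60718")
    second = record_visit(SECOND_VISIT, "10.0.0.2", trusted_proxy=True)
    print(set_cookie_header(first))
    for vid, visits in profile([first, second]).items():
        print(vid, visits)
```

Run stand-alone, the script shows the cookie issued on the first visit and then a single profile linking the shoe page (reached from a search query) to the sock page a day later; none of this required the consumer to order anything or to agree to any terms, which is why the paper argues that notice has to come before any contractual stage.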
This means that in the context of C2B transfers, there is an important role for measures such as model privacy protection policies. There is a need to bring privacy protection issues to the consumer’s attention at the earliest possible stage in the website interaction — it will be too late to afford the consumer any genuine freedom of choice as to the transfer of these data if notification of the uses to which personal data may be put takes place only at the stage when a contract for the supply of goods or services is concluded.
There have been some encouraging developments in this regard. I recently completed another assignment for the OECD on electronic commerce codes of conduct. It is interesting to note that of the 29 B2C e-commerce codes studied for the report, every code addressed the issue of privacy protection. While it is not possible to draw any conclusions as to the adequacy of the privacy provisions within each code, it is interesting to note that the drafters of these codes recognised the need to incorporate privacy protection policies in the context of electronic commerce transactions.
Where privacy protection policies are incorporated into a C2B contract, the consumer will be entitled to take action to enforce these as a term of the contract. The legal status of privacy protection policies or statements is less clear and there may be limited prospect of enforcement by an individual consumer. Depending on national laws, the consumer might have a cause of action for misrepresentation or recourse under trade practices or consumer protection laws. Despite these possibilities, there are serious practical impediments in the way of any individual consumer who attempts to issue proceedings against a business which is operating on the web, given the amount of resource such actions require. There would be the difficulty of determining which court has jurisdiction — assuming it is even possible physically to locate the entity which has responsibility for the website content or the information use and disclosure practices associated with that site.
For those C2B transfers which are structured so as to form a contract, the outcome of the various initiatives on the contract requirements for electronic commerce transactions will be directly applicable to online C2B privacy contracts. These initiatives include the legal recognition of authentication measures (such as the use of electronic and digital signatures) and rationalising the evidentiary requirements. There is also on-going work to resolve conflicts of laws (choice of law and jurisdiction) in transborder transactions.
The globalisation of commerce, including TBDF, means that transactions increasingly involve parties from more than one country or involve obligations to be performed in more than one country. This gives rise to significant choice of law questions and issues. Where will the dispute be determined? Is effective interim relief available, pending trial? Will a judgment obtained in one jurisdiction be enforceable elsewhere, either against the assets of the defendant or against the defendant personally?
The problem of dealing with the conflict of laws issues for online interactions, whether in the context of electronic commerce generally or specifically in respect of TBDF remains unsolved. This is a major issue of the present day electronic environment; it is receiving close scrutiny by a number of international fora. In any international contract it is essential to prescribe which governing laws and jurisdiction should apply to that contract. TBDF contracts have the same need. Even if the parties to the contract apply some contractual foresight, this does not resolve the numerous difficulties of enforcing a foreign judgment or of applying the rules to the peculiarities of an internet interaction.
There are many participants in a C2B transfer. The internet has a number of intermediaries in the form of service providers who play a role in the way the technology operates; that is, by utilising servers to host the web page files, routing data packets through nodes around the world, and the practice of caching. Each participant or activity may be ‘located’ in different legal jurisdictions. The question, therefore, is which country’s substantive legal rules should apply to a data transfer, message content or other activity, accessed via the internet. Whose courts would have jurisdiction to adjudicate civil disputes and prosecute breaches? Clearly, the presumptions of physical location and proximity (which are inherent in the linking of territoriality to geographical borders) are fundamentally challenged by the characteristics of global networks.
The choice of law (prescribing the governing or proper law of the contract) will be highly significant in the adoption and uptake of TBDF contracts. Although a forum may have personal jurisdiction and be the proper venue, its choice of law rules may require that the dispute be decided under the substantive law of another jurisdiction. Each country has its own private international law (forming part of its national or domestic law). These variances between countries are what distinguish private international law from public international law. Despite the differences, there are ongoing efforts to harmonise the rules of conflict of laws. Many jurisdictions pursue common objectives and are influenced by the doctrine of comity and the need to respect the civil justice systems of other countries.
The question of when and where a contract is concluded is a major factor in determining which legal system is to govern the particular transaction. Where transactions are conducted over the internet, the question is not always easy to answer. The global top level domain name .com gives no indication where a business is located. Even where the name uses a country code such as .de or .uk, there is no guarantee that the business is established in that country. Key characteristics of the internet are its re-routing ability and anonymity features.
In general, it is provided that contracting parties are permitted, subject to a criterion of reasonableness, to select which legal system will govern a particular transaction. Linked to this is the question of which national courts will have authority to rule on the interpretation of the contract. Where parties are resident in different countries, for example, in Canada and Germany, it would be open to them to provide that the contract should be governed by Canadian law but that any disputes should be brought before the German courts.
Within Europe, the Brussels and Rome Conventions provide for partial exceptions in the case of consumer contracts. The Brussels Convention provides that a supplier with a ‘branch, agency or establishment’ in the consumer’s country of residence is to be treated as domiciled there in disputes arising out of the operations of that establishment. Consumers may choose to bring actions in either their country of domicile or that of the supplier, while actions against the consumer may be brought only in the consumer’s country of domicile. Whether an internet based business can be regarded as having a ‘branch, agency or establishment’ in every country from which its facilities may be accessed is uncertain.
The Rome Convention complements the jurisdiction rules of the Brussels Convention on the question of applicable law, and provides that a choice of law in a consumer contract may not deprive the consumer of the protection of the ‘mandatory rules’ of the law of the consumer’s country of habitual residence. The scope of mandatory rules is not clear cut but, given the emphasis placed on the human rights dimension in many international instruments dealing with data protection, it is arguable that any contractual attempt to deprive consumers of rights conferred under the Council of Europe Convention and the EU Directive would be declared ineffective on this basis.
More recent developments may complicate matters. It has been proposed that within the European Union transactions entered into by electronic means should be regulated by the law of the supplier. (I am unsure as to the current implementation status of what was a draft EU Directive on electronic commerce.) This approach is justified on the basis of supporting the development of the new e-commerce industry. There appears to be an inescapable tension between choice of law provisions designed to favour the development of e-commerce (by making the nature of the liabilities incurred by service providers more predictable) and those consumer protection policies which give priority to the interests of consumers (by maximising their access to local courts and tribunals).
There is a clear link between privacy and e-commerce. The volume and nature of data transfers occurring in e-commerce transactions is prompting privacy concerns. The lack of consumer trust and confidence in the level of protection afforded personal data by the internet is an inhibiting factor in the growth of electronic commerce. Yet privacy protection (and the ability of data subjects to obtain redress) has its origins in human rights conventions and is also clearly a consumer protection issue. This tension needs to be reconciled. The issue is how much autonomy the participating parties should have to determine their choice of law and jurisdiction, if this adversely affects the data subject’s need to have access to appropriate redress mechanisms. Even if the data subject can access a local court, there remains the problem of enforcing judgment.
In 1992 the Hague Conference on Private International Law commenced work on drafting a new Convention on jurisdiction and judgments in civil and commercial matters. The proposed approach was to specify some agreed grounds of jurisdiction, and some prohibited grounds, but otherwise to leave the question to the law of each Convention country. Judgments falling within the agreed grounds of jurisdiction would be enforceable in all other Convention countries. Where one Convention country exercised jurisdiction in the ‘grey’ area, it would be a matter for other Convention countries to decide whether or not to recognise and enforce the resulting judgment. The Convention would extend beyond money judgments to injunctions and other forms of relief, and could embrace interim orders as well as final judgments.
If the drafting work results in a ratified Convention, it will solve one of the most frequently occurring problems of private international law, which causes considerable delays and unnecessary cost in many cross-border disputes. The alternative may be for countries such as Australia, New Zealand and others in Asia to consider acceding to the Lugano Convention which, unlike the Brussels Convention (which is restricted to EU members), is open to accession by all countries. This would simplify questions of jurisdiction and enforcement of judgments as between the signatories and most European countries, including the UK.
As Goddard points out in his 1999 paper, an integral part of facilitating global commerce is facilitating the resolution of cross-border disputes, by reducing uncertainty and costs in connection with the selection of a forum, interim relief, gathering evidence and enforcement of both interim orders and final judgments. New Zealand law does not make adequate provision for these matters; no doubt this is also the case in other countries in the region. The absence of adequate provision for such matters is of particular concern between countries where there are close commercial links and regular movements of people, business and data. Any coherent approach to legislating for increased globalisation of trade, including TBDF and e-commerce, means that such issues should be an integral component of legislative reform.
The impediments to relying purely on recourse under a TBDF contract lead parties to rely on ancillary mechanisms, such as looking to a data protection authority or some other supervisory agency (government or industry) for remedies and sanctions. Another avenue well worth pursuing is the development of an online dispute resolution service which could provide first tier resolution for privacy disputes, in particular where these are high volume and originate from individuals with insufficient resources to pursue other legal remedies (if any). In a global economy, the need for online privacy dispute resolution will grow rather than diminish.
The adequacy requirement of the EU Directive is a form of export restriction. It could prove to have far reaching consequences for businesses in non-EU countries, such as in Asia, which need to obtain or use personal information or data originating within an EU country. The European Commission is currently evaluating third countries in terms of the adequacy requirement, including working through a list of countries in the Asia Pacific region. For those countries which do not have any privacy legislation, or whose national privacy laws are significantly flawed (so as not to satisfy the adequacy test), the potential impact of these developments should not be underestimated.
The ‘new economy’ relies on the ability to transmit information, including legitimate use of personal data. What will be the impact if, as a result of a complaint over a data transfer to a third country, an airline is unable to obtain a customer manifest, an insurance company is unable to access insurance records, a business is unable to access its human resources records, or a marketing division can no longer obtain its customers’ profiles?
These examples all presume that the proposed use of the personal data exported from an EU country fulfils the purpose limitation and other principles of the OECD Privacy Guidelines. The fact of such compliance will be irrelevant, however, in the absence of appropriate national legislation to protect personal data in the third country (of the importer), or in the absence of contractual mechanisms (approved under the EU Directive) that fulfil the EU adequacy requirement.
There are other mechanisms for adequacy, such as voluntary codes of conduct and industry standards; however, experience shows that there are significant issues in meeting the content and procedural requirements of adequacy, including the need for enforcement (in the form of independent supervision, meaningful sanctions and a track history of proven compliance).
As is the case with any of the alternative mechanisms to national privacy legislation, there are significant economic costs and inefficiencies in a situation where the various mechanisms for TBDF require case by case analysis, and an approvals process to ascertain if the circumstances of the data transfer will meet the adequacy requirements under both the EU member’s privacy laws and the EU Directive. The process to establish ‘adequacy’ will be complex and lengthy, presumably requiring investigation of a number of test cases.
It could be argued that the compliance cost for third countries in satisfying the adequacy requirements by enacting their own national privacy protection laws, would be lower than the cumulative costs of requiring business and/or industry to fend for themselves in trying to design suitable adequacy mechanisms. In addition to the arguments based on economics and efficiency, there is also the important consideration that privacy protection is a human right and goes to the heart of public confidence and consumer trust.
Elizabeth Longworth is a privacy consultant and lawyer, based in Auckland, New Zealand.
Brussels Convention 1968 on jurisdiction and the enforcement of judgments in civil and commercial matters. Rome Convention of 19 June 1980 on the law applicable to contractual obligations (80/934/EEC).
I am grateful to David Goddard, Barrister, New Zealand, for this update on this jurisdictional issue. Revised version of a paper presented by David Goddard, Barrister, Wellington, to the New Zealand Law Conference, Rotorua, April 1999: Global Disputes — Jurisdiction, Interim Relief and Enforcement of Judgments.
As above.