Privacy Laws and Business International Report
THE EUROPEAN COMMISSION’S Data Protection Working Party issued, in July, a new working paper on transborder data flows.
The document is based on an earlier paper which gave an initial view on how the adequacy of protection should be assessed in flows of personal data to third countries. The current paper, published on 24th July, takes as a starting point the Council of Europe Convention 108. The Working Group assumes that most transfers of personal data to countries that have ratified the Convention could be seen to have adequate protection. However, the Working Group requires that the country in question also has appropriate mechanisms to ensure compliance, help individuals and provide redress. In practice, this is likely to mean that an independent supervisory authority with appropriate powers is required. Another requirement is that the country in question is the final destination of the transfer. If these prerequisites cannot be fulfilled, contracts could be used.
The paper makes some suggestions on the possible form and content of such contracts. Many of these are the same as discussed in the previous paper (PL&B May ’98 p. 13-14).
EXEMPTIONS FROM ADEQUATE PROTECTION
The requirement for adequacy does not apply in some cases. First of all, when data subjects have given their consent to the transfer. Secondly, when the transfer is necessary for the performance of a contract. The Working Party envisages that such situations could include transfers that are necessary for reserving an airline ticket, or handling a credit card payment. Other exemptions are likely to cover certain limited transfers between public administrations, transfers in the context of international legal proceedings, and urgent transfers of medical records. In addition, transfers that may be allowed are those made from registers intended by law for consultation by the public. This type of transfer would apply in cases where the person entitled to consult the register is actually situated in a third country.
CASE STUDIES OFFER GUIDANCE
The Working Party also provides additional guidance in the form of hypothetical case studies. In each study, the group assesses an imaginary data transfer, and offers its judgement as to whether the protection of data in the destination countries (not identified) is adequate.
The first case study discusses a transfer of data regarding credit-worthiness. It is assumed that an EU citizen wishes to purchase a holiday home in a non-EU country. As he applies for a loan in that country, the financial institution in question requires a credit report from a credit reporting agency. As this agency has no previous record of the customer, it asks its “sister” company in the UK to send the full credit history.
The verdict of the Working Party is that even if the company has a privacy policy, it is not enough on its own. The protection offered by the law in that country covers few privacy principles, and is, therefore, inadequate. It is suggested that in a case like this, the law could be amended to include principles such as transparency, or the privacy policy could be made more effective by, for example, making compliance a condition for membership of an industry association.
The second case study looks at a transfer of sensitive data in the airline industry. The starting point, entering sensitive personal data on an international computer reservation system, resembles a Swedish court case involving American Airlines and Lufthansa which was initiated a few years ago.
In the imaginary case, data protection is not adequate in the country which receives the data. The working group suggests that seeking the data subject’s consent would be the best solution. Consent could be obtained by the travel agency where the passenger books his ticket. The passenger should also be informed about the level of protection offered by the receiving country.
The third case study evaluates the problems related to a transfer of marketing list data. All case studies are reported in full length in the Working Party’s document (see below).
The EU Data Protection Working Party’s Working document “Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU Data Protection Directive” is available on the DG XV website, http://www.europa.eu.int/comm/dg15/en/index.htm
URL: http://www.worldlii.org/int/journals/PLBIRp/1998/17.html