Privacy Laws and Business International Report

"Great Wall of Europe" Misinterpretations of the EU Data Protection Directive [1998] PLBIRp 33; (1998) 46 Privacy Laws and Business International Report 4

“The Great Wall of Europe” or Too Much Ado About Nothing

THERE ARE AS MANY OPINIONS about the EU Data Protection Directive as speakers. Marco Gasparinetti, a civil servant at DG XV of the European Commission, explores the common misunderstandings about the directive.

In 1995, the European Community enacted a directive[1] that, having established a common set of rights with respect to the processing of personal data, ensures the free movement of such data throughout the European Union. At a time when an increasing quantity of personal data is collected, retrieved and disclosed for many different purposes, Directive 95/46/EC spells out the basic individual rights to privacy: for example, the right of every person to access personal data relating to him/her, the right to rectify data where they are shown to be inaccurate, and the right “to be left alone” as regards certain categories of data. Where “sensitive” data are involved (for instance, medical data, data revealing racial or ethnic origin, religious or philosophical beliefs), the directive requires that, as a general rule, the person concerned gives his/her explicit consent to the processing[2].

START OF A CYBER WAR?

At first sight, this is the kind of right about which one could expect very broad consensus in the “civilised” world. However, as the deadline for implementing the directive approached, its alleged effects were the subject of growing concern fuelled by a number of “scare stories”. Referring to the directive, major newspapers made their headlines about an imminent “Cyber War,” while other sources compared it to the “millennium bug” and, in other circles, the directive was termed “The Great Wall of Europe.”[4] Western readers may be forgiven for assuming that these stories must have been circulated by those nostalgic for the Warsaw Pact, or by “Big Brother oriented” regimes of some remote areas of the world. In fact, this new “Euromyth” originated in the United States, one of the countries in which the right to privacy was first developed and cherished[5], and whose record in fundamental rights is often presented as a benchmark for the rest of the world.

THE “BLACKOUT” SCENARIO

According to some sources, the directive could cause a general “blackout” of data flows between the two sides of the Atlantic Ocean, and may eventually kill the emergence of electronic commerce in poor old Europe. This scenario is based on a somewhat apocalyptic interpretation of Article 25, focused on the following part of the provision: “Member States shall provide that the transfer to a third country of personal data (...) may take place only if (...) the third country in question ensures an adequate level of protection.” However, while they converge in depicting the “blackout scenario,” the scare stories originate from two different categories of sources: on the one hand, lobby groups furthering their own interests; on the other, what may be pure misunderstanding over the relevant provisions of the directive. The aim of this contribution is to deal with the latter (the possible misunderstanding)[6].

As to the former category, legal arguments would have little weight if they had to be balanced against the following conclusions of a non-profit, non-partisan US organisation[7]: “Time and again, we found, Congress has put big-money corporate interests ahead of the basic privacy interests of the American People. Among the Center’s principal findings: Congress first heard testimony on the problem of medical records confidentiality in 1971; 27 years later, it still hasn’t enacted legislation to curb abuses. And Capitol Hill lawmakers have been amply rewarded for rejecting efforts to apply greater privacy protections to health-care records. Since 1987, the nation’s hospitals, insurance companies, and the members of trade associations that oppose such protections have apparently poured more than $45.6 million into congressional campaigns.”[8]

Irrespective of the reasons which may explain Congress’s reluctance to pass legislation in this field, the fact is that US federal law has been protecting the confidentiality of videotape rentals since 1988[9], but affords no protection to personal data concerning health or political opinions. This may reflect a genuine trust in self-regulation and other soft law devices. However, the problem is not confined to medical records. In the words of the above research: “In 1991 and 1993, at the behest of various corporate interests, Congress killed legislation that would have regulated the clandestine videotaping and wiretapping of workers on their jobs. In 1996, after lobbying by the direct-marketing industry, it killed a bill that would have restricted companies’ gathering of information about children without their parents’ consent (...) and torpedoed another bill that would have barred Internet-service providers and on-line services from releasing or selling information about customers without their permission”[10].

In these circumstances, if any disruption of data flows had to occur, a fair question would be the following: is it the EU Directive which should be blamed, or is it the “serial killing” of the US privacy bills (those bills which, if enacted by Congress, would have ensured the free movement of data between the two sides of the Ocean)? In “The Great Wall of Europe,” Peter Swire wrote[11]:

“When the directive was passed in 1995, many European officials honestly believed the United States would respond by enacting comprehensive privacy regulation. The Europeans hoped the United States would create a national privacy agency that would oversee enforceable codes of fair information practices. If such a statute had passed, then the United States would have had adequate protection of privacy, and there would be no need to consider banning transfers of data out of Europe.”

THE “GREAT WALL”...

In most European countries, the protection of personal data is a constitutional principle, and the right to privacy is enshrined in the European Convention on Human Rights. Without the directive, different national approaches to data protection would create barriers within the market and the free movement of personal information would be impaired. In harmonising data protection laws, the directive ensures the free movement of personal data within the EU. The raison d’être of the directive is thus the Single Market: the directive ensures that companies and other organisations will be able to transfer personal data throughout the European Union (Article 1, second paragraph).

At the same time, the directive establishes rules designed to ensure that data is transferred only to countries outside the EU when these countries ensure “adequate protection”[12] or when certain specific exemptions apply (Articles 25 and 26). Without such rules, the high standards of data protection established by the directive would quickly be undermined, given the ease with which data can be moved around on international networks.

However, in negotiating the directive, due consideration has been paid to the fact that “cross-border flows of personal data are necessary to the expansion of international trade” (recital n° 56). As a result, the “Great Wall” includes a comfortable “bridge” and a number of “doors” (exceptions) that remain open even where the receiving country does not ensure an adequate level of protection. For some of these doors, the keys are held by the data subject; for others, by the data controller.

...THE BRIDGE

The “bridge” can be found in Article 25, second paragraph: in accordance with this provision, the level of protection afforded by a third country “shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations” and particular consideration shall be given to “the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”

This “bridge” is important in two respects: on the one hand, the reference to “all the circumstances” seems to suggest that any decision to block a transfer would apply only to other transfers of the same type, not to all transfers to the country concerned. On the other, the reference to “professional rules” indicates that, even in the absence of legislative or regulatory measures, an adequate level of protection may well be achieved by self-regulatory means: what matters is the result.

As far as self-regulation is concerned, the main obstacle is represented by enforcement: as regards certain regulated professions, compliance with professional rules is a condition for membership, but experience in other areas shows that compliance with self-regulation is exclusively a matter of good will, with little or no consequence in case of breach of the rules. In these circumstances, it is hard to see how the self-regulatory instrument can be seen as a “substitute” for regulation[13]. However, the powers granted to the (US) Federal Trade Commission under the “deceptive practices” principle[14] seem to indicate that, in a proper construction, the gap could be filled[15].

... AND THE DOORS

Where it is found that in a given third country, neither the rules of law nor professional rules would ensure adequate protection, transfers may still take place in circumstances specified in Article 26. This will be the case when, for example:

1. The individual has given unambiguous consent to the transfer, or

2. The transfer is necessary for the performance of a contract with the individual concerned (e.g. employment contracts) or the implementation of pre-contractual measures taken in response to the data subject’s request (e.g. application for a job), or

3. The transfer is necessary or legally required for the establishment, exercise or defence of legal claims, or

4. The transfer is necessary in order to protect the vital interests of the individual (e.g. transfer of medical data concerning an individual hospitalised in a non-EU country).

Other exceptions are provided by the directive and show that, even for data flows to those countries which do not ensure an adequate level of protection, the so-called “Great Wall” offers a generous number of doors. In addition, another possibility remains open even where the above conditions are not met, and the keys of this door are held by industry itself.

THE CONTRACT SOLUTION

Companies operating world-wide may wish to establish safeguards that make them less dependent on the good will of the legislators of a given country. Even in the best case scenario, a number of non-EU countries are likely to fall short of an “adequate” level of protection, and individuals may be reluctant to give their consent to the transfer of their personal data to such countries. The directive pays due attention to this reality, and Article 26 (second paragraph) recognises that adequate safeguards may be provided by the company itself. This provision specifies that these safeguards may in particular result from appropriate contractual clauses.

Contractual provisions are one of the ways of providing the safeguards which make a transfer possible where the legislative or self-regulatory provisions in a non-EU country cannot themselves ensure “adequate protection.” Such contract clauses would have to contain the same elements as the Commission is looking for when assessing adequacy (such as access for the data subject, right to rectification, information on purpose of processing, legal remedies if privacy rights are breached). On 22 April 1998, the Article 29 Working Party adopted a document giving guidance in this area[16]. The European Commission encourages the use of contracts in such circumstances and is currently considering the “model clauses” drafted by the International Chamber of Commerce on 23 September 1998.

CONCLUSIONS

The aim of the directive is to promote the flow of information, not to impede it. Ensuring the free movement of personal data within the EU by minimising differences between national rules for their protection was the legal basis of the directive[17]. However, ignoring what happens to data transferred to third countries would jeopardise the application of the directive.

By setting a high standard, the directive fosters consumer confidence and thus encourages the development of electronic commerce. This is confirmed by all market surveys and polls carried out in recent months. In a 1997 Harris-Westin survey for the Center for Social and Legal Research, 92% of the respondents said that they were “concerned” about threats to their privacy; 64% said they were “very concerned.” And in a 1998 Business Week survey, 78% of the respondents said they would make more use of the Internet if the confidentiality of personal data and communications were protected more effectively.

As a result, the stance of the US policy makers has evolved and there is now a clear consensus regarding the need for levels of privacy protection in the US to be improved. On 31 July 1998, Vice-President Gore committed the administration to an “electronic bill of rights” embodying four key privacy principles. There are a number of bills before Congress dealing with different aspects of privacy protection, including the protection of children’s privacy (particularly on-line privacy), medical privacy, financial data, genetic data, unsolicited e-mail, and the dissemination of sensitive Social Security numbers on-line. In July 1998, the Federal Trade Commission issued a call for the introduction of legislation to protect on-line privacy by the end of 1998 if industry self-regulation has not improved significantly.

In conclusion, does the directive represent a “Great Wall” or was it just “Too Much Ado About Nothing”? In the words of Megan Santosus[18]:


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/33.html