[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Transborder Data Flows and Data Havens

The ease with which electronic data flows across borders leads to a concern that data protection laws could be circumvented by simply transferring personal information to third countries, where the national law of the country of origin does not apply. This data could then be processed in those countries, frequently called "data havens," without any limitations.

For this reason, most data protection laws include restrictions on the transfer of information to third countries unless the information is protected in the destination country. For example, Article 12 of the Council of Europe's 1981 Convention places restrictions on the transborder flows of personal data.[57] Similarly, Article 25 of the European Directive imposes an obligation on member States to ensure that any personal information relating to European citizens is protected by law when it is exported to, and processed in, countries outside Europe. It states:

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.

This requirement has resulted in growing pressure outside Europe for the passage of strong data protection laws. Those countries that refuse to adopt meaningful privacy laws may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data. Determination of a third country's system for protecting privacy is made by the European Commission. The overarching principle in this determination process is that the level of protection in the receiving country must be "adequate" rather than "equivalent." Therefore, a reasonably high standard of protection is expected from the third party, although the precise dictates of the Directive need not be followed.

On July 26, 2000, the European Commission ruled that both Switzerland and Hungary (now an EU member) provide "adequate" protection for personal information and therefore all transfers of personal data to these countries could continue. [58] In January 2002, the European Commission recognized that the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) provides adequate protection for certain personal data transferred from the European Union to Canada. The Commission's decision of adequacy does not cover any personal data held by federal sector or provincial bodies or information held by personal organizations and used for non-commercial purposes, such as data handled by charities or collected in the context of an employment relationship.[59] In 2003, the Commission ruled that Argentina’s data protection laws are adequate, as are the laws of Guernsey.[60] In 2004, the Commission deemed adequate the data protection laws of the Isle of Man.[61] The Commission is currently looking into the privacy protection schemes in several other non-European Union countries, including New Zealand, Australia, and Hong Kong.

Another possible way to protect the privacy of information transferred to countries that do not provide "adequate protection" is to rely on a private contract containing standard data protection contractual clauses. This kind of contract would bind the data processor to respect fair information practices such as the right to notice, consent, access and legal remedies. In the case of data transferred from the European Union, the contract would have to meet the standard "adequacy" test, in order to satisfy the Data Protection Directive.[62] Several model clauses that could be included in such a contract were outlined in a 1992 joint study by the Council of Europe, the European Commission and the International Chamber of Commerce.[63] In a June 2000 report (see below), the European Parliament accused the European Commission of a "serious omission" in failing to draft standard contractual clauses that European citizens could invoke in the courts of third countries before the Data Directive came into force.[64] It recommended that they do so before September 30, 2000.[65] In July 2001, the Commission issued a final decision approving the standard contractual clauses.[66] During the drafting process, the United States criticized the standard contacts as "unduly burdensome" and "incompatible with real world operations."[67]

The transfer of travel records concerning European citizens to the United States government has raised particular concern as there has not yet been a determination that the United States provides an “adequate” level of data protection. The European Council recently adopted an agreement between the EU and the United States concerning the transfer of passenger name records information for travelers on all flights originating in the EU and landing in the US.[68] The agreement has been met with sharp criticism from the European Parliament.[69]

European Union-United States Safe Harbor Arrangement

Although the Commission never issued a formal opinion on the adequacy of privacy protection in the United States, there were serious doubts whether the United States' sectoral and self-regulatory approach to privacy protection would pass the adequacy standard set out in the Directive. The European Union commissioned two prominent United States law professors, who wrote a detailed report on the state of United States privacy protections and pointed out the many gaps in United States protection.[70]

The United States strongly lobbied the European Union and its member countries to find the United States system adequate. In 1998, the United States began negotiating a "Safe Harbor" agreement with the European Union in order to ensure the continued transborder flows of personal data. The idea of the "Safe Harbor" was that United States companies would voluntarily self-certify to adhere to a set of privacy principles worked out by the United States Department of Commerce and the Internal Market Directorate of the European Commission. These companies would then have a presumption of adequacy and they could continue to receive personal data from the European Union. Negotiations on the drafting of the Safe Harbor principles lasted nearly two years and were the subject of bitter criticism by privacy and consumer advocates.[71] In early July, the European Parliament approved a forceful resolution that the agreement needed to be re-negotiated in order to provide adequate protection.[72]

On July 26, 2000, the Commission approved the agreement.[73] The Commission did, however, promise to re-open negotiations on the arrangement if the remedies available to European citizens proved inadequate. European Union member states were given 90 days to put the Commission's decision into effect and United States companies began joining Safe Harbor in November 2000. There is an open-ended grace period for United States signatory companies to implement the principles.

The principles require all signatory organizations to provide individuals with "clear and conspicuous" notice of the kind of information they collect, the purposes for which it may be used, and any third parties to whom it may be disclosed. This notice must be given at the time of the collection of any personal information or "as soon thereafter as is practicable." Individuals must be given the ability to choose (opt-out of) the collection of data where the information is either going to be disclosed to a third party or used for an incompatible purpose. In the case of sensitive information, individuals must expressly consent (opt-in) to the collection. Organizations wishing to transfer data to a third party may do so if the third party subscribes to Safe Harbor or if that third party signs an agreement to protect the data. Organizations must take reasonable precautions to protect the security of information against loss, misuse and unauthorized access, disclosure, alteration and destruction. Organizations must provide individuals with access to any personal information held about them, and with the opportunity to correct, amend, or delete that information where it is inaccurate. This right is to be granted only if the burden or expense of providing access would not be disproportionate to the risks to the individual's privacy or where the rights of persons other than the individual would not be violated. In terms of enforcement, organizations must provide access to readily available and affordable independent recourse mechanisms that may investigate complaints and award damages. They must issue follow up compliance procedures and must adhere to sanctions for failing to comply with the principles.

Privacy advocates and consumer groups both in the United States and Europe are highly critical of the European Commission's decision to approve the agreement, which they say will fail to provide European citizens with adequate protection for their personal data.[74] The agreement rests on a self-regulatory system whereby companies merely promise not to violate their declared privacy practices. There is little enforcement or systematic review of compliance. The Safe Harbor status is granted at the time of self-certification. There is no individual right to appeal or right to compensation for privacy infringements. There is an open-ended grace period for United States signatory companies to implement the principles. The agreement will only apply to companies overseen by the Federal Trade Commission and Department of Transportation (excluding the financial and telecommunications sectors) and there are special exceptions granted for public records information protected by European Union law.

In February 2002, the European Commission issued a report on the practical operation of the European Union-United States Safe Harbor Agreement.[75] This was the first report to evaluate the success of the agreement. It concluded that all the essential elements of the agreement are in place and that a structure exists for individuals to lodge complaints if they feel their rights have been infringed. It did find, however, that there is not sufficient transparency among the organizations that have signed up to Safe Harbor and that not all dispute resolution providers relied on to enforce Safe Harbor actually comply with the privacy principles in the agreement itself. The Commission was expected to issue a full evaluation of the agreement in 2003, but the report has not yet been issued.

In July 2002, the Article 29 Data Protection Working Party issued a working paper on the functioning of the agreement. In it, the Working Party expressed its intention to study the agreement in further detail with particular regard to "possible gaps between the principles...and the implementing practices" and also "the transparency requirements to be met by organizations." The Working Party called on all authorities, organizations and companies concerned to enhance compliance and awareness of the Agreement.[76]

In June 2006, the Commission started an investigation into the transfer of personal financial data from Brussels-based banking consortium SWIFT. At the request of the US Treasury Department, SWIFT systematically transmitted information of financial transactions of millions of European bank clients.[77] It appeared that the US Department of Treasury periodically addressed warrants to SWIFT in the US. The Commission expressed astonishment about the exportation of information about Belgian citizens to the US and their revelation to the US authorities each time an individual performs an international payment transaction.[78] The Commission stated that these practices violate basic provisions of the Belgian and European data protection legislation. This opinion was later confirmed by an opinion of the Article 29 Working Party.[79]

The Commission received a letter from the Belgian Prime Minister requesting advice on a possible agreement with the US about the transfer of SWIFT data to the US Department of Treasury. In its second opinion, the Commission reminded the Belgian government of the essential principles with regard to transfers of personal data between Europe and the US and suggested a series of possible actions.[80] In June 2007, the Council of Europe and the US reached an agreement on the transfer of personal financial information from SWIFT to the US.[81] SWIFT joined Safe Harbor.[82]

[57] Council of Europe, Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data 1981, available at <http://conventions.coe.int/Treaty/EN/Treaties/Html/108.htm>.

[58] See European Commission Press Release, "Data protection: Commission adopts decisions recognising adequacy of regimes in United States, Switzerland and Hungary," July 27, 2000.
[59] Commission Decision of December 20, 2001, Official Journal of the European Communities L 2/13, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/canada_ec_230_2006_en.pdf>
[60] Commission Decision C(2003) 1731 of 30 June 2003 - OJ L 168, 5.7.2003, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/decision-c2003-1731/decision-argentine_en.pdf>; Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey - OJ L 308, 25.11.2003, available at <http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32003D0821&model=guichett>.
[61] Commission Decision 2004/411/EC of 28.4.2004 on the adequate protection of personal data in the Isle of Man at 48, available at <http://ec.europa.eu/images/language/lang_en3.gif>.

[62] See European Union, Internal Market Directorate, Background Information: Transfer of data to non-European Union countries – FAQ, available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/backinfo/info.htm>.
[63] Joint Study of the Council of Europe and the Commission of the European Communities (1992), available at <http://www.coe.fr/dataprotection/Etudes_Rapports/ectype.htm>.
[64] European Parliament Resolution on the Draft Commission Decision on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the United States Department of Commerce, available at <http://www.epic.org/privacy/intl/EP_SH_resolution_0700.html>.
[65] For general guidance on the role of contracts see European Union Article 29 Data Protection Working Group, "Transfers of personal data to third countries: Applying Articles 25 and 26 of the European Union data protection directive," July 24, 1998, available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp12en.htm>.
[66] Commission Approves Standard Contractual Clauses For Data Transfers To Non-European Union Countries, Press Release of the Internal Market Directorate, July 18, 2001, available at <http://europa.eu.int/comm/internal_market/en/dataprot/news/clauses2.htm>.
[67] "Bush Administration Criticizes European Union Privacy Rules," EPIC Alert 8.06, March 29, 2001 <http://www.epic.org/alert/EPIC_Alert_8.06.html>.

[68] Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), available at <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:204:0016:0017:EN:PDF>. Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), available at <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:204:0018:0025:EN:PDF>. A 2004 agreement on the same subject was declared invalid by the European Court of Justice in 2006. See Parliament v. Council, C-317/04 and C-318/04, [2006] O.J. C. 178 at 1, available at <http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=EN&Submit=Rechercher$docrequire=alldocs&numaff=C-317/04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100>.
[69] Joint Resolution on the PNR Agreement with the United States, July 10, 2007, available at <http://quintessenz.org/doqs/000100003894/2007_07_11_EU-parl_PNR_joint%20resolution.pdf>.

[70] Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law (Michie 1996).

[71] See, e.g., Public Comments Received by the United States Department of Commerce in Response to the Safe Harbor Documents April 5, 2000, available at <http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html>.
[72] European Parliament Resolution, supra.

[73] Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the United States Department of Commerce, available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/decision.pdf>.

[74] See, e.g. earlier Statement of the Transatlantic Consumer Protection Dialogue on United States Department of Commerce Draft International Safe Harbor Privacy Principles and FAQs, March 30, 2000, available at <http://www.tacd.org/ecommercef.html#usdraft>.

[75] European Commission Staff Working Paper, February 2002, available at <http://europa.eu.int/comm/internal_market/en/dataprot/news/02-196_en.pdf>.

[76] "Working Document on the Functioning of the Safe Harbor Agreement," Article 29 Data Protection Working Party, 11194/02/EN, July 2, 2002, available at <http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp62_en.pdf>

[77] <www.swift.com>.
[78] Decision Nr. 37/2006, available at <www.privacycommission.be> (in French and Dutch).
[79] Opinion of November 22, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf>.

[80] Opinion nr. 47/2006 of December 20, 2006, available at <www.privacycommission.be> (in French and Dutch).
[81] Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) June 28, 2007, available at <http://www.epic.org/privacy/pdf/swift-agmt-2007.pdf>.
[82] “SWIFT completes transparency improvements and obtains registration for Safe Harbor,” July 20, 2007, available at <http://www.swift.com/index.cfm?item_id=62669>.