Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Decisions soon on adequacy [1999] PLBIRp 32; (1999) 49 Privacy Laws and Business International Report 16

Decisions soon on adequacy for international transfers

THE EU DATA PROTECTION WORKING PARTY has an advisory role in the decision-making on adequacy. The first recommendation finds Switzerland's level of data protection as adequate.

The question of third countries' adequacy, in terms of the EU Data Protection Directive's requirements for transborder data flows, keeps the EU Data Protection Article 29 Working Party busy. The decisions will be made by the EU Commission after consultation with the Article 31 Committee (consisting of representatives of the Member States). The Working Group's (consisting of national Data Protection Authorities) task is to give recommendations on which countries could be seen to provide adequate protection.

The Chairman of the Working Party, and President of the Netherlands' Data Protection Authority, Peter Hustinx gave an insight into the decision-making process at the Privacy Laws & Business 12th Annual International Conference in June.

First of all, Peter Hustinx stressed that the EU Member States implement the EU Data Protection Directive in different ways. Further down the road, it is the national courts which take the initial decision whether the application of the law has been correct.

The national Data Protection Authorities have an important role as they can authorise transfers to countries outside of the EU on a case by case basis. They can also take the initiative in establishing adequacy. When authorising transfers to third countries, they must inform both other Member States and the Commission of such a decision.

The EU Commission will decide on adequacy in the following cases:

1. The Commission receives a signal from one of the Member States indicating that a particular country does not offer adequate protection. The Commission can take a binding negative decision stopping transfers of personal data to that country. This decision applies in all Member States. The Commission can also take a positive decision. If the protection is found adequate, this decision will, again, apply in all EU Member States.

2. If a Member State authorises a data flow, the Commission can take a positive or a negative decision.

In addition, the Commission may approve model contracts.

ADEQUATE DOES NOT MEAN EQUIVALENT

The EU Data Protection Working Party has studied the question of adequacy for quite some time. The group has published several papers, which reflect its current thinking, and the criteria for adequacy (available at www.europa.eu.int/comm/dg15/en/index.htm).

Peter Hustinx stressed that the Directive does not require third countries to have European-type, omnibus data protection laws. In other words, adequate does not mean equivalent. The two main aspects that are sought after are:

1. Content requirement: the countries should have the main elements of good data protection in place, such as purpose limitation.

2. Effectiveness: Does adequate protection provide adequate compliance? The enforcement function should be credible and effective.

"On the whole, countries which have ratified and implemented the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data are in a good position," Peter Hustinx said (for a list of countries, see PL&B May '99 p.12). "However, there are two defects. The Convention does not require an independent authority. It is also unclear about transfers to other countries. "

An amendment, which rectifies this issue, is now close to being adopted. As the Convention 108 is open also for countries outside of Europe, it may assist the process of determining adequacy outside Europe.

FINAL DECISIONS IN THE AUTUMN

The Data Protection Working Party is in the process of assessing the level of protection in several countries, including the USA, Hungary, Hong Kong and Switzerland. The Working Party has recommended that Switzerland should be regarded as adequate.

Self-regulation has also been studied. "Self-regulation with muscles and teeth could qualify under this policy, but of course the enforcement side is of great importance," Peter Hustinx said.

With regard to the timetable of producing final decisions, Peter Hustinx predicted that the new Commission will publish the first decisions in September-October time.