
Privacy Laws and Business International Report



How to assess adequate protection in international transfers [1999] PLBIRp 4; (1999) 4X Privacy Laws and Business International Report 4

How to assess adequate protection: suggestions for ways forward

A study on assessing the level of protection in international data transfers was published in December by DG XV of the European Commission. It suggests that an international certifiable standard, coupled with privacy audits, could provide a solution to the problem of adequacy in third countries.

The study, entitled Application of a Methodology designed to assess the Adequacy of the Level of Protection of Individuals with regard to Processing Personal Data, was conducted to help the European Commission evaluate how to assess adequacy, which Articles 25 and 26 of the EU Data Protection Directive require for transfers to third countries. It tests the methodology for assessing adequacy of protection of personal data in Australia, Canada, China (Hong Kong), Japan, New Zealand and the United States. Five categories of data processing were studied: sub-contracted data processing, human resources data, medical/epidemiological data, data in electronic commerce, and sensitive data in airline reservations.

NO RECOMMENDATIONS

The purposes of the study were to look at the process of assessment and the challenges it poses, as well as to contribute to an international debate on how adequacy could best be determined, and who should be responsible for this work.

While clear-cut recommendations as to which of the six countries could be adequate are not offered, the study gives an idea of which countries are most likely to fulfil the requirements, and which sectors have adopted good information handling practices.

FOCUS ON ACTUAL TRANSFERS

The study looks at actual or typical transfers that occur in the above-mentioned countries in the five sectors. Thirty case studies provide hypothetical scenarios that reflect reality, but do not reveal the real names of the organisations involved.

The study does not include simple cases where the question of a data transfer between EU countries and non-EU countries could be resolved by individual consent. It does, however, touch on contractual solutions. The authors of the study point out that the complexity of adequacy assessments may have implications for the use of contracts. In their view, the level of detail that is required for assessing adequacy exceeds the level applied in contracts that are currently being developed.

The questions put to the companies aimed, first of all, at defining the nature and circumstances of the transfer in question. A central part of the adequacy assessment, an overview of the existing laws and codes of practice, was accompanied by a more empirical approach of looking at what other measures companies take. This included looking at existing practices such as limiting the purposes for which data can be collected, disclosures, data quality and security. A list of the research questions is annexed to the report, and the authors emphasise that it may be useful for organisations undertaking similar assessments of adequacy.

TRANSFERS OF EMPLOYEE DATA

The authors found the compliance with fair information (data protection) practices within the human resources transfers studied to be generally good in all six jurisdictions. In all the cases, at least some elements of fair information principles had been adopted. In each case, the recipient organisation was a subsidiary of a European parent company. This seems to have contributed to the fairly high level of protection in these non-EU countries. However, the authors conclude that if employee data were transferred to an organisation independent of the parent organisation, it is unlikely that a similar level of protection would be found.

Hong Kong and New Zealand offered the highest level of protection of the six countries studied. Both have introduced laws for the private sector, and offer individuals an opportunity to file complaints with an independent supervisory authority. In addition, the Hong Kong Privacy Commissioner has issued a guidance note about the application of the law in this field, and is preparing a code of practice which will be issued sometime in 1999. In New Zealand, the Institute of Personnel and Management has issued guidance notes on compliance with the law.

The authors recommend that "in the absence of a specific law on the subject, as is found in Hong Kong but not elsewhere, restrictions on the onward transfer of personal data are dependent on company policies. In the human resources area, companies have few, if any reasons to permit the transfer of employee information to other jurisdictions, except to other subsidiaries of the parent company."

AIRLINE DATA A COMPLEX ISSUE

Airline reservations were chosen as one of the fields of study, as some of the data airlines process is highly sensitive. Airlines collect various medical data on their passengers, such as diabetic status and handicaps. Other sensitive information includes details of dietary requirements, which may reveal religious beliefs.

For airlines which have their headquarters in an EU country, the situation is clear: they have to comply with the national data protection laws, and grant individuals access and other privacy rights. The authors stress that a data protection problem arises when a passenger flies from an EU country to outside the EU, and transfers to domestic carriers within a third country or between one third country and another. For example, airlines situated in the United States, which has no omnibus privacy law, give passengers few rights regarding their personal data. Although domestic airlines have some policies to protect the security and privacy of personal information, it is hard to say whether these practices provide a good level of protection.

The best situation in the six countries studied can be found in Hong Kong and New Zealand. In Hong Kong, the Privacy Ordinance protects the personal information of any living individual, including overseas visitors. Also, the Hong Kong law includes provisions for transborder data flows which aim to prevent companies from transferring personal data abroad unless certain conditions are met. The Privacy Commissioner has jurisdiction over most data users who "control" personal data in Hong Kong. Given these circumstances, the processing of passenger data by airlines seems to be adequately protected by the Hong Kong framework of privacy protection.

New Zealand also guarantees a number of rights for both residents and foreigners under its Privacy Act. The Commissioner has jurisdiction over personal data held by all the airlines in New Zealand. The authors have come to the conclusion that the personal data of a European passenger flying to New Zealand would be protected in a way that fulfils the main requirements of adequate protection.

The study does not provide any generalisations as to the adequacy of protection within the airline industry. This is mainly due to the complexity of transfers. However, it seems that compliance with fair information practices is generally good in the six countries studied.

MEDICAL DATA NEEDS SEAMLESS PROTECTION

Again, Hong Kong and New Zealand, which have privacy laws, offer the best protection for medical and epidemiological data. The Canadian province of Quebec, which has a privacy law for the private sector, also provides a good level of protection. Elsewhere in Canada, the adequacy of protection depends on the province to which the data is sent, and the type of recipient organisation.

Australia's level of health privacy protection is very uneven. The Australian Capital Territory provides nearly the same level of protection as the EU directive. However, other states and territories lag well behind. While both Canada and Australia are making efforts to create a more even level of protection, Japan is doing little in this field.

The United States lacks comprehensive data protection for health records. President Clinton promised, however, in his State of the Union address to Congress in January, to introduce a privacy law for health records this year, if Congress had not taken action by July 1999. At the moment there are state and federal privacy laws, but they offer only limited protection. The authors conclude that at present it is difficult to name any codes or laws that ensure a good level of compliance with fair information practices.

PRIVACY IN E-COMMERCE MAINLY UNREGULATED

The European Union's Data Protection (Article 29) Working Party has taken the provisional view that by having a website, companies are processing personal data on the computer equipment of the person browsing, and/or on the file servers located in the browser's home country. This effectively means that anyone publishing on the Internet is a data controller, and has to comply with all the data protection laws of the countries in which people access the site. The authors' view is that there will be problems of compliance and enforcement. This study concentrates only on the privacy protection afforded to Europeans browsing websites situated in the six countries studied.

The authors found compliance with fair information practices to be generally good. Hong Kong, New Zealand and Quebec offer privacy protection for electronic commerce transfers. In other jurisdictions, privacy in e-commerce is not regulated. Where there are voluntary codes, they seem to be inadequate to fulfil the requirements of the EU directive. One of the most important aspects, an independent complaint mechanism, is also missing.

SUB-CONTRACTED PROCESSING UNREGULATED

Transfers of personal data between data controllers and sub-contractors are mainly unregulated. A typical scenario would be a large multinational which uses sub-contractors to process credit transactions or subscriber information. The authors found that even in jurisdictions that have data protection laws in the private sector, the laws do not necessarily apply to processors that do not make independent use of the data. As there are many different situations where sub-contracting is used, it is difficult to make any generalisations about the level of protection offered. The authors recognise that contracts might offer a solution, but do not evaluate their potential in this study.

LAW DOES NOT GUARANTEE ADEQUACY

The authors found some significant differences between policies that companies reported to have been adopted, and practical compliance with these rules. They stress that the mere existence of a law does not guarantee adequacy as there is no certainty about compliance. With regard to self-regulatory approaches, their diversity makes it difficult to evaluate their impact on adequacy.

For companies that wish to assess their own adequacy, or the adequacy of the recipient organisation, it is suggested that they use independent auditors. The authors say that many problems of compliance monitoring could be alleviated with the use of certifiable privacy standards. This would enable European data exporters to insist that the data importer register to such a standard.

The study refers to two existing privacy standards that have been developed in Canada and Japan. Ultimately, the authors wish to see an international certifiable standard that could be accompanied by privacy audits. However, they do not go on to suggest which international body should develop such a standard.

WHAT HAPPENS DURING THE TRANSITIONAL PERIOD?

Many EU countries are still in the process of adopting new laws. This factor, and the directive's transitional periods, mean that it will take some years before the directive is fully implemented. The authors ask whether there could be some stages in the process of reaching adequacy. For example, might an organisation be judged adequate during the transitional period, but expected to put additional provisions in place during that time? It also needs to be decided how often decisions on adequacy should be reviewed. An important aspect will also be the treatment of the organisations' confidential information during the adequacy assessment.

But most importantly, who is to gather the information required to make a decision on adequacy? The EU Data Protection (Article 29) Working Party, the Article 31 Committee, or national data protection authorities? Whoever becomes involved in this type of task will certainly benefit from the findings and experiences of the authors of this study. The authors stress that in order to get a full picture of compliance within organisations, a detailed audit is needed. However, groundwork of that kind was not possible during this study due to financial constraints.

The authors summarise that there are no shortcuts to the assessment of adequacy. Even a comprehensive data protection law does not provide the required level of protection if it is not enforced effectively. Codes of practice may have their own particular problems, such as lack of universal application. Finally, even though security measures and privacy-enhancing technologies are useful tools, they cannot offer complete protection.

The study was carried out by independent researchers who are specialists in the field of data protection: Charles Raab (UK), Colin Bennett (Canada), Robert Gellman (United States) and Nigel Waters (Australia). The study is available in PDF form (Adobe Acrobat) on the European Commission/DG XV website, at http://europa.eu.int/comm/dg15/en/public/index.htm#5. To contact the authors of the study, e-mail or call Charles Raab, Reader, Department of Politics at Edinburgh University: c.d.raab@ed.ac.uk, Tel: +44 (0) 131 650 4243.

New study on on-line services

Another data protection study commissioned by the European Commission (DGXV) was published in December. The study, carried out by Professors Joel R. Reidenberg of Fordham University Law School, New York, and Paul M. Schwartz of Brooklyn Law School, considers the regulatory response to on-line services in the EU. The study analyses critical data protection issues for the development of European on-line services. It compares the data protection laws in Belgium, France, Germany and the United Kingdom, and examines the impact that the implementation of the EU Data Protection Directive is likely to have on the differences between these laws. The study, entitled Data protection law and on-line services: regulatory responses, is available on DGXV's website: http://www.europa.eu.int/comm/dg15/en/media/dataprot/studies/regul.htm


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/4.html