Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Europeanwide sectoral codes soon to be a reality [1999] PLBIRp 42; (1999) 50 Privacy Laws and Business International Report 10

European-wide sectoral codes soon to be a reality

A report by Charles Raab

SECTORAL CODES OF PRACTICE or conduct play an important part in a number of national data protection systems. Codes are now likely to become more prominent, as they are encouraged by the 1995 European Union Data Protection Directive. The airline and direct marketing industries are already preparing codes.

Article 27(2) of the Directive adds a further dimension by providing for Community-level codes to be created through a procedure, which involves the Article 29 Working Party. A session at the Privacy Laws & Business Annual International Conference at Cambridge in June was appropriately devoted to looking at experience so far with devising codes in two industries: direct marketing and airline transport.

Peter Hustinx, President of the Dutch data protection agency Registratiekamer and Chairman of the Article 29 Working Party, led off with an account of how these procedures are meant to work. His candid view acknowledged the difficulties as well as the creative opportunities: there is no recipe or blueprint for devising codes, and they must be tailor-made by an intellectually challenging process.

He pointed out a variety of scenarios in which codes play a key part of self-regulation, with or without legislation. If there is no general data protection law, selfregulation can be the default position. It can also be applied strategically, as in the United States, in order to avoid legislation. Self-regulation can also help to prepare for legislation and gain experience, as in the Netherlands. Where a data protection law exists, self-regulation implements and gives further effect to it by translating general provisions into sectoral applications. Self-regulation can also avoid detailed sectoral rules and build a bridge to the law, but procedures and mechanisms are required to check the quality and effects of this kind of self-regulation. Finally, self-regulation can interactively supplement the law.

HOW TO PREPARE A CODE

Peter Hustinx pointed out that the Directive sees self-regulation as implementing general legal schemes, as Article 27 and Recital 68 show, and that codes set benchmarks. Article 27(1) requires that account be taken of specific sectoral features. Article 27(2) refers to the national laws and procedures for adoption within the Member States. Then, Article 27(3) takes a further step and provides for Community codes, for which drafts may be submitted to the Working Party to determine their conformity to national laws. The views of organisations representing data subjects could be invited. Publicity would then be given to approved codes.

Early on, the Working Party saw the need to provide guidance on the applicable criteria, and to set out an evaluative procedure. This was adopted in September 1998, and put forward a three-phase process. First is the stage of submission and acceptance for consideration; then comes the preparation of the Working Party's opinion; and finally, the opinion is given. The codes in question are intended to apply to a plurality of controllers from the same profession, industry or sector, who have determined the code's content.

The criteria for accepting a draft as eligible for consideration can be applied flexibly. The code should be drafted by an organisation that is 'representative' of the sector, and that is established or active in a significant number of Member States. It should be prepared with due care, preferably involving consultation with data subjects. The code must clearly define the sector, be translated into English and French, and have an explanatory memorandum. Premature drafts would be rejected.

In the case of the first two codes, submitted by the International Air Transport Association (IATA) and the Federation of Direct Marketing Associations (FEDMA) - which were the subjects of the talks by the next two speakers - the criteria were used flexibly, with any deficiencies subsequently repaired.

CODES MUST BRING ADDED VALUE

In the second stage, a sub-group is set up to produce an interim opinion and to hold discussions with the organisation. Revisions may then follow, and then the Working Party decides whether the code agrees with the Directive and has added value; it should not merely copy the Directive or national law.

Peter Hustinx emphasised that the representative organisation should therefore analyse what the Directive or national law means for its sector, and should concentrate on what matters for the typical problems of that sector - not on each and every possible point. Here the sector has an opportunity to show what it thinks would be a responsible balance between competing interests, and its code should reflect that balance. They should also be concerned about clarity and consistency, and about the code's legal effect.

He pointed out that conformity to national law is a difficult task, as there are fifteen such laws, and many of them so far have not transposed the Directive. Therefore, conformity remains a problem to be ironed out. The legal effect of an approved code depends on the nature of the code. It could have quasijudicial force, or, on the other hand, the added value would be its important contribution, although some sectors might require something more substantial for their codes.

The Directive does not impose a requirement that a code should have the force of law, but a national legislature could choose this option. Dutch codes have been a valuable instrument for legal interpretation but, Peter Hustinx again insisted, it is the added value that really matters.

AIRLINE INDUSTRY FACES PROBLEM OF APPLICABLE LAW

Following this presentation, Monique de Smet, IATA's Assistant Director for Government and Industry Affairs, explained the procedures for their code. IATA is a trade organisation that represents 265 airlines from more than 150 countries. She emphasised that IATA is just a forum for its members, and does not itself decide issues. Two types of rules may emerge: resolutions and recommended practices; resolutions are binding, in order to create the necessary uniformity.

Monique De Smet revealed that it was a non-European airline, Qantas, that triggered off the drafting of a code, reflecting a concern with Articles 25 and 26 concerning the adequacy of data protection in third countries. IATA realised the problems in these and other Articles and began to talk to the European Commission's Directorate-General (DG) XV two years ago. IATA already had a recommended practice on the protection of privacy and transborder dataflows. Although it needed to be revised, they submitted it as a draft.

The Data Protection Working Party gave comments on the recommended practice document in December 1998, and further comments were awaited on a revised submission; most parts of the draft code remained to be negotiated.

WHICH LAW APPLIES?

Article 4 on the applicable national law is one of IATA's main concerns. The issue is complicated, because of code-sharing and uncertainties concerning whether the airline or its agents are the data controllers. The airline is the controller of reservation data, but a problem arises if the reservation centre is in a third country, where the law's adequacy is debatable. As for Article 6 on data quality, the question of the permitted duration of data storage was complicated.

In Europe, the rules for central reservation systems (CRS) include data protection provisions. Some of these also apply to airlines even if a reservation is made directly and does not pass through a CRS. Article 8 on special categories of (sensitive) data is also difficult. Reservation data can fall into this, but some countries do not see, for example, a request for a kosher meal as necessarily indicating one's religion. If such a meal is ordered, or if a wheelchair is required, the passenger is deemed to have, in IATA's view, voluntarily given explicit consent by requesting this 'better' service.

CODE WOULD NOT BE BINDING

Monique De Smet also referred to Article 10 concerning information to be given to the data subject. The CRS system is also applicable in Europe to airlines' direct bookings. Passengers are informed of the name and address of the controller, the purposes, the duration of storage, and the means of access - which is free of charge.

But there is a problem concerning telephone reservations: if standard information had to be given over the telephone, it would constrain airlines' agents, and long conversations are costly. The code stipulates that this information should be given at first contact, but there is a question whether it should be given in a written confirmation of the booking.

USE OF CONTRACTS POSSIBLE

Monique De Smet argued that the derogation in Article 26(1)(b) seemed expressly designed for industries like IATA's, where transfers are necessary for contractual or precontractual reasons. Reservation data falls into this category. However, data necessary to establish customer profiles cannot be included in this, but could come under the consent provision of 26(1)(a).

She concluded by saying that airlines' acceptance of the IATA code would be in the form of a recommended practice: there will be no compliance mechanism, and it was not binding on members. Each airline could have its own code, adapted to it own national circumstances. Therefore, the Community code for airlines will act as a guideline when airlines prepare their own codes.

DIRECT MARKETERS ALREADY HAVE NATIONAL CODES

FEDMA provided the other test-case for Community code procedures. Alastair Tempest, its Director- General described the circumstances. The question of representativeness was important. FEDMA is a large organisation, with 18 national Direct Marketing Associations (DMAs), of which five are not in EU, and with 482 direct marketing company members who have agreed to accept existing FEDMA codes.

FEDMA's role was to promote direct marketing and to lobby on behalf of the industry. But 'direct marketing' escapes simple definition, and many other names are in use: 'interactive marketing', 'one-to-one marketing', 'database marketing' and 'relationship marketing'. The techniques bring in many other things besides simply selling.

Alastair Tempest wondered how long customer data can be kept in the case of a magazine publisher who must remind subscribers to renew, or in the case of a garage owner who needs to keep data for years before the customer changes cars. There is a need to target consumers because direct marketers are not simply selling, but trying to keep customers by relationship techniques like loyalty cards. So the industry needs to be close to privacy commissioners and their laws.

Many national DMAs have privacy codes. The French one was awarded a prize by the data protection authority (CNIL). Before Portugal implemented the Directive, the national DMA was faced by a hastily-drafted and contradictory law. The DMA developed a code in order to sort out problems, and it was agreed by the data protection authority. The nub, he said, was the need for security when one is dealing with large databases.

But codes also help marketers because it is in the industry's self - interest to have codes in order to retain consumers' trust and confidence.

FEDMA SEEKS PRACTICAL SOLUTIONS

FEDMA proposed a Community code to the Article 29 Working Party in September 1997, presented a draft in August 1998, received comments in February 1999, and a second draft is now going to the Working Party. FEDMA has working parties in the Netherlands, France, Italy and the UK, which include the Privacy Commissions.

One objective of the proposed code is to help the industry to apply the Directive's complexities in practical terms, so there was added value. There are major interpretative problems under various Articles, such as 11, 12 and 14. The transparency of information for the customer is also very difficult to apply and needs interpretation.

The second objective is to enhance consumer confidence. There are national Robinson lists, but at the EU level the industry needs to encourage confidence in good marketing practices.

Electronic commerce holds great promise for direct marketers, and they are working on codes for this. The one that is being negotiated under Article 27 will be a key element. Nationally, consumer complaints are reduced where there are codes; their complaints tend to go to the DMAs. FEDMA is looking at inhouse suppression of files and at an on-line TrustMark and software solutions for electronic commerce complaints.

DIFFERENCES IN NATIONAL LAWS CREATE PROBLEMS

There is a need, Alastair Tempest said, to get at small companies, and to cope with different national laws. The industry's sanctions include bad publicity, peer pressure, and the expulsion of firms from associations. DMAs have to play a role in referring serious breaches to the data protection authorities. He hoped that non-EU direct marketers will be encouraged to use the code, especially in Eastern Europe.

These presentations at the Privacy Laws & Business 12th Annual International Conference were reported by Professor Charles Raab, Department of Politics, University of Edinburgh, 31 Buccleuch Place, Edinburgh EH8 9JT Scotland. Tel: + 44 (0) 131 650 4243, Fax: + 44 (0) 131 650 6546, e-mail: c.d.raab@ed.ac.uk. A set of conference papers is available from Privacy Laws & Business, Tel: + 44 (0) 181 423 1300.