Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive (1998): Consent (2018)
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp12_en.pdf
As a general rule the more the recipient is limited in terms of his freedom to choose the purposes, means and conditions under which he processes the transferred data, the greater will be the legal security for the data subject. Bearing in mind that we are dealing with cases of inadequate general protection, the preferred solution would be for the contract to provide that the recipient of the transfer has no autonomous decision-making power in respect of the transferred data, or the way in which they are subsequently processed. The recipient is bound in this case to act solely under the instructions of the transferer, and while the data may have been physically transferred outside of the EU, decision-making control over the data remains with the entity who made the transfer based in the Community. The transferer thus remains the data controller, while the recipient is simply a sub-contracted processor. In these circumstances, because control over the data is exercised by an entity established in an EU Member State, the law of the Member State in question will continue to apply to the processing carried out in the third country¹¹, and furthermore the data controller will continue to be liable under that Member State law for any damage caused as a result of an unlawful processing operation.¹²

¹¹ By virtue of Article 4(1)(a) of directive 95/46/EC.

This type of arrangement is not dissimilar to that set out in the "Inter-territorial Agreement" which resolved the Citibank 'Bahncard' case mentioned earlier. Here the contractual agreement set out in detail the data processing arrangements, particularly those relating to data security, and excluded all other uses of data by the recipient of the transfer. It applied German law to data processing carried out in the third country and thus guaranteed a legal remedy to data subjects.¹³

There will of course be cases where this kind of solution cannot be used. The recipient of the transfer may not be simply providing a data processing service to the EU-based controller. Indeed the recipient may, for example, have rented or bought the data to use them for his own benefit and for his own purposes. In these circumstances the recipient will possess a certain freedom to process the data as he wishes, thus in effect becoming a 'controller' of the data in his own right.

In this kind of case it is not possible to rely on the continued automatic applicability of a Member State law and the continued liability for damages of the transferer of the data. Other more complex mechanisms need to be devised to provide the data subject with an appropriate legal remedy. As mentioned above, some legal systems allow third parties to claim rights under a contract, and this could be used to create data subject rights under an open, published contract between transferer and recipient. The position of the data subject would be further strengthened if, as part of the contract, the parties committed themselves to some sort of binding arbitration in the event of a data
...
given.

The individual therefore has no legal guarantee of being informed about the fact that the specific Credit Reporting Agency concerned is processing data about him. However, given that the agency has no direct contact with the individual, for the agency to be under an obligation to contact the individual specifically to inform him/her would appear to represent a “disproportionate effort” in the sense of Article 11 of the directive. The level of protection regarding transparency would therefore appear to be sufficient.

The quality and proportionality principle includes several different elements. There is no restriction on the collection and processing of unnecessary data in the federal law. As to duration of storage, there are rules that prevent the dissemination of obsolete information (bankruptcy judgements more than 10 years old), which effectively lead to the erasure of this information. There is no general legal requirement to keep data accurate, although when an individual who has applied for access to his credit report disputes some of the information, data which can’t be verified must be deleted. Once again protection does not seem entirely adequate, and the company’s privacy policy goes no further than the federal law.

The security principle is reflected in the federal law by a requirement to take reasonable measures to prevent unlawful disclosure. The privacy policy of the company makes it clear that stringent controls are in place to prevent unauthorised access to and manipulation of credit information. These controls take the form of both technical devices (passwords etc.) and instructions to employees which if broken can result in disciplinary proceedings. This would seem to ensure an adequate level of security.

The rights of access and rectification are included in the federal law and are comparable to those found in the directive. Where an individual has been refused credit the access to the credit report is free of charge. There is, however, no right of opposition, although an individual can complain to a specialist federal agency or go to court (see below) where his legal rights under the federal law have been violated.

Sensitive data about the individual’s health form part of the data transferred. The federal law does include stricter provisions for the processing of information relating to criminal records, sex, race, ethnic origin, age and marital status, but not for health information. However, in its privacy policy the
...
proceedings are taking place.

The company’s internal privacy policy contains no independent mechanism allowing an individual to enforce his/her rights, but it does contain some disciplinary sanctions for employees who violate the policy. Several employees have indeed already been disciplined regarding past violations.

The combination of legislation and internal privacy code must be evaluated according to the ‘objectives’ that have been laid down for procedural mechanisms. In this case the key questions could include:

Good level of general compliance

The main encouragement for the company to comply with its own privacy policy is the risk of harmful publicity in the press if it is found not to deliver on its promises. In addition individuals within the company may be subject to disciplinary measures if they flout rules on security. However, these mechanisms do not in themselves seem sufficient to ensure that the privacy policy is complied with in practice. This conclusion may have been different if:
(1) the company’s privacy policy had been mirrored in an industry-wide code of conduct established by the industry trade association, under which any company found to be in breach of the code would be immediately expelled from the association; or
(2) a general principle of law allowed a company found to be in breach of its own published privacy code to be prosecuted by a public agency on the grounds of “unfair and deceptive” practices.

As far as the federal law is concerned, compliance is encouraged by the possibility of private law suits in the case of non-compliance. The prospect of being taken to court would have some deterrent effect on the data controller. There is, however, very little in the way of direct external verification of data processing procedures, as the public authority reacts only where a problem is drawn to its attention by a complainant or by the press, for example.

Support and help to individual data subjects

Clearly a public agency does exist and it does serve as a focal point for complaints from individuals about their credit reports. Complaint investigation carries no cost to the individual.

Appropriate Redress

For breaches of the fairly narrow legal obligations of the federal law, the individual can obtain redress from a court. This is, however, a relatively expensive process, and the individual often does not receive support from the public agency in these legal proceedings. The court can order the data controller to pay damages to the individual (where it finds that damage has been caused) and to amend its data processing procedures and the content of the credit file in question. For breaches of those data protection principles enshrined only in the privacy policy, no such redress is possible.

The Verdict

...
controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.

5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her. The only exemptions to these rights should be in line with Article 13 of the directive.

6) restrictions on onward transfers - further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the directive. (These exemptions are examined in Chapter Five.)

Examples of additional principles to be applied to specific types of processing are:

1) sensitive data - where ‘sensitive’ categories of data are involved (those listed in article 8 of the directive⁴), additional safeguards should be in place, such as a requirement that the data subject gives his/her explicit consent for the processing.

2) direct marketing - where data are transferred for the purposes of direct marketing, the data subject should be able to ‘opt-out’ from having his/her data used for such purposes at any stage.

3) automated individual decision - where the purpose of the transfer is the taking of an automated decision in the sense of Article 15 of the directive, the individual should have the right to know the logic involved in this decision, and other measures should be taken to safeguard the individual’s legitimate interest.

² Article 13 permits a restriction to the 'purpose principle' if such a restriction constitutes a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest, or the protection of the data subject or the rights and freedoms of others.
³ Article 11(2) stipulates that when data are collected from someone other than the data subject, information need not be provided to the data subject if this proves impossible, involves a disproportionate effort, or if the recording or disclosure of the data is expressly required by law.

(ii) Procedural/ Enforcement Mechanisms

...
Sensitive data about the individual’s health form part of the data transferred. The federal law does include stricter provisions for the processing of information relating to criminal records, sex, race, ethnic origin, age and marital status, but not for health information. However, in its privacy policy the credit reporting agency states that health data will not be used for credit assessment purposes, but only for employment or insurance checks. In these two situations the use of such data will be authorised by the individual on an employment application or insurance form. There would therefore appear to be substantively reinforced protection for the health data involved in this example, even though this protection is not provided by statute.

Use of the data for direct marketing purposes by the credit reporting agency (and the disclosure of the data to others for such purposes) is an issue here. There is no real statutory impediment to such use and no legal requirement to offer an opt-out. This is clearly inadequate, particularly as in this case not only will the data be used by the agency (to carry out host mailings for credit granting financial institutions) but also disclosed to third parties for the marketing of both related financial services products and unrelated products such as lawn-mowers and holidays.

It would appear that the purpose of the transfer may be to enable an automated decision to be made about whether the data subject should be granted credit. The data subject should therefore benefit from additional
...
EUROPEAN COMMISSION
DIRECTORATE GENERAL XV
Internal Market and Financial Services
Free movement of information, company law and financial information
Free movement of information and data protection, including international aspects

DG XV D/5025/98
WP 12

Working Party on the Protection of Individuals with regard to the Processing of Personal Data

Working Document

Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive

Adopted by the Working Party on 24 July 1998

Table of contents

Introduction p. 3
Chapter 1 What constitutes “adequate protection”? p. 5
Chapter 2 Applying the approach to countries that have ratified Convention 108 p. 9
Chapter 3 Applying the approach to industry self-regulation p. 11
Chapter 4 The role of contractual provisions p. 16
Chapter 5 Exemptions from the adequacy requirement p. 26
Chapter 6 Procedural issues p. 28
Annex 1 Examples
Annex 2 Articles 25 and 26

Introduction

This document seeks to bring together the previous work done by the Working Party of EU Data Protection Commissioners established under Article 29 of the Data Protection Directive¹ into a more comprehensive set of views covering all the central questions raised by flows of personal data to third countries in the context of the application of EU data protection directive (95/46/EC). It is organised according to the system provided for international transfers of personal data set out in Articles 25 and 26 of the directive. (The text of these articles is attached as Annex 2.)

Article 25, paragraph (1), sets out the principle that Member States shall only allow a transfer to take place if the third country in question ensures an adequate level of protection. Paragraph (2) explains that 'adequacy' should be assessed on a case by case basis 'in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations'. Paragraph (6) provides that the Commission may determine that certain countries offer adequate protection. Chapter One of this paper deals with this central question of adequate protection. It seeks to explain what is meant by 'adequate' and outlines a framework for how the adequacy of protection should be assessed in a particular case.

The application of this approach is further dealt with in Chapters Two and Three. Chapter Two deals with transfers to countries that have ratified the Council of Europe Convention 108, while Chapter Three assesses the issues surrounding transfers where the protection of personal data is provided for mainly or entirely by self-regulatory mechanisms and not by rules of law.

Where there is an absence of adequate protection in the sense of Article 25 (2), the directive also envisages in Article 26(2) the possibility of ad hoc measures, notably of a contractual nature, which could result in the establishment of adequate safeguards on the basis of which the transfer in question could proceed. In Chapter Four of this paper the circumstances in which ad hoc contractual solutions may be appropriate are examined and some recommendations as to the possible form and content of such solutions are set out.

Chapter Five deals with the third and final situation envisaged by the directive: those limited sets of cases contained in Article 26(1) where there is effectively an exemption to the requirement of ‘adequate protection’. The precise scope of these exemptions is examined, with illustrative examples of the kinds of cases that might be covered together with those that would seem not to be.

¹ See WP 4 (5020/97) "First orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy", a discussion document adopted by the Working Party on 26 June 1997; WP 7 (5057/97) Working document: "Judging industry self-regulation: when does it make a meaningful contribution to the level of data protection in a third country?", adopted by the Working Party on 14 January 1998; WP 9 (5005/98) Working Document: "Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries", adopted by the Working Party on 22 April 1998.

Finally Chapter Six contains some comments on procedural matters arising in connection with the making of judgements on the adequacy (or non-adequacy) of protection and the achieving of a coherent Community-wide approach to these questions.

Attached as annex 1 are a series of illustrative case studies which seek to demonstrate how the approach set out in this document might apply in practice.

CHAPTER ONE: ASSESSING WHETHER PROTECTION IS ADEQUATE

(1) What constitutes ‘adequate protection’?

The purpose of data protection is to afford protection to the individual about whom data are processed. This is
...
To provide a basis for the assessment of the adequacy of the protection provided, it is necessary to identify the underlying objectives of a data protection procedural system, and on this basis to judge the variety of different judicial and non-judicial procedural mechanisms used in third countries.

The objectives of a data protection system are essentially threefold:

1) to deliver a good level of compliance with the rules. (No system can guarantee 100% compliance, but some are better than others). A good system is generally characterised by a high degree of awareness among data controllers of their obligations, and among data subjects of their rights and the means of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring respect for rules, as of course can systems of direct verification by authorities, auditors, or independent data protection officials.

2) to provide support and help to individual data subjects in the exercise of their rights. The individual must be able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort of institutional mechanism allowing independent investigation of complaints.

3) to provide appropriate redress to the injured party where rules are not complied with. This is a key element which must involve a system of independent adjudication or arbitration which allows compensation to be paid and sanctions imposed where appropriate.

⁴ Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, data concerning health or sex life, and data relating to offences, criminal convictions or security measures.

CHAPTER TWO: APPLYING THE APPROACH TO COUNTRIES THAT HAVE RATIFIED COUNCIL OF EUROPE CONVENTION 108

Convention 108 is the only existing international instrument with binding force in the data protection field apart from the directive. Most of the parties to the Convention are also Member States of the European Union (all 15 have now ratified it) or countries, such as Norway and Iceland, which may in any case be bound by the directive by virtue of the European Economic Area agreement. However, Slovenia, Hungary and Switzerland have also ratified the Convention, and other third countries are likely to do so in the future, particularly given that the Convention is also open to non-Council of Europe countries. It is therefore of more than purely academic interest to examine whether countries that have ratified the Convention can be considered to afford an adequate level of protection in the sense of Article 25 of the directive.

As a starting point it is useful to examine the text of the Convention itself in the light of the theoretical outline of ‘adequate protection’ set out in Chapter One of this document.

As regards the content of the basic principles, the Convention could be said to include the first five of the six ‘minimum conditions’.⁵ The Convention also includes the requirement for appropriate safeguards for sensitive data which should be a requirement for adequacy whenever such data are involved.

A missing element of the Convention in terms of the content of its substantive rules is the absence of restrictions on transfers to countries not party to it. This creates the risk that a Convention 108 country could be used as a ‘staging post’ in a data transfer from the Community to a further third country with entirely inadequate protection levels.

The second aspect of ‘adequate protection’ concerns the procedural mechanisms in place to ensure that the basic principles are rendered effective. The Convention requires its principles to be embodied in domestic law and that appropriate sanctions and remedies for violations of these principles be established. This should be sufficient to ensure a reasonable level of compliance with the rules and appropriate redress to data subjects where the rules are not complied with (objectives (1) and (3) of a data protection compliance system). However, the Convention does not oblige contracting parties to establish institutional mechanisms allowing the independent investigation of complaints, although in practice ratifying countries have generally done so. This is a weakness in that without such institutional mechanisms appropriate support and help to individual data subjects in the exercise of their rights (objective (2)) may not be guaranteed.

⁵ There may be some doubts about the ‘transparency principle’. Article 8 (a) of the Convention may not equate to the active duty to provide information which is the essence of Articles 10 and 11 of the directive. Furthermore the
...
p.000014: Conference, September 1996, Ottawa.
p.000014:
p.000015: 15
p.000015:
p.000015: responsibility for complying with the substantive data protection principles. The second entity, the
p.000015: 'processor', is responsible only for data security. An entity is deemed to be a controller if it has the
p.000015: decision-making power over the purposes and means of the data processing, whereas the processor is simply the body that
p.000015: physically provides the data processing service. The relationship between the two is regulated by Article 17(3) of the
p.000015: directive, which stipulates that:
p.000015:
p.000015: the carrying out of processing by way of a processor must be governed by a contract or legal act binding the
p.000015: processor to the controller and stipulating in particular that:
p.000015: - the processor shall act only on instructions from the controller
p.000015: - the obligations set out in Paragraph 1 (the substantive provisions regarding data security), as defined
p.000015: by the law of the Member State in which the processor is established, shall also be incumbent on the
p.000015: processor.
p.000015:
p.000015: This elaborates on the general principle established under Article 16 that any person acting under the
p.000015: authority of the controller, including the processor himself, must not process personal data except on instructions
p.000015: from the controller (unless required to do so by law).
p.000015:
p.000015: Where personal data are transferred to third countries it will also normally be the case that more than one party will
p.000015: be involved. Here the relationship in question is between the entity transferring the data (the 'transferer') and the
p.000015: entity receiving the data in the third country (the 'recipient'). In this context one purpose of the contract should
p.000015: still be that of determining how the responsibility for data protection compliance is split between the two
p.000015: parties. However, the contract must do much more than this: it must provide additional safeguards for the data subject
p.000015: made necessary by the fact that the recipient in the third country is not subject to an enforceable set of
p.000015: data protection rules providing an adequate level of protection.
p.000015:
p.000015:
p.000015: 3. The objective of a contractual solution
p.000015:
p.000015:
p.000015: In the context of third country transfers, therefore, the contract is a means by which adequate safeguards can be
p.000015: provided by the data controller when transferring data outside of the Community (and thus outside the
p.000015: protection provided by the directive, and indeed by the general framework of Community law9) to a third country where
p.000015: the general level of protection is not adequate. For a contractual provision to fulfil this function, it must
p.000015: satisfactorily compensate for the absence of a general level of adequate protection, by including the
p.000015: essential elements of protection which are missing in any given particular situation.
...
p.000016: - the data quality and proportionality principle
p.000016: - the transparency principle
p.000016: - the security principle
p.000016: - the rights of access, rectification and opposition
p.000016: - restrictions on onward transfers to non-parties to the contract10
p.000016:
p.000016: Furthermore in some situations additional principles relating to sensitive data, direct marketing and automated
p.000016: decisions must be applied.
p.000016:
p.000016: The contract should set out the detailed way in which the recipient of the data transfer should apply these principles
p.000016: (i.e. purposes should be specified, data categories, time limits for retention, security measures, etc.). In
p.000016: other situations, for example where protection in a third country is provided by a general data protection law
p.000016: similar to the directive, other mechanisms which clarify the way data protection rules apply in practice
p.000016: (codes of conduct, notification, the advisory function of the supervisory authority) are likely to be in
p.000016: place. In a contractual situation this is not so. Detail is therefore imperative where the transfer is based on a
p.000016: contract.
p.000016:
p.000016:
p.000016: 10 Further transfers of the personal data from the recipient to another third party should not be permitted, unless a
p.000016: means is found of contractually binding the third party in question providing the same data protection guarantees to
p.000016: the data subjects.
p.000016:
p.000017: 17
p.000017:
p.000017: (ii) Rendering the substantive rules effective
p.000017:
p.000017: Chapter One sets out three criteria by which the effectiveness of a data protection system should be
p.000017: judged. These criteria are the ability of the system:
p.000017: - to deliver a good level of compliance with the rules
p.000017: - to provide support and help to individual data subjects in the exercise of their rights
p.000017: - and, as a key element, to provide appropriate redress to the injured party where rules are not complied with.
p.000017:
p.000017: The same criteria must apply in judging the effectiveness of a contractual solution. Clearly this is a
p.000017: major though not impossible challenge. It is a question of finding means which can make up for the absence
p.000017: of oversight and enforcement mechanisms, and which can offer help, support and ultimately redress to the data subject
p.000017: who may not be a party to the contract.
p.000017:
p.000017: Each of these questions must be examined in detail. For ease of analysis, they are taken in reverse
p.000017: order.
p.000017:
p.000017:
p.000017: Providing redress to a data subject
p.000017:
p.000017: Providing a legal remedy to a data subject, (i.e. a right to have a complaint adjudicated by an independent arbiter and
p.000017: to receive compensation where appropriate), by way of a contract between the 'transferer' of the data and the
p.000017: 'recipient' is not a simple question. Much will depend on the nature of the contract law chosen as the
p.000017: national law applicable to the contract. It is expected that the applicable law will generally be that of the Member
p.000017: State in which the transferer is established. The contract law of some Member States permits the creation of
p.000017: third party rights, whereas in other Member States this is not possible.
p.000017:
p.000017: As a general rule the more the recipient is limited in terms of his freedom to choose the purposes, means and
p.000017: conditions under which he processes the transferred data, the greater will be the legal security for the
p.000017: data subject. Bearing in mind that we are dealing with cases of inadequate general protection, the
p.000017: preferred solution would be for the contract to provide that the recipient of the transfer has no
p.000017: autonomous decision-making power in respect of the transferred data, or the way in which they are subsequently
p.000017: processed. The recipient is bound in this case to act solely under the instructions of the transferer,
p.000017: and while the data may have been physically transferred outside of the EU, decision-making control over the data
p.000017: remains with the entity who made the transfer based in the Community. The transferer thus remains the
p.000017: data controller, while the recipient is simply a sub-contracted processor. In these circumstances,
p.000017: because control over the data is exercised by an entity established in an EU Member State, the law of the Member State
p.000017: in question will continue to apply to the processing carried out in the third country11, and furthermore the data
p.000017: controller
p.000017:
p.000017:
p.000017: 11 By virtue of Article 4(1)(a) of directive 95/46/EC.
p.000017:
p.000018: 18
p.000018:
p.000018: will continue to be liable under that Member State law for any damage caused as a result of an unlawful
p.000018: processing operation.12
p.000018:
...
p.000018: mechanisms, and the use of contracts in combination with such codes could be usefully envisaged.
p.000018:
p.000018: Another possibility is that the transferer, perhaps at the moment of obtaining the data initially from the data
p.000018: subject, enters into a separate contractual agreement with the data subject stipulating that he (the
p.000018: transferer) will remain liable for any damage or distress caused by the failure of the recipient of a
p.000018: data transfer to comply with the agreed set of basic data protection principles. In this way the data subject is
p.000018: granted a means of redress against the transferer for the misdemeanors of the recipient. It would be up to the
p.000018: transferer to then recover any damages he was forced to pay out to the data subject, by taking action for breach of
p.000018: contract against the recipient.
p.000018:
p.000018: Such an elaborate three-way solution is perhaps more feasible than it might appear. The contract with
p.000018: the data subject could become part of the standard terms and conditions under which a bank or a travel
p.000018: agency, for example, provide services to their customers. It has the advantage of transparency: the data
p.000018: subject is made fully aware of the rights that he has.
p.000018:
p.000018:
p.000018: 12 See Article 23 of directive 95/46/EC.
p.000018: 13 Although because this case arose under a law which predated the directive, the law itself did not automatically
p.000018: apply to all processing controlled by a German-established controller. The legal remedy for the data subject was
p.000018: instead created by the ability of German contract law to create third party rights.
p.000018:
p.000019: 19
p.000019:
p.000019: Finally, as an alternative to a contract with the data subject, it could also be envisaged that a Member State lay
p.000019: down in law a continuing liability for data controllers transferring data outside the Community for damages
p.000019: incurred as a result of the actions of the recipient of the transfer.
p.000019:
p.000019:
p.000019: Providing support and help to data subjects
p.000019:
p.000019: One of the main difficulties facing data subjects whose data are transferred to a foreign jurisdiction is the problem
p.000019: of being unable to discover the root cause of the particular problem they are experiencing, and therefore being
p.000019: unable to judge whether data protection rules have been properly followed or whether there are grounds for a legal
p.000019: challenge.14 This is why an adequate level of protection requires the existence of some sort of
p.000019: institutional mechanism allowing for independent investigation of complaints.
p.000019:
p.000019: The monitoring and investigative function of a Member State supervisory authority is limited to data processing carried
p.000019: out on the territory of the Member State.15 Where data are transferred to another Member State, a system of mutual
p.000019: assistance between supervisory authorities will ensure that any complaint from a data subject in the first Member
p.000019: State will be properly investigated. Where the transfer is to a third country, there will in most cases be no such
p.000019: guarantee. The question, therefore, is what kind of compensatory mechanisms can be envisaged in the context of a data
p.000019: transfer based on a contract.
p.000019:
p.000019: One possibility would be simply to require a contractual term which grants the supervisory authority of the
p.000019: Member State in which the transferer of the data is established a right to inspect the processing carried out by the
p.000019: processor in the third country. This inspection could, in practice, be carried out by an agent (for example a
p.000019: specialist firm of auditors) nominated by the supervisory authority, if this was felt to be appropriate. A difficulty
p.000019: with this approach, however, is that the supervisory authority is not generally16 a party to the contract,
p.000019: and thus in some jurisdictions may have no means of invoking it to gain access. Another possibility could be a legal
p.000019: undertaking provided by the recipient in the third country directly to the EU Member State supervisory
p.000019: authority involved, in which the recipient of the data agrees to allow access by the supervisory
p.000019: authority or a nominated agent in the event that non-compliance with data protection principles is suspected. This
p.000019: undertaking could also require that the parties to the data transfer inform the supervisory authority of any complaint
p.000019: that they receive from a data subject. Under such an arrangement the existence of such an undertaking would be a
p.000019: condition to be fulfilled before the transfer of data could be permitted to take place.
p.000019:
p.000019:
p.000019: 14 Even if a data subject is granted rights under a contract, he/she will often not be able to judge whether the
p.000019: contract has been breached, and if so by whom. An investigative procedure outside of formal civil court proceedings is
p.000019: therefore necessary.
p.000019: 15 See Article 28(1) of directive 95/46/EC
p.000019: 16 The French delegation could envisage situations where the supervisory authority was a party to the contract.
p.000019:
p.000020: 20
p.000020:
p.000020: Whatever the solution chosen there remain significant doubts as to whether it is proper, practical, or
p.000020: indeed feasible from a resource point of view, for a supervisory authority of an EU Member State to take
p.000020: responsibility for investigation and inspection of data processing taking place in a third country.
p.000020:
p.000020:
p.000020: Delivering a good level of compliance
p.000020:
p.000020: Even in the absence of a particular complaint or difficulty faced by a data subject, there is a need for confidence
p.000020: that the parties to the contract are actually complying with its terms. The problem with the contractual
p.000020: solution is the difficulty in establishing sanctions for non-compliance which are sufficiently meaningful to have
p.000020: the dissuasive effect needed to provide this confidence. Even in cases where effective control over the data
p.000020: continues to be exercised from within the Community, the recipient of the transfer may not be subject to any
p.000020: direct penalty if he were to process data in breach of the contract. Instead the liability would rest with the
p.000020: Community-based transferer of the data, who would then need to recover any losses in a separate legal action against
p.000020: the recipient. Such indirect liability may not be sufficient to encourage the recipient to comply with every detail of
p.000020: the contract.
p.000020:
p.000020: This being the case it is probable that in most situations a contractual solution will need to be complemented by at
p.000020: least the possibility of some form of external verification of the recipient's processing activities, such as an audit
p.000020: carried out by a standards body, or specialist auditing firm.
p.000020:
...
p.000022: • The basis for assessing the adequacy of the safeguards delivered by a contractual solution is the same as the
p.000022: basis for assessing the general level of adequacy in a third country. A contractual solution must
p.000022: encompass all the basic data protection principles and provide means by which the principles can be enforced.
p.000022: • The contract should set out in detail the purposes, means and conditions under which the transferred
p.000022: data are to be processed, and the way in which the basic data protection principles are to be
p.000022: implemented. Greater legal security is provided by contracts which limit the ability of the recipient
p.000022: of the data to process the data autonomously on his own behalf. The contract should therefore be used, to the
p.000022: extent possible, as a means by which the entity transferring the data retains decision-making control over the
p.000022: processing carried out in the third country.
p.000022: • Where the recipient has some autonomy regarding the processing of the transferred data, the
p.000022: situation is not straightforward, and a single contract between the parties to the transfer may not
p.000022: always be a sufficient basis for the exercise of rights by individual data subjects. A mechanism may
p.000022: be needed through which the transferring party in the Community remains liable for any damage that may
p.000022: result from the processing carried out in the third country.
p.000022: • Onward transfers to bodies or organisations not bound by the contract should be specifically excluded by the
p.000022: contract, unless it is possible to bind such third parties contractually to respect the same data protection
p.000022: principles.
p.000022: • Confidence that data protection principles are respected after data are transferred would be boosted if data
p.000022: protection compliance by the recipient of the transfer were subject to external verification by, for example, a
p.000022: specialist auditing firm or standards/certification body.
p.000022: • In the event of a problem experienced by a data subject, resulting perhaps from a breach of the data
p.000022: protection provisions guaranteed in the contract, there is a general problem of ensuring that a data subject
p.000022: complaint is properly investigated. EU Member State supervisory authorities will have practical
p.000022: difficulties in carrying out such an investigation.
p.000022: • Contractual solutions are probably best suited to large international networks (credit cards, airline
p.000022: reservations) characterised by large quantities of repetitive data transfers of a similar nature, and by
p.000022: a relatively small number of large operators in industries already subject to significant public scrutiny and
p.000022: regulation. Intra-company data transfers between different branches of the same company group are another
...
p.000023: relevant in that it requires that the data subject be properly informed of the particular risk that his/her data are
p.000023: to be transferred to a country lacking adequate protection. If this information is not provided, this
p.000023: exemption will not apply. Because the consent must be unambiguous, any doubt about the fact that consent has
p.000023: been given would also render the exemption inapplicable. This is likely to mean that many situations where
p.000023: consent is implied (for example because an individual has been made aware of a transfer and has not
p.000023: objected) would not qualify for this exemption. The exemption could, however, be useful in cases where the
p.000023: transferer has direct contact with the data subject and where the necessary information could be easily provided and
p.000023: unambiguous consent obtained. This may often be the case for transfers undertaken in the context of providing
p.000023: insurance, for example.
p.000023:
p.000023: The second and third exemptions cover transfers necessary either for the performance of a contract between the
p.000023: data subject and the controller (or the implementation of precontractual measures taken in response to
p.000023: the data subject's request) or for the conclusion or performance of a contract concluded in the interest of the
p.000023: data subject between the controller and a third party. These exemptions appear potentially quite wide, but,
p.000023: as with the fourth and fifth exemptions discussed below their application in practice is likely to be limited by the
p.000023: 'necessity test': all of the data transferred must be necessary for the performance of the contract. Thus if
p.000023: additional non-essential data are transferred or if the purpose of the transfer is not the performance of the contract
p.000023: but rather some other purpose (follow-up marketing, for example) the exemption will be lost. As regards
p.000023: pre-contractual situations, this would only include situations initiated by the data subject (such as a request for
p.000023: information about a particular service) and not those resulting from marketing approaches made by the data controller.
p.000023:
p.000023: In spite of these caveats, these second and third exemptions will not be without impact. They are likely often to
p.000023: be applicable, for example, to those transfers necessary to reserve an airline ticket for a passenger or to
p.000023: transfers of personal data necessary for the operation of an international bank or credit card payment. Indeed the
p.000023: exemption for contracts "in the interest of the data subject" (Article 26(1)(c)) specifically covers the transfer of
p.000023: data about the beneficiaries of bank payments, who, although data subjects, may often not be party to a contract with
p.000023: the transferring controller.
p.000023:
p.000023:
p.000024: 24
p.000024:
p.000024: The fourth exemption has two strands. The first covers transfers necessary or legally required on important public
p.000024: interest grounds. This may cover certain limited transfers between public administrations, although care must be
p.000024: taken not to interpret this provision too widely. A simple public interest justification for a transfer
p.000024: does not suffice; it must be a question of important public interest. Recital 58 suggests that data transfers between
p.000024: tax or customs administrations or between services responsible for social security will generally be covered.
p.000024: Transfers between supervisory bodies in the financial services sector may also benefit from the exemption. The
p.000024: second strand concerns transfers taking place in the context of international litigation or legal
p.000024: proceedings, specifically transfers that are necessary for the establishment, exercise or defence of legal claims.
p.000024:
p.000024: The fifth exemption concerns transfers necessary in order to protect the vital interests of the data subject. An
p.000024: obvious example of such a transfer would be the urgent transfer of medical records to a third country where a
p.000024: tourist who had previously received medical treatment in the EU has suffered an accident or has become dangerously
p.000024: ill. It should be borne in mind, however, that recital 31 of the directive interprets 'vital interest'
p.000024: fairly narrowly as an interest "which is essential for the data subject's life". This would normally exclude, for
...
p.000025: such as the US, Canada and Australia, where differences often exist between the various states that make up
p.000025: the federation. As a result, it seems unlikely that, at present, many third countries could be considered to offer
p.000025: adequate protection across the board. The fewer countries for which positive findings could be made, the less useful
p.000025: the exercise would be, of course, in terms of providing greater certainty to
p.000025:
p.000025:
p.000025: 19 Member States may set down different administrative procedures to discharge their obligations under Article 25.
p.000025: These may include imposing a direct obligation on data controllers and/or developing systems of prior authorisation or
p.000025: ex post facto verification by the supervisory authority.
p.000025:
p.000026: 26
p.000026:
p.000026: data controllers. A further risk is that some third countries might come to see the absence of a finding
p.000026: that they provided adequate protection as politically provocative or at least discriminatory, in that the absence of a
p.000026: finding is as likely to be the result of their case not having been examined as of a judgement on their
p.000026: data protection system.
p.000026:
p.000026: Having weighed these different arguments carefully, it is nevertheless the opinion of the Working Party that
p.000026: initiating work to make a series of findings under Article 25(6) would be a useful step. Such a process should be seen
p.000026: as a continuing one, not one that would produce a definitive list, but rather a list that would be constantly added to
p.000026: and revised in the light of developments. A positive finding should not in principle be limited to
p.000026: countries having horizontal data protection laws, but should also cover specific sectors within countries
p.000026: where data protection is adequate, even though in other sectors the same country's protection may be less than
p.000026: adequate.
p.000026:
p.000026: It should be noted that the Article 29 group has no explicit role in making decisions about particular data transfers
p.000026: or in determinations of “adequacy” under Article 25(6). Both are subject to the comitology procedure laid down
p.000026: in Article 31. It should be recalled, however, that one of the specific duties of the Article 29 group is to give
p.000026: the Commission an opinion on the level of protection in third countries (see Article 30(i)b). It
p.000026: therefore falls well within the remit of the Article 29 group to examine the situation in particular third
p.000026: countries and come to a provisional view as to the adequacy of protection. Positive findings, once
p.000026: confirmed in accordance with Article 25(6) would need to be widely promulgated in order to be useful. Where a country
...
p.000026: third country in question is not the subject (in whole or in part) of a positive finding. How Member States deal with
p.000026: these cases may well vary according to the way Article 25 is transposed into national law (see footnote
p.000026: on the previous page). If a specific role is given to the supervisory authority either to authorise data transfers
p.000026: before they take place, or to carry out an ex post facto check, the sheer volume of transfers involved may mean that a
p.000026: system to prioritise the efforts of the supervisory authority will need to be envisaged. Such a system
p.000026: could take the form of an agreed set of criteria which enable a particular transfer or category of transfer to be
p.000026: considered as a priority on the grounds of posing a particular threat to individual privacy.
p.000026:
p.000026: The effect of such a system would not of course change the obligation on each Member State to ensure
p.000026: that only those transfers where the third country ensures an adequate level of protection are permitted to take
p.000026: place. It would constitute guidance regarding which cases of data transfer should be considered as ‘priority
p.000026: cases’ for examination or even investigation, and thereby allow the resources available to be
p.000026:
p.000026:
p.000027: 27
p.000027:
p.000027: directed towards those transfers which raise the greatest concerns in terms of the protection of data
p.000027: subjects.
p.000027:
p.000027: The Working Party considers that among those categories of transfer which pose particular risks to privacy
p.000027: and therefore merit particular attention are the following:
p.000027: - those transfers involving certain sensitive categories of data as defined by Article 8 of the directive;
p.000027: - transfers which carry the risk of financial loss (e.g. credit card payments over the Internet);
p.000027: - transfers carrying a risk to personal safety;
p.000027: - transfers made for the purposes of making a decision which significantly affects the individual (such as
p.000027: recruitment or promotion decisions, the granting of credit, etc.);
p.000027: - transfers which carry a risk of serious embarrassment or tarnishing of an individual’s reputation;
p.000027: - transfers which may result in specific actions which constitute a significant intrusion into an individual’s
p.000027: private life, such as unsolicited telephone calls;
p.000027: - repetitive transfers involving massive volumes of data (such as transactional data processed over telecommunications
p.000027: networks, the Internet etc.);
p.000027: - transfers involving the collection of data using new technologies, which, for instance could be undertaken in a
p.000027: particularly covert or clandestine manner (e.g. Internet cookies).
p.000027:
p.000027: (i) Standard Contract Clauses
p.000027:
p.000027: As discussed at length in Chapter Four the directive envisages the possibility that, even where the level of protection
p.000027: is not adequate, a data controller may adduce adequate safeguards for a data transfer by way of a contract. Article
p.000027: 26(2) of the directive allows Member States to authorise transfers on the basis of such contractual
p.000027: provisions, a decision which must then be notified to the Commission. If there are objections to the authorisation,
p.000027: the decision may be overturned or confirmed by the Commission following the comitology procedure laid down in
p.000027: Article 31. In addition to Member State authorisations, Article 26(4) of the directive also allows the Commission,
p.000027: again following the comitology procedure laid down in Article 31, to make judgements as to whether certain standard
p.000027: contractual clauses offer sufficient safeguards. These judgements are then binding on Member States.
p.000027:
p.000027: Given the evident complexity and difficulty of such contractual solutions, there is clearly a need for
p.000027: agreed guidance to those data controllers who envisage using contracts in this way. At Member State level,
p.000027: the competent national authorities are likely to bear a major responsibility for providing this guidance,
p.000027: particularly when preparing authorisations in the context of Article 26(2). Member State authorities and the
p.000027: Commission should co-operate and exchange opinions on contract clauses submitted to them. Where
p.000027: proposed standard clauses are submitted either to Member State authorities or directly to the Commission, a
p.000027: procedure should be developed to ensure that these clauses also be examined by the Working Party, so as
p.000027: to avoid differences in national practices developing and to ensure that the Commission is able to benefit from the
p.000027: appropriate expert advice before making any decision under Article 26(4).
p.000027:
p.000027:
p.000028: 28
p.000028:
p.000029: 29
p.000029:
p.000029: ANNEX 1
p.000029:
p.000029: WHAT ARTICLES 25 AND 26 OF THE DIRECTIVE MAY MEAN IN PRACTICE FOR THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
p.000029:
p.000029: Introduction
p.000029:
p.000029: The main body of this document sets out an overall approach to the issue of third country transfers
p.000029: including:
p.000029:
p.000029: - an assessment of adequate protection within the meaning of Article 25 of the data protection directive;
p.000029: - an assessment of alternative means of adducing adequate safeguards through contractual solutions, as envisaged by
p.000029: Article 26(2);
...
particularly in the context of a judicial system that functions well and the “litigation culture” found in Country A. The law contains clear provisions on perhaps the most important data protection principle of all - the right of access and rectification, and some limitations on the purpose for which data can be used.

Conclusion

Protection is inadequate because the law covers too few of the “core principles” and the privacy policy, standing alone, is not an effective means of providing protection. An adequate verdict could result either if the law were developed to include principles such as transparency and protection for health data, or if the privacy policy were rendered more effective by one of the methods suggested above (i.e. making compliance a condition for membership of an industry association, or giving a public agency powers to prosecute the company for misleading and deceptive practices if it failed to comply with its own policy).

STEP TWO : SEARCHING FOR A SOLUTION

Of the possible exemptions set out in Article 26(1), only (a), the consent of the data subject, would appear to be appropriate. The exemption in (b), which deals with transfers necessary for contractual reasons, is not applicable because the transferring party, the UK-based credit reference agency, has no contractual relationship with the data subject. It is also difficult to make an argument that the transfer is necessary on the basis of a contract “in the interests of the data subject” as required by exemption (c).

Data subject consent would, however, seem to be a relatively straightforward solution to the problem. Consent could be obtained either directly by the UK-based credit reference agency, or on behalf of the UK agency by the financial institution in Country A, who could ask for consent on the loan application form. Whatever method is chosen, the data subject should be informed of the particular risk resulting from the fact that his data are to be transferred to a country lacking adequate protection.

Given the fact that this kind of transfer is still relatively rare, the obtaining of consent on a one-off basis is probably the most practical solution. If credit reporting and reference agencies around the world begin to exchange data on a more systematic basis, then other arrangements, such as contractual solutions or an international code of conduct, could be developed.
...
subject to his/her inclusion on the mailing lists. In view of this it is unlikely that any of the exemptions in Article 26(1) will be useful.

The Netherlands company has two possibilities, which could be used as alternatives or together. The first would be to limit its trade in mailing lists to companies in jurisdictions which clearly appeared to ensure adequate protection by virtue of laws or effective self-regulatory instruments. In making this decision the company could be guided by any available “White list”.

The second possibility would be to require contractual undertakings from all client companies (or at least those in “non-adequate” jurisdictions) regarding the protection of the data transferred. These contractual arrangements should follow the advice set out in Chapter Four of the main paper. In particular they should seek to create a situation under which the Netherlands company remained liable under Netherlands law for any violation of data protection principles resulting from the actions of the client company to whom the mailing lists had been transferred.

Such a contractual solution, if properly implemented, would help overcome the effective barrier to trade that the lack of adequate data protection in certain third countries creates.

Done at Brussels, 24 July 1998
For the Working Party
The Chairman

P.J. HUSTINX
...
Searching for indicator political:

[4] Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, data concerning health or sex life, and data relating to offences, criminal convictions or security measures.

CHAPTER TWO: APPLYING THE APPROACH TO COUNTRIES THAT HAVE RATIFIED COUNCIL OF EUROPE CONVENTION 108

Convention 108 is the only existing international instrument with binding force in the data protection field apart from the directive. Most of the parties to the Convention are also Member States of the European Union (all 15 have now ratified it) or countries, such as Norway and Iceland, which may in any case be bound by the directive by virtue of the European Economic Area agreement. However, Slovenia, Hungary and Switzerland have also ratified the Convention, and other third countries are likely to do so in the future, particularly given that the Convention is also open to non-Council of Europe countries. It is therefore of more than purely academic interest to examine whether countries that have ratified the Convention can be considered to afford an adequate level of protection in the sense of Article 25 of the directive.

As a starting point it is useful to examine the text of the Convention itself in the light of the theoretical outline
...
Political / stateless persons
Searching for indicator nation:

therefore, a number of realistic (though fictional) case studies of data transfers are examined in the way it is envisaged that such cases are likely to be examined once the national laws implementing the directive enter into force.

Three different cases are set out. With each case the first step is to assess whether protection in the destination country is adequate by virtue of relevant laws or effective private sector self-regulation. If it is not, then the second step is to search for a solution to the problem among the possibilities set out in Article 26, paragraphs 1 (exemptions) and 2 (contractual solutions). Only then, if no solution is appropriate, would the third step be to block the transfer.

CASE (1) : A transfer of data regarding credit-worthiness

A Community citizen wishes to buy a holiday home in Country A outside the EC and applies for credit to a financial institution in that country. The financial institution requests a credit report from a credit reporting agency. The agency has no file on the individual but arranges for the individual’s full credit history to be transferred from its ‘sister’ Credit Reference Agency in the UK. Country A is an advanced industrialised nation, with long-standing and stable democratic institutions. The judicial system is well-resourced and functions effectively. It has a federal constitutional structure.

STEP ONE : ASSESSING THE ADEQUACY OF THE PROTECTION

The relevant applicable rules

The receiving data controller is subject to a federal law which sets down rules regarding personal information held for the assessment of credit risks. The data controller additionally claims to comply with its own published privacy policy. No state law is applicable and there is no industry-wide self-regulatory code.

Evaluation of the content of the applicable rules

First it should be noted that the communication made by the UK-based credit reference agency would, like any communication to a data controller elsewhere in the UK or another Member State, be subject to the normal requirements of UK law which implement all the articles of the directive other than Articles 25 and 26. This is important because it eliminates the need to examine the lawfulness of the communication itself. The focus of attention is rather the protection that will be afforded to the data once transferred to Country A.

Evaluation of rule content should logically start with the federal legislation. Where gaps are found here, the ‘softer’ law of the privacy policy could be considered to see if it fills these gaps. What follows is a list of the
...
Political / vulnerable
Searching for indicator vulnerable:

reservations) characterised by large quantities of repetitive data transfers of a similar nature, and by a relatively small number of large operators in industries already subject to significant public scrutiny and regulation. Intra-company data transfers between different branches of the same company group are another area in which there is considerable potential for the use of contracts.
• Countries where the powers of state authorities to access information go beyond those permitted by internationally accepted standards of human rights protection will not be safe destinations for transfers based on contractual clauses.

CHAPTER FIVE: EXEMPTIONS FROM THE ADEQUACY REQUIREMENT

Article 26(1) of the directive sets out a limited number of situations in which an exemption from the 'adequacy' requirement for third country transfers may apply. These exemptions, which are tightly drawn, for the most part concern cases where the risks to the data subject are relatively small or where other interests (public interests or those of the data subject himself) override the data subject's right to privacy. As exemptions from a general principle, they must be interpreted restrictively. Furthermore, Member States may provide in domestic law for the exemptions not to apply in particular cases. This might be the case, for example, where it is necessary to protect particularly vulnerable groups of individuals, such as workers or patients.

The first of these exemptions covers cases where the data subject gives his/her consent unambiguously to the proposed transfer. An important point to bear in mind is that the consent, following the definition in Article 2(h) of the directive, must be freely given, specific and informed. The requirement for information is particularly relevant in that it requires that the data subject be properly informed of the particular risk that his/her data are to be transferred to a country lacking adequate protection. If this information is not provided, this exemption will not apply. Because the consent must be unambiguous, any doubt about the fact that consent has been given would also render the exemption inapplicable. This is likely to mean that many situations where consent is implied (for example because an individual has been made aware of a transfer and has not objected) would not qualify for this exemption. The exemption could, however, be useful in cases where the transferer has direct contact with the data subject and where the necessary information could be easily provided and unambiguous consent obtained. This may often be the case for transfers undertaken in the context of providing insurance, for example.

...
Health / Mentally Disabled
Searching for indicator disabled:

CASE (2) : A transfer of sensitive data in the airline industry

A Portuguese citizen books a ticket at a Lisbon travel agency for a flight on board an airline based in Country B. The data collected include details of the fact that the citizen is disabled and uses a wheelchair. The data are entered on an international computer reservation system, and from there are downloaded by the airline onto its passenger database located in Country B, where they are retained indefinitely. The airline plans to use the data to provide better service to the passenger if he were to travel with the airline in the future, as well as for internal management planning purposes.[20]

STEP ONE : ASSESSING THE ADEQUACY OF THE PROTECTION

The relevant applicable rules

Although there is an international code of conduct applying to the data held on the computer reservation system, no data protection rules are in place regarding the data held on the airline’s own database in Country B.

Evaluation of the content of the applicable rules

None are applicable.

Evaluating the effectiveness of the protection

Not applicable.

Verdict

Protection levels in Country B are not adequate, particularly given the sensitivity of the data involved.

STEP TWO : SEARCHING FOR A SOLUTION

The transfer of data onto the Computer Reservation System and its use by the airline for the purpose of providing the appropriate service to the disabled passenger for the flight in question is a transfer necessary for the performance of the contract between the passenger and the airline (Article 26(1)(b)). However, the continued retention of the data (including sensitive data about the data subject’s health) on the airline’s database cannot be justified on these grounds. The transfer of data to the airline must therefore be covered by a different exemption.

As with Case (1), data subject consent would seem to be the best solution. Consent could be obtained by the travel agent in Lisbon on behalf of the airline. The risks of the data being held in Country B should be pointed out to the data subject, as should the fact that the transfer and retention of data in the airline’s own database is not necessary for the reasons pertaining to the specific flight being booked.

[20] This case has some similarities with a real case that has arisen under existing Swedish law, involving American airlines and Lufthansa. The case is still under appeal.
...
Health / Motherhood/Family
Searching for indicator family:

The fourth exemption has two strands. The first covers transfers necessary or legally required on important public interest grounds. This may cover certain limited transfers between public administrations, although care must be taken not to interpret this provision too widely. A simple public interest justification for a transfer does not suffice; it must be a question of important public interest. Recital 58 suggests that data transfers between tax or customs administrations or between services responsible for social security will generally be covered. Transfers between supervisory bodies in the financial services sector may also benefit from the exemption. The second strand concerns transfers taking place in the context of international litigation or legal proceedings, specifically transfers that are necessary for the establishment, exercise or defence of legal claims.

The fifth exemption concerns transfers necessary in order to protect the vital interests of the data subject. An obvious example of such a transfer would be the urgent transfer of medical records to a third country where a tourist who had previously received medical treatment in the EU has suffered an accident or has become dangerously ill. It should be borne in mind, however, that recital 31 of the directive interprets 'vital interest' fairly narrowly as an interest "which is essential for the data subject's life". This would normally exclude, for example, financial, property or family interests.

The sixth and final exemption concerns transfers made from registers intended by law for consultation by the public, provided that in the particular case the conditions for consultation are fulfilled. The intention of this exemption is that where a register in a Member State is available for public consultation or by persons demonstrating a legitimate interest, then the fact that the person who has the right to consult the register is actually situated in a third country, and that the act of consultation in fact involves a data transfer, should not prevent the information being transmitted to him. Recital 58 makes it clear that entire registers or entire categories of data from registers should not be permitted to be transferred under this exemption. Given these restrictions this exemption should not be considered to be a general exemption for the transfer of public register data. For example, it is clear that mass transfers of public register data for commercial purposes or the trawling of publicly available data for the purpose of profiling specific individuals would not benefit from the exemption.

CHAPTER SIX: PROCEDURAL ISSUES

Article 25 envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers or individual categories of transfers. Nevertheless it is clear that, given the huge number of transfers of personal
...
Health / Physically Disabled
Searching for indicator physically:

2. The use of contracts as a basis for intra-Community flows of data

Before examining the requirements of contractual provisions in the context of data flows to third countries, it is important to clarify the difference between the third country situation and that pertaining within the Community. In this latter case, the contract is the mechanism used to define and regulate the split of data protection responsibilities when more than one entity is involved in the data processing in question. Under the directive one entity, the 'data controller', must take the principal responsibility for complying with the substantive data protection principles. The second entity, the 'processor', is responsible only for data security. An entity is deemed to be a controller if it has the decision-making power over the purposes and means of the data processing, whereas the processor is simply the body that physically provides the data processing service. The relationship between the two is regulated by Article 17(3) of the directive, which stipulates that:

the carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller
- the obligations set out in Paragraph 1 (the substantive provisions regarding data security), as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

This elaborates on the general principle established under Article 16 that any person acting under the authority of the controller, including the processor himself, must not process personal data except on instructions from the controller (unless required to do so by law).

Where personal data are transferred to third countries it will also normally be the case that more than one party will be involved. Here the relationship in question is between the entity transferring the data (the 'transferer') and the entity receiving the data in the third country (the 'recipient'). In this context one purpose of the contract should still be that of determining how the responsibility for data protection compliance is split between the two parties. However, the contract must do much more than this: it must provide additional safeguards for the data subject

[7] ‘Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows, with Explanatory Memorandum’, study made jointly by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce, Strasbourg 2 November 1992
[8] See the presentation of Alexander Dix of this case at the International Data Protection and Privacy Commissioners’ Conference, September 1996, Ottawa.
...

Each of these questions must be examined in detail. For ease of analysis, they are taken in reverse order.

Providing redress to a data subject

Providing a legal remedy to a data subject (i.e. a right to have a complaint adjudicated by an independent arbiter and to receive compensation where appropriate), by way of a contract between the 'transferer' of the data and the 'recipient', is not a simple question. Much will depend on the nature of the contract law chosen as the national law applicable to the contract. It is expected that the applicable law will generally be that of the Member State in which the transferer is established. The contract law of some Member States permits the creation of third party rights, whereas in other Member States this is not possible.

As a general rule the more the recipient is limited in terms of his freedom to choose the purposes, means and conditions under which he processes the transferred data, the greater will be the legal security for the data subject. Bearing in mind that we are dealing with cases of inadequate general protection, the preferred solution would be for the contract to provide that the recipient of the transfer has no autonomous decision-making power in respect of the transferred data, or the way in which they are subsequently processed. The recipient is bound in this case to act solely under the instructions of the transferer, and while the data may have been physically transferred outside of the EU, decision-making control over the data remains with the entity who made the transfer based in the Community. The transferer thus remains the data controller, while the recipient is simply a sub-contracted processor. In these circumstances, because control over the data is exercised by an entity established in an EU Member State, the law of the Member State in question will continue to apply to the processing carried out in the third country,[11] and furthermore the data controller will continue to be liable under that Member State law for any damage caused as a result of an unlawful processing operation.[12]

This type of arrangement is not dissimilar to that set out in the "Inter-territorial Agreement" which resolved the Citibank 'Bahncard' case mentioned earlier. Here the contractual agreement set out in detail the data processing arrangements, particularly those relating to data security, and excluded all other uses of data by the recipient of the transfer. It applied German law to data processing carried out in the third country and thus guaranteed a legal remedy to data subjects.[13]

There will of course be cases where this kind of solution cannot be used. The recipient of the transfer may not be simply providing a data processing service to the EU-based controller. Indeed the recipient may, for example, have rented or bought the data to use them for his own benefit and for his own purposes. In these

[11] By virtue of Article 4(1)(a) of directive 95/46/EC.
...
Health / ill
Searching for indicator ill:

exemption for contracts "in the interest of the data subject" (Article 26(1)(c)) specifically covers the transfer of data about the beneficiaries of bank payments, who, although data subjects, may often not be party to a contract with the transferring controller.
...
Health / injured
Searching for indicator injured:
p.000006: To provide a basis for the assessment of the adequacy of the protection provided, it is necessary to identify the
p.000006: underlying objectives of a data protection procedural system, and on this basis to judge the variety of different
p.000006: judicial and non-judicial procedural mechanisms used in third countries.
p.000006:
p.000006: The objectives of a data protection system are essentially threefold:
p.000006:
p.000006: 1) to deliver a good level of compliance with the rules. (No system can guarantee 100% compliance, but
p.000006: some are better than others.) A good system is generally characterised by a high degree of
p.000006: awareness among data controllers of their obligations, and among data subjects of their rights and the means
p.000006: of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring respect for
p.000006: rules, as of course can systems of direct verification by authorities, auditors, or independent data protection
p.000006: officials.
p.000006:
p.000006: 2) to provide support and help to individual data subjects in the exercise of their rights. The individual must be
p.000006: able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort
p.000006: of institutional mechanism allowing independent investigation of complaints.
p.000006:
p.000006: 3) to provide appropriate redress to the injured party where rules are not complied with. This is a key element
p.000006: which must involve a system of independent adjudication or arbitration which allows compensation to be paid and
p.000006: sanctions imposed where appropriate.
p.000006:
p.000006: [4] Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union
p.000006: membership, data concerning health or sex life, and data relating to offences, criminal convictions or security
p.000006: measures.
p.000006:
...
p.000016: similar to the directive, other mechanisms which clarify the way data protection rules apply in practice
p.000016: (codes of conduct, notification, the advisory function of the supervisory authority) are likely to be in
p.000016: place. In a contractual situation this is not so. Detail is therefore imperative where the transfer is based on a
p.000016: contract.
p.000016:
p.000016: [10] Further transfers of the personal data from the recipient to another third party should not be permitted, unless a
p.000016: means is found of contractually binding the third party in question providing the same data protection guarantees to
p.000016: the data subjects.
p.000016:
p.000017:
p.000017: (ii) Rendering the substantive rules effective
p.000017:
p.000017: Chapter One sets out three criteria by which the effectiveness of a data protection system should be
p.000017: judged. These criteria are the ability of the system to:
p.000017: - deliver a good level of compliance with the rules
p.000017: - provide support and help to individual data subjects in the exercise of their rights
p.000017: - and, as a key element, provide appropriate redress to the injured party where rules are not complied with.
p.000017:
p.000017: The same criteria must apply in judging the effectiveness of a contractual solution. Clearly this is a
p.000017: major though not impossible challenge. It is a question of finding means which can make up for the absence
p.000017: of oversight and enforcement mechanisms, and which can offer help, support and ultimately redress to the data subject
p.000017: who may not be a party to the contract.
p.000017:
p.000017: Each of these questions must be examined in detail. For ease of analysis, they are taken in reverse
p.000017: order.
p.000017:
p.000017:
p.000017: Providing redress to a data subject
p.000017:
p.000017: Providing a legal remedy to a data subject (i.e. a right to have a complaint adjudicated by an independent arbiter and
p.000017: to receive compensation where appropriate) by way of a contract between the 'transferer' of the data and the
p.000017: 'recipient' is not a simple question. Much will depend on the nature of the contract law chosen as the
p.000017: national law applicable to the contract. It is expected that the applicable law will generally be that of the Member
p.000017: State in which the transferer is established. The contract law of some Member States permits the creation of
p.000017: third party rights, whereas in other Member States this is not possible.
p.000017:
p.000017: As a general rule the more the recipient is limited in terms of his freedom to choose the purposes, means and
p.000017: conditions under which he processes the transferred data, the greater will be the legal security for the
...
Social / Access to Social Goods
Searching for indicator access:
p.000005:
p.000005: (i) Content Principles
p.000005:
p.000005: The basic principles to be included are the following:
p.000005:
p.000005: 1) the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further
p.000005: communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions
p.000005: to this rule would be those necessary in a democratic society on one of the grounds listed in Article
p.000005: 13 of the directive.[2]
p.000005:
p.000005: 2) the data quality and proportionality principle - data should be accurate and, where necessary, kept
p.000005: up to date. The data should be adequate, relevant and not excessive in relation to the purposes for
p.000005: which they are transferred or further processed.
p.000005:
p.000005: 3) the transparency principle - individuals should be provided with information as to the purpose of the
p.000005: processing and the identity of the data controller in the third country, and other information insofar as
p.000005: this is necessary to ensure fairness. The only exemptions permitted should be in line with Articles 11(2)[3] and 13 of
p.000005: the directive.
p.000005:
p.000005: 4) the security principle - technical and organisational security measures should be taken by the data
p.000005: controller that are appropriate to the risks presented by the processing. Any person acting under the
p.000005: authority of the data controller, including a processor, must not process data except on instructions from the
p.000005: controller.
p.000005:
p.000005: 5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all
p.000005: data relating to him/her that are processed, and a right to rectification of those data where they are shown to be
p.000005: inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to
p.000005: him/her. The only exemptions to these rights should be in line with Article 13 of the directive.
p.000005:
p.000005: 6) restrictions on onward transfers - further transfers of the personal data by the recipient of the
p.000005: original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward
p.000005: transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted
p.000005: should be in line with Article 26(1) of the directive (These exemptions are examined in Chapter Five.)
p.000005:
p.000005: Examples of additional principles to be applied to specific types of processing are:
p.000005:
p.000005: [2] Article 13 permits a restriction to the 'purpose principle' if such a restriction constitutes a necessary measure to
p.000005: safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of
p.000005: criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest,
p.000005: or the protection of the data subject or the rights and freedoms of others.
p.000005: [3] Article 11(2) stipulates that when data are collected from someone other than the data subject, information need not
...
p.000015: essential elements of protection which are missing in any given particular situation.
p.000015:
p.000015: [9] The exercise of an individual's data protection rights is facilitated within the Community by the general legal
p.000015: framework, for example the Strasbourg Agreement (1977) on the transmission of applications for legal aid.
p.000015:
p.000016:
p.000016: 4. The specific requirements of a contractual solution
p.000016:
p.000016: The starting point for assessing the meaning of 'adequate safeguards', as used in Article 26(2), is the notion of
p.000016: 'adequate protection' already developed at some length in Chapter One. This consists of a series of basic data
p.000016: protection principles together with certain conditions necessary to ensure their effectiveness.
p.000016:
p.000016: (i) The substantive data protection rules
p.000016:
p.000016: The first requirement of the contractual solution is, therefore, that it must result in an obligation on the parties
p.000016: to the transfer to ensure that the full set of basic data protection principles set out in Chapter
p.000016: One apply to the processing of the data transferred to the third country. These basic principles are:
p.000016:
p.000016: - the purpose limitation principle
p.000016: - the data quality and proportionality principle
p.000016: - the transparency principle
p.000016: - the security principle
p.000016: - the rights of access, rectification and opposition
p.000016: - restrictions on onward transfers to non-parties to the contract[10]
p.000016:
p.000016: Furthermore in some situations additional principles relating to sensitive data, direct marketing and automated
p.000016: decisions must be applied.
p.000016:
p.000016: The contract should set out the detailed way in which the recipient of the data transfer should apply these principles
p.000016: (i.e. purposes should be specified, data categories, time limits for retention, security measures, etc.). In
p.000016: other situations, for example where protection in a third country is provided by a general data protection law
p.000016: similar to the directive, other mechanisms which clarify the way data protection rules apply in practice
p.000016: (codes of conduct, notification, the advisory function of the supervisory authority) are likely to be in
p.000016: place. In a contractual situation this is not so. Detail is therefore imperative where the transfer is based on a
p.000016: contract.
p.000016:
p.000016: [10] Further transfers of the personal data from the recipient to another third party should not be permitted, unless a
...
p.000019: institutional mechanism allowing for independent investigation of complaints.
p.000019:
p.000019: The monitoring and investigative function of a Member State supervisory authority is limited to data processing carried
p.000019: out on the territory of the Member State.[15] Where data are transferred to another Member State, a system of mutual
p.000019: assistance between supervisory authorities will ensure that any complaint from a data subject in the first Member
p.000019: State will be properly investigated. Where the transfer is to a third country, there will in most cases be no such
p.000019: guarantee. The question, therefore, is what kind of compensatory mechanisms can be envisaged in the context of a data
p.000019: transfer based on a contract.
p.000019:
p.000019: One possibility would be simply to require a contractual term which grants the supervisory authority of the
p.000019: Member State in which the transferer of the data is established a right to inspect the processing carried out by the
p.000019: processor in the third country. This inspection could, in practice, be carried out by an agent (for example a
p.000019: specialist firm of auditors) nominated by the supervisory authority, if this was felt to be appropriate. A difficulty
p.000019: with this approach, however, is that the supervisory authority is not generally[16] a party to the contract,
p.000019: and thus in some jurisdictions may have no means of invoking it to gain access. Another possibility could be a legal
p.000019: undertaking provided by the recipient in the third country directly to the EU Member State supervisory
p.000019: authority involved, in which the recipient of the data agrees to allow access by the supervisory
p.000019: authority or a nominated agent in the event that non-compliance with data protection principles is suspected. This
p.000019: undertaking could also require that the parties to the data transfer inform the supervisory authority of any complaint
p.000019: that they receive from a data subject. Under such an arrangement the existence of such an undertaking would be a
p.000019: condition to be fulfilled before the transfer of data could be permitted to take place.
p.000019:
p.000019: [14] Even if a data subject is granted rights under a contract, he/she will often not be able to judge whether the
p.000019: contract has been breached, and if so by whom. An investigative procedure outside of formal civil court proceedings is
p.000019: therefore necessary.
p.000019: [15] See Article 28(1) of directive 95/46/EC
p.000019: [16] The French delegation could envisage situations where the supervisory authority was a party to the contract.
p.000019:
p.000020:
p.000020: Whatever the solution chosen, there remain significant doubts as to whether it is proper, practical, or
p.000020: indeed feasible from a resource point of view, for a supervisory authority of an EU Member State to take
p.000020: responsibility for investigation and inspection of data processing taking place in a third country.
p.000020:
p.000020:
p.000020: Delivering a good level of compliance
p.000020:
p.000020: Even in the absence of a particular complaint or difficulty faced by a data subject, there is a need for confidence
...
p.000022: contract, unless it is possible to bind such third parties contractually to respect the same data protection
p.000022: principles.
p.000022: • Confidence that data protection principles are respected after data are transferred would be boosted if data
p.000022: protection compliance by the recipient of the transfer were subject to external verification by, for example, a
p.000022: specialist auditing firm or standards/certification body.
p.000022: • In the event of a problem experienced by a data subject, resulting perhaps from a breach of the data
p.000022: protection provisions guaranteed in the contract, there is a general problem of ensuring that a data subject
p.000022: complaint is properly investigated. EU Member State supervisory authorities will have practical
p.000022: difficulties in carrying out such an investigation.
p.000022: • Contractual solutions are probably best suited to large international networks (credit cards, airline
p.000022: reservations) characterised by large quantities of repetitive data transfers of a similar nature, and by
p.000022: a relatively small number of large operators in industries already subject to significant public scrutiny and
p.000022: regulation. Intra-company data transfers between different branches of the same company group are another
p.000022: area in which there is considerable potential for the use of contracts.
p.000022: • Countries where the powers of state authorities to access information go beyond those permitted by internationally
p.000022: accepted standards of human rights protection will not be safe destinations for transfers based on contractual clauses.
p.000023:
p.000023: CHAPTER FIVE: EXEMPTIONS FROM THE ADEQUACY REQUIREMENT
p.000023:
p.000023: Article 26(1) of the directive sets out a limited number of situations in which an exemption from the
p.000023: 'adequacy' requirement for third country transfers may apply. These exemptions, which are tightly drawn, for the
p.000023: most part concern cases where the risks to the data subject are relatively small or where other interests (public
p.000023: interests or those of the data subject himself) override the data subject's right to privacy. As
p.000023: exemptions from a general principle, they must be interpreted restrictively. Furthermore, Member
p.000023: States may provide in domestic law for the exemptions not to apply in particular cases. This might be the
p.000023: case, for example, where it is necessary to protect particularly vulnerable groups of individuals, such as workers or
p.000023: patients.
p.000023:
p.000023: The first of these exemptions covers cases where the data subject gives his/her consent unambiguously to the proposed
p.000023: transfer. An important point to bear in mind is that the consent, following the definition in Article 2(h)
p.000023: of the directive, must be freely given, specific and informed. The requirement for information is particularly
...
p.000031: agency in Country A and of any new purposes for which data are to be processed. The precise way in which this is done
p.000031: should be comparable with that set out in Article 11 of the directive.
p.000031: In this case the federal law has no specific provisions on transparency which impact directly on the
p.000031: credit reporting agency. The credit grantor in Country A is, however, required to inform the individual that a credit
p.000031: report will be requested from the Credit Reporting Agency, although the name and address of the agency need not be
p.000031: given.
p.000031: The individual therefore has no legal guarantee of being informed about the fact that the specific Credit
p.000031: Reporting Agency concerned is processing data about him. However, given that the agency has no
p.000031: direct contact with the individual, for the agency to be under an obligation to contact the individual
p.000031: specifically to inform him/her would appear to represent a “disproportionate effort” in the sense of Article 11 of the
p.000031: directive. The level of protection regarding transparency would therefore appear to be sufficient.
p.000031:
p.000031: The quality and proportionality principle includes several different elements. There is no restriction on the
p.000031: collection and processing of unnecessary data in the federal law. As to duration of storage, there are rules
p.000031: that prevent the dissemination of obsolete information (bankruptcy judgements more than 10 years old), which
p.000031: effectively lead to the erasure of this information. There is no general legal requirement to keep data
p.000031: accurate, although when an individual who has applied for access to his credit report disputes some of the information,
p.000031: data which can’t be verified must be deleted.
p.000031: Once again protection does not seem entirely adequate, and the company’s privacy policy goes no further than
p.000031: the federal law.
p.000031:
p.000031: The security principle is reflected in the federal law by a requirement to take reasonable measures to
p.000031: prevent unlawful disclosure. The privacy policy of the company makes it clear that stringent controls are in place to
p.000031: prevent unauthorised access to and manipulation of credit information. These controls take the form of both
p.000031: technical devices (passwords etc.) and instructions to employees which if broken can result in
p.000031: disciplinary proceedings. This would seem to ensure an adequate level of security.
p.000031:
p.000031: The rights of access and rectification are included in the federal law and are comparable to those
p.000031: found in the directive. Where an individual has been refused credit the access to the credit report is free
p.000031: of charge. There is, however, no right of opposition, although an individual can complain to a specialist federal
p.000031: agency or go to court (see below) where his legal rights under the federal law have been violated.
p.000032:
p.000032: Sensitive data about the individual’s health form part of the data transferred. The federal law does
p.000032: include stricter provisions for the processing of information relating to criminal records, sex, race, ethnic
p.000032: origin, age and marital status, but not for health information. However, in its privacy policy the
p.000032: credit reporting agency states that health data will not be used for credit assessment purposes, but only for
p.000032: employment or insurance checks. In these two situations the use of such data will be authorised by the individual on an
p.000032: employment application or insurance form.
p.000032: There would therefore appear to be substantively reinforced protection for the health data involved in this example,
p.000032: even though this protection is not provided by statute.
p.000032:
p.000032: Use of the data for direct marketing purposes by the credit reporting agency (and the disclosure of the data to
p.000032: others for such purposes) is an issue here. There is no real statutory impediment to such use and no legal
...
p.000033: policy, no such redress is possible.
p.000034:
p.000034: The Verdict
p.000034:
p.000034: 1) Certain of the data protection principles set down as ‘core principles’ in the discussion paper can be
p.000034: found in some form in the federal law applicable to the credit file. Certain others are found in the privacy policy.
p.000034: Even taken together, though, the complete set of ‘core principles’ cannot be said to be present, and some of those that
p.000034: are present (e.g. the purpose limitation principle) are in a fairly weak form.
p.000034: 2) There is a more general problem of whether the privacy policy of the company is in any case a sufficiently effective
p.000034: mechanism to be taken into account at all. Unless the policy is underpinned and made more enforceable by way of
p.000034: powers of external control given to an industry association or public body, its provisions are largely unenforceable
p.000034: and can therefore be left to one side.
p.000034: 3) Although the public body established to enforce the federal law does not have quite the same powers as the
p.000034: typical European data protection authority, the law nevertheless provides a certain legal security,
p.000034: particularly in the context of a judicial system that functions well and the “litigation culture” found in
p.000034: Country A. The law contains clear provisions on perhaps the most important data protection principle of all
p.000034: - the right of access and rectification, and some limitations on the purpose for which data can be used.
p.000034:
p.000034: Conclusion
p.000034: Protection is inadequate because the law covers too few of the “core principles” and the privacy policy, standing
p.000034: alone, is not an effective means of providing protection. An adequate verdict could result either if the law
p.000034: were developed to include principles such as transparency and protection for health data, or if the privacy
p.000034: policy were rendered more effective by one of the methods suggested above (i.e. making
p.000034: compliance a condition for membership of an industry association, or giving a public agency powers to prosecute the
p.000034: company for misleading and deceptive practices if it failed to comply with its own policy).
p.000034:
p.000034:
p.000034: STEP TWO : SEARCHING FOR A SOLUTION
p.000034:
p.000034: Of the possible exemptions set out in Article 26(1), only (a), the consent of the data subject, would appear to
p.000034: be appropriate. The exemption in (b), which deals with transfers necessary for contractual reasons, is
p.000034: not applicable because the transferring party, the UK-based credit reference agency, has no contractual
p.000034: relationship with the data subject. It is also difficult to make an argument that the transfer is necessary on the
p.000034: basis of a contract “in the interests of the data subject” as required by exemption (c).
p.000034:
...
Social / Age
Searching for indicator age:
p.000032: Use of the data for direct marketing purposes by the credit reporting agency (and the disclosure of the data to
p.000032: others for such purposes) is an issue here. There is no real statutory impediment to such use and no legal
p.000032: requirement to offer an opt-out. This is clearly inadequate particularly as in this case not only will the
p.000032: data be used by the agency (to carry out host mailings for credit granting financial institutions) but
p.000032: also disclosed to third parties for the marketing of both related financial services products and unrelated products
p.000032: such as lawn-mowers and holidays.
p.000032:
p.000032: It would appear that the purpose of the transfer may be to enable an automated decision to be made about
p.000032: whether the data subject should be granted credit. The data subject should therefore benefit from additional
p.000032: safeguards in this regard. Although the federal law includes provisions permitting the individual to dispute
p.000032: information held on a credit report and attach explanations to the report if necessary, there are no
...
Social / Ethnicity
Searching for indicator ethnic:
p.000007: CHAPTER TWO: APPLYING THE APPROACH TO COUNTRIES THAT HAVE RATIFIED COUNCIL OF EUROPE CONVENTION 108
p.000007:
p.000007: Convention 108 is the only existing international instrument with binding force in the data protection field apart
p.000007: from the directive. Most of the parties to the Convention are also Member States of the European Union (all
p.000007: 15 have now ratified it) or countries, such as Norway and Iceland, which may in any case be bound by
p.000007: the directive by virtue of the European Economic Area agreement. However, Slovenia, Hungary and Switzerland
p.000007: have also ratified the Convention, and other third countries are likely to do so in the future, particularly given that
p.000007: the Convention is also open to non Council of Europe countries. It is therefore of more than purely academic interest
p.000007: to examine whether countries that have ratified the Convention can be considered to afford an adequate level
p.000007: of protection in the sense of Article 25 of the directive.
p.000007:
p.000007: As a starting point it is useful to examine the text of the Convention itself in the light of the theoretical outline
...
p.000031:
p.000031: The security principle is reflected in the federal law by a requirement to take reasonable measures to
p.000031: prevent unlawful disclosure. The privacy policy of the company makes it clear that stringent controls are in place to
p.000031: prevent unauthorised access to and manipulation of credit information. These controls take the form of both
p.000031: technical devices (passwords etc.) and instructions to employees which if broken can result in
p.000031: disciplinary proceedings. This would seem to ensure an adequate level of security.
p.000031:
p.000031: The rights of access and rectification are included in the federal law and are comparable to those
p.000031: found in the directive. Where an individual has been refused credit the access to the credit report is free
p.000031: of charge. There is, however, no right of opposition although an individual can complain to a specialist federal
p.000031: agency or go to court (see below) where his legal rights under the federal law have been violated.
p.000031:
p.000032: 32
p.000032:
p.000032: Sensitive data about the individual’s health form part of the data transferred. The federal law does
p.000032: include stricter provisions for the processing of information relating to criminal records, sex, race, ethnic
p.000032: origin, age and marital status, but not for health information. However, in its privacy policy the
p.000032: credit reporting agency states that health data will not be used for credit assessment purposes, but only for
p.000032: employment or insurance checks. In these two situations the use of such data will be authorised by the individual on an
p.000032: employment application or insurance form.
p.000032: There would therefore appear to be substantively reinforced protection for the health data involved in this example,
p.000032: even though this protection is not provided by statute.
p.000032:
p.000032: Use of the data for direct marketing purposes by the credit reporting agency (and the disclosure of the data to
p.000032: others for such purposes) is an issue here. There is no real statutory impediment to such use and no legal
p.000032: requirement to offer an opt-out. This is clearly inadequate, particularly as in this case not only will the
p.000032: data be used by the agency (to carry out host mailings for credit granting financial institutions) but
p.000032: also disclosed to third parties for the marketing of both related financial services products and unrelated products
p.000032: such as lawn-mowers and holidays.
p.000032:
p.000032: It would appear that the purpose of the transfer may be to enable an automated decision to be made about
p.000032: whether the data subject should be granted credit. The data subject should therefore benefit from additional
p.000032: safeguards in this regard. Although the federal law includes provisions permitting the individual to dispute
...
Social / Linguistic Proficiency
Searching for indicator language:
p.000010:
p.000010: The starting point for the evaluation of any specific set of data protection rules (whether categorised as
p.000010: self-regulation or regulation) must be the general approach set down in Chapter One of this document. The
p.000010: cornerstone of this approach is an examination not only of the content of the instrument (it should contain a
p.000010: series of core principles) but also of its effectiveness in achieving:
p.000010: - a good level of general compliance,
p.000010: - support and help to individual data subjects,
p.000010: - and, crucially, appropriate redress (including compensation where
p.000010: appropriate).
p.000010:
p.000010: Evaluating the content of a self-regulatory instrument
p.000010:
p.000010: This is a relatively easy task. It is a question of ensuring that the necessary ‘content principles’ set out in
p.000010: Chapter One are present. This is an objective evaluation. It is a question of what the code contains, and not
p.000010: how it was developed. The fact that an industry or profession has itself played the major role in developing the
p.000010: content of the code is not in itself relevant, although clearly if the opinions of data subjects and
p.000010: consumer organisations have been taken into account during its development, it is more likely that the code
p.000010: will reflect more closely the core data protection principles which are required.
p.000010: The transparency of the code is a crucial element; in particular, the code should be drafted in plain
p.000010: language and offer concrete examples, which illustrate its provisions.
p.000010: Furthermore, the code should prohibit the disclosure of data to non-member companies who are not governed by the code,
p.000010: unless other adequate safeguards are provided.
p.000010:
p.000010: Evaluating the effectiveness of a self-regulatory instrument
p.000010:
p.000010: Assessing the effectiveness of a particular self-regulatory code or instrument is a more difficult exercise, which
p.000010: requires an understanding of the ways and means by which adherence to the code is ensured and problems
p.000010: of non-compliance dealt with. The three functional criteria for judging the effectiveness of protection must all
p.000010: be met if a self-regulatory code is to be considered as providing adequate protection.
p.000010:
p.000010: Good level of compliance
p.000010:
p.000010: An industry or professional code will typically be developed by a representative body of the industry or profession
p.000010: concerned, and it will then apply to members of that particular representative body. The level of
p.000010: compliance with the code is likely to depend on the degree of awareness of the code’s existence and of its
p.000010: content among members, on the steps taken to ensure transparency of the code to consumers in order to allow the
p.000010: market forces to make an effective contribution, on the existence of a
p.000010:
p.000010:
p.000011: 11
p.000011:
p.000011: system of external verification (such as a requirement for an audit of compliance at regular intervals)
p.000011: and, perhaps most crucially, on the nature and enforcement of the sanction in cases of non-compliance.
p.000011: Important questions are therefore:
...
Social / Marital Status
Searching for indicator single:
p.000022: used in relation to data flows to third countries it must do much more: it must provide additional
p.000022: safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an
p.000022: enforceable set of data protection rules providing an adequate level of protection.
p.000022: • The basis for assessing the adequacy of the safeguards delivered by a contractual solution is the same as the
p.000022: basis for assessing the general level of adequacy in a third country. A contractual solution must
p.000022: encompass all the basic data protection principles and provide means by which the principles can be enforced.
p.000022: • The contract should set out in detail the purposes, means and conditions under which the transferred
p.000022: data are to be processed, and the way in which the basic data protection principles are to be
p.000022: implemented. Greater legal security is provided by contracts which limit the ability of the recipient
p.000022: of the data to process the data autonomously on his own behalf. The contract should therefore be used, to the
p.000022: extent possible, as a means by which the entity transferring the data retains decision-making control over the
p.000022: processing carried out in the third country.
p.000022: • Where the recipient has some autonomy regarding the processing of the transferred data, the
p.000022: situation is not straightforward, and a single contract between the parties to the transfer may not
p.000022: always be a sufficient basis for the exercise of rights by individual data subjects. A mechanism may
p.000022: be needed through which the transferring party in the Community remains liable for any damage that may
p.000022: result from the processing carried out in the third country.
p.000022: • Onward transfers to bodies or organisations not bound by the contract should be specifically excluded by the
p.000022: contract, unless it is possible to bind such third parties contractually to respect the same data protection
p.000022: principles.
p.000022: • Confidence that data protection principles are respected after data are transferred would be boosted if data
p.000022: protection compliance by the recipient of the transfer were subject to external verification by, for example, a
p.000022: specialist auditing firm or standards/certification body.
p.000022: • In the event of a problem experienced by a data subject, resulting perhaps from a breach of the data
p.000022: protection provisions guaranteed in the contract, there is a general problem of ensuring that a data subject
p.000022: complaint is properly investigated. EU Member State supervisory authorities will have practical
p.000022: difficulties in carrying out such an investigation.
p.000022: • Contractual solutions are probably best suited to large international networks (credit cards, airline
...
p.000038: the resulting lists purport to include individuals fitting a particular socio-economic profile. These lists
p.000038: are then sold by the Dutch company to client companies not only in the Netherlands and the EU, but in a
p.000038: multitude of other third countries. The recipient client companies then use the lists (which include
p.000038: postal addresses, telephone numbers, and often e-mail addresses) to contact the individuals on the
p.000038: lists with a view to selling a bewildering array of different products and services. A large number of individuals
p.000038: included in the lists have complained to the Dutch data protection authority about the marketing approaches
p.000038: they have received.
p.000038:
p.000038: The relevant applicable rules
p.000038:
p.000038: Some of the client companies who buy in the mailing lists offered by the Dutch company are based in
p.000038: countries which have general data protection legislation in place which includes a right for individuals to
p.000038: opt-out of receiving such marketing approaches. Others are in countries without such laws, but are
p.000038: members of self-regulatory associations which have developed data protection codes. Others are subject
p.000038: to no data protection rules at all.
p.000038:
p.000038:
p.000038: Evaluation of the content of the applicable rules
p.000038:
p.000038: This single case would require the evaluation of a multitude of different laws and codes. If the
p.000038: Netherlands-based company is to maintain its approach of selling or renting its lists to companies based
p.000038: in any country of the world, then there are necessarily going to be situations where the level of protection is
p.000038: not adequate.
p.000038:
p.000038:
p.000038: STEP TWO : SEARCHING FOR A SOLUTION
p.000038:
p.000038: In this example, because the data are collected from public sources and without any direct contact with
p.000038: the data subject it would be very problematic for the Netherlands company to seek consent from each and every data
p.000038: subject to his/her inclusion on the mailing lists. In view of this it is unlikely that any of the exemptions in
p.000038: Article 26(1) will be useful.
p.000038:
p.000038: The Netherlands company has two possibilities, which could be used as alternatives or together. First would be to
p.000038: limit its trade in mailing lists to companies in jurisdictions which clearly appeared to ensure adequate
p.000038: protection by virtue of laws or effective self-regulatory instruments. In making this decision the company
p.000038: could be guided by any available “White list”.
p.000038:
p.000038: The second possibility would be to require contractual undertakings from all client companies (or at least
p.000038: those in “non-adequate” jurisdictions) regarding the protection
p.000038:
p.000038:
p.000039: 39
p.000039:
p.000039: of the data transferred. These contractual arrangements should follow the advice set out in Chapter Four of the
...
Social / Police Officer
Searching for indicator police:
p.000020:
p.000020:
p.000020: Delivering a good level of compliance
p.000020:
p.000020: Even in the absence of a particular complaint or difficulty faced by a data subject, there is a need for confidence
p.000020: that the parties to the contract are actually complying with its terms. The problem with the contractual
p.000020: solution is the difficulty in establishing sanctions for non-compliance which are sufficiently meaningful to have
p.000020: the dissuasive effect needed to provide this confidence. Even in cases where effective control over the data
p.000020: continues to be exercised from within the Community, the recipient of the transfer may not be subject to any
p.000020: direct penalty if he were to process data in breach of the contract. Instead the liability would rest with the
p.000020: Community-based transferer of the data, who would then need to recover any losses in a separate legal action against
p.000020: the recipient. Such indirect liability may not be sufficient to encourage the recipient to comply with every detail of
p.000020: the contract.
p.000020:
p.000020: This being the case it is probable that in most situations a contractual solution will need to be complemented by at
p.000020: least the possibility of some form of external verification of the recipient's processing activities, such as an audit
p.000020: carried out by a standards body, or specialist auditing firm.
p.000020:
p.000020:
p.000020: 5. The problem of overriding law
p.000020:
p.000020:
p.000020: A specific difficulty with the contractual approach is the possibility that the general law of the third country
p.000020: may include requirements for the recipient of a data transfer, in certain circumstances, to disclose personal
p.000020: data to the state (the police, the courts or the tax authorities, for example), and that such legal
p.000020: requirements might take precedence over any contract to which the processor was subject.17 For
p.000020: processors within the Community this possibility is evoked in Article 16 of the directive which requires
p.000020: processors to process data only on instructions from the controller unless required to do so by law.
p.000020: However, under the directive any such disclosures (which are by their nature for purposes incompatible with
p.000020: those for which the data were collected) must be limited to those necessary in democratic societies for
p.000020: one of the 'ordre public' reasons set out in Article 13(1) of the directive (see footnote 2 on page 4). Article 6
p.000020: of the Amsterdam Treaty also guarantees respect for the fundamental rights set out in the European
p.000020: Convention for the Protection of Human Rights and Fundamental Freedoms. In third countries similar limitations
p.000020: on the ability of the state to require the provision of personal data from companies and other organisations
p.000020: operational on their territory may not always be in place.
p.000020:
p.000020: 17 The extent of state powers to require the disclosure of information is also an issue when making more general
p.000020: assessments of the adequacy of protection in a third country.
p.000020:
p.000021: 21
p.000021:
p.000021: There is no easy way to overcome this difficulty. It is a point that simply demonstrates the limitations of the
p.000021: contractual approach. In some cases a contract is too frail an instrument to offer adequate data
...
Social / Property Ownership
Searching for indicator home:
p.000029: Article 26(2) ;
p.000029: - an assessment of the exemptions from the requirement for adequate protection as set out in Article 26(1).
p.000029:
p.000029: An understanding of the issues would not, however, be complete without an illustration of how
p.000029: this overall approach is likely to impact upon real transfers of personal data. In this annex,
p.000029: therefore, a number of realistic (though fictional) case studies of data transfers are examined in the
p.000029: way it is envisaged that such cases are likely to be examined once the national laws implementing the
p.000029: directive enter into force.
p.000029:
p.000029: Three different cases are set out. With each case the first step is to assess whether protection in the
p.000029: destination country is adequate by virtue of relevant laws or effective private sector self-regulation. If it is
p.000029: not then the second step is to search for a solution to the problem among the possibilities set out
p.000029: in Article 26, paragraphs 1 (exemptions) and 2 (contractual solutions). Only then, if no solution is
p.000029: appropriate, would the third step be to block the transfer.
p.000029:
p.000029:
p.000030: 30
p.000030:
p.000030: CASE (1) : A transfer of data regarding credit-worthiness
p.000030:
p.000030: A Community citizen wishes to buy a holiday home in Country A outside the EC and applies for credit to a financial
p.000030: institution in that country. The financial institution requests a credit report from a credit reporting agency.
p.000030: The agency has no file on the individual but arranges for the individual’s full credit history to be transferred from
p.000030: its ‘sister’ Credit Reference Agency in the UK. Country A is an advanced industrialised nation, with
p.000030: long-standing and stable democratic institutions. The judicial system is well-resourced and functions
p.000030: effectively. It has a federal constitutional structure.
p.000030:
p.000030: STEP ONE : ASSESSING THE ADEQUACY OF THE PROTECTION
p.000030:
p.000030:
p.000030: The relevant applicable rules
p.000030:
p.000030: The receiving data controller is subject to a federal law which sets down rules regarding personal
p.000030: information held for the assessment of credit risks. The data controller additionally claims to comply with
p.000030: its own published privacy policy. No state law is applicable and there is no industry-wide self-regulatory code.
p.000030:
p.000030:
p.000030: Evaluation of the content of the applicable rules
p.000030:
p.000030: First it should be noted that the communication made by the UK-based credit reference agency would, like any
p.000030: communication to a data controller elsewhere in the UK or another Member State, be subject to the
p.000030: normal requirements of UK law which implement all the articles of the directive other than articles 25
p.000030: and 26. This is important because it eliminates the need to examine the lawfulness of the
...
Searching for indicator property:
p.000023: the transferring controller.
p.000023:
p.000023:
p.000024: 24
p.000024:
p.000024: The fourth exemption has two strands. The first covers transfers necessary or legally required on important public
p.000024: interest grounds. This may cover certain limited transfers between public administrations, although care must be
p.000024: taken not to interpret this provision too widely. A simple public interest justification for a transfer
p.000024: does not suffice; it must be a question of important public interest. Recital 58 suggests that data transfers between
p.000024: tax or customs administrations or between services responsible for social security will generally be covered.
p.000024: Transfers between supervisory bodies in the financial services sector may also benefit from the exemption. The
p.000024: second strand concerns transfers taking place in the context of international litigation or legal
p.000024: proceedings, specifically transfers that are necessary for the establishment, exercise or defence of legal claims.
p.000024:
p.000024: The fifth exemption concerns transfers necessary in order to protect the vital interests of the data subject. An
p.000024: obvious example of such a transfer would be the urgent transfer of medical records to a third country where a
p.000024: tourist who had previously received medical treatment in the EU has suffered an accident or has become dangerously
p.000024: ill. It should be borne in mind, however, that recital 31 of the directive interprets 'vital interest'
p.000024: fairly narrowly as an interest "which is essential for the data subject's life". This would normally exclude, for
p.000024: example, financial, property or family interests.
p.000024:
p.000024: The sixth and final exemption concerns transfers made from registers intended by law for consultation by the
p.000024: public, provided that in the particular case the conditions for consultation are fulfilled. The intention of
p.000024: this exemption is that where a register in a Member State is available for public consultation or by persons
p.000024: demonstrating a legitimate interest, then the fact that the person who has the right to consult the
p.000024: register is actually situated in a third country, and that the act of consultation in fact involves a data transfer,
p.000024: should not prevent the information being transmitted to him. Recital 58 makes it clear that entire registers or entire
p.000024: categories of data from registers should not be permitted to be transferred under this exemption.
p.000024: Given these restrictions this exemption should not be considered to be a general exemption for the transfer of
p.000024: public register data. For example, it is clear that mass transfers of public register data for commercial
p.000024: purposes or the trawling of publicly available data for the purpose of profiling specific individuals would not benefit
p.000024: from the exemption.
p.000024:
p.000025: 25
p.000025:
p.000025: CHAPTER SIX: PROCEDURAL ISSUES
p.000025:
p.000025: Article 25 envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers
...
Social / Racial Minority
Searching for indicator race:
Searching for indicator racial:
p.000006: judicial and non-judicial procedural mechanisms used in third countries.
p.000006:
p.000006: The objectives of a data protection system are essentially threefold:
p.000006:
p.000006: 1) to deliver a good level of compliance with the rules. (No system can guarantee 100% compliance, but
p.000006: some are better than others). A good system is generally characterised by a high degree of
p.000006: awareness among data controllers of their obligations, and among data subjects of their rights and the means
p.000006: of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring respect for
p.000006: rules, as of course can systems of direct verification by authorities, auditors, or independent data protection
p.000006: officials.
p.000006:
p.000006: 2) to provide support and help to individual data subjects in the exercise of their rights. The individual must be
p.000006: able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort
p.000006: of institutional mechanism allowing independent investigation of complaints.
p.000006:
p.000006: 3) to provide appropriate redress to the injured party where rules are not complied with. This is a key element
p.000006: which must involve a system of independent adjudication or arbitration which allows compensation to be paid and
p.000006: sanctions imposed where appropriate.
p.000006:
Social / Religion
Searching for indicator religious:
Social / Threat of Stigma
Searching for indicator threat:
p.000026: confirmed in accordance with Article 25(6) would need to be widely promulgated in order to be useful. Where a country
p.000026: is not found to have adequate protection, on the other hand, this need not imply that the country is implicitly or
p.000026: explicitly ‘black-listed’. The public message would rather be that no general guidance regarding that particular
p.000026: country is yet available.
p.000026:
p.000026:
p.000026: (ii) Risk analysis of specific transfers
p.000026:
p.000026: Although the use of Article 25(6) as described above will be a valuable aid to the decision-making
p.000026: process in respect of large numbers of data transfers, there will nevertheless still be many cases where the
p.000026: third country in question is not the subject (in whole or in part) of a positive finding. How Member States deal with
p.000026: these cases may well vary according to the way Article 25 is transposed into national law (see footnote
p.000026: on the previous page). If a specific role is given to the supervisory authority either to authorise data transfers
p.000026: before they take place, or to carry out an ex post facto check, the sheer volume of transfers involved may mean that a
p.000026: system to prioritise the efforts of the supervisory authority will need to be envisaged. Such a system
p.000026: could take the form of an agreed set of criteria which enable a particular transfer or category of transfer to be
p.000026: considered as a priority on the grounds of posing a particular threat to individual privacy.
p.000026:
p.000026: The effect of such a system would not of course change the obligation on each Member State to ensure
p.000026: that only those transfers where the third country ensures an adequate level of protection are permitted to take
p.000026: place. It would constitute guidance regarding which cases of data transfer should be considered as ‘priority
p.000026: cases’ for examination or even investigation, and thereby allow the resources available to be
p.000027: directed towards those transfers which raise the greatest concerns in terms of the protection of data
p.000027: subjects.
p.000027:
p.000027: The Working Party considers that among those categories of transfer which pose particular risks to privacy
p.000027: and therefore merit particular attention are the following:
p.000027: - those transfers involving certain sensitive categories of data as defined by Article 8 of the directive;
p.000027: - transfers which carry the risk of financial loss (e.g. credit card payments over the Internet);
p.000027: - transfers carrying a risk to personal safety;
p.000027: - transfers made for the purposes of making a decision which significantly affects the individual (such as
p.000027: recruitment or promotion decisions, the granting of credit, etc.);
p.000027: - transfers which carry a risk of serious embarrassment or tarnishing of an individual’s reputation;
...
Social / Trade Union Membership
Searching for indicator union:
p.000006:
p.000006: 1) to deliver a good level of compliance with the rules. (No system can guarantee 100% compliance, but
p.000006: some are better than others). A good system is generally characterised by a high degree of
p.000006: awareness among data controllers of their obligations, and among data subjects of their rights and the means
p.000006: of exercising them. The existence of effective and dissuasive sanctions can play an important part in ensuring respect for
p.000006: rules, as of course can systems of direct verification by authorities, auditors, or independent data protection
p.000006: officials.
p.000006:
p.000006: 2) to provide support and help to individual data subjects in the exercise of their rights. The individual must be
p.000006: able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort
p.000006: of institutional mechanism allowing independent investigation of complaints.
p.000006:
p.000006: 3) to provide appropriate redress to the injured party where rules are not complied with. This is a key element
p.000006: which must involve a system of independent adjudication or arbitration which allows compensation to be paid and
p.000006: sanctions imposed where appropriate.
p.000006:
p.000006: 4 Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union
p.000006: membership, data concerning health or sex life, and data relating to offences, criminal convictions or security
p.000006: measures.
p.000007:
p.000007: CHAPTER TWO: APPLYING THE APPROACH TO COUNTRIES THAT HAVE RATIFIED COUNCIL OF EUROPE CONVENTION 108
p.000007:
p.000007: Convention 108 is the only existing international instrument with binding force in the data protection field apart
p.000007: from the directive. Most of the parties to the Convention are also Member States of the European Union (all
p.000007: 15 have now ratified it) or countries, such as Norway and Iceland, which may in any case be bound by
p.000007: the directive by virtue of the European Economic Area agreement. However, Slovenia, Hungary and Switzerland
p.000007: have also ratified the Convention, and other third countries are likely to do so in the future, particularly given that
p.000007: the Convention is also open to non-Council of Europe countries. It is therefore of more than purely academic interest
p.000007: to examine whether countries that have ratified the Convention can be considered to afford an adequate level
p.000007: of protection in the sense of Article 25 of the directive.
p.000007:
p.000007: As a starting point it is useful to examine the text of the Convention itself in the light of the theoretical outline
p.000007: of ‘adequate protection’ set out in Chapter One of this document.
p.000007:
p.000007: As regards the content of the basic principles, the Convention could be said to include the first five of the six
p.000007: ‘minimum conditions’. 5 The Convention also includes the requirement for appropriate safeguards for
p.000007: sensitive data which should be a requirement for adequacy whenever such data are involved.
p.000007:
p.000007: A missing element of the Convention in terms of the content of its substantive rules is the absence of restrictions
p.000007: on transfers to countries not party to it. This creates the risk that a Convention 108 country could be used as
...
Social / employees
Searching for indicator employees:
p.000031: specifically to inform him/her would appear to represent a “disproportionate effort” in the sense of Article 11 of the
p.000031: directive. The level of protection regarding transparency would therefore appear to be sufficient.
p.000031:
p.000031: The quality and proportionality principle includes several different elements. There is no restriction on the
p.000031: collection and processing of unnecessary data in the federal law. As to duration of storage, there are rules
p.000031: that prevent the dissemination of obsolete information (bankruptcy judgements more than 10 years old), which
p.000031: effectively lead to the erasure of this information. There is no general legal requirement to keep data
p.000031: accurate, although when an individual who has applied for access to his credit report disputes some of the information,
p.000031: data which can’t be verified must be deleted.
p.000031: Once again protection does not seem entirely adequate, and the company’s privacy policy goes no further than
p.000031: the federal law.
p.000031:
p.000031: The security principle is reflected in the federal law by a requirement to take reasonable measures to
p.000031: prevent unlawful disclosure. The privacy policy of the company makes it clear that stringent controls are in place to
p.000031: prevent unauthorised access to and manipulation of credit information. These controls take the form of both
p.000031: technical devices (passwords etc.) and instructions to employees which if broken can result in
p.000031: disciplinary proceedings. This would seem to ensure an adequate level of security.
p.000031:
p.000031: The rights of access and rectification are included in the federal law and are comparable to those
p.000031: found in the directive. Where an individual has been refused credit the access to the credit report is free
p.000031: of charge. There is, however no right of opposition although an individual can complain to a specialist federal
p.000031: agency or go to court (see below) where his legal rights under the federal law have been violated.
p.000031:
p.000032:
p.000032: Sensitive data about the individual’s health form part of the data transferred. The federal law does
p.000032: include stricter provisions for the processing of information relating to criminal records, sex, race, ethnic
p.000032: origin, age and marital status, but not for health information. However, in its privacy policy the
p.000032: credit reporting agency states that health data will not be used for credit assessment purposes, but only for
p.000032: employment or insurance checks. In these two situations the use of such data will be authorised by the individual on an
p.000032: employment application or insurance form.
...
p.000032: in other sectors within Country A not subject to the rules laid down in the federal law. There are no such
p.000032: provisions either in the federal law or the company privacy policy.
p.000032:
p.000032: Scope of the federal law and privacy policy
p.000032: One further check should be made to ensure that both the law and the privacy policy apply to data about all
p.000032: individuals, and not just data about residents or nationals of Country A. In this case, no such restrictions
p.000032: to the scope are present.
p.000032:
p.000032: Evaluating the effectiveness of the protection
p.000032:
p.000032: The federal law in question has the force of law and also establishes a public authority with some external
p.000032: supervisory powers. Individuals may also take private law suits under the legislation to enforce their
p.000032: rights. However, the public authority is not under a clear obligation to investigate all individual complaints,
p.000032: and, according to some commentators, has not always been particularly active in enforcing the law. Private
p.000032: law suits are an expensive and often time-consuming means for individuals to ensure
p.000033: redress, particularly where the individual data subject lives in a country other than the country where the legal
p.000033: proceedings are taking place.
p.000033:
p.000033: The company’s internal privacy policy contains no independent mechanism allowing an individual to enforce his/her
p.000033: rights, but it does contain some disciplinary sanctions for employees who violate the policy. Several employees
p.000033: have indeed already been disciplined regarding past violations.
p.000033:
p.000033: The combination of legislation and internal privacy code must be evaluated according to the ‘objectives’ that have been
p.000033: laid down for procedural mechanisms. In this case the key questions could include:
p.000033:
p.000033: Good level of general compliance
p.000033:
p.000033: The main encouragement for the company to comply with its own privacy policy is the risk of harmful publicity in the
p.000033: press if it is found not to deliver on its promises. In addition individuals within the company may be subject to
p.000033: disciplinary measures if they flout rules on security.
p.000033: However, these mechanisms do not in themselves seem sufficient to ensure that the privacy policy is
p.000033: complied with in practice.
p.000033: This conclusion might have been different if:
p.000033: (1) the company’s privacy policy had been mirrored in an industry-wide code of conduct established by the
p.000033: industry trade association, under which any company found to be in breach of the code would be immediately expelled
p.000033: from the association; or
p.000033: (2) a general principle of law allowed a company found to be in breach of its own published privacy
p.000033: code to be prosecuted by a public agency on the grounds of “unfair and deceptive” practices.
p.000033:
p.000033: As far as the federal law is concerned, compliance is encouraged by the possibility of private law suits in the case of
p.000033: non-compliance. The prospect of being taken to court would have some deterrent effect on the data controller. There
...
Social / philosophical differences/differences of opinion
Searching for indicator opinion:
p.000025: but not for others. An added difficulty occurs for countries which have federal constitutions
p.000025: such as the US, Canada and Australia, where differences often exist between the various states that make up
p.000025: the federation. As a result, it seems unlikely that, at present, many third countries could be considered to offer
p.000025: adequate protection across the board. The fewer countries for which positive findings could be made, the less useful
p.000025: the exercise would be, of course, in terms of providing greater certainty to
p.000025:
p.000025: 19 Member States may set down different administrative procedures to discharge their obligations under Article 25.
p.000025: These may include imposing a direct obligation on data controllers and/or developing systems of prior authorisation or
p.000025: ex post facto verification by the supervisory authority.
p.000026:
p.000026: data controllers. A further risk is that some third countries might come to see the absence of a finding
p.000026: that they provided adequate protection as politically provocative or at least discriminatory, in that the absence of a
p.000026: finding is as likely to be the result of their case not having been examined as of a judgement on their
p.000026: data protection system.
p.000026:
p.000026: Having weighed these different arguments carefully, it is nevertheless the opinion of the Working Party that
p.000026: initiating work to make a series of findings under Article 25(6) would be a useful step. Such a process should be seen
p.000026: as a continuing one, not one that would produce a definitive list, but rather a list that would be constantly added to
p.000026: and revised in the light of developments. A positive finding should not in principle be limited to
p.000026: countries having horizontal data protection laws, but should also cover specific sectors within countries
p.000026: where data protection is adequate, even though in other sectors the same country's protection may be less than
p.000026: adequate.
p.000026:
p.000026: It should be noted that the Article 29 group has no explicit role in making decisions about particular data transfers
p.000026: or in determinations of “adequacy” under Article 25(6). Both are subject to the comitology procedure laid down
p.000026: in Article 31. It should be recalled, however, that one of the specific duties of the Article 29 group is to give
p.000026: the Commission an opinion on the level of protection in third countries (see Article 30(i)b). It
p.000026: therefore falls well within the remit of the Article 29 group to examine the situation in particular third
p.000026: countries and come to a provisional view as to the adequacy of protection. Positive findings, once
p.000026: confirmed in accordance with Article 25(6) would need to be widely promulgated in order to be useful.
...
General/Other / Impaired Autonomy
Searching for indicator autonomy:
p.000022: data protection compliance between the data controller and a sub-contracted processor. When a contract is
p.000022: used in relation to data flows to third countries it must do much more: it must provide additional
p.000022: safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an
p.000022: enforceable set of data protection rules providing an adequate level of protection.
p.000022: • The basis for assessing the adequacy of the safeguards delivered by a contractual solution is the same as the
p.000022: basis for assessing the general level of adequacy in a third country. A contractual solution must
p.000022: encompass all the basic data protection principles and provide means by which the principles can be enforced.
p.000022: • The contract should set out in detail the purposes, means and conditions under which the transferred
p.000022: data are to be processed, and the way in which the basic data protection principles are to be
p.000022: implemented. Greater legal security is provided by contracts which limit the ability of the recipient
p.000022: of the data to process the data autonomously on his own behalf. The contract should therefore be used, to the
p.000022: extent possible, as a means by which the entity transferring the data retains decision-making control over the
p.000022: processing carried out in the third country.
p.000022: • Where the recipient has some autonomy regarding the processing of the transferred data, the
p.000022: situation is not straightforward, and a single contract between the parties to the transfer may not
p.000022: always be a sufficient basis for the exercise of rights by individual data subjects. A mechanism may
p.000022: be needed through which the transferring party in the Community remains liable for any damage that may
p.000022: result from the processing carried out in the third country.
p.000022: • Onward transfers to bodies or organisations not bound by the contract should be specifically excluded by the
p.000022: contract, unless it is possible to bind such third parties contractually to respect the same data protection
p.000022: principles.
p.000022: • Confidence that data protection principles are respected after data are transferred would be boosted if data
p.000022: protection compliance by the recipient of the transfer were subject to external verification by, for example, a
p.000022: specialist auditing firm or standards/certification body.
p.000022: • In the event of a problem experienced by a data subject, resulting perhaps from a breach of the data
p.000022: protection provisions guaranteed in the contract, there is a general problem of ensuring that a data subject
p.000022: complaint is properly investigated. EU Member State supervisory authorities will have practical
p.000022: difficulties in carrying out such an investigation.
...
General/Other / Relationship to Authority
Searching for indicator authority:
p.000004: consensus as to the content of data protection rules which stretches well beyond the fifteen states
p.000004: of the Community.
p.000004:
p.000004: However, data protection rules only contribute to the protection of individuals if they are followed in practice. It
p.000004: is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third
p.000004: country, but also the system in place to ensure the effectiveness of such rules. In Europe, the tendency historically
p.000004: has been for data protection rules to be embodied in law, which has provided the possibility for
p.000004: non-compliance to be sanctioned and for individuals to be given a right to redress. Furthermore such laws have
p.000004: generally included additional procedural mechanisms, such as the establishment of supervisory authorities with
p.000004: monitoring and complaint investigation functions. These procedural aspects are reflected in directive 95/46/EC, with
p.000004: its provisions on liabilities, sanctions, remedies, supervisory authorities and notification. Outside the
p.000004: Community it is less common to find such procedural means for ensuring compliance with data protection rules.
p.000004: Parties to Convention 108 are required to embody the principles of data protection in law, but there is
p.000004: no requirement for additional mechanisms such as a supervisory authority. The OECD guidelines carry only
p.000004: the requirement that they be ‘taken into account’ in domestic legislation and provide for no procedural means
p.000004: to ensure that the guidelines actually result in effective protection for individuals. The later UN
p.000004: guidelines, on the other hand, do include provisions on supervision and sanctions, which reflects a
p.000004: growing realisation worldwide of the need to see data protection rules properly enforced.
p.000004:
p.000004: Against this background it is clear that any meaningful analysis of adequate protection must comprise the two basic
p.000004: elements: the content of the rules applicable and the means for ensuring their effective application.
p.000004:
p.000004: Using directive 95/46/EC as a starting point, and bearing in mind the provisions of other international
p.000004: data protection texts, it should be possible to arrive at a ‘core’ of data protection ‘content’ principles
p.000004: and ‘procedural/enforcement’ requirements, compliance with which could be seen as a minimum requirement for
p.000004: protection to be considered adequate. Such a minimum list should not be set in stone. In some instances there will be
p.000004: a need to add to the list, while for others it may even be possible to reduce the list of requirements.
p.000004: The degree of risk that the transfer poses to the data subject will be an important factor in determining the
p.000004: precise requirements of a particular case. Despite this proviso, the compilation of a basic list of
p.000004: minimum conditions is a useful starting point for any analysis.
p.000005:
p.000005: (i) Content Principles
p.000005:
p.000005: The basic principles to be included are the following:
p.000005:
p.000005: 1) the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further
p.000005: communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions
p.000005: to this rule would be those necessary in a democratic society on one of the grounds listed in Article
p.000005: 13 of the directive.2
p.000005:
p.000005: 2) the data quality and proportionality principle - data should be accurate and, where necessary, kept
p.000005: up to date. The data should be adequate, relevant and not excessive in relation to the purposes for
p.000005: which they are transferred or further processed.
p.000005:
p.000005: 3) the transparency principle - individuals should be provided with information as to the purpose of the
p.000005: processing and the identity of the data controller in the third country, and other information insofar as
p.000005: this is necessary to ensure fairness. The only exemptions permitted should be in line with Articles 11(2) 3 and 13 of
p.000005: the directive.
p.000005:
p.000005: 4) the security principle - technical and organisational security measures should be taken by the data
p.000005: controller that are appropriate to the risks presented by the processing. Any person acting under the
p.000005: authority of the data controller, including a processor, must not process data except on instructions from the
p.000005: controller.
p.000005:
p.000005: 5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all
p.000005: data relating to him/her that are processed, and a right to rectification of those data where they are shown to be
p.000005: inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to
p.000005: him/her. The only exemptions to these rights should be in line with Article 13 of the directive.
p.000005:
p.000005: 6) restrictions on onward transfers - further transfers of the personal data by the recipient of the
p.000005: original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward
p.000005: transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted
p.000005: should be in line with Article 26(1) of the directive (These exemptions are examined in Chapter Five.)
p.000005:
p.000005: Examples of additional principles to be applied to specific types of processing are:
p.000005:
p.000005: 2 Article 13 permits a restriction to the 'purpose principle' if such a restriction constitutes a necessary measure to
p.000005: safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of
p.000005: criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest,
p.000005: or the protection of the data subject or the rights and freedoms of others.
p.000005: 3 Article 11(2) stipulates that when data are collected from someone other than the data subject, information need not
p.000005: be provided to the data subject if this proves impossible, involves a disproportionate effort, or if the recording or
p.000005: disclosure of the data is expressly required by law.
p.000006:
p.000006: 1) sensitive data - where ‘sensitive’ categories of data are involved (those listed in article 8 of the
p.000006: directive4), additional safeguards should be in place, such as a requirement that the data subject gives
p.000006: his/her explicit consent for the processing.
p.000006:
p.000006: 2) direct marketing - where data are transferred for the purposes of direct marketing, the data subject should be
p.000006: able to ‘opt-out’ from having his/her data used for such purposes at any stage.
p.000006:
p.000006: 3) automated individual decision - where the purpose of the transfer is the taking of an automated decision in the
p.000006: sense of Article 15 of the directive, the individual should have the right to know the logic involved in this decision,
p.000006: and other measures should be taken to safeguard the individual’s legitimate interest.
p.000006:
p.000006: (ii) Procedural/ Enforcement Mechanisms
p.000006:
p.000006: In Europe there is broad agreement that data protection principles should be embodied in law. There is also broad
p.000006: agreement that a system of ‘external supervision’ in the form of an independent authority is a necessary feature
p.000006: of a data protection compliance system. Elsewhere in the world, however, these features are not always present.
p.000006: To provide a basis for the assessment of the adequacy of the protection provided, it is necessary to identify the
p.000006: underlying objectives of a data protection procedural system, and on this basis to judge the variety of different
p.000006: judicial and non-judicial procedural mechanisms used in third countries.
p.000006:
p.000006: The objectives of a data protection system are essentially threefold:
p.000006:
p.000006: 1) to deliver a good level of compliance with the rules. (No system can guarantee 100% compliance, but
p.000006: some are better than others). A good system is generally characterised by a high degree of
p.000006: awareness among data controllers of their obligations, and among data subjects of their rights and the means
p.000006: of exercising them. The existence of effective and dissuasive sanctions can play an important part in ensuring respect for
p.000006: rules, as of course can systems of direct verification by authorities, auditors, or independent data protection
p.000006: officials.
p.000006:
p.000006: 2) to provide support and help to individual data subjects in the exercise of their rights. The individual must be
p.000006: able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort
p.000006: of institutional mechanism allowing independent investigation of complaints.
p.000006:
...
p.000007: and that appropriate sanctions and remedies for violations of these principles be established. This should be
p.000007: sufficient to ensure a reasonable level of compliance with the rules and appropriate redress to data
p.000007: subjects where the rules are not complied with (objectives (1) and (3) of a data protection compliance system).
p.000007: However, the Convention does not oblige contracting parties to establish institutional mechanisms allowing the
p.000007: independent investigation of complaints, although in practice ratifying countries have generally done so.
p.000007: This is a weakness in that without such institutional mechanisms appropriate support and help to individual data
p.000007: subjects in the exercise of their rights (objective (2)) may not be guaranteed.
p.000007:
p.000007: 5 There may be some doubts about the ‘transparency principle’. Article 8 (a) of the Convention may not equate to the
p.000007: active duty to provide information which is the essence of Articles 10 and 11 of the directive. Furthermore the
p.000007: Convention includes no specific 'opt-out' rights where data are used for direct marketing purposes nor any provisions
p.000007: on automated individual decisions (profiling).
p.000008:
p.000008: This brief analysis seems to indicate that most transfers of personal data to countries that have ratified
p.000008: Convention 108 could be presumed to be allowable under Article 25(1) of the directive provided that
p.000008: - the country in question also has appropriate mechanisms to ensure compliance, help individuals
p.000008: and provide redress (such as an independent supervisory authority with appropriate powers); and
p.000008: - the country in question is the final destination of the transfer and not an intermediary country through which
p.000008: the data are transiting, except
p.000008: where onward transfer is back into the EU or to another destination offering adequate protection. 6
p.000008:
p.000008: Of course this is a rather simplified and superficial examination of the Convention. Specific cases of
p.000008: data transfers to Convention countries may raise new problems not considered here.
p.000008:
p.000008: 6 Convention 108 is currently being re-examined, a process which may result in changes which address these and other
p.000008: difficulties.
p.000009:
p.000009: CHAPTER THREE: APPLYING THE APPROACH TO INDUSTRY SELF-REGULATION
p.000009:
p.000009: Introduction
p.000009:
p.000009: Article 25(2) of the data protection directive (95/46/EC) requires the level of protection
p.000009: afforded by a third country to be assessed in the light of all the circumstances
p.000009: surrounding a data transfer operation or set of such operations. Specific reference is made not only to
...
p.000011: - where a member has been shown to breach the code, what forms of disciplinary sanction are available
p.000011: to the representative body (expulsion or other) ?
p.000011: - is it possible for an individual or company to continue working in the particular profession or industry, even after
p.000011: expulsion from the representative body?
p.000011: - is compliance with the code enforceable in other ways, for example by way of the courts or a specialist tribunal?
p.000011: Professional codes of ethics have legal force in some countries. It might also be possible in some
p.000011: circumstances to use general laws relating to fair trading practice or even competition to enforce
p.000011: industry codes.
p.000011:
p.000011: When examining the types of sanction in place, it is important to distinguish between a “remedial” sanction which
p.000011: simply requires a data controller, in a case of non-compliance, to change its practices so as to bring them
p.000011: into line with the code, and a sanction which goes further by actually punishing the controller for its
p.000011: failure to comply. It is only this second category of “punitive” sanction which actually has an effect on the
p.000011: future behaviour of data controllers by providing some incentive to comply with the code on an ongoing basis.
p.000011:
p.000011: The absence of genuinely dissuasive and punitive sanctions is therefore a major weakness in a code.
p.000011: Without such sanctions it is difficult to see how a good level of overall compliance could be achieved, unless a
p.000011: rigorous system of external verification (such as a public or private authority competent to intervene in case of non
p.000011: compliance with the code, or a compulsory requirement for external audit at regular intervals) were put in
p.000011: place.
p.000011:
p.000011: Support and help to individual data subjects
p.000011:
p.000011: A key requirement of an adequate and effective data protection system is that an individual faced with a
p.000011: problem regarding his/her personal data is not left alone, but is given some institutional support allowing
p.000011: his/her difficulties to be addressed. This institutional support should ideally be impartial, independent
p.000011: and equipped with the necessary powers to investigate any complaint from a data subject. Relevant questions for
p.000011: self-regulation in this regard are:
p.000011:
p.000011:
p.000012: 12
p.000012:
p.000012: - is there a system in place allowing for investigation of complaints from individual data subjects?
p.000012: - how are data subjects made aware of this system and of the decisions taken in individual cases?
p.000012: - are there any costs involved for the data subject?
p.000012: - who carries out the investigation? Do they have the necessary powers?
p.000012: - who adjudicates on an alleged breach of the code? Are they independent and impartial?
p.000012:
p.000012: The impartiality of the arbiter or adjudicator in any alleged breach of a code is a key point. Clearly such a
p.000012: person or body must be independent in relation to the data controller. However, this in itself is not
p.000012: sufficient to ensure impartiality. Ideally the arbiter should also come from outside the profession or sector
p.000012: concerned, the reason being that fellow members of a profession or sector have a clear commonality of
...
p.000014: Memorandum’, study made jointly by the Council of Europe, the Commission of the European Communities and the
p.000014: International Chamber of Commerce, Strasbourg 2 November 1992
p.000014: 8 See the presentation of Alexander Dix of this case at the International Data Protection and Privacy Commissioners’
p.000014: Conference, September 1996, Ottawa.
p.000014:
p.000015: 15
p.000015:
p.000015: responsibility for complying with the substantive data protection principles. The second entity, the
p.000015: 'processor', is responsible only for data security. An entity is deemed to be a controller if it has the
p.000015: decision-making power over the purposes and means of the data processing, whereas the processor is simply the body that
p.000015: physically provides the data processing service. The relationship between the two is regulated by Article 17(3) of the
p.000015: directive, which stipulates that:
p.000015:
p.000015: the carrying out of processing by way of a processor must be governed by a contract or legal act binding the
p.000015: processor to the controller and stipulating in particular that:
p.000015: - the processor shall act only on instructions from the controller
p.000015: - the obligations set out in Paragraph 1 (the substantive provisions regarding data security), as defined
p.000015: by the law of the Member State in which the processor is established, shall also be incumbent on the
p.000015: processor.
p.000015:
p.000015: This elaborates on the general principle established under Article 16 that any person acting under the
p.000015: authority of the controller, including the processor himself, must not process personal data except on instructions
p.000015: from the controller (unless required to do so by law).
p.000015:
p.000015: Where personal data are transferred to third countries it will also normally be the case that more than one party will
p.000015: be involved. Here the relationship in question is between the entity transferring the data (the 'transferer') and the
p.000015: entity receiving the data in the third country (the 'recipient'). In this context one purpose of the contract should
p.000015: still be that of determining how the responsibility for data protection compliance is split between the two
p.000015: parties. However, the contract must do much more than this: it must provide additional safeguards for the data subject
p.000015: made necessary by the fact that the recipient in the third country is not subject to an enforceable set of
p.000015: data protection rules providing an adequate level of protection.
p.000015:
p.000015:
p.000015: 3. The objective of a contractual solution
p.000015:
p.000015:
p.000015: In the context of third country transfers, therefore, the contract is a means by which adequate safeguards can be
p.000015: provided by the data controller when transferring data outside of the Community (and thus outside the
p.000015: protection provided by the directive, and indeed by the general framework of Community law9) to a third country where
...
p.000016:
p.000016: The first requirement of the contractual solution is, therefore, that it must result in an obligation on the parties
p.000016: to the transfer to ensure that the full set of basic data protection principles set out in Chapter
p.000016: One apply to the processing of the data transferred to the third country. These basic principles are:
p.000016:
p.000016: - the purpose limitation principle
p.000016: - the data quality and proportionality principle
p.000016: - the transparency principle
p.000016: - the security principle
p.000016: - the rights of access, rectification and opposition
p.000016: - restrictions on onward transfers to non-parties to the contract10
p.000016:
p.000016: Furthermore in some situations additional principles relating to sensitive data, direct marketing and automated
p.000016: decisions must be applied.
p.000016:
p.000016: The contract should set out the detailed way in which the recipient of the data transfer should apply these principles
p.000016: (i.e. purposes should be specified, data categories, time limits for retention, security measures, etc.). In
p.000016: other situations, for example where protection in a third country is provided by a general data protection law
p.000016: similar to the directive, other mechanisms which clarify the way data protection rules apply in practice
p.000016: (codes of conduct, notification, the advisory function of the supervisory authority) are likely to be in
p.000016: place. In a contractual situation this is not so. Detail is therefore imperative where the transfer is based on a
p.000016: contract.
p.000016:
p.000016: 10 Further transfers of the personal data from the recipient to another third party should not be permitted, unless a
p.000016: means is found of contractually binding the third party in question providing the same data protection guarantees to
p.000016: the data subjects.
p.000016:
p.000017: 17
p.000017:
p.000017: (ii) Rendering the substantive rules effective
p.000017:
p.000017: Chapter One sets out three criteria by which the effectiveness of a data protection system should be
p.000017: judged. These criteria are the ability of the system to:
p.000017: - deliver a good level of compliance with the rules
p.000017: - provide support and help to individual data subjects in the exercise of their rights
p.000017: - and, as a key element, provide appropriate redress to the injured party where rules are not complied with.
p.000017:
p.000017: The same criteria must apply in judging the effectiveness of a contractual solution. Clearly this is a
p.000017: major though not impossible challenge. It is a question of finding means which can make up for the absence
...
p.000018: subject is made fully aware of the rights that he has.
p.000018:
p.000018:
p.000018: 12 See Article 23 of directive 95/46/EC.
p.000018: 13 Although because this case arose under a law which predated the directive, the law itself did not automatically
p.000018: apply to all processing controlled by a German-established controller. The legal remedy for the data subject was
p.000018: instead created by the ability of German contract law to create third party rights.
p.000018:
p.000019: 19
p.000019:
p.000019: Finally, as an alternative to a contract with the data subject, it could also be envisaged that a Member State lay
p.000019: down in law a continuing liability for data controllers transferring data outside the Community for damages
p.000019: incurred as a result of the actions of the recipient of the transfer.
p.000019:
p.000019:
p.000019: Providing support and help to data subjects
p.000019:
p.000019: One of the main difficulties facing data subjects whose data are transferred to a foreign jurisdiction is the problem
p.000019: of being unable to discover the root cause of the particular problem they are experiencing, and therefore being
p.000019: unable to judge whether data protection rules have been properly followed or whether there are grounds for a legal
p.000019: challenge.14 This is why an adequate level of protection requires the existence of some sort of
p.000019: institutional mechanism allowing for independent investigation of complaints.
p.000019:
p.000019: The monitoring and investigative function of a Member State supervisory authority is limited to data processing carried
p.000019: out on the territory of the Member State. 15 Where data are transferred to another Member State, a system of mutual
p.000019: assistance between supervisory authorities will ensure that any complaint from a data subject in the first Member
p.000019: State will be properly investigated. Where the transfer is to a third country, there will in most cases be no such
p.000019: guarantee. The question, therefore, is what kind of compensatory mechanisms can be envisaged in the context of a data
p.000019: transfer based on a contract.
p.000019:
p.000019: One possibility would be simply to require a contractual term which grants the supervisory authority of the
p.000019: Member State in which the transferer of the data is established a right to inspect the processing carried out by the
p.000019: processor in the third country. This inspection could, in practice, be carried out by an agent (for example a
p.000019: specialist firm of auditors) nominated by the supervisory authority, if this was felt to be appropriate. A difficulty
p.000019: with this approach, however, is that the supervisory authority is not generally16 a party to the contract,
p.000019: and thus in some jurisdictions may have no means of invoking it to gain access. Another possibility could be a legal
p.000019: undertaking provided by the recipient in the third country directly to the EU Member State supervisory
p.000019: authority involved, in which the recipient of the data agrees to allow access by the supervisory
p.000019: authority or a nominated agent in the event that non-compliance with data protection principles is suspected. This
p.000019: undertaking could also require that the parties to the data transfer inform the supervisory authority of any complaint
p.000019: that they receive from a data subject. Under such an arrangement the existence of such an undertaking would be a
p.000019: condition to be fulfilled before the transfer of data could be permitted to take place.
p.000019:
p.000019:
p.000019:
p.000019: 14 Even if a data subject is granted rights under a contract, he/she will often not be able to judge whether the
p.000019: contract has been breached, and if so by whom. An investigative procedure outside of formal civil court proceedings is
p.000019: therefore necessary.
p.000019: 15 See Article 28(1) of directive 95/46/EC
p.000019: 16 The French delegation could envisage situations where the supervisory authority was a party to the contract.
p.000019:
p.000020: 20
p.000020:
p.000020: Whatever the solution chosen there remain significant doubts as to whether it is proper, practical, or
p.000020: indeed feasible from a resource point of view, for a supervisory authority of an EU Member State to take
p.000020: responsibility for investigation and inspection of data processing taking place in a third country.
p.000020:
p.000020:
p.000020: Delivering a good level of compliance
p.000020:
p.000020: Even in the absence of a particular complaint or difficulty faced by a data subject, there is a need for confidence
p.000020: that the parties to the contract are actually complying with its terms. The problem with the contractual
p.000020: solution is the difficulty in establishing sanctions for non-compliance which are sufficiently meaningful to have
p.000020: the dissuasive effect needed to provide this confidence. Even in cases where effective control over the data
p.000020: continues to be exercised from within the Community, the recipient of the transfer may not be subject to any
p.000020: direct penalty if he were to process data in breach of the contract. Instead the liability would rest with the
p.000020: Community-based transferer of the data, who would then need to recover any losses in a separate legal action against
p.000020: the recipient. Such indirect liability may not be sufficient to encourage the recipient to comply with every detail of
p.000020: the contract.
p.000020:
p.000020: This being the case it is probable that in most situations a contractual solution will need to be complemented by at
p.000020: least the possibility of some form of external verification of the recipient's processing activities, such as an audit
p.000020: carried out by a standards body, or specialist auditing firm.
p.000020:
p.000020:
p.000020: 5. The problem of overriding law
p.000020:
p.000020:
p.000020: A specific difficulty with the contractual approach is the possibility that the general law of the third country
...
p.000024: Given these restrictions this exemption should not be considered to be a general exemption for the transfer of
p.000024: public register data. For example, it is clear that mass transfers of public register data for commercial
p.000024: purposes or the trawling of publicly available data for the purpose of profiling specific individuals would not benefit
p.000024: from the exemption.
p.000024:
p.000025: 25
p.000025:
p.000025: CHAPTER SIX: PROCEDURAL ISSUES
p.000025:
p.000025: Article 25 envisages a case by case approach whereby the assessment of adequacy is in relation to individual transfers
p.000025: or individual categories of transfers. Nevertheless it is clear that, given the huge number of transfers of personal
p.000025: data leaving the Community on a daily basis and the multitude of actors involved in such transfers, no
p.000025: Member State, whatever the system it chooses to implement Article 25 19, will be able to ensure that each and every
p.000025: case is examined in detail. This does not of course mean that no cases will be examined in detail, but rather that
p.000025: mechanisms will need to be developed which rationalise the decision-making process for large numbers of
p.000025: cases, allowing decisions, or at least provisional decisions, to be made without undue delay or excessive
p.000025: resource implications.
p.000025:
p.000025: Such rationalisation is needed irrespective of who is making the decision, whether it be the data controller, the
p.000025: supervisory authority, or some other body established by Member State procedure.
p.000025:
p.000025:
p.000025: (i) Use of Article 25(6) of the directive
p.000025:
p.000025: An obvious way of contributing to such rationalisation, foreseen in the directive itself, would be to
p.000025: determine that certain third countries ensure an adequate level of protection. Such findings would be
p.000025: ‘for guidance only’, and therefore without prejudice to cases which might present particular difficulties.
p.000025: Nevertheless, this would be a practical response to the problem.
p.000025: Such determinations would in particular provide a degree of certainty for economic operators regarding those
p.000025: countries which could be considered as generally ensuring an 'adequate' level of protection. They would also
p.000025: offer a clear and public incentive to those third countries still in the process of developing and improving
p.000025: their systems of protection. Moreover, a series of such determinations at Community level would contribute
p.000025: to the establishment of a coherent approach on this issue and prevent the development of a multiplicity of
p.000025: differing and perhaps conflicting 'white lists' issued by Member State governments or data protection authorities.
p.000025:
p.000025: This approach is not, however, without its difficulties. Principal among them is that many third
p.000025: countries do not have uniform protection in all economic sectors. For instance many countries have data
p.000025: protection law in the public sector but not in the private. Some countries, for example the United
p.000025: States, have specific laws for particular areas (credit reporting and video rental records in the case of the US),
p.000025: but not for others. An added difficulty occurs for countries which have federal constitutions
p.000025: such as the US, Canada and Australia, where differences often exist between the various states that make up
p.000025: the federation. As a result, it seems unlikely that, at present, many third countries could be considered to offer
p.000025: adequate protection across the board. The fewer countries for which positive findings could be made, the less useful
p.000025: the exercise would be, of course, in terms of providing greater certainty to
p.000025:
p.000025:
p.000025: 19 Member States may set down different administrative procedures to discharge their obligations under Article 25.
p.000025: These may include imposing a direct obligation on data controllers and/or developing systems of prior authorisation or
p.000025: ex post facto verification by the supervisory authority.
p.000025:
p.000026: 26
p.000026:
p.000026: data controllers. A further risk is that some third countries might come to see the absence of a finding
p.000026: that they provided adequate protection as politically provocative or at least discriminatory, in that the absence of a
p.000026: finding is as likely to be the result of their case not having been examined as of a judgement on their
p.000026: data protection system.
p.000026:
p.000026: Having weighed these different arguments carefully, it is nevertheless the opinion of the Working Party that
p.000026: initiating work to make a series of findings under Article 25(6) would be a useful step. Such a process should be seen
p.000026: as a continuing one, not one that would produce a definitive list, but rather a list that would be constantly added to
p.000026: and revised in the light of developments. A positive finding should not in principle be limited to
p.000026: countries having horizontal data protection laws, but should also cover specific sectors within countries
p.000026: where data protection is adequate, even though in other sectors the same country's protection may be less than
p.000026: adequate.
p.000026:
p.000026: It should be noted that the Article 29 group has no explicit role in making decisions about particular data transfers
p.000026: or in determinations of “adequacy” under Article 25(6). Both are subject to the comitology procedure laid down
p.000026: in Article 31. It should be recalled, however, that one of the specific duties of the Article 29 group is to give
p.000026: the Commission an opinion on the level of protection in third countries (see Article 30(i)b). It
p.000026: therefore falls well within the remit of the Article 29 group to examine the situation in particular third
p.000026: countries and come to a provisional view as to the adequacy of protection. Positive findings, once
p.000026: confirmed in accordance with Article 25(6) would need to be widely promulgated in order to be useful. Where a country
p.000026: is not found to have adequate protection, on the other hand, this need not imply that the country is implicitly or
p.000026: explicitly ‘black-listed’. The public message would rather be that no general guidance regarding that particular
p.000026: country is yet available.
p.000026:
p.000026:
p.000026: (ii) Risk analysis of specific transfers
p.000026:
p.000026: Although the use of Article 25(6) as described above will be a valuable aid to the decision-making
p.000026: process in respect of large numbers of data transfers, there will nevertheless still be many cases where the
p.000026: third country in question is not the subject (in whole or in part) of a positive finding. How Member States deal with
p.000026: these cases may well vary according to the way Article 25 is transposed into national law (see footnote
p.000026: on the previous page). If a specific role is given to the supervisory authority either to authorise data transfers
p.000026: before they take place, or to carry out an ex post facto check, the sheer volume of transfers involved may mean that a
p.000026: system to prioritise the efforts of the supervisory authority will need to be envisaged. Such a system
p.000026: could take the form of an agreed set of criteria which enable a particular transfer or category of transfer to be
p.000026: considered as a priority on the grounds of posing a particular threat to individual privacy.
p.000026:
p.000026: The effect of such a system would not of course change the obligation on each Member State to ensure
p.000026: that only those transfers where the third country ensures an adequate level of protection are permitted to take
p.000026: place. It would constitute guidance regarding which cases of data transfer should be considered as ‘priority
p.000026: cases’ for examination or even investigation, and thereby allow the resources available to be
p.000026:
p.000026:
p.000027: 27
p.000027:
p.000027: directed towards those transfers which raise the greatest concerns in terms of the protection of data
p.000027: subjects.
p.000027:
p.000027: The Working Party considers that among those categories of transfer which pose particular risks to privacy
p.000027: and therefore merit particular attention are the following:
p.000027: - those transfers involving certain sensitive categories of data as defined by Article 8 of the directive;
p.000027: - transfers which carry the risk of financial loss (e.g. credit card payments over the Internet);
p.000027: - transfers carrying a risk to personal safety;
...
p.000032: whether the data subject should be granted credit. The data subject should therefore benefit from additional
p.000032: safeguards in this regard. Although the federal law includes provisions permitting the individual to dispute
p.000032: information held on a credit report and attach explanations to the report if necessary, there are no
p.000032: provisions allowing a decision made on the basis of erroneous or incomplete information to be
p.000032: challenged, reviewed and, if the challenge is justified, changed. The mechanism allows a credit report to be altered
p.000032: so as to avoid future problems, but it does not necessarily address the problem of a credit decision already taken.
p.000032: This non-retroactive legal protection is not sufficient.
p.000032:
p.000032: Restrictions on onward transfers of the data to a further third country or to organisations
p.000032: in other sectors within Country A not subject to the rules laid down in the federal law. There are no such
p.000032: provisions either in the federal law or the company privacy policy.
p.000032:
p.000032: Scope of the federal law and privacy policy
p.000032: One further check should be made to ensure that both the law and the privacy policy apply to data about all
p.000032: individuals, and not just data about residents or nationals of Country A. In this case, no such restrictions
p.000032: to the scope are present.
p.000032:
p.000032:
p.000032: Evaluating the effectiveness of the protection
p.000032:
p.000032: The federal law in question has the force of law and also establishes a public authority with some external
p.000032: supervisory powers. Individuals may also take private law suits under the legislation to enforce their
p.000032: rights. However, the public authority is not under a clear obligation to investigate all individual complaints,
p.000032: and, according to some commentators, has not always been particularly active in enforcing the law. Private
p.000032: law suits are an expensive and often time-consuming means for individuals to ensure
p.000032:
p.000032:
p.000032:
p.000033: 33
p.000033:
p.000033: redress, particularly where the individual data subject lives in a country other than the country where the legal
p.000033: proceedings are taking place.
p.000033:
p.000033: The company’s internal privacy policy contains no independent mechanism allowing an individual to enforce his/her
p.000033: rights, but it does contain some disciplinary sanctions for employees who violate the policy. Several employees
p.000033: have indeed already been disciplined regarding past violations.
p.000033:
p.000033: The combination of legislation and internal privacy code must be evaluated according to the ‘objectives’ that have been
p.000033: laid down for procedural mechanisms. In this case the key questions could include:
p.000033:
p.000033: Good level of general compliance
p.000033:
p.000033: The main encouragement for the company to comply with its own privacy policy is the risk of harmful publicity in the
p.000033: press if it is found not to deliver on its promises. In addition individuals within the company may be subject to
p.000033: disciplinary measures if they flout rules on security.
p.000033: However, these mechanisms do not in themselves seem sufficient to ensure that the privacy policy is
p.000033: complied with in practice.
p.000033: This conclusion may have been different if:
p.000033: (1) the company’s privacy policy had been mirrored in an industry-wide code of conduct established by the
p.000033: industry trade association, under which any company found to be in breach of the code would be immediately expelled
p.000033: from the association; or
p.000033: (2) a general principle of law allowed a company found to be in breach of its own published privacy
p.000033: code to be prosecuted by a public agency on the grounds of “unfair and deceptive” practices.
p.000033:
p.000033: As far as the federal law is concerned, compliance is encouraged by the possibility of private law suits in the case of
p.000033: non-compliance. The prospect of being taken to court would have some deterrent effect on the data controller. There
p.000033: is, however, very little in the way of direct external verification of data processing procedures, as the public
p.000033: authority reacts only where a problem is drawn to its attention by a complainant or by the press, for example.
p.000033:
p.000033: Support and help to individual data subjects
p.000033: Clearly a public agency does exist and it does serve as a focal point for complaints from individuals
p.000033: about their credit reports. Complaint investigation carries no cost to the individual.
p.000033:
p.000033: Appropriate Redress
p.000033: For breaches of the fairly narrow legal obligations of the federal law, the individual can obtain redress from a court.
p.000033: This is, however, a relatively expensive process, and the individual often does not receive support from the
p.000033: public agency in these legal proceedings. The court can order the data controller to pay damages to the individual
p.000033: (where it finds that damage has been caused) and to amend its data processing procedures and the content
p.000033: of the credit file in question. For breaches of those data protection principles enshrined only in the privacy
p.000033: policy, no such redress is possible.
p.000033:
p.000033:
p.000033:
p.000034: 34
p.000034:
p.000034: The Verdict
p.000034:
p.000034: 1) Certain of the data protection principles set down as ‘core principles’ in the discussion paper can be
p.000034: found in some form in the federal law applicable to the credit file. Certain others are found in the privacy policy.
p.000034: Even taken together, though, the complete set of ‘core principles’ cannot be said to be present, and some of those that
p.000034: are present (e.g. the purpose limitation principle) are in a fairly weak form.
p.000034: 2) There is a more general problem of whether the privacy policy of the company is in any case a sufficiently effective
p.000034: mechanism to be taken into account at all. Unless the policy is underpinned and made more enforceable by way of
p.000034: powers of external control given to an industry association or public body, its provisions are largely unenforceable
p.000034: and can therefore be left to one side.
p.000034: 3) Although the public body established to enforce the federal law does not have quite the same powers as the
p.000034: typical European data protection authority, the law nevertheless provides a certain legal security,
p.000034: particularly in the context of a judicial system that functions well and the “litigation culture” found in
p.000034: Country A. The law contains clear provisions on perhaps the most important data protection principle of all
p.000034: - the right of access and rectification, and some limitations on the purpose for which data can be used.
p.000034:
p.000034: Conclusion
p.000034: Protection is inadequate because the law covers too few of the “core principles” and the privacy policy, standing
p.000034: alone, is not an effective means of providing protection. An adequate verdict could result either if the law
p.000034: were developed to include principles such as transparency and protection for health data, or if the privacy
p.000034: policy were rendered more effective by one of the methods suggested above (i.e. making
p.000034: compliance a condition for membership of an industry association, or giving a public agency powers to prosecute the
p.000034: company for misleading and deceptive practices if it failed to comply with its own policy).
p.000034:
p.000034:
p.000034: STEP TWO : SEARCHING FOR A SOLUTION
p.000034:
p.000034: Of the possible exemptions set out in Article 26(1), only (a), the consent of the data subject, would appear to
p.000034: be appropriate. The exemption in (b) which deals with transfers necessary for contractual reasons is
...
p.000037: booked.
p.000037:
p.000038: 38
p.000038:
p.000038: CASE (3) : A transfer of marketing list data
p.000038:
p.000038: A company in the Netherlands specialises in the creation of mailing lists. Using many disparate sources of public
p.000038: information available in the Netherlands, together with client lists rented from several other Dutch companies,
p.000038: the resulting lists purport to include individuals fitting a particular socio-economic profile. These lists
p.000038: are then sold by the Dutch company to client companies not only in the Netherlands and the EU, but in a
p.000038: multitude of other third countries. The recipient client companies then use the lists (which include
p.000038: postal addresses, telephone numbers, and often e-mail addresses) to contact the individuals on the
p.000038: lists with a view to selling a bewildering array of different products and services. A large number of individuals
p.000038: included in the lists have complained to the Dutch data protection authority about the marketing approaches
p.000038: they have received.
p.000038:
p.000038: The relevant applicable rules
p.000038:
p.000038: Some of the client companies who buy in the mailing lists offered by the Dutch company are based in
p.000038: countries which have general data protection legislation in place which includes a right for individuals to
p.000038: opt-out of receiving such marketing approaches. Others are in countries without such laws, but are
p.000038: members of self-regulatory associations which have developed data protection codes. Others are subject
p.000038: to no data protection rules at all.
p.000038:
p.000038:
p.000038: Evaluation of the content of the applicable rules
p.000038:
p.000038: This single case would require the evaluation of a multitude of different laws and codes. If the
p.000038: Netherlands-based company is to maintain its approach of selling or renting its lists to companies based
p.000038: in any country of the world, then there are necessarily going to be situations where the level of protection is
p.000038: not adequate.
p.000038:
p.000038:
p.000038: STEP TWO : SEARCHING FOR A SOLUTION
p.000038:
p.000038: In this example, because the data are collected from public sources and without any direct contact with
p.000038: the data subject it would be very problematic for the Netherlands company to seek consent from each and every data
...
Orphaned Trigger Words
p.000008: 6 Convention 108 is currently being re-examined, a process which may result in changes which address these and other
p.000008: difficulties.
p.000008:
p.000009: 9
p.000009:
p.000009: CHAPTER THREE: APPLYING THE APPROACH TO INDUSTRY SELF-REGULATION
p.000009:
p.000009: Introduction
p.000009:
p.000009: Article 25(2) of the data protection directive (95/46/EC) requires the level of protection
p.000009: afforded by a third country to be assessed in the light of all the circumstances
p.000009: surrounding a data transfer operation or set of such operations. Specific reference is made not only to
p.000009: rules of law but also to “professional rules and security measures which are complied with in that country.”
p.000009:
p.000009: The text of the directive therefore requires that account be taken of non-legal rules that may be in force in the third
p.000009: country in question, provided that these rules are complied with. It is in this context that the role of industry
p.000009: self-regulation must be considered.
p.000009:
p.000009: What is self-regulation?
p.000009:
p.000009: The term “self-regulation” can mean different things to different people. For the purpose of this
p.000009: document, a self-regulatory code (or other instrument) should be taken to mean any set of data protection rules applying
p.000009: to a plurality of data controllers from the same profession or industry sector, the content of which has
p.000009: been determined primarily by members of the industry or profession concerned.
p.000009:
p.000009: This is a broad definition which would encompass, at one end of the scale, a voluntary data protection code
p.000009: developed by a small industry association with only a few members, and, at the other end, the kind of
p.000009: detailed codes of professional ethics applicable to entire professions, such as doctors and bankers, which often
p.000009: have quasi-judicial force.
p.000009:
p.000009: Is the body responsible for the code representative of the sector?
p.000009:
p.000009: As this chapter will go on to argue, one important criterion for judging the value of a code is the degree to which
p.000009: its rules can be enforced. In this context, the question of whether the association or body responsible for the code
p.000009: represents all the operators in a sector or only a small percentage of them, is probably less important
p.000009: than the strength of the association in terms of its ability to, for example, impose sanctions on its members for
p.000009: non-compliance with the code. However, there are several secondary reasons which render industry-wide or
p.000009: profession-wide codes with clearly comprehensive coverage more useful instruments of protection than those
p.000009: developed by small groupings of companies within sectors. First is the fact that, from the consumer’s
p.000009: point of view, an industry that is fragmented and characterised by several rival associations, each with its own
p.000009: data protection code, is confusing. The co-existence of several different codes creates an overall picture which
p.000009: lacks transparency for the data subject. The second point is that, particularly in industries such as direct marketing,
p.000009: where personal data is routinely passed between different companies of the same sector, situations can arise where
p.000009: the company disclosing personal data is not subject to the same data protection code as the company
p.000009: that receives it. This is a source of uncertainty as to the rules applicable, and it might also render more
p.000009: difficult the investigation and resolution of complaints from individual data subjects.
p.000009:
p.000009:
p.000010: 10
p.000010:
p.000010: Evaluating self-regulation - the approach to take
p.000010:
p.000010: Given the wide variety of instruments which fall within the notion of self-regulation, it is clear that there is a need
p.000010: to differentiate between the various forms of self-regulation in terms of their real impact on the level of data
p.000010: protection applicable when personal data are transferred to a third country.
p.000010:
p.000010: The starting point for the evaluation of any specific set of data protection rules (whether categorised as
p.000010: self-regulation or regulation) must be the general approach set down in Chapter One of this document. The
p.000010: cornerstone of this approach is an examination not only of the content of the instrument (it should contain a
p.000010: series of core principles) but also of its effectiveness in achieving:
p.000010: - a good level of general compliance,
p.000010: - support and help to individual data subjects,
p.000010: - and, crucially, appropriate redress (including compensation where
p.000010: appropriate).
p.000010:
p.000010: Evaluating the content of a self-regulatory instrument
p.000010:
p.000010: This is a relatively easy task. It is a question of ensuring that the necessary ‘content principles’ set out in
p.000010: Chapter One are present. This is an objective evaluation. It is a question of what the code contains, and not
...
p.000011: self-regulation in this regard are:
p.000011:
p.000011:
p.000012: 12
p.000012:
p.000012: - is there a system in place allowing for investigation of complaints from individual data subjects?
p.000012: - how are data subjects made aware of this system and of the decisions taken in individual cases?
p.000012: - are there any costs involved for the data subject?
p.000012: - who carries out the investigation? Do they have the necessary powers?
p.000012: - who adjudicates on an alleged breach of the code? Are they independent and impartial?
p.000012:
p.000012: The impartiality of the arbiter or adjudicator in any alleged breach of a code is a key point. Clearly such a
p.000012: person or body must be independent in relation to the data controller. However, this in itself is not
p.000012: sufficient to ensure impartiality. Ideally the arbiter should also come from outside the profession or sector
p.000012: concerned, the reason being that fellow members of a profession or sector have a clear commonality of
p.000012: interests with the data controller alleged to have breached the code. Failing this the neutrality of the
p.000012: adjudicating body could be ensured by including consumer representatives (in equal numbers) alongside the
p.000012: industry representatives.
p.000012:
p.000012: Appropriate Redress
p.000012:
p.000012: If the self-regulatory code is shown to have been breached, a remedy should be available to the data
p.000012: subject. This remedy must put right the problem (e.g. correct or delete any inaccurate data, ensure that
p.000012: processing for incompatible purposes ceases) and, if damage to the data subject has resulted, allow for the payment
p.000012: of appropriate compensation. It should be borne in mind that “damage” in the sense of the data
p.000012: protection directive includes not only physical damage and financial loss, but also any psychological or moral harm
p.000012: caused (known as “distress” under UK and US law).
p.000012:
p.000012: Many of the questions regarding sanctions listed above in the section “Good level of compliance” are relevant here. As
p.000012: explained earlier sanctions have a dual function: to punish the offender (and thus encourage compliance with the rules
p.000012: by the offender and by others), and to remedy a breach of the rules. Here we are primarily concerned with the second of
p.000012: these functions. Additional questions would therefore include:
p.000012: - is it possible to verify that a member who has been shown to contravene the code has changed his practices and put
p.000012: the problem right?
p.000012: - can individuals obtain compensation under the code, and how?
p.000012: - is the breach of the code equivalent to a breach of contract, or enforceable under public law (e.g.
p.000012: consumer protection, unfair competition), and can the competent jurisdiction award damages on this basis?
p.000012:
p.000012:
p.000012:
p.000012: Conclusions
p.000012:
p.000012: • Self-regulation should be evaluated using the objective and functional approach set out in Chapter One.
p.000012: • For a self-regulatory instrument to be considered as a valid ingredient of “adequate protection” it must be
p.000012: binding on all the members to whom personal data are
p.000013: 13
p.000013: transferred and provide for adequate safeguards if data are passed on to non-members.
p.000013: • The instrument must be transparent and include the basic content of all core data protection principles.
p.000013: • The instrument must have mechanisms which effectively ensure a good level of general compliance. A
p.000013: system of dissuasive and punitive sanctions is one way of achieving this. Mandatory external audits are
p.000013: another.
p.000013: • The instrument must provide support and help to individual data subjects who are faced with a problem involving
p.000013: the processing of their personal data. An easily accessible, impartial and independent body to hear
p.000013: complaints from data subjects and adjudicate on breaches of the code must therefore be in place.
p.000013: • The instrument must guarantee appropriate redress in cases of non-compliance. A data subject must be able to
p.000013: obtain a remedy for his/her problem and compensation as appropriate.
p.000014: 14
p.000014:
p.000014: CHAPTER FOUR : THE ROLE OF CONTRACTUAL PROVISIONS
p.000014:
p.000014:
p.000014:
p.000014: 1. Introduction
p.000014:
p.000014: The data protection directive (95/46/EC) establishes the principle in Article 25(1) that transfers of personal data
p.000014: to third countries should only take place where the third country in question ensures an adequate level
p.000014: of protection. The purpose of this Chapter is to examine the possibility for exemption from the
p.000014: 'adequate protection' principle of Article 25 set out in Article 26(2). This provision allows a Member State to
p.000014: authorize a transfer or set of transfers to a ‘non-adequate’ third country ‘where the controller adduces adequate
p.000014: safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and
p.000014: as regards the exercise of the corresponding rights’. The provision goes on to specify that ‘such safeguards may in
p.000014: particular result from contractual clauses’. Article 26(4) also gives a power to the Commission, acting
p.000014: in accordance with the procedure laid down in Article 31, to decide that certain standard
p.000014: contractual clauses offer the sufficient guarantees envisaged in Article 26(2).
p.000014:
p.000014: The idea of using contracts as a means of regulating international transfers of personal data was not of course
p.000014: invented by the directive. As long ago as 1992 the Council of Europe, the International Chamber of Commerce and the
p.000014: European Commission were jointly responsible for a study on the issue.7 More recently an increasing number
p.000014: of experts and commentators, perhaps noticing the explicit reference in the directive, have made comments on the use
p.000014: of contracts in studies and articles. Contracts have also continued to be used in the ‘real world’, as a means
p.000014: of dealing with data protection problems arising from the export of personal data from certain EU
p.000014: Member States. They have been widely used in France since the late 1980s. In Germany the recent example
p.000014: of the ‘Bahncard’ case involving Citibank received a considerable amount of publicity.8
p.000014:
p.000014: 2. The use of contracts as a basis for intra-Community flows of data
p.000014:
p.000014:
p.000014: Before examining the requirements of contractual provisions in the context of data flows to third
p.000014: countries, it is important to clarify the difference between the third country situation and that
p.000014: pertaining within the Community. In this latter case, the contract is the mechanism used to define and
p.000014: regulate the split of data protection responsibilities when more than one entity is involved in the data
p.000014: processing in question. Under the directive one entity, the 'data controller', must take the principal
p.000014:
p.000014: 7 ‘Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows, with Explanatory
p.000014: Memorandum’, study made jointly by the Council of Europe, the Commission of the European Communities and the
p.000014: International Chamber of Commerce, Strasbourg 2 November 1992
p.000014: 8 See the presentation of Alexander Dix of this case at the International Data Protection and Privacy Commissioners’
p.000014: Conference, September 1996, Ottawa.
p.000014:
p.000015: 15
p.000015:
p.000015: responsibility for complying with the substantive data protection principles. The second entity, the
...
p.000020: requirements might take precedence over any contract to which the processor was subject.17 For
p.000020: processors within the Community this possibility is evoked in Article 16 of the directive which requires
p.000020: processors to process data only on instructions from the controller unless required to do so by law.
p.000020: However, under the directive any such disclosures (which are by their nature for purposes incompatible with
p.000020: those for which the data were collected) must be limited to those necessary in democratic societies for
p.000020: one of the 'ordre public' reasons set out in Article 13(1) of the directive (see footnote 2 on page 4). Article 6
p.000020: of the Amsterdam Treaty also guarantees respect for the fundamental rights set out in the European
p.000020: Convention for the Protection of Human Rights and Fundamental Freedoms. In third countries similar limitations
p.000020: on the ability of the state to require the provision of personal data from companies and other organisations
p.000020: operational on their territory may not always be in place.
p.000020:
p.000020:
p.000020:
p.000020: 17 The extent of state powers to require the disclosure of information is also an issue when making more general
p.000020: assessments of the adequacy of protection in a third country.
p.000020:
p.000021: 21
p.000021:
p.000021: There is no easy way to overcome this difficulty. It is a point that simply demonstrates the limitations of the
p.000021: contractual approach. In some cases a contract is too frail an instrument to offer adequate data
p.000021: protection safeguards, and transfers to certain countries should not be authorised.
p.000021:
p.000021:
p.000021: 6. Practical Considerations for the Use of Contracts
p.000021:
p.000021:
p.000021: The preceding analysis has demonstrated that there is a need for any contractual solution to be detailed
p.000021: and properly adapted to the data transfer in question. This need for detail as regards the precise purposes and
p.000021: conditions under which the transferred data are to be processed does not rule out the possibility of
p.000021: developing a standard contract format, but it will require each contract based on this format to be completed in a
p.000021: way which matches the particular circumstances of the case.
p.000021:
p.000021: The analysis has also indicated that there are particular practical difficulties in investigating
p.000021: non-compliance with a contract where the processing takes place outside of the EU and where no form of supervisory body
p.000021: is provided for by the third country in question. Taken together, these two considerations mean that there
p.000021: will be some situations in which a contractual solution may be an appropriate solution, and others where it may be
p.000021: impossible for a contract to guarantee the necessary 'adequate safeguards'.
p.000021:
p.000021: The need for detailed adaptation of a contract to the particularities of the transfer in question implies that a
p.000021: contract is particularly suited to situations where data transfers are similar and repetitive in nature. The
p.000021: difficulties regarding supervision mean that a contractual solution may be most effective where the parties to the
p.000021: contract are large operators already subject to public scrutiny and regulation18. Large international
p.000021: networks, such as those used for credit card transactions and airline reservations, demonstrate both of
p.000021: these characteristics and thus are situations in which contracts may be most useful. In these circumstances,
p.000021: they could even be supplemented by multi-lateral conventions creating better legal security.
p.000021: Equally, where the parties to the transfer are affiliates or part of the same company group, the ability
p.000021: to investigate non-compliance with the contract is likely to be greatly reinforced, given the strong nature of
p.000021: the ties between the recipient in the third country and the Community-based entity. Intra-company
p.000021: transfers are therefore another area where there is a clear potential for effective contractual solutions to be
p.000021: developed.
p.000021:
p.000021:
p.000021:
p.000021: Main Conclusions and Recommendations
p.000021:
p.000021:
p.000021:
p.000021:
p.000021:
p.000021: 18 In the Citibank 'Bahncard' case, the Berlin data protection commissioner cooperated with the American banking
p.000021: supervisory authorities.
p.000021:
p.000022: 22
p.000022:
p.000022: • Contracts are used within the Community as a means of specifying the split of responsibility for
p.000022: data protection compliance between the data controller and a sub-contracted processor. When a contract is
p.000022: used in relation to data flows to third countries it must do much more: it must provide additional
p.000022: safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an
p.000022: enforceable set of data protection rules providing an adequate level of protection.
p.000022: • The basis for assessing the adequacy of the safeguards delivered by a contractual solution is the same as the
p.000022: basis for assessing the general level of adequacy in a third country. A contractual solution must
p.000022: encompass all the basic data protection principles and provide means by which the principles can be enforced.
p.000022: • The contract should set out in detail the purposes, means and conditions under which the transferred
p.000022: data are to be processed, and the way in which the basic data protection principles are to be
p.000022: implemented. Greater legal security is provided by contracts which limit the ability of the recipient
p.000022: of the data to process the data autonomously on his own behalf. The contract should therefore be used, to the
...
p.000030: once transferred to Country A.
p.000030:
p.000030: Evaluation of rule content should logically start with the federal legislation. Where gaps are found here,
p.000030: the ‘softer’ law of the privacy policy could be considered to see if it fills these gaps. What follows is a list of the
p.000030: content that would appear necessary, and a judgement as to whether this necessary content is present either
p.000030: in the law or the privacy policy.
p.000030:
p.000030: The purpose limitation principle can in this context concern itself solely with the requirement that any
p.000030: secondary uses and disclosures of the transferred data are not incompatible with the purpose for which they
p.000030: were transferred. The inclusion of the data in a mailing list to be sold or rented on the open market
p.000030: might be considered incompatible, as would the disclosure of the data to prospective employers or business partners
p.000030: interested in the solvency of the individual concerned. Disclosures of the data to other credit grantors (banks,
p.000030: credit card companies), however, might be considered compatible.
p.000030: In this case the federal law does lay down a limited number of purposes for which personal credit
p.000030: information can be legitimately disclosed. However, these purposes
p.000031: 31
p.000031:
p.000031: include “employment” and “legitimate business need related to a business transaction involving the individual”. This
p.000031: latter concept includes certain marketing uses of data which could involve the marketing of goods or services
p.000031: other than credit by third parties.
p.000031: It would therefore appear that the purpose is not sufficiently limited by the federal law, and that on this point
p.000031: protection is not adequate. The company’s privacy policy does not improve the situation.
p.000031:
p.000031:
p.000031: The transparency principle should result in the data subject being made aware of the identity of the credit reporting
p.000031: agency in Country A and of any new purposes for which data are to be processed. The precise way in which this is done
p.000031: should be comparable with that set out in Article 11 of the directive.
p.000031: In this case the federal law has no specific provisions on transparency which impact directly on the
p.000031: credit reporting agency. The credit grantor in Country A is, however, required to inform the individual that a credit
p.000031: report will be requested from the Credit Reporting Agency, although the name and address of the agency need not be
p.000031: given.
p.000031: The individual therefore has no legal guarantee of being informed about the fact that the specific Credit
p.000031: Reporting Agency concerned is processing data about him. However, given that the agency has no
p.000031: direct contact with the individual, for the agency to be under an obligation to contact the individual
p.000031: specifically to inform him/her would appear to represent a “disproportionate effort” in the sense of Article 11 of the
p.000031: directive. The level of protection regarding transparency would therefore appear to be sufficient.
p.000031:
p.000031: The quality and proportionality principle includes several different elements. There is no restriction on the
p.000031: collection and processing of unnecessary data in the federal law. As to duration of storage, there are rules
p.000031: that prevent the dissemination of obsolete information (bankruptcy judgements more than 10 years old), which
...
Appendix
Indicator List
Indicator | Vulnerability |
access | Access to Social Goods |
age | Age |
authority | Relationship to Authority |
autonomy | Impaired Autonomy |
criminal | criminal |
disabled | Mentally Disabled |
employees | employees |
ethnic | Ethnicity |
family | Motherhood/Family |
home | Property Ownership |
ill | ill |
injured | injured |
language | Linguistic Proficiency |
nation | stateless persons |
opinion | philosophical differences/differences of opinion |
party | political affiliation |
physically | Physically Disabled |
police | Police Officer |
political | political affiliation |
property | Property Ownership |
prosecuted | Prosecuted |
race | Racial Minority |
racial | Racial Minority |
religious | Religion |
single | Marital Status |
threat | Threat of Stigma |
union | Trade Union Membership |
unlawful | Illegal Activity |
vulnerable | vulnerable |
Indicator Peers (Indicators in Same Vulnerability)
Indicator | Peers |
home | ['property'] |
party | ['political'] |
political | ['party'] |
property | ['home'] |
race | ['racial'] |
racial | ['race'] |
Trigger Words
consent
developing
ethics
harm
protect
protection
risk
sensitive