CFP'93 - International Trends in Privacy/Data Protection and Transborder Data Flow
By Professor Greg F. Tucker, Syme School of Business, Frankston, Monash University
I have been fortunate enough to have prepared two OECD reports on privacy protection. The first was "The Situation and Trends in Privacy and Data Protection in The OECD Area". This report was prepared in 1988 at a relatively calm stage in the development of the privacy regulations of the 24 OECD countries.
By contrast, the second report (in publication), entitled "Privacy and Data Protection -- Issues and Challenges", was produced during the torrid period after the publication of the two draft directives of the European Commission concerning privacy and data protection. This torrid period continues.
I am pleased to address you on this topic. I have been very interested in the developments in privacy protection in the United States and look forward to learning more about these regulations at first hand. In the area of privacy research much depends upon the cultural background of the country concerned so it is vital that researchers gain some appreciation of the cultural basis of each country in order to understand its approach to privacy protection.
Overview of the Countries in the OECD
There continues to be much activity in the OECD area. At present 15 member countries have comprehensive data protection legislation (Austria, Denmark, Finland, France, Germany, Iceland, Ireland, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and the United Kingdom). Five member countries have specific public sector regulation with some private sector regulation or initiatives (Australia, Canada, Japan, New Zealand and the United States) and two member countries (Belgium and Greece) have bills containing comprehensive data protection proposals before their parliaments. These figures do not take into account legislation at state or local government levels in the OECD member countries.
In addition to this, much activity has taken place as regards self-regulation. This shall be considered later on in this paper.
Outside the OECD area, Israel has a long-standing data protection regime and Hong Kong has provided in its 1990 bill of rights for protection of privacy. Article 14 of the bill of rights provides:
- "no-one shall be subjected to arbitrary or unlawful interference with privacy, family, home or correspondence, nor to unlawful attacks on his honor or
- everyone has the right to the protection of the law against such interference or attacks."
Singapore has also given consideration to the regulation of data protection and it is understood that South Korea has produced a proposal in this area.
It is important to stress once more that the adoption of privacy and data protection regimes will vary considerably depending upon the cultural and legal background of the country concerned.
Transborder Data Flows (TBDF)
This is a vintage issue which has been maturing for many years. It brings sharply into focus the tension that exists between the free flow of information and protection of personal information.
At one level the problem assumes impractical proportions: you simply cannot monitor all forms of TBDF (fax, telephone, letter, computer transmission etc.). This does not mean there should be no attempt to set in place appropriate measures to ensure that, in general, privacy protection principles are observed for TBDFs.
The OECD countries vary in the level of domestic protection they afford personal information. When personal information is transferred abroad, this raises the question of restriction or prohibition of the transfer where the recipient country accords a lower level of protection than the country transferring the data. It was within this context that the 1980 OECD guidelines were drafted. Indeed, in 1985 the ministers of the OECD member countries adopted a declaration on transborder data flows. It declared their intention to promote access to data and information and to avoid the creation of unjustified barriers to the international exchange of data and information. It sought transparency in the regulations and policies relating to information, computer and communication services affecting transborder data flows, and sought to develop common approaches for dealing with issues related to TBDF and, when appropriate, to develop harmonious solutions. Finally, it declared that consideration ought to be given to the possible implications for other countries when dealing with issues related to TBDF.
My research indicated that while a substantial number of countries have TBDF provisions in their domestic data protection laws, there have not been a large number of disputes in this area relative to the absolute number of data transfers that occur. Nevertheless, there have been a significant number of cases in the area.
In many instances the solution has been either to alter the nature of the information which is sent abroad or to create a contract between the transferor of the data and the receiver of it, requiring the receiver to respect the rights of the data subject in the same way as they would be respected in the country of the transferor. This contractual approach to TBDF has had some success but may not be an adequate long-term solution, as it will not be applicable in all cases. A model contract has been drafted in a joint project between the Council of Europe, the European Commission and the International Chamber of Commerce.
Two French cases clearly demonstrate how a contractual solution may operate. The first case concerned the transfer of employee data from the Paris office of Fiat Motor Company to its Turin office in Italy (deliberation no. 89-78 of 11 July, 1989, Commission Nationale de l'Informatique et des Libertes). France has a data protection law but Italy does not. The French data protection commission required the two companies to enter into an agreement which, in essence, provided the data subjects with the same rights against Fiat in Turin as they would have in France under the French legislation. Thus the French law was extended across its borders. This approach raises interesting questions as to sovereignty and jurisdiction.
The second case concerned the transfer of medical data from France to Belgium (deliberation no. 89-98 of September, 1989, of the Commission Nationale de l'Informatique et des Libertes). Belgium also lacks a comprehensive data protection law. The data were being transferred so that they could be placed onto a network and be available for medical research purposes. The French commission required that some alterations be made to data before they were sent and that a contract be set in place between the parties to provide privacy protection to the data subjects.
Codes of practice have been another device used by organizations or industries in countries outside of the EC countries to provide reassurance that the industry or company provides an adequate level of data protection for its records or records received by it. IBM has provided a detailed set of internal protections for personal data and this type of approach has met with the approval of some European data protection authorities.
The European Commission has drafted two proposals which affect the area of privacy and data protection. The first is a general data protection directive (syn 287) and the second is a proposed directive in the sector of telecommunications (syn 288). Both proposals have been subject to the scrutiny of the European Parliament, and detailed amendments have been given by Parliament to the European Commission. The second draft of the general directive has now been published by the Commission. This is now the subject of debate inside and outside the EC.
The general directive contains a provision relating to TBDF (articles 26 & 27). This is the means proposed by the EC to ensure that personal data within the 12 member states is protected. In the absence of such a provision, it is claimed, some data processors may send personal data to non-member countries for processing in order to avoid the rigor of the law in their own countries.
The provision is in two parts -- the General Rule and its Exceptions.
The General Rule
The general rule states that personal data may only be transferred to a third country if the recipient country ensures "an adequate level of protection" for personal data. This assessment is made by the relevant EC country. Accordingly, once the directive is fully operative, transfers of personal data within the EC will be free, as each member country will offer the band of protection laid down in the directive. Thus transfers from France or Germany to the UK should present no difficulty provided the provisions of the appropriate national laws are obeyed.
Where a transfer from a member country to a non-member country is contemplated then the member country must apply the following test in order to determine the adequacy of the regime in the recipient country:
All the circumstances surrounding the transfer of the data are to be considered, including the nature of the data (e.g. is it sensitive?), the purpose of the processing operations and the protective legislation available in the recipient country. Sectoral and general rules and regulations, including codes of conduct, will also be taken into account when assessing the adequacy of the level of protection.
There are several exceptions to the requirement of adequacy:
- Where the data subject has consented to the transfer in order to take steps preliminary to entering into an agreement (e.g. a retailer performing an international credit check before entering into a transaction with a client) or where it is necessary for the performance of a contract between the data subject and data controller (e.g. concluding an international credit or debit card
- On the grounds of important public interest or in order to protect the vital interests of the data subject. For example, the transfer of information about suspected criminals or the international transfer of sensitive medical data to assist in the medical treatment of an individual.
This provision permits the recipient company to demonstrate to the sending country that it has appropriate safeguards to guarantee the rights of the data subject. These safeguards could be contractual in nature or in the form of codes of practice or internal regulations. To this extent, the directive may permit a company carrying on business outside the EC to continue to receive personal data provided it demonstrates its bona fides in this area.
Self-regulation/Codes of Practice and Privacy/Data Protection
From the foregoing section it will be appreciated that the existence and quality of self-regulatory schemes may have a significant impact on the ability of a proposed transferee of data to actually receive it. Accordingly, it is appropriate to take a brief look at this area.
The means of protection of personal data is not confined to government rules and regulations. It is within the capacity of the collectors and users of data to design and model their own form of data protection. This can have significant benefits over legislation which is imposed by government. For example, it may take into account a more detailed appreciation of the data protection issue in an industry or sector and, once this type of regulation is developed within the industry or sector, the industry or sector feels that it has ownership of it and may be more committed to its implementation and to compliance with it.
The experience in the OECD area has been varied. Some regimes rely upon industry self-regulation as the principal form of regulation, others use self-regulation in conjunction with more formal data protection laws, and yet other groups of countries do not formally acknowledge self-regulation as part of the data protection structure.
The Netherlands has one of the best-known models integrating legislation with self-regulation. This system arises out of a self-regulatory system which predated its data protection legislation. Thus the private and public sectors had considerable time to adjust to the blending of self-regulation with statutory provisions. Under this model industries are encouraged to register codes with the data protection authority (the registration chamber). There is no compulsion to provide codes of practice; however, this is strongly recommended, because the act provides that general administrative orders may be made establishing binding rules for the industries. Accordingly, there is an incentive to develop a registrable code of conduct in order to avoid sector-specific regulation by government.
The system is still developing, but there has already been a substantial response by industry associations, which have submitted codes for registration by the registration chamber. In recognition that circumstances may change, once the codes are registered they remain registered for a maximum period of five years. These codes do not have the force of law; however, their breach will, in most circumstances, amount to a prima facie breach of the Dutch Data Protection Act, so that civil remedies may be available to injured parties. This would require court action.
One of the crucial aspects in the Dutch system is the level of detail and application required in the codes of practice. The registration chamber requires that the codes submitted to it do not merely reflect broad principles of data protection/privacy but provide details of the application of the principles in the industry concerned. In this way the codes provide direct, relevant guidance to the participants in the industry. The codes are also required to be in comprehensible form and to be given wide publicity in the relevant sector or industry. In some cases the codes also contain standards of ethics and best practice for the industries or sectors concerned.
The Irish model permits the data protection registrar to approve codes of practice where it is considered that the code gives protection to individuals which conforms with the relevant provisions of the Irish Data Protection Act of 1988. The code is required to be laid before Parliament and, if approved, it has the force of law. It differs from the Dutch model, where the code lacks the force of law. Of course, in Ireland this does not prevent voluntary codes from arising which do not have the force of law and which have not been submitted to Parliament for its approval. Thus two tiers of codes of practice may arise. This system is still in its developmental stage and it will be looked at with interest in years to come.
Australia uses a mixture of legislation in some sectors and industries and self-regulation, or co-regulation, in other sectors or industries. The legislation which does exist does not specifically encourage the use of codes of practice, but these may arise to complement the legislation. Some industries, like direct marketing and telecommunications, have developed their own forms of self-regulation. However, there is no overseeing body to ensure that these codes are adhered to and are able to be enforced where breaches occur. The trend in Australia is certainly towards the development of codes of practice in this area, and this usually arises out of a fear by an industry that legislation will be imposed if some self-regulation is not actively developed and applied.
At the OECD I developed a checklist of value-added Codes of Conduct (see Appendix 1). This should provide some guide to the establishment of a code.
The Future of the OECD Guidelines
The OECD guidelines have provided a minimum framework for data protection for member countries for many years. They represent the departure point for member countries to mold their own set of data protection measures. The data protection convention of the Council of Europe (convention 108/1981) has a similar function; however, it is a legal instrument and is binding upon the European countries that have ratified it.
The guidelines continue to be used actively both inside and outside the member countries of the OECD. Recently, Hong Kong, New Zealand, and Slovenia (formerly part of Yugoslavia) have specified the OECD guidelines as the basis for their proposals or laws. Singapore has also considered regulation of this area based upon the terms of the OECD guidelines.
In terms of self-regulation, the guidelines form the basis for industry codes including the Canadian Bankers' Association code of conduct and that of the Centre for Financial Industry Information Systems in Japan. They have also formed the starting point for a sectoral code on telecommunications developed by the Ministry of Posts and Telecommunications in Japan and for that of the New York Public Service Commission. One outstanding matter which still remains at issue under the guidelines is the development of a method of reconciling the divergent approaches to domestic data protection regulation in the OECD countries in a way that will not unnecessarily impede the free flow of personal information between these countries. This does not mean that all countries should adopt the same laws, merely that the articulation between the domestic data protection laws should be given greater attention so that the transborder data flow issue does not become a significant problem. I have already discussed several possible solutions.
In summary, the OECD guidelines have survived very well and continue to provide a yardstick for many different approaches and advances in the area of data protection. The OECD is continuing its role in this area and is having regular meetings to discuss relevant issues.
At the heart of the debate over regulation of TBDF lie two different views: one holds that privacy protection is a fundamental human right and must be respected; the other regards privacy protection as an unnecessary impediment to trade or information transfer. Neither position can be absolute: the solution lies somewhere in the vast gulf between these views.
Checklist For Value-Added Code Of Practice
- Form. The code should make positive statements which indicate a commitment to the adoption of proper data protection principles. Mere descriptive language is
- Substance. The code should be tailored to the industry/company concerned and not merely recite general principles of data protection.
- Level of Detail. The code should deal with the data protection issues confronting the relevant industry/company and other interested parties.
- Transparency. The code should be written in simple language readily comprehensible to participants in the relevant industry/company.
- Implementation. The code should provide for an implementation procedure within the industry/company so that there is no doubt as to the style and manner of protection offered. Part of this process is the nomination and declaration of an officer or officers to take responsibility for this domain, who would have the duty to report regularly to the appropriate management body. Management should be careful to ensure that the establishment of this internal position does not lead to the isolation of the relevant officer from the files and procedures of the firm. This would have the reverse of the intended effect.
- Review. The code should provide for a means of review of its terms from time to time in order to assess their relevance and, where necessary, to make appropriate changes. This is a recognition that market conditions, like technological change, may warrant a reconsideration of the terms of the code. It may include soliciting public comment, and these comments might be taken into account when the review process is undertaken.
- Control/Enforcement. The code should be underpinned with some means of control or enforcement of its terms. This may be legislative, contractual or administrative, but it should provide data subjects or other interested parties with some means of redress for a breach of the terms of the code.
- Publicity. The code must receive publicity by the industry/company so that consumers are aware of their position.
Created before October 2004