European Data Protection Rules - Slow Changes Ahead
The European Commission's first formal review of implementation of the EU's privacy Directive contains both good news and bad news for U.S. companies doing business in Europe. The good news is that the Commission has acknowledged, and is committed to relieving, some of the burdens created by inconsistent transposition of the Community legislation by EU Member States. The bad news is that the changes needed to relieve these burdens are likely to occur only gradually.
The European Directive 95/46/EC (the "Directive") imposes a number of obligations on businesses that process personal information about their European customers, employees, and business contacts. Those businesses must follow certain principles of fair information practices and work around certain roadblocks to the transfer of personal data to countries outside the European Economic Area that do not have "adequate" data protection laws. In the U.S., privacy regulation is sectoral. For example, the Gramm-Leach-Bliley Act governs what a financial institution can do with personal information about its customers. Because it lacks an omnibus framework for privacy protection, the United States is not deemed to have "adequate" data protection laws measured by EU standards. Companies that want to leverage substantial IT investments by, for example, creating a single data platform in the United States (such as an SAP or PeopleSoft database) must find other ways to meet the EU's adequacy standard.
Even as the Directive was adopted in 1995, industry argued that the legislation was already technologically outdated. Though Member States have been slow to transpose the Directive (Ireland's amended Data Protection Act entered into force in July of this year and France has yet to adopt implementing legislation), businesses operating in the EU have now had several years of experience with the Directive. Thus, industry already had a long list of issues and concerns to bring to the table when the Commission initiated a public consultation on implementation of the Directive in 2002. As the public consultation drew to a close, some Member States also called for substantial revisions, raising hopes that the Commission might reduce some of the burdens imposed by the Directive. Instead, the Commission adopted a much more evolutionary approach to smoothing out the rough spots associated with implementation of the Directive.
In May 2003, the European Commission released a report on the implementation of the Directive, the culmination of its review of the data protection rules. While acknowledging industry concerns about compliance burdens created by divergent implementations of the Directive by EU Member States, the report concludes that it is premature to consider legislative changes at this time. Rather, it establishes a "work plan" for change, calling on Member States to harmonize and clarify national laws, step up enforcement efforts, and ease burdens on data transfers to third countries. The report is therefore likely to disappoint those who sought rapid change in the data protection framework.
In the review process that culminated in the Commission's report, numerous U.S.-based companies and industry organizations responded to the Commission's call for comments, including the United States Council for International Business ("USCIB"), the Securities Industry Association, the Coalition of Service Industries, and the Global Privacy Alliance (the "GPA"), a group of multinational corporations including Baxter International, Citigroup, Fidelity, General Motors, IBM, Oracle, Procter & Gamble, and Verisign. Their submissions reflected two key criticisms of the Directive, namely that:
- The Directive is not compatible with information technology advances, the commercialization of the Internet, and a globalized economy, nor is it sufficiently responsive to post-September 11 security requirements; and
- Significant differences in national implementation, involving both law and interpretation of the Directive itself, as well as a lack of transparency at all levels, make compliance needlessly burdensome and place multinational companies at a competitive disadvantage.
This article examines the Commission's response to some of the specific problems identified by U.S. companies doing business in the European Union.
Under the Directive, each Member State must regulate the processing of personal information by businesses established in, or using equipment located in, that country. Industry describes the current jurisdictional rules as unworkable, creating uncertainty about which law applies in any given situation, and a risk that multiple, and inconsistent, requirements can apply to the same processing activities. The "use of equipment" provision in particular is identified as a problem because in distributed processing environments such as the Internet, equipment located in different jurisdictions may be used to process the same information. For example, if an Internet user in Belgium creates an account at amazon.co.uk, the site drops a "cookie" on the Belgian user's hard drive so that he or she will be recognized when returning to the site. Some data protection authorities have argued that by dropping a cookie, the UK web site has introduced processing equipment (the user's hard drive) into Belgium. Does UK law or Belgian law apply to the personal information processed by amazon.co.uk? What if amazon.co.uk in turn uses a back-end fulfillment system based in the U.S.? At least one industry coalition (the GPA) suggested that the Commission adopt the "country of origin" approach contained in the E-Commerce Directive to ensure that only the national data protection regime of the country where the processor has its "center of activities" applies to a processing activity or database.
The Commission report flatly rejects the “country of origin” rule suggested by industry, but concedes that the “use of equipment” provision is vague, cumbersome, and may at some point require amendment. Meanwhile, the Commission attributes much of the difficulty in this area to faulty Member State transpositions of the Directive, and commits to work with relevant Member States to correct the problem.
The Directive created two Brussels-based bodies: the Article 29 Working Party, an advisory body made up of representatives of national data protection authorities ("DPAs"), and the Article 31 Committee, consisting of Member State representatives and chaired by a representative of the Commission. Industry has called upon the Article 29 Working Party and the Article 31 Committee to embrace a more transparent approach to policy development. The Article 29 Working Party, in particular, was urged to open its deliberations to the public, to seek the views of industry prior to completing reports, and to publish reports and decisions as soon as they are adopted. U.S. industry also urged Member States to make implementing laws and enforcement decisions readily available to the public. Both the Working Party and the national DPAs were encouraged to publish their actual decisions.
On this point, the report simply notes that the Commission “…encourages the efforts the Working Party is currently undertaking further to enhance the transparency of its work,” and expects “an appropriate degree of transparency” in the work of the Article 29 Working Party and Article 31 Committee to simplify international data transfers.
Inconsistent Implementation by Member States
The USCIB reported significant national differences with respect to:
- Requirements to register any data processing activities (notification);
- The circumstances under which an individual must be permitted to review and correct information held by a data processor;
- The need for prior approval of national DPAs for transborder data transfers;
- The nature of the consent required in any given situation (e.g. unambiguous, explicit, opt-in, opt-out); and
- The definition of sensitive data.
Likewise, the GPA called for simplification and harmonization of the provisions of national law that currently only “increases the costs of compliance and distorts the function of the Internal Market without any concomitant improvement in data protection.”
The Commission agrees that the divergences that mark the data protection legislation of the Member States are "too great," but will press Member States to change their laws only where they have incorrectly implemented the Directive. For example, differences in the list of activities that constitute "legitimate" processing require amendment of national legislation. Likewise, the report encourages Member States to eliminate unnecessary notification requirements and to create more standard exceptions to the notification requirement.
Other issues of importance to multinational corporations, those pertaining to sensitive data, access provisions, and the definition of personal data, are seen as falling within Member States' "margin of manoeuvre" under the Directive, and the Commission will not address these. The report dismisses proposals to relax the Directive's sensitive data rules. Similarly, the report gives little weight to industry worries about the potential for onerous "bad faith" access requests and rejects suggestions for a "proportionality requirement" under which access would be provided only if the cost of providing such access is not disproportionate to the privacy interests to be protected.
Finally, the Commission rejects the suggestion that business contact data—so-called “professional data”—be excluded from the reach of the Directive.
Transborder Data Flows
U.S. industry cited serious problems with respect to transborder data flows, including the de facto elimination of the Directive's exceptions ("derogations") from the prohibition on data transfers to countries lacking adequate data protection laws. These exceptions permit transfers of personal data to third countries not deemed to have adequate data protection laws where, for example, the transfer is necessary in connection with a contract (either with the data subject or a third party) concluded by or in the interests of the data subject. According to industry commenters, various reasons make it almost impossible in practice to make use of these derogations. Numerous commenters cited the impact of the Directive, along with labor laws, on multinational corporations seeking to develop integrated human resources management tools.
Other concerns cited by U.S. industry include limitations imposed by DPAs on the validity of a data subject's consent to data transfers involving human resources data, and the very narrow interpretation given to the derogation for transfers "necessary to complete a contract" between a data controller and a data subject. Finally, industry commenters asserted that the mechanisms approved by the Commission for transferring data to the United States, the "Safe Harbor" program and model contract provisions, are more burdensome on multinational operators than the Directive itself is on European controllers. Many commenters focused on the difficulty surrounding data transfers among affiliates and called for the adoption of flexible mechanisms, such as alternative model contracts developed by business groups like the International Chamber of Commerce, and the recognition of enterprise-wide codes of conduct, to facilitate intra-enterprise transfers.
Early in its report, the Commission asserts that it "…considers as a priority the harmonious application of the rules relating to the transfer of data to third countries" and commits to use its authority to make adequacy determinations based on contractual or other alternatives to a legal regime in order to ease burdens on third-country transfers. Specifically, the report recommends that Member States and the Article 29 Working Party:
- Make more adequacy findings based on contractual obligations;
- Approve additional standard contractual clauses, including, if feasible, those proposed by business organizations like the International Chamber of Commerce;
- Develop more consistent interpretations of the Directive's exceptions in Article 26;
- Encourage the development of more industry-wide codes of conduct, which "…should play an important role in the future development of data protection in the EU and outside."
The Commission report also takes a tough stance against Member States that make international data transfers unnecessarily complicated. It reminds these States that once a transfer is allowed under an adequacy finding, standard contractual clause, or Article 26 exception, they may not impose additional authorization requirements since the transfer is “already authorized by Community law.” Finally, the Commission recommends “finding a balanced solution and implementing it throughout the Community” for the cumbersome notification procedures for international data transfers.
The Commission appears to be taking a "wait and see" approach to industry calls for fundamental change in the data protection rules. Rather than proposing amendments, the Commission will focus on harmonizing Member States' laws, speeding up implementation, and enhancing enforcement. To the extent these actions are within the authority of the Commission, change may come more rapidly. Otherwise, the Commission has elected to work through the national DPAs to resolve the concerns cited. The success of these efforts will likely determine whether the Commission will be receptive to amendments when it conducts its next review in 2005.