Title: Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S.
1. Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S.
- Stephen R. Bell, Willkie Farr Gallagher
- ABA Section of International Law, New York, New York, April 7, 2006
2. Introduction
- Examine the mechanisms by which personal data (personally identifiable) can be transmitted from member states of the E.U. to a third country.
  - A determination that the third country has adequate safeguards (including U.S. Safe Harbor).
  - An ad hoc or standard agreement between the data controller and the party in the third country.
  - Binding Corporate Rules.
  - Consent of the data subject.
  - Master Agreement.
3. Introduction (cont'd)
- Discuss some indicators on how frequently the formal mechanisms are being employed to transfer personal data.
4. E.U. Data Protection Principles
- The E.U. and member states have created the most elaborate mechanism for protection of Personal Data.
  - Directive 95/46/EC of 25 October 1995: On the protection of individuals regarding processing or transfer of personal data.
  - Directive 2002/58/EC of 12 July 2002: On processing of personal data and protection of electronic communication.
  - Regulation (EC) 45/2001 of 18 December 2000: On the processing of personal data by Community Institutions.
  - Directive 2006/__/EC: On retention of data generated in the provision of electronic communications.
5. E.U. Data Protection Principles (cont'd)
- The 25 member states adopted laws implementing the Directive.
- Process took a long time.
  - France 2004
  - Ireland still has not notified the adoption.
- Laws vary widely.
  - Not wholly consistent with the primary Directive.
  - Not wholly consistent with each other.
6. E.U. Data Protection Principles (cont'd)
- Differences between member states.
  - Definition of collection
  - Jurisdiction over foreign-based websites
  - Definition of personal data
  - Obligation to notify data protection authorities when collection and processing occurs
  - Attitudes toward trans-border data flow contracts
7. E.U. Data Protection Principles (cont'd)
- Goal
  - Harmonize members' laws and provide a high level of protection to accommodate the increased cross-border data flow.
- Member state laws reflect a high level of protection of personal data.
- Transborder data flow from the EEA (E.U. and Norway, Liechtenstein, and Iceland) is problematic.
8. E.U. Data Protection Principles (cont'd)
- Articles 25 and 26 of Directive 95/46/EC prescribe the conditions under which personal data may be transferred to third countries.
- Article 25(1) requires an E.U. Commission finding that the level of data protection in the third countries is adequate.
  - Argentina
  - Canada
  - Guernsey
  - Isle of Man
  - Switzerland
  - U.S. (Safe Harbor participant)
  - U.S. (Air Passenger name record)
9. Safe Harbor (www.export.gov/safeharbor/)
- Became effective October 1998 after lengthy and sometimes ambiguous negotiations between the E.U. and DOC.
- U.S. entities register with DOC.
- U.S. entities establish a privacy policy and Safe Harbor procedure similar to but not precisely the same as the E.U. principles.
  - Notice of purpose of collection
  - Choice of disclosure to third parties
  - Onward transfer limitation
  - Reasonable security precautions
  - Data integrity
  - Access
  - Recourse mechanisms
10. Safe Harbor (www.export.gov/safeharbor/) (cont'd)
- Advantages
  - All E.U. members must allow transfer pursuant to Safe Harbor.
  - With limited exceptions, interpretation is based on U.S. law.
  - Certain exceptions, such as the U.S.-oriented journalistic exceptions, apply.
  - Self-assessment or verification of compliance is available.
  - FTC enforcement only after self-regulation.
  - Extremely simple to join.
- Limitations
  - Applies to organizations subject to the FTC or air carriers subject to DOT.
  - Only legitimizes transfer; any required consent to collect must still be obtained.
11. Alternatives (Derogations)
- Article 26 provides alternatives.
- 26(1) Transfer can occur with the unambiguous consent of the data subject, to fulfill a contract or when it is necessary for other important public policies.
- Working Party 29 (WP 114, 25 November 2005) and a number of data protection authorities question whether consent can be unambiguous, particularly in an employee/employer setting or when there is a long-term framework for repeated transfer of data.
- 26(2) Authorized transfer if adequate protection is provided through contractual provision.
  - Ad hoc
  - Standard clauses
12. Alternatives (Derogations) (cont'd)
- Two Commission Decisions adopted standardized clauses.
  - Decision 2001/497/EC applies to transfer from a data controller in the EC to a data controller in third countries.
  - Decision 2002/16/EC applies to transfer from a data controller in the EC to data processors in third countries.
- Original Standard Clauses.
  - Incorporate principles similar to the Privacy Directive.
  - Specify the relevant E.U. member's laws as governing.
- Ad hoc contracts require approval of the relevant data protection authority.
13. Alternatives (Derogations) (cont'd)
- Almost as soon as the standard clauses were adopted, the Commission realized that they were not going to work.
- Decision C (2004) 5271 was adopted.
  - The alternative is a slightly less onerous provision.
  - Effective April 1, 2005.
14. Alternatives (Derogations) (cont'd)
- Binding Corporate Rules.
  - A number of business organizations lobbied for adoption of approval to transfer on the basis of Binding Corporate Rules (internal).
  - Article 29 Working Party adopted Initial Binding Rules in 2003 and a checklist for such rules of 14 April 2005.
  - Approval of the binding corporate rules by a member state's data protection authority is required.
  - Member states do not have to approve Binding Corporate Rules.
15. Alternatives (Derogations) (cont'd)
- Master Agreement
  - Business groups like the International Chamber of Commerce continued to lobby for simplification and expedition.
  - Commission Staff Document SEC (2006) 95 discussed this option, but the discussion contained some of the caveats that appeared in the early discussion of Binding Corporate Rules.
16. Anomaly
- Staff Document SEC (2006) 95 tallied contractual clauses or Binding Corporate Rules notified to the Commission.
  - 14 ad hoc contractual clauses or Binding Corporate Rules have been notified to the Commission.
  - 64 standard contractual clauses have been notified.
  - Mostly H.R. to U.S.
  - These agreements do not have to be notified.
- Safe Harbor
  - 884 organizations on the Safe Harbor List (24 Feb 2006).
  - Some small percentage are not current.
17. Conclusion
- Elaborate formal proceedings are not being implemented to comply with the limits on transmission.
- Consent (26.1) or standard contractual (26.2) clauses may be used to justify transfer.
- A number of entities that transfer data from the E.U. may simply be ignoring the issue.