Trans Border Data Flow

Building upon the events that heralded the globalization of the information boom since the mid 20th century, there has been increased concerns and aspirations, furthering hopes for the protection of privacy related rights on the platform of the need to formulate regulations to oversee trans-border data flow in line with the EU Data Protection Directive which imposes export restrictions by prohibiting the transfer of personal data to countries which do not have requisite privacy laws that are in conformity with the standard set out in the directive [1] . The problem emanating from this trend has been partly fuelled by economic, cultural, political and legal sentiments and suspicion.

In assessing the EU Data Protection Directive with specific reference to Articles 2, 6, 7, 25 and 26, issues bothering thereto will form further discussions on the theme of whether or not the EU Data Protection Directive overrules itself by virtue of Article 26 of the Directive.

Further emphasis in this essay will traverse the fears and opinions on the effect of the EU Data Protection Directive in relation to the US “Safe Habor Agreement” and the implications for Data Havens

Given the complexity of trans-border data flow, henceforth to be known as “TBDF”, the fact of “safe countries” will be considered with a view to proffering insightful recommendations on the general focus area of the core of TBDF.

1.1 Defining Trans-border Data Flow on the premise of Personal Information.

The European Union Directive on the Protection of Personal Data became effective October 1998. It is comprised of a general framework of data protection standards for the processing of personal data which is at the core for consideration and is given interpretation in Article 2 of the EU Data Protection Directive as:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified directly or indirectly… [2] ”

The application of the directive covers the processing of personal data wholly or partly by automatic means. Furthermore, by virtue of Article 7 of the EU Data Protection Directive which relates to the issue of TBDF, recourse must be made to the underlying premise that personal data may be processed only if:

“the data subject has given his consent unambiguously; where processing is required for the performance of a contract to which the data subject is party; in compliance with a legal obligation to which the controller is subject; to protect vital interest of the data subject; a task carried out in public interest or in the exercise of official authority and for legitimate interests by the controller or third parties” [3] .

Instructively, the coinage of the phrase “TBDF” took root in the 1980’s due to the influx of the deepening awareness of the information/data transfer boom between corporations/companies situated in different parts of the world.

Therefore, TBDF can be seen as including the transfer of data containing personal or sensitive information [4] across political boundaries,…a process which can cause great legal conflicts, such as who owns a particular piece of information and who may use it [5] .

2.0 Concerns for TBDF Under Article 25.

In line with entrenching the ideal purpose of the EU Directive to the extent of protecting the data emanating from the EU, the directive postulates that transfer from an EU country can only take place where a third country “ensures an adequate level of protection”.

2.1 EU Data Adequacy Requirements.

In the craft of Article 25(1) of the EU Directive, the outstanding principle of “Adequate Level of Protection of Data” comes to mind. Member states, as a minimum requirement, are encouraged to provide that the transfer to a third country of personal data [6] , satisfies the requirement of a reciprocal level of adequacy obtainable in the EU, although, without prejudice to compliance with the national provisions adopted pursuant to other provisions of the Directive.

The import of Article 25 (1) has the capacity to stifle economic relations between EU countries and other development partners outside the EU. This occurrence will be inevitable in the event that privacy protection given by non-EU partners for data emanating from the EU is deemed inadequate.

Consequent upon the above, the EU directive has further highlighted some assessment parameters having stated that:

“The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country” [7] .

A piercing look at the combined assessment of Article 25 narrows down to the duty of providing protection to the rights of data subjects in the EU, as against the possibility of data misuse in third countries by virtue of improper use where it is shown that there is inadequate protection mechanism for the processing of EU sourced data.

As much as the EU by virtue of the Directive has given EU countries the discretion to share information about countries which they feel are not upholding the EU approved standards, it leaves much to be desired because such discretion may provide the leeway for the influence of political interplay among countries, thereby encouraging trade-offs between countries who wield superior power as against third countries with minimal influence.

The above activity in my view may create a scenario wherein third countries may begin to re-order their jurisprudence to fall in line with the EU directive. A situation where this is not possible may create several inconsistencies, thereby opening pathways for the thriving activities in data havens.

2.2 Adequacy and not Equivalency Requirement.

Before an x-ray of the adequacy test in Article 26 will be examined, it must be noted that the letters of the Directive clearly states “ADEQUACY” and not “EQUIVALENCY”. This concern was noted in a letter sent by Michelle O’Neill Deputy Assistant Secretary for Information Technology Industries to the European Commission wherein she noted that:

“ the Commission and Member States should guide implementation efforts in Europe with the understanding, set forth in these Articles, that “adequacy”, not “equivalency”, is required of those nations and organizations seeking to import personal data from the EU” [8] .

The EU was further urged to refrain from imposing compliance standards beyond those already articulated in the Directive [9] .

The rationale behind the above position stems from the fact that further EU laws may raise the bar beyond the adequacy requirement thereby falling short of the EU Directive which may create inconsistencies in conformity with the directive. EU countries in trying to adhere to the directive must not vary specifics with a view to altering the directive.

In order to set the aim of Article 25 in proper perspective and building upon the above stated position, the Confederation of British Industry have stated that:

“It is not necessary, therefore, for the arrangements in a third country to replicate the Directive’s requirements: the assessment of whether there is an adequate level of protection will depend on the facts of the case including, for example, the relationship between the data exporter and importer” [10] . This position is supported by Article 25(2) of the EU Data Protection Directive.

Further question arising include: What is the benchmark for measuring adequacy? Is there a consensus among independent EU states as to the harmonization of what amounts to adequacy? Can adequacy be subject to varying standards applied by individual EU States? The above questions stem from the fact that the EU Directive only provides minimum standards which has left a level of higher discretion to independent EU States in formulating their own data protection laws.

2.3 Finding adequacy.

Article 25(6) gives the commission the power to find whether a third country has ensured an adequate level of protection with the aim of protecting the private lives and basic freedoms and rights of individuals.

The import of Article 25(6) is that data can flow from the 25 EU member states and three EEA member countries to that third country without any further safeguard being necessary [11] against the backdrop that the commission has so far recognized Argentina, Canada, Switzerland, United States- Transfer of Air Passenger Name Record(PNR) Data, United States- Safe Habor, Guernsey, Isle of man and Jersey [12] . The stated countries have been deemed safe countries by the European commission for the purpose of data flow.

Article 25 has placed a burden of necessity member states of the EU to take measures necessary to comply with the commission’s decision. This is consequent upon the commission finding that a third country ensures an adequate level of protection or any ancillary decision the commission may reach for which member states are expected to adhere to bearing in mind that the European commission finds that a non-EU State has an adequate level of protection due to domestic laws and international commitments.

This is in a bid to foster the harmonization objective of the EU so as to avoid inconsistencies relating to compliance with the commissions decisions of which member states are expected to uphold.

The above position further provides direction in considering the circumstances wherein a third country does not ensure an adequate level of protection [13] , but a transfer is still allowed by virtue of the derogations listed in Article 26 of the EU Data Protection Directive.

2.3.1 X-ray of The Adequacy Test in Article 26.

Having highlighted the rules of adequacy in Article 25, inroads into adequacy rule has been targeted and influenced by Article 26 by virtue of the lump of derogations and adequacy options that have varied the rather transfixed provisions of Article 25.

2.4. Derogations Enunciated in Article 26(1) and (2)

The EU Directive includes a number of specific derogations articulated in Article 26, which if satisfied, exempt a transfer of personal data from the data export restriction [14] .

The derogations include:

Circumstances when the data subject [15] has given unambiguous consent;

When the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request;

When the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;

When the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;

When the transfer is necessary in order to protect the vital interests of the data subject [16]

When there are appropriate contractual provisions in place under which the data controller has ensured adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals [17]

Based on confirmed patterns/derogations stated in Article 26, an individual examination of the independent derogations therein is worthy of elaboration.

The above is to the end of facilitating trans-border data transfers legally within the EU Directive approved benchmark. It includes:

2.4. 1 Consent of the Data Subject: Article 26 (1) (a) of the Directive.

The import of Article 26(1) posits that personal data may be transferred to third countries or countries outside the EEA where there is evidence that the data subject has given his unambiguous consent to the transfer of his personal data.

The Directive in reference to non-sensitive data reflects the truth that data may be processed legitimately where the data subject has unambiguously given his consent [18] , but in the event of sensitive personal data the requirement is explicit consent of the data subject [19]

Consent as a concept is subject of multi-dimensional approaches. Based on online or e-transfers of personal data to third countries, there must be obligations placed on data controllers due to the fact that data subjects awareness of such transfers may be limited. An avenue therefore has to be created for the data subject to be intimated about the transfer of their data cross-border. Article 29 opinion instills some obligations on search engine providers, as :

“Search engines must provide a basic description of the use of personal information when collected…

They must inform users of the organisations identity and location. Non-EEA based search engine providers should inform users about the conditions in which they must comply with the Data Protection Directive, whether by establishment or by the use of equipment.

They must inform users about software, such as cookies, and how these can be refused or deleted [20] “.

Thus, the Article 29 Working Party recommends that consent mechanisms must be devised to provide consent without users having to identify themselves ahead of time, thus enabling authenticated and non-authenticated users to explicitly consent to data collection [21]

The above represents the future of anonymising the identity of data subjects which in my opinion may reduce the burden placed on data controllers thereby reducing the weight placed the requirement of consent. The validity of this view is clouded in distancing the data transferred from the data subject.

Furthermore, Article 29 working party paper issued on Article 26 derogations (WP 114) which states that consent must be a clear and unambiguous indication of wishes, given freely, specific and informed [22] . In understanding the implications of “consent”, the WP 114 noted the inability to have a unified interpretation of consent among the EU states to the end of preventing the provisions from being uniformly applied [23] .

The construction of Article 26(1) by Article 29 WP portends that the protection of data subjects may be circumvented in third country transfers due to the expansion of international trade and apparent lack of consistency in the EU directive provision on transfer of personal data cross-border.

To limit the indiscreet use of Article 26(1) to the advantage of Data controllers, the WP 12 indicated that the interpretation of Article 26(1) must be strict [24] and be applied in sync with other provisions of the directive.

2. 4. 2 Further derogations pursuant to Article 26(1)

The derogations under Article 26(1) (b), (c) & (e) places the data subject at the centre of the independent interplay with the data controller on the one hand and the data controller acting with a third party on behalf of the data subject, on the other hand.

The interest of the data subject places an obligation on the data controller to act in accordance with the directive in dealing with data emanating from the EU. This should be strictly applied as it relates to data transfer/processing obligations between the data controller and third parties where the rights of the data subject might be affected.

It has been opined that data controllers seldom indicate their interest in harnessing this derogation for data transfers relating to their employees payment but the working party has sternly noted that the derogation cannot apply as the necessary link between the interest of the data subject and the purpose of the contract [25] is not deep-rooted.

2. 4. 3 Enhancing adequate Protection Through “ Standard Contractual Clauses”.

The definition of Adequate level of Protection in the derogations of Article 26 is left out in the Directive but Article 25(2) with reliance on Article 29 WP of the Directive, gives insight as to interpreting and monitoring the extent of the application of Article 26.

Under Article 26(2) of the Directive, transfers of data to third countries with inadequate level of protection, may be authorized, “where the controller adduces adequate safeguards …”and it’s highlighted that such safeguards may have evolved through appropriate contractual clauses [26] , standard in its form but are essential for maintaining the necessary [27] data transfer between the EEA and third countries based on Article 26(4) of the Directive.

It is worthy of note that the model clauses conceptualized by the European Commission dwelt on a set of model contract clauses for controller-to-controller transfers on June 15, 2001, and a set of model clauses for controller-to-processor transfers which was also approved by the Commission on December 27, 2004 [28] which was inspired by the repeated agitations by business associations.

My view, influenced by works on the subject matter is that standard contractual clauses which relate to data protection provide relative ease for companies to transfer personal data to third countries.

2. 4. 4 Inroads into Standard Contractual Clauses.

The applicability of standard contractual clause is influenced by the parties discretion and freedom to include clauses in so far as the additional clauses are not prejudicial either directly or indirectly to the commission’s approved clauses bearing in mind the sacrosanct submission to the fundamental rights and freedom of the data subject.

Furthermore, a data controller under Article 26(2); when he assures sufficient guarantees as a result of appropriate contractual clauses, is allowed to create his own contract based solution for providing adequacy, since no letters of the directive implies that any standard contractual clauses adopted by the Commission are the only appropriate contractual clauses for adducing sufficient guarantee [29] . This is on the backdrop of the contractual clauses being in synchrony with the EU Directive approved standard contractual clauses. Some further clauses which may suffice include clauses on mutual assistance in cases of disputes with a data subject or a supervisory authority [30] and further pertinent clauses as the peculiar circumstance demands.

As much as Standard Contractual Clauses are pivotal in entrenching the flow of personal data thereby reducing burdens for companies and controllers, it places an obligation on the data controller and data processors not to go beyond the intended use for the data in their possession as a breach of this when it can be proven, may give data subjects a ground for exerting their rights for. It is on this note that the duties of supervisory authorities under Article 28, should come to bear in ensuring that personal data is adequately protected [31] during and after the transfer.

2. 4. 5 Regulating Compliance based on Standard Contractual Clauses.

In order to instill compliance with TBDF rules by data controllers, Article 28 creates “supervisory authorities” who have been saddled the responsibility monitoring the application within its (independent EU States) territory of the provisions adopted by the Member States [32] pursuant to the Directive. Supervisory authorities are also mandated to act with complete independence [33] in carrying out duties expected of them by independent member states and pursuant to the directive.

Also, where situations permit, supervisory authorities of the Member States should:

“ retain the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the guarantees providing adequate protection to the data subject” [34] .

Furthermore, investigative powers, powers of intervention and powers to engage in legal proceedings by the Supervisory authorities [35] can be harnessed by data subjects so as to create stability in the inter-relationship of rights accruing to all parties involved in a TBDF.

To support the use of standard contractual clauses, the EU Directive by virtue of Article 26 has further enabled the use of “Binding Corporate Rules” to aid the transfer of data cross-border for use by multinational organizations.

2. 4. 6 Binding Corporate Rules as Data Transfer mechanism.

“Binding Corporate Rules” can be defined as:

“a set of rules adopted within a particular company or corporate group that provide legally-binding protections for data processing within the company or group “ [36] engaged in the process of carrying our international data transfers in multinational organizations.

Premised on the interpretation of Article 26, binding corporate rules involve a mechanism used in influencing world-wide transfer of personal data to multinational groups in countries without sufficient data protection legislation [37] .

2. 4. 6.(a) Approval Process of BCR’s.

Before a transfer of data, binding corporate rules must be approved by every European data protection authority in whose jurisdiction a member of the multinational/corporate group will rely on them [38] . The process continues with the data protection supervisory authority in the particular EU state liaising with other relevant authorities where the data is to flow through to the end of seeking approval [39] ,

As a general rule, each EU country’s government – through its Data Protection Authority (DPA) – must approve BCRs before they can become a valid mechanism for data transfers to such country [40] . This ensures that compliance with national law of specific EU states is a condition sine qua non for any authorization to be granted [41] .

The BCR’s as a means of transfer of data cross-border is only of use within a specified multinational organization. Its use will not extend to transfers outside the corporate confines of company A to company B even though each independent company has its own approved binding corporate rules. This presumptive limitation of the binding corporate rules is salvaged by the opportunity created by the use of “standard contractual clauses”.

The restriction in BCR’s has made its popularity among multinationals to dwindle as only very few multinationals have been able to key into the potential for trans-border transfer of data.

Finally, BCRs should incorporate the necessary elements identified in documents WP 74 [42] and WP 108 [43] .

2. 4. 7 Off-shoot of the EU Directive: The Safe Harbor Principles.

Based on the US lack of adherence to the European privacy requirements, with the consequence of disrupting international trade between these giant trading blocs [44] , the European Union and the United States after series of negotiations finally reached an agreement in March 2000, known as “Safe Harbor Principles” which finally got the nod of the European Commission as satisfying the adequacy requirement of the Privacy Directive [45] .

Realistically, the hype and proposed impact of the Safe Harbor Rules has not reflected in the amount of companies that have subscribed to the rules as only private firms are covered by the rules. However, subscribed firms are bound by the principles and penalties exist for non-compliance which may be imposed by the US Department of Commerce [46] . Based on individual count as at 1st January 2010, “two thousand and ninety-five” companies have so far subscribed to the safe harbor principles.

Organizations expecting to take advantage of the safe harbor must adhere to the principles of Notice, Choice, Onward Transfer, Access, Security, Data Integrity and Enforcement. Armed with the above, TDBF is enhanced to align with the minimum benchmark for the adequacy required by the EU Directive on Data Protection.

2. 4. 8 EU Data Directive and PNR Transfers: Re-living Adequacy.

Passenger Name Record resulted from the agreement between the EU and USA consequent on the terrorist attack on US, in July 2007, a further PNR agreement between the US and the EU was undersigned [47] . The ingredients of the PNR involve the handing over of passenger name records (PNR) in transatlantic flights originating in the European Union to US Department of Homeland Security (DHS) Bureau of Customs and Border Protection.

With the above relationship between the EU and US, data protection challenges exist that compromise the rights and jeopardize the privileges that the EU Data Protection Directive has provided for data subjects in relation to cross-border transfers. This lack of trust in the capability of the US to ensure strict privacy measures regarding the protection of personal data, has heightened the urge of the EU to give a pass mark of adequacy in order to permit transfers of PNR data to the US [48] .

Based on Article 26 derogations and the overriding requirement of adequacy in Article 25 of the EU Directive, the protection of data subjects as the executors of policy relating to PNR must endeavour to uphold the rules and give adequate protection to data moving cross-border.

3. 0. CONCLUSION.

The 21st century international business is without borders due to the revolution in worldwide communication. The need to instill safeguards led to the enactment of the EU Directive on Data Protection which founded the requirement of adequate protection of personal and