Report Highlights
Impact of the EU Data Protection Directive on Transborder Data Flows, Christopher Millard. Page 47 The EU Data Protection Directive is likely to have a substantial impact on international businesses. Local data protection regimes will be undermined if there are no restrictions on the transfer of personal data to other jurisdictions for processing, storage or use. Almost all non-EU countries have no data protection legislation and must therefore be expected to be in the EU’s ‘inadequate’ category. Even in cases where consents or specific contractual arrangements are an option, it may take a considerable time and significant expense to obtain such consents or introduce revised contracts. Those who leave international data protection compliance to the last minute do so at their peril.
A Commercial View of the OECD Recommendation on Cryptography Policy, Chris Sundt. Page 50 Industry is becoming increasingly dependent on the Global Information Infrastructure for electronic commerce. Users and customers need to trust that infrastructure - and cryptography is a technology that can help build that trust. Unfortunately cryptography is controlled by governments, and this can inhibit its effective use internationally, undermining that trust.
The OECD has developed Guidelines on Cryptography Policy that provide a framework within which national policies should be defined - creating a consistent environment for international trade. This paper briefly describes why there is a problem that affects business, outlines what governments are currently doing, and summarizes the intent of the OECD Guidelines.
Stop That E-Mail! You are Probably Breaking the Law!, Bill Hancock. Page 58 Because of the international nature of many networks, the opportunity to export technical data which is legally restricted for export from the US is highly probable. This article provides some background on relevant legal issues and other related US regulations that customers must adhere to when exporting any technical data outside the US - or face criminal and civil charges. These controls apply to computer technologies and information about such technologies, as well as other technical ‘data’ issues including biotechnology. In a now famous incident, a computer vendor in 1991 was fined over $8 million for disclosing restricted processor technology to countries not on the ‘V’ list at the Department of Commerce. Copying of certain algorithms (not necessarily cryptographic algorithms; that is another issue) for software or scientific ‘endeavours’ could result in violation of applicable software export laws or national security export laws.
Information Security Technical Report, Vol. 2, No. 1 (1997) 47-49
Impact of the EU Data Protection Directive on Transborder Data Flows
By Christopher Millard, Partner, Media, Computer and Communications Group, Clifford Chance, London
This article presents the thesis that the EU Data Protection Directive is likely to have a substantial impact on international businesses. In particular, the transborder data flow rules in the Directive are examined and are found to be incompatible with distributed network environments in general and the Internet in particular.
0167-4048/97/$17.00 © 1997, Elsevier Science Ltd
National laws and international initiatives
More than 30 jurisdictions have legislation regulating the collection, processing and use of personal data by private sector organizations. While each local law is directed mainly at data processing activities within the relevant jurisdiction, the transfer of personal data outside that jurisdiction is usually subject to controls. The conventional argument for such export controls is that local data protection regimes will be undermined if there are no restrictions on the transfer of personal data to other jurisdictions for processing, storage or use. Just as money may gravitate towards tax havens, so personal data may end up in jurisdictions with the most lax, or more likely, no data protection standards. To extend the tax analogy, there may be nothing to stop organizations devising ‘data protection avoidance’ schemes to enable them to process sensitive personal data in ‘data havens’. The 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data, on which the UK’s 1984 Data Protection Act and most other European statutes are based, allows for restrictions to be imposed on the direct or indirect transfer of personal data to non-signatory states. The 1995 EU Directive “on the protection of individuals with regard to the processing of personal data, and on the free movement of such data” goes further and prohibits, subject to certain limited exceptions, the transfer of personal data to non-EU countries which lack ‘adequate’ data protection standards. Almost all countries have no data protection legislation and must, therefore, be expected to appear on the ‘inadequate’ list.
The most important of the ‘limited exceptions’ referred to in the previous paragraph are where the individual’s unambiguous consent to the transfer has been obtained, or where the transfer is made pursuant to a contract between the transferring party and the individual whose data are to be transferred. Many routine data transfers fall outside these exemptions and, in future, would only be permissible with the authorization of the relevant national data protection regulator(s). Even in cases where consents or specific contractual arrangements are an option, it may take considerable time and expense to obtain such consents or introduce revised contracts. All EU Member States must implement the main operative provisions of the Directive by October 1998.
What happens in practice
The territorial rules in the Directive seem at odds with established commercial and technical practices. It has long been the case that, in many organizations, data processing is distributed via wide-area networks over hundreds or thousands of machines located in many countries. The current enthusiasm for building global enterprise-wide ‘intranets’ will only serve to reinforce this type of distributed processing model. Moreover, as organizations increasingly share data with each other, corporate and geographical boundaries are becoming progressively more blurred.
Enormous volumes of personal data are transferred daily via, for example, financial and travel networks. Traditionally, parties to such transfers have had some kind of contractual relationship with each other. Obvious examples are banks which are members of SWIFT, and airlines which use a particular reservation system. Increasingly, however, data are shared across borders via ‘open’ systems and networks of networks, the most striking example being the Internet.
Current UK controls on personal data exports
The current UK data protection regime, though rather bureaucratic in terms of registration obligations, deals with data exports in a pragmatic fashion. Subject to limited exceptions, all ‘data users’ must apply to register with the Data Protection Registrar stating, among other things, the country or countries to which personal data may be transferred. Registered data users must then comply with eight Data Protection Principles which, in essence, are broad statements of good practice in relation to the processing of personal data. Provided a particular proposed international data transfer is to a country which has been specified in an appropriate register entry, no further procedural step need be taken before data are transferred to that place.
As in so many areas of law at the moment, the Internet raises interesting issues. Given the unpredictability of Internet traffic routings, all UK data users which send personal data via the Internet (including simple Internet E-mail messages), should register for worldwide transfers of data. In practice, however, UK-based organizations currently face very few obstacles to transferring data on a global basis. Indeed, though the Registrar has the power to issue a ‘Transfer Prohibition Notice’, so far only one such notice has been served.
Approaches taken elsewhere in Europe
The current UK approach is in marked contrast to that in some other European jurisdictions. Spain is particularly noteworthy as its data protection legislation is closely modelled on the Directive. Data users must report actual transfers of data and obtain prior consent if the transfer is to a legal third party. In addition, if a transfer is to be made to a country whose laws do not provide for a comparable level of protection to that of Spanish law, a specific authorization from the Director of the Data Protection Agency must be sought. It can take several months to obtain a specific authorization.
A recent case in Germany is indicative of the type of data export control environment which may become common in the EU once national laws have been brought into line with the Directive. In 1995 the Berlin Data Protection Commissioner objected to a co-branding agreement between German Railway and the German subsidiary of Citibank whereby holders of the German Railwaycard were offered combined Railway/VISA cards. All data processing was to be conducted in the US. Even though the EU Directive had not, and still has not, been implemented in Germany, the Berlin regulator applied the Directive’s transborder data flow rules. Under the guidance of the Berlin regulator, in 1996 Citibank and German Railway entered into contractual arrangements whereby they apply German law to their handling of cardholder data on both sides of the Atlantic. Citibank has accepted very tough marketing restrictions, and has agreed that the Berlin Data Protection Commissioner can conduct on-site audits in the US. Moreover, the main ‘Agreement on Interterritorial Data Protection’ is a contract for the benefit of a third party, i.e. each German cardholder.
At a recent International Data Protection and Privacy Commissioners’ conference in Ottawa, the Berlin regulator was congratulated by other European data protection regulators on its proactive approach.
It will be some years before the full impact of the EU directive becomes clear. Regulatory practices already adopted in Spain and Germany, however, are indicative of the substantial impact which the new transborder data flow rules may have on international transactions.
Conclusion: the EU Directive is incompatible with current networking practices
For many businesses which operate globally, particularly those which deal with large numbers of customers, the task of bringing their contractual arrangements into line with the Directive will be difficult and costly. As with the ‘millennium bug’, which threatens technical chaos when the year 2000 dawns, those who leave international data protection compliance to the last minute do so at their peril.
The transborder data flow regime envisaged by the Directive might have been practicable in the very early days of computing when few organizations had access to computers and international data transfers were rare. Today, most organizations have computers which, in power and processing capacity, dwarf the largest mainframe machines of even 20 years ago. Moreover, powerful networking and communications facilities are now commonplace. Anyone with Internet access can transfer a vast amount of data to almost any country of the world at almost negligible cost. Even pocket computers can store substantial amounts of personal data which can readily be transferred across borders via a phone line or cellular connection. Internet E-mail alone makes a nonsense of national data export rules of the type required by the EU directive. Consider, for example, the contrast between the ease with which an E-mail message may be sent to multiple addressees around the globe by a computer user and the cumbersome process which would have to be followed before all of the EU Member States could be persuaded to approve such a transfer.
© Clifford Chance, 1997. All rights reserved.
E-mail: [email protected] Web: http://www.cliffordchance.com