Morrison | Foerster
Codes of Conduct: The Solution for International Data Transfers?
July 2003
by Miriam Wugmeister, Karin Retzer, Cynthia Rich

In its long-awaited Report on the implementation of the Data Protection Directive 95/46/EC,[fn1] which was published on May 15, 2003, the European Commission recognises the enormous difficulties that companies are facing when transferring data on a global basis. E.U. Member States' laws governing cross-border transfer are complex, burdensome, and often contradictory. Compliance with these regulations can be a Herculean task, involving considerable time and expense.

Rather than being forced to satisfy diverging rules for transferring data on a country-by-country basis, more and more companies are pushing for the development of global codes of conduct that would govern their global data processing practices and at the same time facilitate all their international data transfers. In the Report, the European Commission, too, is now encouraging industry and Member States to experiment more widely with a code of conduct approach to cross-border data transfers.

Rules on Cross-Border Data Transfers

The Directive[fn2] restricts cross-border transfers to third countries that have been found to ensure an "adequate" level of protection (Article 25). To date, the European Commission has deemed adequate the laws of Canada, Hungary, and Switzerland, as well as the U.S. safe harbor principles. An adequacy finding with respect to the Argentine data protection legislation is under way. While the Commission continues to assess laws in other countries, it has made clear in various public statements that it does not have the resources to issue "adequacy decisions" more frequently.

For those countries that are not covered by an "adequacy decision", data transfers can only take place if one of several conditions is met (Article 26 of the Directive):

  • the individual to whom the data relate (the data subject) has provided unambiguous consent to the transfer;
  • a contract with the organisation receiving the data has been established;
  • the transfer is necessary for the performance of a contract between the data subject and the organisation exporting the data;
  • the transfer is necessary for the performance of a contract concluded in the interest of the data subject;
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject; or
  • the transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest.

Despite the fact that the Directive provides a means for transferring data to non-adequate countries, the divergent implementations of the Directive among Member States make it virtually impossible for companies to select a single safeguard to protect the data as they transfer data out of the European Union. For example, the transfer of personal data based on consent of the data subject may be restricted to non-employee data situations in many Member States.[fn3] In addition, the "necessary to complete the contract between the controller and data subject" basis for transfers has been interpreted narrowly in some Member States, which limits its usability.[fn4] The end result is that companies must analyse and satisfy fifteen different standards for transferring data, thus defeating the harmonising intent of the Directive.[fn5] The European Commission acknowledged this difficulty in its Report, and stated: "More work is needed on the simplification of the conditions for international transfers."

The Directive's rules on cross-border data transfers have heavily influenced the development of other countries' rules in this area. Argentina, Brazil, and Mexico in Latin America and Australia, Malaysia, South Korea, Taiwan, and Thailand in the Asia-Pacific Rim have either adopted or are considering adopting legislation that would impose varying degrees of restrictions on cross-border transfers. In addition, E.U.-style cross-border restrictions have been or will be implemented in the near future by all of the New Member States, i.e., Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia, Slovenia (anticipated population of 75 million).

Codes of Conduct: An Alternative Approach

Given the growing number of cross-border data transfers, the idea of relying on global rules for all cross-border data transfers is attractive. The code of conduct concept is a simple one. Related companies doing business in multiple E.U. Member States would apply just one set of rules to govern their data transfers from within the European Union to outside the E.U., rather than 15 different rules that comply with the specific requirements of each of the 15 Member States. Companies could also draft these codes so that they comply with the privacy rules in non-E.U. countries.

What the Directive Says about Codes of Conduct

The Directive clearly provides for the use of codes of conduct. To contribute to the proper implementation of the Directive at the national level, Article 27 of the Directive directs the Member States and the Commission to encourage the development of codes of conduct. Member States are required to facilitate the approval procedure of draft codes and amendments or extensions to existing codes prepared by trade associations and other bodies. Organisations representing certain industry sectors, and established in multiple Member States, may submit draft Community codes, and amendments or extensions to existing Community codes, to the Article 29 Working Party to determine whether the drafts comply with the Directive.

The extent to which companies can use codes of conduct as a means to transfer data globally within their organisations is unclear, however. Codes of conduct are not expressly mentioned in the sections of the Directive that address data transfers to third countries (Articles 25 and 26). Article 26, as explained above, establishes the safeguards that must be in place for a Member State to authorise transfers to third countries that do not provide an adequate level of protection. Member States are authorised to approve such transfers, provided the appropriate legal bases have been satisfied, and if the organisation provides evidence that it has adequate safeguards in place to protect the data. Contractual clauses are cited as an example ("in particular") of such safeguards and traditionally have been the most common way of providing the required "adequate protection", but the wording of Article 26(2) suggests that such safeguards may equally be provided by other means, i.e., codes. Unfortunately, Article 26(4) is silent about whether the Commission has the right to approve "standard codes of conduct" similar to the right of the Commission to approve standard contractual clauses.

Growing Support for Codes of Conduct

The Commission and some Member States support the idea of codes of conduct as a means to facilitate data transfers. During his closing remarks at the 2002 data protection conference,[fn6] Commissioner Bolkestein acknowledged that the promotion of self-regulatory approaches and in particular codes of conduct can contribute to the free movement of personal data and that the idea that approval by one data protection authority should in principle work in all Member States needs to be pursued. Some data protection authorities believe that self-regulatory codes of conduct could serve as a simple and effective means to achieve adequacy. Moreover, in the case of Germany, section 4(c) of the German Data Protection Act expressly provides for the possibility to legitimise international data transfers via binding company rules.

The primary obstacle to using codes of conduct is that there is no streamlined mechanism for approving enterprise-wide codes. During the 2002 conference, the Commission was urged by some in industry to ensure that any proposal it makes to revise the Directive includes a proposal that expressly allows the Commission to approve such enterprise-wide codes of conduct in a streamlined manner. Such a proposal should also allow individual Member States to approve codes of conduct under their own law and for those codes then to receive mutual recognition throughout the E.U. Member States. Mutual recognition of codes would eliminate the need for some adequacy rulings and help alleviate the European Union's already over-taxed system for issuing adequacy decisions. Alternatively, Member State authorities could institute co-operation mechanisms to facilitate the needs of multinational companies with establishments in several jurisdictions.

Experimenting with Codes of Conduct

To date, the Dutch Data Protection Authority ("DPA") has approved fifteen codes of conduct, mainly in the financial services, pharmaceutical, and direct marketing services sectors, that can be used to satisfy national requirements for the processing of personal data. These codes are used to promote compliance with sector-specific data protection requirements. To our knowledge, these rules have not been used for the purpose of satisfying requirements imposed on transfers to non-adequate third countries.

Discussions about the use of corporate codes of conduct specifically for cross-border data transfers are underway, however. The Dutch DPA is discussing with Royal Dutch/Shell Group of Companies the use of a corporate code of conduct to facilitate the transfer of human resources data from Shell's headquarters in the Netherlands to its 2,200 subsidiaries in 140 countries. The project would involve approval of the Shell code, and co-operation between the authorities in the Netherlands and the United Kingdom.

DaimlerChrysler has obtained approval from the German authorities for its Code of Conduct for Human Resources. The authorities have found that the conditions stipulated in the codes under which personal data can be transmitted between countries provide sufficient protection throughout the group and therefore allow transfers of data outside of the European Union without additional safeguards.

The hope of these DPAs is that once the process starts, other DPAs might follow. There also have been discussions with these DPAs about the possibility of mutual recognition of codes that are compliant with the laws of the country in which the data controller has a "centre of activities". Acceptance of this concept is not expected in the short term, however. The more likely approach will be to experiment with co-operation mechanisms between a limited number of DPAs.

Article 29 WP - Lack of Consensus on Codes

During the April meeting of the Article 29 Working Party, codes of conduct were discussed but no agreement was reached on E.U.-wide codes of conduct. (Only 11 Member States refer expressly to codes of conduct in their national laws implementing the Directive, and approaches to codes differ from Member State to Member State.) Some members of the Article 29 Working Party appear either opposed or at best lukewarm to the idea of using codes of conduct. Further discussion is likely to remain on hold until these differences of opinion are resolved.

Although some representatives in the DPAs and the Commission believe that Article 26 of the Directive allows single sets of rules to serve as a legal basis for international transfers, the Commission is not expected to push right away for E.U.-wide codes. Lack of Member State political will and the lack of consensus within the Article 29 Working Party are to blame. It appears that the Article 29 Working Party will continue the discussion, and a working document that outlines its initial views on codes of conduct or binding corporate rules is expected to be published soon. Companies should take this opportunity to voice support for codes and identify potential problems and solutions.

Conclusion

While the development of a code of conduct approach to data protection and cross-border transfers will not happen overnight, a code of conduct approach holds promise for global companies looking to simplify and facilitate their cross-border transfers. Experimentation with codes at the Member State level is likely to continue for some time, though, before action on an E.U.-wide basis is taken. Companies interested in exploring and promoting the use of codes should take the opportunity to voice their support for codes of conduct and identify potential problems and solutions directly to the Member State data protection authorities and government policy makers, the Commission, and the Article 29 Working Party. When the Article 29 Working Party issues its working document on codes of conduct, companies should review its conclusions carefully and may make their views known, either on an individual basis or through trade associations or other business groups, directly to the Working Party, the Commission, and/or the Member States. Continued expressions of interest in pursuing this and other innovative solutions to global data transfers will add to the growing momentum for change in the global privacy/data protection field.


Editor's Note: The Article 29 Working Party has recently adopted (on June 3, 2003) a document entitled "Working Document on Transfers of Personal Data to Third Countries: Applying Article 26 (2) of the E.U. Data Protection Directive to Binding Corporate Rules for International Data Transfers" (dealing with so-called company "codes of conduct"). The document is available on the DG Internal Market's website, at www.europa.eu.int/comm/internal_market/privacy/docs/2003/wp74_en.pdf.



Footnotes

1: First report on the implementation of the Data Protection Directive (95/46/EC) of May 15, 2003, COM (2003) 265 final, available at: http://europa.eu.int/internal_market/privacy/lawreport_en.htm.

2: Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995 p. 0031-0050 (1995).

3: Many data protection authorities are of the opinion that employees do not have the necessary freedom to consent meaningfully to the transfer of such data because of their inherent dependence on their employers. See Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context, September 13, 2001, available at: http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs.

4: For example, German commentary suggests that the criterion "necessary" for the performance of the labour contract has the meaning of "indispensable"; see Wolfgang Däubler: Internet und Arbeitsrecht, 2001, p. 143.

5: The only uniform method of complying across the E.U. is with standard clauses/model contracts. If a global company, however, elected to utilise model contracts to transfer data among affiliates, it is perfectly possible that it would have to enter into hundreds of contracts, which would be administratively burdensome and complex.

6: See Commissioner Bolkestein's closing speech at the 2002 data protection conference, available at: http://europa.eu.int/internal_market/en/dataprot/lawreport/programme_en.htm.

This article was first published in WDPR, June 2003, and is reprinted with permission of the publisher, The Bureau of National Affairs, Inc.