Journal of Law, Information and Science (JLIS)

Carr, Indira; Williams, Katherine --- "Electronic Data Interchange, Data Protection and the European Community" [1994] JlLawInfoSci 3; (1994) 5(1) Journal of Law, Information and Science 24

Electronic Data Interchange, Data Protection and the European Community[*]

INDIRA MAHALINGAM CARR[1] AND KATHERINE WILLIAMS[2]

Abstract

In this article the authors examine the various directives issued by the European Community to protect the privacy of individuals, both natural and artificial, where personal, sensitive or confidential information is transmitted by electronic interchange.

1. Introduction: Electronic Data Interchange and Data Protection

Recent years have witnessed a rapid growth in the use of computers for transmitting information. The general assumption in relation to electronic data interchange (EDI) is that it will largely be used in the commercial sector for transferring information like product specifications and prices at a national and international level. However, EDI is also expected to play a central role in the insurance and banking sectors as well as in public administration areas like health services, social security, customs, immigration and the police. This means that besides information relating to commercial products and services, details about individuals and government bodies will also be transferred through the electronic network. And, as can be expected, some of the information transmitted in all these spheres may be of a highly confidential nature. This raises a number of interesting questions, some of which are listed below; the answers to these, however, are largely dependent on the principles underlying the right to privacy.[3]

a. Should collation of information on individuals, private organisations and government bodies for non-private use be allowed without any system of control?

b. Even if collation of information is allowed for non-private use in principle, should there be control on the contents collated?

c. Should certain sectors of society be given special protection? For instance, should information about individuals be treated specially? Should sensitive data on individuals, like race, religion, political affiliation, be subject to special protection provisions?

d. Should collated data be circulated nationally and internationally, without any system of control? For instance, should State A ensure that the level of data protection in State B is adequate before allowing data export even though by so doing State A stands to lose economically due to the legal controls?

In order to establish a perspective, it is necessary to preface the discussion of these questions with an acknowledgment of some of the advantages of EDI for data transference in all contexts. There are strong reasons for believing that, in general, the use of EDI will enhance the quality of life all round and is therefore worth promoting. To illustrate, in the commercial arena it will speed transactions thereby contributing to economic growth, and in the area of public administration it will facilitate quick decisions and actions by public bodies such as customs and police thereby improving the general security and well-being of the populace at large.[4] Both these observations are pertinent and exude good sense. The advantages are even more striking when seen in the context of the European Community (EC) whose aim is to establish economic unity among the member states with the general welfare of its citizens in mind. Persuasive though these may be, one should not lose sight of the imbalance that would be caused by the promotion of only the economic and commercial benefits of this technology without taking due account of other factors such as the right to privacy.[5] Of course, the weighting that is to be given to each of these values will largely depend on the objectives that a given society has.

The right to privacy as a concept has been acknowledged by some states, albeit to a limited extent, through legislation which provides specific protection for such data, especially when held on computer, by restricting its use both within that state and its transfer to third countries. However, there is no common ideological thread connecting the actions of various nations. As a result there is disparate legislation on the kind and the nature of information that is protected and the means through which any protection is to be achieved. This is the case even among member states of the EC despite their stated desire for harmonisation.[6] For instance, in some EC states data protection legislation is limited to covering personal details held on computers about living humans; others extend the protection to legal entities such as companies and trade unions,[7] whilst still others cover manual records as well as computerised data.[8] Beyond the confines of the EC the diversity is even more bewildering. In some states data protection is limited to public sector processing of data,[9] whilst a number of Third World countries, especially in Latin America and Africa, have proposed that information affecting national sovereignty, economic well-being and socio-cultural interests should also be protected.[10] Presumably, the reason for proposing protection of these types of information is a perceived need to promote political stability which in turn would enhance the economic welfare of the country.

The disparate views in relation to the kinds of information that qualify for protection and the way these controls should be exercised mean that states may view cross border flow of information through electronic means with some suspicion. States may regulate the transborder flow of data by requiring that the recipient state offers the level of protection that is available in the originating state. This, in real terms, would pose difficulties for those wishing to carry out business through EDI either at the international level or EC level. And it would not be an exaggeration to suggest that the disparities might threaten the successful implementation of the single market in the EC.

The consequences that the disparities in legislation would have for business engaged in cross border data flow could be countered by entering into contractual agreements which guarantee the protection of personal data. The Council of Europe has recommended six clauses for inclusion in any contract to ensure equivalent protection in the context of transborder data flow.[11] Another way of ensuring protection would be to incorporate a choice of law clause in the contract. So, one could incorporate the national laws of the country from which the information is exported. The problem with contractual incorporation of suitable terms for protecting data is that the parties entering into the contractual obligations may not suffer financially for breaches, thereby reducing the incentive to obey the clauses. Also, in most legal regimes the data subject (the third party) would not be able to invoke the clauses in a contract between two parties due to lack of privity. It may however be politically beneficial for the companies to ensure that the contractual obligations are followed since otherwise they would risk the introduction of more wide-ranging protective legislation.

A way out of this conundrum, at the EC level, would be to harmonise the laws in relation to privacy and data protection.[12] The European Community has moved in this direction and in 1990 put forward a draft directive which was subsequently amended by the European Parliament. The Council has now put forward a revised proposal that takes into account Parliament’s opinion.[13] The main proposals of the revised draft directive and the problems concerning some of the provisions are considered in the following section.

2. Data Protection and the European Community

One of the motivating features behind the directive was to prevent ‘data havens’ being exploited by companies that wanted to avoid the processing restrictions and protection which exist in certain member states. The draft directive is drawn widely to cover both manual and computerised personal data files,[14] and public and private sectors[15] but does not extend to include legal persons.[16]

A major change introduced by the revised draft directive is that it lists the situations in which the processing of personal data will be lawful. These are where:

- the data subject has consented (Article 7(a));

- processing is necessary for the performance of a contract with the data subject, or in order to take steps at the request of the data subject preliminary to entering into a contract (Article 7(b));

- processing is necessary in order to comply with an obligation imposed by national law or Community law (article 7(c));

- processing is necessary to protect the vital interests of the data subject (Article 7(d));

- processing is necessary for the performance of a task in the public interest or carried out in the exercise of public authority vested in the controller or in a third party to whom the data are disclosed (Article 7(e)); or

- processing is necessary in pursuit of the general interest or of the legitimate interests of the controller of a third party to whom the data are disclosed, except where such interests are overridden by the interests of the data subject (Article 7(f)).

Data subjects will be regarded as having consented where express indication of their wishes signifying their agreement to personal data relating to themselves being processed is presented and this is freely given and specific. The following information however must be available to them:

- the purposes of the processing;

- the recipient of the personal data; and

- the name and address of the controller and of his or her representative, if any (Article 2(g)).

Article 11 further sets out a minimum list of information that must be provided to the data subject. These are:

- the purposes of the processing for which the data are intended;

- the obligatory or voluntary nature of any reply to the questions to which answers are sought;

- the consequence of any failure to reply;

- the recipients or categories of recipients of the data;

- the existence of a right of access to, and rectification of, relevant data; and

- the name and address of the controller and of his or her representative, if any.

Where data is transferred to a third party in cases referred to in Article 7(b), (e) and (f) the data subject must be informed of this by the controller at the appropriate time, which should be no later than the time of the first disclosure to the third party (Article 12).

Article 2(g) states that consent must be expressly indicated; obviously a written expression or a verbal expression will be sufficient to fulfil this. Problems can arise however in the following situations:

1. Business forms may require the data subject to place an ‘X’ indicating lack of consent. If the data subject fails to place the ‘X’ in the required box would this be deemed as an express indication of consent?

2. During the course of negotiations the data subject may be asked to consent to the processing of information. Would silence or a nod of assent from the data subject be sufficient to fulfil the requirement for an express indication of consent? In other words, is express indication limited to linguistic expressions or could it include non-verbal behaviour?

Under Article 2(g) the data subject is given the right to revoke consent at any time without it having any retrospective effect. But the form this revocation should take remains unstated. Could the revocation be implied or must it be express? For instance, could an individual’s expression of doubts or unhappiness about the processing constitute an implied revocation? Furthermore, it is not clear whether the form of revocation should match the form of consent. That is, could an oral revocation be effective to cancel a written expression of consent?

Article 7(e) is another source of potential concern. It appears to give free rein to public authorities like the police and customs to collect and exchange information with third parties on the basis that it is necessary for the performance of their task in the public interest. It is unclear what ‘necessary for the performance of a task in the public interest’ is envisaged to cover. Presumably, it will depend on the nature of the perception of the relevant public authorities. However, because of the open ended nature of the phrase there is ample scope for misuse. Likewise, Article 7(f) allows processing for the purposes of pursuing the general interest or legitimate interests of the controller and third party unless such interests are overridden by the interests of the data subject. What exactly does general interest cover? Does it mean public interest used in Article 7(e)? If so, it is indeed very difficult to think of situations where the individual’s rights can be said to override the general interests, given the utilitarian thrust behind this provision.

The Directive makes the welcome move of making specific reference to sensitive data.[17] Article 8(1) prohibits the processing of data revealing racial or ethnic origins, political opinions, religious beliefs, philosophical or ethical persuasion and membership of trade union and of data referring to health or sexual orientation of the subject. This general prohibition is subject to a number of exceptions:

- where the data subject has given written consent to the processing provided the law of the Member State does not prohibit by law such a waiver by the data subject (Article 8(2)(a));

- where the processing is carried out by a foundation or non-profit making association of a political, philosophical, religious or trade union character in the course of the legitimate activities provided that the processing relates solely to its members or persons who have regular contact with it in relation to its purposes and that the data are not disclosed to third parties without the data subject’s consent (Article 8(2)(b));

- where the processing is performed in circumstances where there is manifestly no infringement of privacy or fundamental freedoms (Article 8(2)(c)); and

- where there are important grounds of public interest as laid down by the law (Article 8(c)).[18]

As far as criminal convictions are concerned, under Article 8(4) data concerning these can be held only by judicial and law enforcement authorities and by the persons directly concerned with these convictions or by their representatives.

Article 8(1), since it is widely cast, could be a source of potential problems. For instance, a person’s name could reveal a lot about the person’s ethnic origins and religious beliefs. In these circumstances, does Article 8(1) envisage that a written consent is needed from the data subject whenever the data subject’s name needs to be entered for ordinary commercial transactions like requests for hotel and flight bookings? To illustrate, the name Inderjit Singh connotes that the individual is of Indian origin and perhaps a follower of Sikhism. So will the travel agent require a written consent from Mr. Singh before he enters his name on the form? If this is the intention behind this provision then it jeopardises business efficiency, since customer service oriented acts offered by businesses like telephone bookings will no longer be feasible. Of course, it is possible to argue that the enigmatic Article 8(2)(c) exception could be used to cover such situations since there is ‘manifestly no infringement of privacy or fundamental freedoms’. However, it is not clear from Article 8 or the explanatory memorandum whether these are the kinds of situations that Article 8(2)(c) is meant to cover; some guidance on this provision could help avoid legal uncertainties.

In relation to criminal convictions there is a strong argument for saying that such data should be allowed to be at the very least accessed, if not held, by employers and service sectors like insurers and bankers since they would find such information necessary in their decision making process. For instance, a bank may seriously reconsider its offer of employment to a person previously convicted of fraud. Under Article 8(4) member states can lay down exemptions through legislation specifying suitable safeguards. It is highly likely that most states will have exemptions to Article 8(4) to suit the needs of their industries, which means that there is the possibility of disparate legislation emerging from Article 8(4). In these circumstances, it would perhaps be wiser for the directive to address this issue and list the exemptions to Article 8(4).

As far as export of data to non-EC countries is concerned Article 26 generally prohibits such transfer, with some exceptions,[19] unless the receiving country provides an adequate level of protection thereby ring fencing the EC. The reason for this rule is understandable since allowing free flow of information to non-EC countries could result in circumventing the EC Rules that aim to ensure free flow of information without unduly affecting the individual’s right to privacy.

The adequacy of the level of protection afforded by the third country is to be assessed by taking into account all the circumstances surrounding the data transfer. Particular account is to be taken of the following:

- the nature of the data;

- the purpose/s and duration of the proposed processing operation;

- the legislative provisions, general and sectorial, in force in the third country; and

- the professional rules complied with in the third country. (Article 26(2)).

It is not clear whether, in taking into account the legislative provisions and professional rules, due regard will be paid to the philosophical tenets on which the third country’s legislation and other rules are based.

Where the third country does not offer an adequate level of protection, and is thus likely to harm the interests of the EC or its Member States, Article 26(4) empowers the Commission to enter into negotiations with that country to remedy the situation. Of course there would be no obligation on the part of the third country to comply with the Commission’s requests except in the interests of international comity and economic growth.

The best way forward in these situations would be for the EC exporting party and non-EC importing party to enter into specific contractual provision ensuring adequate protection of the data to EC standards in the importing country. The privity problem can also be circumvented if the data exporter stipulates that the contract is entered into on behalf of the data subject also.[20] And indeed Article 27 allows authorisation to be given by a Member State for transfer, or categories of transfers, of personal data to a third country which does not ensure an adequate level of protection where the controller adduces sufficient justification. This justification could, in particular, be in the form of appropriate contractual provisions guaranteeing especially the effective exercise of the data subject’s rights.

There is a problem with allowing Member States to determine the adequacy of the level of protection offered by a third country (Article 26(2)), or allowing the controller to adduce sufficient justification in contractual provisions guaranteeing the data subject’s rights for transfer of information to countries lacking an adequate level of protection: it means that there will be a lack of uniformity in approach amongst the Member States. A way round this would be to provide extensive guidelines.

3. Conclusion

The revised draft directive goes a long way in harmonising the disparate laws of its Member States and seems to promote the free flow of information whilst taking into account the right to privacy of the individual. However, what yet remains to be assessed is the cost to industry, especially small and medium sized organisations, and to the people, especially taxpayers and consumers, of introducing this piece of legislation. It may be premature to agree with the Commission that the directive will promote economic growth and create jobs in the private and public sectors.

A major objection that can be levelled at the directive is that it may already be outdated due to advances in computer technology. The current trend is towards highly powerful networks that use sophisticated software which can accumulate and process strands of information from a wide range of sources to produce a profile on the spending trends of Mr A Smith over a period of time by drawing upon information on various financial transactions that he may have entered into on different occasions with different parties in different countries. The drawing together of strands of information relating to a particular individual from various sources is potentially hazardous since it could result in an invasion of privacy even though that individual may have consented to the maintenance of each strand of information. It is questionable whether the directive specifically addresses such possibilities since it seems to view data processing and transfer in rather simplistic terms. A quick solution would be to insert a provision in the directive requiring the controller to disclose the existence of networks and inform the data subject of the likely consequences, thereby giving him the option to withdraw his consent.[21]

A further problem with recent technology is the speed with which large databases can be transferred across borders. There remains the practical problem of policing these data transfers. Under Article 30 supervisory authorities are given powers of investigation, but the extent to which these authorities can carry out their tasks efficiently will largely depend on the availability of funds.


[*] This article is based in parts on ‘Bytes into Computer Law’, Chapter 1 of Computers and Law Carr, Indira and Williams, Katherine (eds.) (1994) Oxford: Intellect Books.

[1] Lecturer in Law, University of Exeter

[2] Lecturer in Law, University College of Wales, Aberystwyth

[3] The word ‘privacy’ seems to be variously interpreted in different countries. For instance, ID cards carried by individuals in countries like Malaysia and France would be regarded as an invasion of privacy in England. In Canada, the concept is interpreted widely to encompass freedom of information, ie the freedom of access to information held by the government and government bodies.

[4] According to an item in the business news section of The Independent on Sunday, 30 May 1993, BUPA has introduced EDI for its billing service, which reduces claims processing time from more than a week to two days. The information is transmitted from the hospitals in the UK to the clearing house in the US, where the information is formatted and subsequently deposited in the hospital’s mailbox. This system is said to have a number of advantages: reduced administration cost, improved data quality and accuracy, faster payment of claims and reduced bad debt.

[5] See Parent, WA (1983) ‘Recent Works on the Concept of Privacy’ American Philosophical Review p343; Rubenfeld J (1988) ‘The Rights of Privacy’ Harvard Law Journal 102:737; Report of the Committee on Privacy Cmnd 5012 1972 HMSO Report of the Committee on Data Protection Cmd 7341 1978 HMSO.

[6] Belgium, Greece, Italy and Spain do not have any data protection regulations. It is particularly interesting to note the lack of any protection in Spain as it was one of the first states to ratify the Council of Europe Convention which was passed in 1981 and came into force in 1985.

[7] Denmark and Austria.

[8] France, Germany and the Netherlands.

[9] United States and New Zealand.

[10] For further details see Intergovernmental Bureau for Informatics TDF 270 at p55.

[11] Council of Europe, Revised Version of Proposed Clauses for Inclusion in a Model Contract Designed to Ensure Equivalent Data Protection in the Context of Transborder Data Flows, T-PD (91)8.

[12] This is easier said than done. It took the EC over fifteen years of discussion to put forward a Draft Directive which was published in 1990. See Official Journal No C100 3 May 1976; no C 140 5 June 1979; No L 246 29 August 1979; No C 87 5 April 1982.

[13] OJ No L 123, 8 May 1992.

[14] Under Article 2(b) ‘processing of personal data’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

[15] The revised draft directive has dropped the distinction between the private sector and the public sector. An interesting feature of the original draft directive was the extreme tolerance with which it treated public sectors collecting information. Under Article 5 the creation of a file and any other processing of personal data would be lawful insofar as they were necessary for the performance of the tasks of the public authority in control of the file. And Article 6 allowed for transfer between public sector bodies as long as it was necessary for the performance of the tasks. The data subject’s consent was not required. As to what exactly “necessary for the performance of the tasks” encapsulated was unclear. It was felt that public bodies like the police and immigration authorities would construe this phrase very widely. The individual was given the right to consult the register kept by a supervisory authority of public sector files with personal data that might be communicated under Article 7(1); however Article 7(3) in conjunction with Article 15(1) provided that consultation would be restricted for reasons of national security, defence, criminal proceedings, public safety, and monitoring and inspection purposes of public authorities. It was felt that these provisions were wide ranging and had a great potential for misuse. The European Parliament deleted the whole of chapter two on special provisions relating to the public sector.

[16] Since legal persons like companies are excluded from the requirements of data protection, Denmark and Austria might consider the protection offered as falling below the standards required by their national laws and might restrict the flow of information to states with lower levels of protection.

[17] Section 2(3) of the Data Protection Act 1984 states that the Secretary of State may by order modify or supplement the seven principles for the purposes of providing additional safeguards in relation to personal data consisting of information as to the racial origin of the data subject, his political opinions or religious or other beliefs, his physical or mental health or his sexual life or his criminal convictions. This power however has not been exercised to date. The reason for this could be that the concept of ‘sensitive data’ is fuzzy and seems to depend very much on the circumstances to acquire its content.

[18] Sensitive data in the 1990 Draft Directive was dealt with under s 17 and made specific reference to automatic processing of data which referred to racial or ethnic origins, political, religious or philosophical beliefs and membership of trade union and of data referring to the health and sexual orientation of the subject. Under Article 17 manual records of such information could be stored and freely circulated which was perceived as a wild move in an otherwise privacy driven legislation.

[19] The exceptions allowed under Article 26 are:

- subject, where appropriate, to Article 8(2)(a) the data subject has consented to the proposed transfer in order to take steps preliminary to entering into a contract;

- where the transfer is necessary for the performance of a contract between the data subject and the controller and the data subject has been informed of the fact that it is or might be proposed to transfer the data to a third country which does not ensure an adequate level of protection;

- the transfer is necessary on important public interest grounds; or

- the transfer is necessary in order to protect the vital interest of the data subject.

[20] Such a clause, if suitably worded, may be effective in common law countries. See New Zealand Shipping v Satterthwaite [1974] UKPC 1; [1975] AC 154 where the stevedore was allowed to take advantage of the exceptions and immunities in the contract of carriage to which he was not a party on the basis that the carriers had contracted on behalf of the stevedores. See Lord Wilberforce’s judgement, which stresses the need for taking a pragmatic approach to commercial transactions and not being constrained by legal technicalities.

[21] In some situations the processing of data will be lawful even where the data subject has not consented. See Articles 7(b) to 7(f).


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1994/3.html