Working Party on the Protection of Individuals with regard to the Processing of Personal Data
WORKING DOCUMENT:
Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries.
Adopted by the Working Party on 22 April 1998
(WP 9 - XV/5005/98 - EN final) I. Introduction
In the discussion document adopted by the Working Party on 26 June 1997 entitled 'First Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy the Working Party promised to examine in its future work the circumstances in which ad hoc contractual solutions may be an appropriate means of securing protection for individuals when personal data are transferred to a third country where the level of protection is not generally adequate. This document is intended to provide a basis for such an examination.
The data protection directive (95/46/EC) establishes the principle in Article 25(1) that transfers of personal data to third countries should only take place where the third country in question ensures an adequate level of protection. Article 26(1) sets out certain exemptions to that rule. These exemptions are not examined in this paper. The purpose of this paper is to examine the additional possibility for exemption from the 'adequate protection' principle of Article 25 set out in Article 26(2). This provision allows a Member State to authorize a transfer or set of transfers to a 'non-adequate' third country 'where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights' The provision goes on to specify that 'such safeguards may in particular result from contractual clauses'. Article 26(4) also gives a power to the Commission, acting in accordance with the procedure laid down in Article 31, to decide that certain standard contractual clauses offer the sufficient guarantees envisaged in Article 26(2).
The idea of using contracts as a means of regulating international transfers of personal data was not of course invented by the directive. As long ago as 1992 the Council of Europe, the International Chamber of Commerce and the European Commission were jointly responsible for a study on the issue 1). More recently an increasing number of experts and commentators, perhaps noticing the explicit reference in the directive, have made comments on the use of contracts in studies and articles. Contracts have also continued to be used in the 'real world', as a means of dealing with data protection problems arising from the export of personal data from certain EU Member States. They have been widely used in France since the late 1980s. In Germany the recent example of the 'Bahncard' case involving Citibank received a considerable amount of publicity 2).
1 'Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows, with Explanatory Memorandum', study made jointly by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce, Strasbourg 2 November 1992
2 See the presentation of Alexander Dix of this case at the International Data Protection and Privacy Commissioners' Conference, September 1996, Ottawa.
2. The use of contracts as a basis for intra-Community flows of data
Before examining the requirements of contractual provisions in the context of data flows to third countries, it is important to clarify the difference between the third country situation and that pertaining within the Community. In this latter case, the contract is the mechanism used to define and regulate the split of data protection responsibilities when more than one entity is involved in the data processing in question. Under the directive one entity, the 'data controller', must take the principal responsibility for complying with the substantive data protection principles. The second entity, the 'processor', is responsible only for data security. An entity is deemed to be a controller if it has the decision-making power over the purposes and means of the data processing, whereas the processor is simply the body that physically provides the data processing service. The relationship between the two is regulated by Article 17(3) of the directive, which stipulates that:
the carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller
- the obligations set out in Paragraph I (the substantive provisions regarding data security), as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
This elaborates on the general principle established under Article 16 that any person acting under the authority of the controller, including the processor himself, must not process personal data except on instructions from the controller (unless required to do so by law).
Where personal data are transferred to third countries it will also normally be the case that more than one party will be involved. Here the relationship in question is between the entity transferring the data (the 'transferor') and the entity receiving the data in the third country (the 'recipient'). In this context one purpose of the contract should still be that of determining how the responsibility for data protection compliance is split between the two parties. However, the contract must do much more than this: it must provide additional safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an enforceable set of data protection rules providing an adequate level of protection.
3._The objective of a contractual solution
In the context of third country transfers, therefore, the contract is a means by which adequate safeguards can be provided by the data controller when transferring data outside of the Community (and thus outside of the protection provided by the directive, and indeed by the general framework of Community law 3) to a third country where the general level of protection is not adequate. For a contractual provision to fulfil this function, it must satisfactorily compensate for the absence of a general level of adequate protection, by including the essential elements of protection which are missing in any given particular situation.
4. The specific requirements of a contractual solution
The starting point for assessing the meaning of 'adequate safeguards', as used in Article 26(2), is the notion of 'adequate protection' already developed at some length in the "First Orientations..." discussion document. This document sets out an approach consisting of a series of basic data protection principles together with the three further requirements: that there be a good level of compliance with these principles in practice, that support and help be available to individual data subjects in the exercise of their rights, and that an appropriate means of redress be available to the injured party when the principles are not complied with.
i) The substantive data protection rules
The first requirement of the contractual solution is, therefore, that it must result in an obligation on the parties to the transfer to ensure that the full set of basic data protection principles set out in the "First Orientations" paper apply to the processing of the data transferred to the third country. These basic principles are:
1) the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule would be those necessary in a democratic society on one of the grounds listed in Article 13 of the directive (e.g. national security, the investigation of criminal offences). 5)
2) the data quality and proportionality principle - data should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed.
3) the transparency principle - individuals should be provided with information as to the purpose of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fairness. The only exemptions permitted should be in line with the Articles 13 of the directive, or Article 11(2) which allows organisations who have not collected data directly from the data subject to be exempted from the requirement to provide information if to do so would be impossible or involve a disproportionate effort
3) The exercise of an individual's data protection rights is facilitated within the Community by the general legal framework, for example the Strasbourg Agreement (1977) on the transmission of applications for legal aid.
4) "First Orientations on Transfers of Personal Data to Third Countries - Possible Ways forward in Assessing Adequacy", Discussion document adopted by the Working Party on 26 June 1997. 5) It should be noted that statistical and scientific research purposes are generally considered to be compatible, provided appropriate safeguards are in place.
4) the security principle - technical and organisational security measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.
5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her. The only exemptions to these rights should be in line with Article 13 of the directive.
6) restrictions on onward transfers to non-parties to the contract - further transfers of the personal data from the recipient to another third party should not be permitted, unless a means is found of contractually binding the third party in question providing the same data protection guarantees to the data subjects.
Furthermore in some situations additional principles must be applied:
1) sensitive data - where 'sensitive' categories of data are involved (those listed in article 8), additional safeguards should be in place, such as a requirement that the data subject gives his/her explicit consent for the processing.
2) direct marketing - where data are transferred for the purposes of direct marketing, the data subject should be able to 'opt-out' from having his/her data used for such purposes at any stage.
3) automated individual decision - where the purpose of the transfer is the taking of an automated decision in the sense of Article 15 of the directive, the individual should have the right to know the logic involved in this decision, and other measures should be taken to safeguard the individual's legitimate interest.
The contract should set out the detailed way in which the recipient of the data transfer should apply these principles (i.e. purposes should be specified, data categories, time limits for retention, security measures, etc.). In other situations, for example where protection in a third country is provided by a general data protection law similar to the directive, other mechanisms which clarify the way data protection rules apply in practice (codes of conduct, notification, the advisory function of the supervisory authority) are likely to be in place. In a contractual situation this is not so. Detail is therefore imperative where the transfer is based on a contract.
(ii) Rendering the substantive rules effective
The "First Orientations..." document sets out three criteria by which the effectiveness of a data protection system should be judged. These criteria are the ability of the system to:
1) deliver a good level of compliance with the rules. (No system can guarantee lOO % compliance, but some are better than others). A good system is generally characterised by a high degree of awareness among data controllers of their obligations, and among data subjects of their rights and the means of exercising them. The existence of effective and dissuasive sanctions is important in ensuring respect for rules, as of course are systems of direct verification by authorities, auditors, or independent data protection officials.
2) provide support and help to individual data subjects in the exercise of their rights. The individual must be able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there needs to be some sort of structure or mechanism allowing independent investigation of complaints.
3) provide appropriate redress to the injured party where rules are not complied with. This is a key element. It must involve a system which provides impartial judgements and which allows compensation to be paid and sanctions imposed where appropriate.
The same criteria must apply in judging the effectiveness of a contractual solution. Clearly this is a major though not impossible challenge. It is a question of finding means which can make up for the absence of oversight and enforcement mechanisms, and whichcan offer help, support and ultimately redress to a the data subject who may not be a party to the contract.
Each of these questions must be examined in detail. For ease of analysis, they are taken in reverse order.
Providing redress to a data subject
Providing a legal remedy to a data subject, (i.e. a right to have a complaint adjudicated by an independent arbiter and to receive compensation where appropriate), by way of a contract between the 'transferor' of the data and the 'recipient' is not a simple question. Much will depend on the nature of the contract law chosen as the national law applicable to the contract. It is expected that the applicable law will generally be that of the Member State in which the transferring party is established. The contract law of some Member States permits the creation of third party rights, whereas in other Member States this is not possible.
As a general rule, however, the more the recipient is limited in terms of his freedom to choose the purposes, means and conditions under which he processes the transferred data, the greater will be the legal security for the data subject. Bearing in mind that we are dealing with cases of inadequate general protection, the preferred solution would be for the contract to set down the way the recipient is to apply the basic data protection principles in such detail that, in effect, the recipient of the transfer has no autonomous decision-making power in respect of the transferred data, or the way in which they are subsequently processed. The recipient is bound to act solely under the instructions of the transferor, and while the data may have been physically transferred outside of the EU, decision-making control over the data remains with the entity who made the transfer based in the Community. The transferor thus remains the data controller, while the recipient is simply a sub-contracted processor. In these circumstances, because control over the data is exercised by an entity established in an EU Member State, the law of the Member State in question will continue to apply to the processing carried out in the third country 6), and furthermore the data controller will continue to be liable under that Member State law for any damage caused as a result of an unlawful processing operation.7)
This type of arrangement is not dissimilar to that set out in the "Inter-territorial Agreement" which resolved the Citibank 'Bahncard' case mentioned earlier. Here the contractual agreement set out in detail the data processing arrangements, particularly those relating to data security, and excluded all other uses of data by the recipient of the transfer. It applied German law to data processing carried out in the third country and thus guaranteed a legal remedy to data subjects.8)
There will of course be cases where this kind of solution cannot be used. The recipient of the transfer may not be simply providing a data processing service to the EU-based controller. Indeed the recipient may, for example, have rented or bought the data to use them for his own benefit and for his own purposes. In these circumstances the recipient will need a certain freedom to process the data as he wishes, thus in effect becoming a 'controller' of the data in his own right.
In this kind of case it is not possible to rely on the continued automatic applicability of a Member State law and the continued liability for damages of the transferor of the data. Other more complex mechanisms need to be devised to provide the data subject with an appropriate legal remedy. As mentioned above, some legal systems allow third parties to claim rights under a contract, and this could be used to create data subject rights under an open, published contract between transferor and recipient. The position of the data subject would be further strengthened if, as part of the contract, the parties committed themselves to some sort of binding arbitration in the event of a data subject challenging their compliance. Some sectoral self-regulatory codes include such arbitration mechanisms, and the use of contracts in combination with such codes could be usefully envisaged.
Another possibility is that the transferor, perhaps at the moment of obtaining the data initially from the data subject, enters into a separate contractual agreement with the data subject stipulating that he (the transferor) will remain liable for any damage or distress caused by the failure of the recipient of a data transfer to comply with the agreed set of basic data protection principles. In this way the data subject is granted a means of redress against the transferor for the misdemeanors of the recipient. It would be up to the transferor to then recover any damages he was forced to pay out to the data subject, by taking action for breach of contract against the recipient.
6) By virtue of Article 4(l)(a) of directive 95/46/EC.
7) See Article 23 of directive 95/46/EC.
8) Although because this case arose under a law which predated the directive, the law itself did not automatically apply to all processing controlled by a German-established controller. The legal remedy for the data subject was instead created by the ability of German contract law to create third party rights.
Such an elaborate three-way solution is perhaps more feasible than it might appear. The contract with the data subject could become part of the standard terms and conditions under which a bank or a travel agency, for example, provide services to their customers. It has the advantage of transparency: the data subject is made fully aware of the rights that he has.
Finally, as an alternative to a contract with the data subject, it could also be envisaged that a Member State lay down in law a continuing liability for data controllers transferring data outside of the Community for damages incurred as a result of the actions of the recipient of the transfer.
Providing support and help to data subjects
One of the main difficulties facing data subjects whose data are transferred to a foreign jurisdiction is the problem of being unable to discover the root cause of the particular problem they are experiencing, and therefore being unable to judge whether data protection rules have been properly followed or whether there are grounds for a legal challenge 9). This is why an adequate level of protection requires the existence of some sort of institutional mechanism allowing for independent investigation of complaints.
The monitoring and investigative function of a Member State supervisory authority is limited to data processing carried out on the territory of the Member State.10) Where data are transferred to another Member State, a system of mutual assistance between supervisory authorities will ensure that any complaint from a data subject in the first Member State will be properly investigated. Where the transfer is to a third country, there will in most cases be no such guarantee. The question, therefore, is what kind of compensatory mechanisms can be envisaged in the context of a data transfer based on a contract.
One possibility would be simply to require a contractual term which grants the supervisory authority of the Member State in which transferor of the data is established a right to inspect the processing carried out by the processor in the third country. This inspection could, in practice, be carried out by an agent (for example a specialist firm of auditors) nominated by the supervisory authority, if this was felt to be appropriate. A difficulty with this approach, however, is that the supervisory authority is not generally 11) a party to the contract, and thus in some jurisdictions may have no means of invoking it to gain access. Another possibility could be a legal undertaking provided by the recipient in the third country directly to the EU Member State supervisory authority involved, in which the recipient of the data agrees to allow access by the supervisory authority or a nominated agent in the event that noncompliance with data protection principles is suspected. This undertaking could also require that the parties to the data transfer inform the supervisory authority of any complaint that they receive from a data subject. Under such an arrangement the existence of such an undertaking would be a condition to be fulfilled before the transfer of data could be permitted to take place.
Whatever the solution chosen there remain significant doubts as to whether it is proper, practical, or indeed feasible from a resource point of view, for a supervisory authority of an EU Member State to take responsibility for investigation and inspection of data processing taking place in a third country.
9) Even if a data subject is granted rights under a contract, he/she will often not be able to judge whether the contract has been breached, and if so by whom. An investigative procedure outside of formal civil court proceedings is therefore necessary.
10) See Article 28(1) of directive 95/46/EC
11) The French delegation could envisage situations where the supervisory authority was a party to the contract.
Delivering a good level of compliance
Even in the absence of a particular complaint or difficulty faced by a data subject, there is a need for confidence that the parties to the contract are actually complying with its terms. The problem with the contractual solution is the difficulty in establishing sanctions for non-compliance which are sufficiently meaningful to have the dissuasive effect needed to provide this confidence. Even in cases where effective control over the data continues to be exercised from within the Community, the recipient of the transfer may not be subject to any direct penalty if he were to process data in breach of the contract. Instead the liability would rest with the Community-based transferor of the data, who would then need to recover any losses in a separate legal action against the recipient. Such indirect liability may not be sufficient to encourage the recipient to comply with every detail of the contract.
This being the case it is probable that in most situations a contractual solution will need to be complemented by at least the possibility of some form of external verification of the recipient's processing activities, such as an audit carried out by a standards body, or specialist auditing firm.
5._The problem of overriding law
A specific difficulty with the contractual approach is the possibility that the general law of the third country may include requirements for the recipient of a data transfer, in certain circumstances, to disclose personal data to the state (the police, the courts oi the tax authorities, for example), and that such legal requirements might take precedence over any contract to which the processor was subject.12) For processors within the Community this possibility is evoked in Article 16 of the directive which requires processors to process data only on instructions from the controller unless required to do so by law. However, under the directive any such disclosures (which are by their nature for purposes incompatible with those for which the data were collected) must be limited to those necessary in democratic societies for one of the 'ordre public' reasons set out in Article 13(1) of the directive. Article 6 of the Amsterdam Treaty also guarantees respect for the fundamental rights set out in the European Convention for the Protection of Human Rights and Fundamental Freedoms. In third countries similar limitations on the ability of the state to require the provision of personal data from companies and other organisations operational on their territory may not always be in place.
There is no easy way to overcome this difficulty. It is a point that simply demonstrates the limitations of the contractual approach. In some cases a contract is too frail an instrument to offer adequate data protection safeguards, and transfers to certain countries should not be authorised.
12) The extent of state powers to require the disclosure of information is also an issue when making more general assessments of the adequacy of protection in a third country.
6. Practical Considerations for the Use of Contracts
The preceding analysis has demonstrated that there is a need for any contractual solution to be detailed and properly adapted to the data transfer in question. This need for detail as regards the precise purposes and conditions under which the transferred data are to be processed does not rule out the possibility of developing a standard contract format, but it will require each contract based on this format to be completed in a way which matches the particular circumstances of the case.
The analysis has also indicated that there are particular practical difficulties in investigating non-compliance with a contract where the processing takes place outside of the EU and where no form of supervisory body is provided for by the third country in question. Taken together, these two considerations mean that there will be some situations in which a contractual solution may be an appropriate solution, and others where it may be impossible for a contract to guarantee the necessary 'adequate safeguards'.
The need for detailed adaptation of a contract to the particularities of the transfer in question implies that a contract is particularly suited to situations where data transfers are similar and repetitive in nature. The difficulties regarding supervision mean that a contractual solution may be most effective where the parties to the contract are large operators already subject to public scrutiny and regulation.13) Large international networks, such as those used for credit card transactions and airline reservations, demonstrate both of these characteristics and thus are situations in which contracts may be most useful. In these circumstances, they could even be supplemented by multi-lateral conventions creating better legal security
Equally where the parties to the transfer are affiliates or part of the same company group, the ability to investigate non-compliance with the contract is likely to be greatly re-inforced, given the strong nature of the ties between the recipient in the third country and the Community-based entity. Infra-company transfers are therefore another area where there is a clear potential for effective contractual solutions to be developed.
Main Conclusions and Recommendations
- Contracts are used within the Community as a means of specifying the split of responsibility for data protection compliance between the data controller and a sub-contracted processor. When a contract is used in relation to data flows to third countries it must do much more: it must provide additional safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an enforceable set of data protection rules providing an adequate level of protection.
13) In the Citibank 'Bahncard' case, the Berlin data protection commissioner cooperated with the American banking supervisory authorities.
- The basis for assessing the adequacy of the safeguards delivered by a contractual solution is the same as the basis for assessing the general level of adequacy in a third country. A contractual solution must encompass all the basic data protection principles and provide means by which the principles can be enforced.
- The contract should set out in detail the purposes, means and conditions under which the transferred data are to be processed, and the way in which the basic data protection principles are to be implemented. Greater legal security is provided by contracts which limit the ability of the recipient of the data to process the data autonomously on his own behalf. The contract should therefore be used, to the extent possible, as a means by which the entity transferring the data retains decision-making control over the processing carried out in the third country.
- Where the recipient has some autonomy regarding the processing of the transferred data, the situation is not straightforward, and a single contract between the parties to the transfer may not always be a sufficient basis for the exercise of rights by individual data subjects. A mechanism may be needed through which the transferring party in the Community remains liable for any damage that may result from the processing carried out in the third country .
- Onward transfers to bodies or organisations not bound by the contract should be specifically excluded by the contract, unless it is possible to bind such third parties contractually to respect the same data protection principles.
- Confidence that data protection principles are respected after data are transferred would be boosted if data protection compliance by the recipient of the transfer were subject to external verification by, fur example, a specialist auditing firm or standards/certification body.
- In the event of a problem experienced by a data subject, resulting perhaps from a breach of the data protection provisions guaranteed in the contract, there is a general problem of ensuring that a data subject complaint is properly investigated. EU Member State supervisory authorities will have practical difficulties in carrying out such an investigation.
- Contractual solutions are probably best suited to large international networks (credit cards, airline reservations) characterised by large quantities of repetitive data transfers of a similar nature, and by a relatively small number of large operators in industries already subject to significant public scrutiny and regulation. Intra-company data transfers between different branches of the same company group is another area in which there is considerable potential for the use of contracts.
- Countries where the powers of state authorities to access information go beyond those permitted by internationally accepted standards of human rights protection will not be safe destinations for transfers based on contractual clauses.
Done at Brussels, 22 April 1998
For the Working Party
The Chairman
P.J. HUSTINX
Section IX of Chapter II of directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data ('the directive') deals with notification of processing operations to the national supervisory authorities ('the authorities').
The working party, following the mandate laid down in art.30 1a) of the directive, started discussions during its second meeting on the possible implementation of the provisions of the directive on notification. Working Documents dealing specifically with simplification and exemption from the obligation to notify data processing to the authorities were presented by the French, Dutch and UK delegations.
In connection with simplification and exemption from the obligation to notify, the German delegation presented a working document on the role in Germany of the independent data protection official (in house data protection official) referred to in article 18 paragraph 2 of the directive. Discussion on this topic continued during the third meeting following a presentation of representatives of data protection officials from Germany.
It was recognised that the Working Party could usefully give some guidance on the interpretation of the relevant provisions of the directive. The experience of some delegations in applying current national provisions which bear a significant resemblance with the ones of the directive could provide an indication of the functioning of the different options set-out in the directive.
The discussion showed that the specification of purposes at the time of notification plays an important role on the application of the principle of purpose specification. The role of the 'notified purposes' in current national legislation varies in the different legal systems, and the level of detail in the description of such purposes varies not only between Member States but also within Member States.
The Working Party agreed to exchange models of notification forms to study the type of purpose specification in the different Member States. Such models were distributed during the third meeting.
An earlier version of the present paper was discussed at the fourth meeting.
Examples of description of the purpose of processing operations carried out by a bank a medical practice and a telephone company were exchanged at the fifth meeting and served as a basis for discussion.
The following section outlines the legislative history of the relevant provisions of the directive. Section three summarises some of the main features of the current legislative situation at national level. The final section draws some preliminary conclusions and some questions as to the way the working party should proceed in relation to notification.
The original Commission proposal contained two provisions dealing with notification: article 7 dealing with public-sector files and article 11 dealing with private sector files. Recital 13 made it clear that the aim of the two provisions was the same: ensuring the 'transparency essential to the exercise by the data subject of the right to access to data relating to him'. Notification was compulsory only in relation to files 'the data in which might be communicated'.
Several Parliamentary amendments substantially modified these provisions. The amended proposal, following the parliamentary amendments, restructured the whole system of notification.
The distinction between public and private sector was abolished and the rules on notification applied to all processing operations. The explanatory memorandum, however, underlined that the potential extension of the obligation to notify had to be read in conjunction with the introduction of exemptions from and simplifications to notification.
The overall aim of notification was also modified: it should serve as the basis for selective monitoring of the legitimacy of processing operations by the supervisory authority.
Several aspects of the modified proposal contribute in effect to limit unnecessary bureaucratic requirements. A single notification could cover a set of processing operations intended to serve a single purpose. Furthermore data controllers were not required to give excessive details as notification should only mention the categories of data subjects, recipients and data. Notification was not required for data processing relating to members and usual contacts by non profit seeking bodies mentioned in art. 8 2 d. Finally notification of non automatic processing of personal data was made optional.
The amended proposal did not however aim simply at limiting or simplifying the obligations to notify but, following the wishes of Parliament, aimed at establishing a three tier system which, while avoiding excessive bureaucratic requirements, would provide different levels of safeguards in relation to the risks posed by different types of processing operations.
A system of preventive authorisation was introduced in relation to processing operations presenting 'specific risks'. The explanatory report referred to the processing of sensitive data, to 'black lists' and to 'operations aimed at informing third parties of the solvency of individuals' as examples of processing operations which might require prior checking.
The final text of the provisions on notification maintained the overall structure of the amended proposal. However simplification and exemptions from the obligation to notify were added in relation to public registers and where the data controller appoints in compliance with national law an in house data protection official.
Recital 48 makes it clear that the purpose of the notification procedures is the disclosure of the purpose and the main features of the processing operation in order to monitor its compliance with data protection legislation.
Recital 52 states that ex post-facto monitoring is the ordinary form of monitoring by the authorities. Recital 53 and 54 confirm that prior checking represents a somewhat exceptional procedure to be used only in relation to specific risks.
Notification of data processing to the authorities currently exists in all national data protection laws. However the extent of the obligation to notify varies.
In Spain, Luxembourg, Austria, Portugal, Sweden and United Kingdom broadly all processing operations which fall within the scope of application of data protection law need to be notified to the data protection authorities.
Some of these countries are currently simplifying the notification requirements or introducing exemptions from the obligation to notify. The general systems of notification have in some cases proven to be very resource consuming for the data protection authorities. Furthermore it turned out to be difficult to perform any substantive monitoring on the basis of notifications.
In Belgium and in the Netherlands most current and less risky type of processing operations have been exempted from notification by means of an act of the government under the general data protection legislation. The exemptions cover a very large proportion of all data processing (estimates of about 80%).
In France most current and less risky type of operations are subject to a simplified notification in which the data controller simply declares to process data in accordance with a so called 'norme simplifiée' predefined by the Commission Nationale Informatique et Libertés (CNIL). Forty such 'normes simplifiées' have been defined so far and they cover a large majority of processing operations (75% of notifications for 1995 were simplified notifications).
In Italy, several exemptions from notification have been introduced by decrees adopted under the general data protection legislation. These exemptions apply to certain categories of processing operations and are subject the detailed conditions.
In Denmark, Germany, Ireland and Finland the obligation to notify covers only certain types of processing operations.
The notification is normally done by means of special paper forms. In Belgium it is also possible to notify on computer diskettes. In the UK the registration can be done partly over the phone, the applicant must however fill-in a pre-printed form giving complementary information. The notification forms can normally cover all types of processing operations. In the UK, however, special templates have been created. These templates are normal notification forms in which all the parts which are normally relevant for a given type of data controllers have been highlighted.
The notification forms normally include details of the data controller and of the processing operations such as type of data that are processed, purposes of the processing operations, persons who have access to the data etc.
A key element of the notification is the description of the purpose of the processing operation. The practice in relation to the specification of purposes varies in the Member States.
In Belgium and in the UK a list of pre-defined processing purposes is enclosed with the notification form. Data controllers would therefore normally choose one of these predefined purposes. However in neither country are data controllers obliged to refer to one of the predefined purposes. They may instead add a description of the purpose in free text.
The debates during the second meeting and the models of notification exchanged during the third meeting have shows that data controllers tend to give very short and often generic descriptions of the purpose of their processing operation.
In most of the Member States the analysis of the compatibility of the operation with the finality of the processing in a posteriori enforcement is not made in relation to the abstract description of the processing but with reference to the material purpose of the concrete operation at hand.
The indication of overly generic purposes at the time of notification deprives notification of its function. Generic description of the purpose does not allow the data protection authorities to ascertain whether a processing operation complies with the law, and has very little use for the members of the public consulting the public register of processing operations.
Notification contributes to the respect of the principles of the directive because the data controllers, in order to notify, must assess and describe their processing operations, define in advance what data are to be used and for which purpose. In order to perform adequately these functions and contribute to the transparency of data processing the given information must not be general but specific.
It is particularly important that the purposes of the processing operations be adequately specified. Too generic definitions of the purpose of the processing operations devoid the system of notifications of its usefulness. Neither the data subjects nor the supervisory authorities will be in a position to assess the notified operation nor the compatibility of the various operations planned or performed by data controllers with the purpose for which the data were originally collected or further processed.
Assessing the compatibility of any given operation with the purpose for which the data were originally collected and which may have had to be notified to the data protection authority is one of the most difficult and important tasks in supervising compliance with data protection legislation. The working party is determined to develop common methods for the assessment of the compatibility of the purpose of processing operations.
Significant divergences in the description of the purpose of the processing operations in the different Member States would not only represent a burden for data controllers but could jeopardise the equivalence of the level of protection within the Community. The analysis of the current national arrangements for notification shows that there are not fundamental differences of approach in the way the purpose is described in the Member States. However the type and the amount of details that are provided vary according to the various national procedures and according to the structure of the notification forms.
The experience of the Member States that have such arrangements shows that predefined lists of the most common purposes are appreciated by data controllers and simplify the handling of notifications by the authorities. The working party will keep studying the possibility of defining standardised description of the purpose of common processing operations to serve as a guidance to data controllers.
Excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities. Several countries have introduced or have shown an in interest in simplified notification or in exemptions from notification. Under the directive simplified notification or exemptions from the obligation to notify can be granted in relation to processing operations which are unlikely to affect adversely the rights and freedoms of data subjects. Several elements must be specified in relation to such processing operations.
Simplified notification or exceptions can also be granted where the controller, in compliance with national law, appoints an in house data protection official. Such an official must ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations. In order to do so according to the directive the official must at least ensure in an independent manner the application of the national provisions taken pursuant to the directive and keep the register of processing operations containing the items of information which would normally appear in the public register of processing operations. ²
The introduction of in house data protection officials limits the need of centralised supervision. The working party supports the introduction of such officials be it on a compulsory or on a voluntary basis. It is however necessary that such officials be given the means to perform their tasks in an effective manner. Should the powers and resources granted to in house data protection officials be insufficient to ensure that the rights and freedoms of the data subject are unlikely to be adversely affected, the derogations from the ordinary notification requirements would no longer be justified.
The effective independence of such officials in ensuring the application of data protection law is essential in guaranteeing the rights of the data subjects and in order to ensure compliance with data protection legislation. Adequate guarantees should be offered to ensure the of the data protection officials in the performance of their functions independence especially from management.
A certain degree of consistency exists in relation to the categories of operations which are unlikely to affect adversely the rights and freedoms of the data subjects. They include data processing in relation to payroll management, accounting, partners and shareholders, customers and suppliers etc.
The working party is determined to keep working towards the definition of a list of processing operations which, quite independently from the procedural arrangements adopted by the Member States for the transposition of the relevant provisions of the directive, could be used as reference in deciding which operations are less likely to affect adversely the rights and freedoms of the data subjects.
Notifying by other means than paper forms makes notification more efficient both for data controllers and for the authorities. The working party supports the use of such forms of notification as a way to reduce compliance costs for economic operators and allow for a less costly and more efficient supervision by the authorities.
One of the functions of notification is to inform the public about existing processing operations by means of the public register of processing operations. The working party considers it very important to make the register easily accessible to the public. The working party looks with interest to the projects making the public registers available via the world wide web. The working party notes the need to adopt adequate safeguards to avoid that the personal data included in the registers of processing operations be used improperly.
|