The alliance between German Railway and Citibank
In November 1994 German Railway decided to cooperate with the
German subsidiary of Citibank, one of the largest internationally
operating banks. The two companies concluded a Co-Branding Agreement
which provided for the issuing of the RailwayCard with a cash-free
payment function. All RailwayCards were to become VISA credit
cards at no additional cost for the customer. This applied also
to old RailwayCards, which have to be renewed on an annual basis.
In addition the RailwayCard now carries the holder's photograph.
The RailwayCards, as well as the normal VISA cards issued to German
Citibank customers as from July 1, 1995, are produced in the United
States, more precisely in data centers run by Citibank subsidiaries
in South Dakota and Nevada.
As soon as the first German train passengers wanted to renew their
RailwayCard or to apply for a new one in July 1995 they were told
that they had to accept the RailwayCard with credit card function
(advertised by German Railway and Citibank as "the better
RailwayCard") even if they did not want a credit card at
all e.g. because they already had one. This led to numerous complaints
and negative reports in the media about the whole co-branding
deal which was said to be the biggest credit card agreement in
Germany so far.
It was widely believed in Germany that the monopolist German Railway
had sold the data of its existing RailwayCard customers and of
all potential customers to a big US-based bank which was very
likely to use these data in the direct marketing business, and not
only for its own purposes.
The local German data protection supervisory authorities criticized
a number of points in the application form issued by German Railway
and Citibank, especially the fact that personal data on creditworthiness
were collected from people who simply wanted to get on a train
regularly.
Very soon - after strong public protests by consumer groups and
data protection authorities - the Railway and Citibank had to
renegotiate their Co-Branding Agreement to extend it to the production
of the old-style RailwayCard without credit card function and
to offer it to customers as an option. It was called the "pure"
RailwayCard (BahnCard pur). Of the approximately 3.054.000 RailwayCards
that had been issued to German customers by the middle of July
1996, the vast majority are of this type, i.e. without
cash-free payment function. However, Citibank is now trying to
increase the sales of the combined Railway VISA card.
Following a change in the law the Berlin Data Protection Commissioner
took on jurisdiction for German Railway on August 1, 1995. Right
from the beginning of our discussions with German Railway and
Citibank we made it clear that German Railway, as the primary collector
of the passengers' personal data, should not be allowed to outsource
the whole issue of data protection in relation to the RailwayCard,
especially since this outsourcing exercise
led to a massive trans-border data flow into a non-EU country,
i.e. the USA.
Although the time limit to adapt national legislation to Directive
95/46/EC of the European Parliament and Council only expires in
October 1998, and Germany has not yet adapted its Federal Data
Protection Act to the Directive, the Berlin Data Protection Commissioner
successfully argued that no transborder data flow to the United
States should take place even before that date unless the requirements
of Articles 25 and 26 were met. Obviously the parties to the Co-Branding
Agreement were themselves interested in finding a solution which
would allow them to continue the trans-Atlantic data processing
venture after October 1998.
But it is important to stress that we are in a pre-1998 situation.
What is legal as from October 1998 and more precisely what is
an adequate level of protection is to a certain extent for the
European Commission and the Article 29 Working Party to decide.
This point was underlined at the European Data Protection Commissioners'
Conference last April in Manchester. Although I cannot speak here
on behalf of the Commission, nor of the Working Party, nor indeed
on behalf of other autonomous national supervisory authorities
in Europe, I am confident that the solution which was found in
the RailwayCard case is very likely to pass the "adequate
protection" test in 1998.
We have to distinguish two separate issues here:
- Does the contractual solution in the RailwayCard case meet
the adequate protection requirement?
- Can the contractual solution in this case be regarded as
a model for exporting personal data from the EU to third countries
in general?
The answers to these questions are not necessarily identical.
Does the contractual solution in the RailwayCard case meet
the "adequate protection" test?
In February 1996 German Railway and Citibank signed a specific
Data Protection Agreement stating that the responsibility for
those personal data which are collected for the purposes of the
railway rests with German Railway whereas Citibank is responsible
for the protection of the credit data. Both companies have a joint
responsibility with regard to name and address of the card holder.
This agreement was followed by the Agreement on Interterritorial
Data Protection signed exclusively by the German and American
subsidiaries of Citibank.
You will find a generalized version of this Agreement on Interterritorial
Data Protection attached. A and C are the German subsidiaries
of Citibank handling the RailwayCard business on the German side
whereas B is the American Citibank subsidiary producing the cards
and to this end processing personal data of the German applicants.
You may notice the typing error in the title of B ("Data
Protection" instead of "Data Processing Company").
This error is certainly a positive sign as it shows the importance
the parties have attached to the principles of data protection.
On the other hand it is perhaps slightly Freudian if it expresses
the erroneous perception of parties A and C that the implementation
of data protection principles is no longer their business but
exclusively the responsibility of the US company actually producing
the cards. But there I am perhaps overinterpreting a little bit,
since Citibank has made it quite clear that all three parties
to the Agreement share the responsibility for adherence to
data protection requirements.
In order to explain the route which the data of a German railway
card applicant take, and to focus on the transborder data flow
aspect, I have to simplify a little bit. The applicant's data are
captured at a train station (or travel agent) and are forwarded
to Citibank Germany. After being checked they are then encrypted
and sent to the Citibank subsidiary in South Dakota. This company
organizes the production of the card with the help of another
Citibank subsidiary in Nevada. No transactional data from the
use of RailwayCards with VISA function are processed in the United
States. The card is then put into an envelope with the customer's
address, sealed and shipped to a Citibank subsidiary in the Netherlands
from where it is mailed to the applicant's home address in Germany.
The reason for the detour via the Dutch company is simply the
lower postage due in the Netherlands compared with Germany.
What are the main features of the Interterritorial Agreement?
- The parties on both sides of the Atlantic agree to apply German
Data Protection Law to their handling of cardholders' data
(§ 1).
- Customer data may only be processed in the United States for
the purpose of producing the cards (§ 2).
- Citibank in the United States and in Europe is not allowed
to transfer personal data to third parties for marketing purposes
except in two cases:
a) Data of applicants for a RailwayCard with payment function
may be transferred to other Citibank companies in order to market
financial services;
b) Data of applicants for a pure RailwayCard may only be used
or transferred for BahnCard marketing purposes, i.e. to try to convince
the cardholder that he should upgrade his RailwayCard to have a "better
BahnCard" with credit card function (§ 4 II).
- The technical requirements on data security according to German
law are spelt out in detail in § 5.
- The American Citibank subsidiary has to appoint data protection
supervisors again following the German legal requirements (§
6).
- The German card customers have all individual rights against
the American Citibank subsidiary which they have under German
law. They can ask for inspection, claim deletion, correction or
blocking of their data and they can bring an action for compensation
under the strict liability rules of German law either against
German Railway, the German Citibank subsidiary or directly against
the American Citibank subsidiary (§ 8).
- The Citibank subsidiaries in the United States accept on-site
audits by the German data protection supervisory authority, i.e.
the Berlin Data Protection Commissioner, or his nominated agents,
e.g. an American consulting or auditing firm acting on his behalf (§ 10 II).
This very important provision contains a restriction in case US
authorities instruct Citibank in their country not to allow foreign
auditors in. However, this restriction is not very likely to become
relevant in practice. On the contrary, US authorities have already declared
by way of a diplomatic note sent to the German side that they
will accept these audits. This follows an agreement between German
and United States banking supervisory authorities on auditing
the trans-border processing of accounting data (cf. § 11).
Indeed this previous agreement very much facilitated the acceptance
of German data protection audits by Citibank in the United States.
As far as data security concepts are concerned, the Federal Banking
Supervisory Authority and the Berlin Data Protection Commissioner
will be working hand in glove.
- Finally - and this is not reproduced in the version of the
Agreement which you have received - German Railway has been linked
to this agreement between Citibank subsidiaries in a specific
provision.
So to draw a conclusion with regard to my first question (Does
the contractual solution meet the "adequate protection"
test in this particular case?) I would give a positive answer.
Not only has the company in the United States accepted the German
level of data protection, which goes well beyond all previous unilateral
privacy codes and commitments drafted by American companies such
as BankAmerica or Microsoft. In one respect Citibank even accepted
a standard of protection higher than under the current German
legislation. For if German Railway had continued to produce the
cards themselves or to have them produced by a German company
the customers would only have had a right to object to the use
or sale of their data to third parties for any marketing purposes.
Under the Interterritorial Agreement this is generally forbidden
subject to limited exceptions.
We insisted on the strict purpose limitation that applicants'
data would only be used for producing the card since it was a
major point in many complaints we received that the data could
easily be used for illegitimate purposes once they had been exported.
The customer of a monopolist offering a public service (Daseinsvorsorge)
cannot be restricted to a mere right to object against the transmission
of his data.
Furthermore the Interterritorial Agreement to which the data subject
is not a party nevertheless gives him individual rights which
he can enforce in the German Courts. Under German law this is
a contract which directly benefits a third party.
I am aware of the legal problems which common law jurisdictions
have with this concept. They have been described by Prof. Napier
in 1990 when discussing trans-border data flows under Convention
No. 108 of the Council of Europe. However, the Interterritorial
Agreement takes into account Prof. Napier's recommendations by
holding the German Citibank subsidiaries and indeed German Railway
responsible for any violation of the agreement and of German data
protection law that might occur in the production process of RailwayCards
in the United States.
Of course any party to the Interterritorial Agreement could denounce
it. But this would lead not only to claims for deletion and damages
brought by the card customers; as a consequence, a transfer prohibition
notice would also very likely be served by the Berlin Data Protection
Commissioner on German Railway.
One of the most far-reaching, important and novel provisions in
the Agreement is the acceptance by the US subsidiary of Citibank
that on-the-spot audits by German authorities will be allowed.
In practice the Berlin Commissioner is very likely, for obvious
budgetary reasons, to instruct a consulting firm in the United
States with auditing experience to carry out the audit on site.
This is by no means less effective than an audit by the Commissioner
himself.
Besides, the Berlin Commissioner has already paid an exploratory
visit to one of the Citibank data centers in Nevada engaged in
the production of RailwayCards. His findings were very encouraging.
Can the contractual solution in this case be regarded as a
model for exporting personal data from the EU to third countries?
Turning now to my second and more general question (Can the contractual
solution in this case be regarded as a model for exporting personal
data from the EU to third countries?) we must first look at the
structure of the provisions in Directive 95/46/EC governing data
export to non-EU countries.
Articles 25 and 26 of the Directive read against the background
of recitals 56 to 60 clearly state that as a rule the receiving
third country has to ensure an adequate level of protection.
The adequacy of the level of protection shall be assessed in the
light of all the circumstances surrounding a data transfer operation;
particular consideration shall be given inter alia to the rules
of law, both general and sectoral, in force in the third country
in question.
As a derogation from this rule Article 26 provides that
Member States shall allow data transfers to third countries without
an adequate level of protection on the condition that either the
data subject has given his unambiguous consent to the particular
transfer (Article 26 para. 1a) or where the controller adduces
adequate safeguards with respect to privacy protection; such safeguards
may in particular result from appropriate standardized contractual
clauses (Article 26 para. 2).
It is quite obvious that the Directive lays down the principle
that third countries, i.e. the states should legislate or encourage
nationwide rules and security methods to guarantee an adequate
level of protection. Contractual solutions involving the data
subject or private companies are only acceptable under the data
export regime of the Directive in exceptional circumstances. Arguing
in favour of standard contractual clauses as a model solution
for all trans-border data flows from Europe to third countries
would therefore reverse the relation between the principle and
the derogation under European law.
The whole mechanism of Articles 30 and 31 of the Directive would
be rather meaningless if the problems of adequate protection could
all be solved by standard contractual clauses. The question for
the Working Party would then be: what is the standard of protection
like in multinational corporations such as Citibank, Bertelsmann
and Microsoft, rather than what is the protection level in specific
third countries (cf. Article 30 para. 1b)?
There are three more reasons to be sceptical towards model contractual
clauses as opposed to national legislation:
The contractual solution to the German RailwayCard case was found
under exceptional circumstances. The banking supervisory authorities
worked as a kind of door-opener for the data protection authorities
and public protest by consumers met with a surprisingly open-minded
reaction from the Citibank side. Incidentally Citibank turned
out during the discussions with us to be much more flexible and
privacy-minded than their partners from the state-owned German
Railway. It is uncertain whether future proposals to export personal
data from the EU to a third country will be made by corporations
who in each case attach similar importance to data protection
principles as Citibank did here.
Moreover, personal data will not only be exported by large multinational
corporations with their well-staffed legal departments which can
draft sophisticated webs of contractual obligations. Small and
medium-size enterprises will also play a role in the global market-place.
One of the pilot projects launched by the G7 states in
Halifax especially deals with their problems. Small and medium-size
enterprises very often don't have the legal know-how at their disposal
to meet the requirements of Article 26 (2) as interpreted by
the Commission and the Member States. Only the national legislature
can provide for equal conditions of competition by establishing
a legal minimum standard.
Thirdly, the creation of a national oversight mechanism for the
private sector is essential in large data-importing third countries
such as the United States and Canada. The contractual solution
just described cannot provide for such a mechanism. On the contrary,
if adopted as a general rule it may lead to many different supervisory
authorities from foreign countries initiating audits in the third
country, thereby applying different (and possibly contradictory)
standards instead of uniform ones if - as happened in the BahnCard case
- the respective national law is being extended to the third country
by contract.
Conclusion
To conclude I would like to make it quite clear that multinational
corporations such as Citibank can and will play an important standard-setting
role in the global market-place. It will take considerable time
until an adequate level of protection in terms of general and
sectoral rules of law has been ensured in all third countries
importing personal data from Europe. In this transitional period
standard contractual clauses may in exceptional circumstances
prove to be useful. In any case they should at least contain the
same safeguards as the German RailwayCard Agreement.
However, contractual standard-setting by private corporations
can only complement and support but never replace national legislation.
Therefore the decision announced by the Canadian Government that
privacy legislation (as in Québec) will be extended to
the private sector is to be welcomed. Hopefully other non-European
countries will follow this example soon.