18th International Privacy and Data Protection Conference

Privacy Beyond Borders

Ottawa, Canada

September 18-20,1996

CASE STUDY: North America and the European Directive

The German RailwayCard

A model contractual solution of the "adequate level of protection" issue ?

Dr.iur. Alexander Dix, LL.M.(Lond.)
Data Protection Deputy Commissioner
Berlin, Germany

Introduction: From platform tickets to the RailwayCard

At the beginning of this century Germans were said to be entirely unable to stage a revolution because once they would be ordered to occupy all the main train stations they would first try to buy a platform ticket. Although there is certainly some truth in this observation nevertheless a lot of things have changed in Germany (since Lenin was allowed by the German government for obvious political reasons to travel across Germany in a sealed freight car from his Swiss exile to Russia to initiate the October revolution there). Some of these changes which took place in East Germany especially in the fall of 1989 may well be called a peaceful revolution. My topic today are some more recent changes which seem to be more marginal in political terms but which nevertheless have important repercussions on trans-border privacy.

Not only have platform tickets been abolished a long time ago in Germany. The German Federal Railway used to be a state-owned public monopoly like its imperial predecessor which carried Lenin to his destination. In 1994 the German Federal Railway was privatised and became a public corporation, the German Railway (Deutsche Bahn AG). The majority of its stocks is owned by the Federal Republic. The corporation is still by and large a monopolist in the German railway sector.

The German Railway started to offer a discount system based on a plastic card, the RailwayCard (BahnCard). Holders of this card are entitled to certain considerable discounts when going by train in Germany. This card soon became very popular especially with commuters and old age pensioners. Until now the card is neither equipped with a magnetic strip nor with a chip. The RailwayCard had to be applied for in train stations and was produced by another German private company (Bertelsmann).

The alliance between German Railway and Citibank

In November 1994 German Railway decided to cooperate with the German subsidiary of Citibank, one of the largest internationally operating banks. The two companies concluded a Co-Branding Agreement which provided for the issuing of the RailwayCard with a cash-free payment function. All RailwayCards were to become VISA credit cards at no additional costs for the customer. This applied also to old RailwayCards which have to be renewed on an annual basis. In addition the RailwayCard now carries the holder's photograph.

The RailwayCards as well as the normal VISAcards issued to German Ctibank customers as from July 1, 1995 are produced in the United States, more precisely in data centers run by Citibank subsidiaries in South Dakota and Nevada.

As soon as the first German train passengers wanted to renew their RailwayCard or to apply for a new one in July 1995 they were told that they had to accept the RailwayCard with credit card function (advertised by German Railway and Citibank as "the better RailwayCard") even if they did not want a credit card at all e.g. because they already had one. This led to numerous complaints and negative reports in the media about the whole co-branding deal which was said to be the biggest credit card agreement in Germany so far.

It was widely believed in Germany that the monopolist German Railway had sold the data of his existing RailwayCard customers and of all potential customers to a big US-based bank which was very likely to use these data in the direct marketing business not only for their own purposes.

The local German data protection supervisory authorities criticized a number of points in the application form issued by German Railway and Citibank, especially the fact that personal data on creditworthiness were collected from people who simply wanted to get on a train regularly.

Very soon - after strong public protests by consumer groups and data protection authorities - the Railway and Citibank had to renegotiate their Co-Branding Agreement to extend it to the production of the old-style RailwayCard without credit card function and to offer it to customers as an option. It was called the "pure" RailwayCard (BahnCard pur). From the approximately 3.054.000 RailwayCards that have been issued to German customers by the middle of July 1996 the vast majority of cards are of this type, i.e. without cash-free payment function. However, Citibank is now trying to increase the sales of the combined Railway VISA card.

Following a change in the law the Berlin Data Protection Commissioner took on jurisdiction for German Railway on August 1, 1995. Right from the beginning in our discussions with German Railway and Citibank we made it clear that German Railway as the primary collector of the passengers' personal data should not be allowed to outsource the whole issue of data protection in relation to the Railway Card especially in view of the fact that this outsourcing exercise led to a massive trans-border data flow into a non-EU country, i.e. the USA.

Although the time limit to adapt national legislation to Directive 95/46/EC of the European Parliament and Council only expires in October 1998 and Germany has not yet adapted its Federal Data Protection Act to the Directive the Berlin Data Protection Commissioner successfully argued that no transborder data flow to the United States should take place even before that date unless the requirements of Articles 25 and 26 were met. Obviously the parties of the Co-Branding Agreement were themselves interested in finding a solution which would allow them to continue the trans-Atlantic data processing venture after October 1998.

But it is important to stress that we are in a pre-1998 situation. What is legal as from October 1998 and more precisely what is an adequate level of protection is to a certain extent for the European Commission and the Article 29 Working Party to decide. This point was underlined at the European Data Protection Commissioners' Conference last April in Manchester. Although I cannot speak here on behalf of the Commission nor of the Working Party nor indeed on behalf of other autonomous national supervisory authorities in Europe I am confident that the solution which was found in the RailwayCard case is very likely to pass the "adequate protection" test in 1998.

We have to distinguish two separate issues here:

1. Does the contractual solution in the RailwayCard case meet the adequate protection requirement ?
2. Can the contractual solution in this case be regarded as as a model for exporting personal data from the EU to third countries in general ?

The answers to these questions are not necessarily identical.

Does the contractual solution in the RailwayCard case meet the "adequate protection" test ?

In February 1996 German Railway and Citibank signed a specific Data Protection Agreement stating that the responsibility for those personal data which are collected for the purposes of the railway rests with German Railway whereas Citibank is responsible for the protection of the credit data. Both companies have a joint responsibility with regard to name and address of the card holder.

This agreement was followed by the Agreement on Interterritorial Data Protection signed exclusively by the German and American subsidiaries of Citibank.

You will find a generalized version of this Agreement on Interterritorial Data Protection attached. A and C are the German subsidiaries of Citibank handling the RailwayCard business on the German side whereas B is the American Citibank subsidiary producing the cards and to this end processing personal data of the German applicants.

You may notice the typing error in the title of B ("Data Protection" instead of "Data Processing Company"). This error is certainly a positive sign as it shows the importance the parties have attached to the principles of data protection. On the other hand it is perhaps slightly Freudian if it expresses the erroneous perception of parties A and C that the implementation of data protection principles is no longer their business but excusively in the responsibility of the US company actually producing the cards. But there I am perhaps overinterpreting a little bit since Citibank has made it quite clear that all three parties to the Agreement share the responsibility for the adherance to data protection requirements.

In order to explain the route which the data of a German railway card applicant take and to focus on the transborder data flow aspect I have to simplify a little bit. The applicants data are captured at a train station (or travel agent) and are forwarded to Citibank Germany. After being checked they are then encrypted and sent to the Citibank subsidiary in South Dakota. This company organizes the production of the card with the help of another Citibank subsidiary in Nevada. No transactional data from the use of RailwayCards with VISA function are processed in the United States. The card is then put into an envelope with the customer's address, sealed and shipped to a Citibank subsidiary in the Netherlands from where it is mailed to the applicant's home address in Germany. The reason for the detour via the Dutch company is simply the lower postage due in the Netherlands compared with Germany.

What are the main features of the Interterritorial Agreement ?

1. The parties on both sides of the Atlantic agree to apply German Data Protectional Law to their handling of cardholders' data (§ 1).

2. Customer data may only be processed in the United States for the purpose of producing the cards (§ 2).

3. 3. Citibank in the United States and in Europe is not allowed to transfer personal data to third parties for marketing purposes except in two cases:

   a) Data of applicants for a RailwayCard with payment function maybe transferred to other Citibank companies in order to market financial services;
   b) Data of applicants for a pure RailwayCard may only be used or transferred for BahnCard marketing purposes, i.e. to try to convince the cardholder that he should upgrade his RailwayCard to have a "better BahnCard" with credit card function (§ 4 II).

4. The technical requirements on data security according to German law are spelt out in detail in § 5.

5. The American Citibank subsidiary has to appoint data protection supervisors again following the German legal requirements (§ 6).

6. The German card customers have all individual rights against the American Citibank subsidiary which they have under German law. They can ask for inspection, claim deletion, correction or blocking of their data and they can bring an action for compensation under the strict liability rules of German law either against German Railway, the German Citibank subsidiary or directly against the American Citibank subsidiary (§ 8).

7. The Citibank subsidiaries in the United States accept on-site audits by the German data protection supervisory authority, i.e. the Berlin Data Protection Commissioner, or his nominated agents, e.g. an American consulting or auditing firm acting on his behalf (§ 10 II).

   This very important provision contains a restriction in case US authorities instruct Citibank in their country not to allow foreign auditors in. However, this restriction is not very likely to become practical. On the contrary, US authorities have already declared by way of a diplomatic note sent to the German side that they will accept these audits. This follows an agreement between German and United States banking supervisory authorities on auditing the trans-border processing of accounting data (cf. § 11). Indeed this previous agreement very much facilitated the acceptance of German data protection audits by Citibank in the United States. As far as data security concepts are concerned the Federal Banking Supervisory Authority and the Berlin Data Protection Commissioner will be working hand in glove.

8. Finally - and this is not reproduced in the version of the Agreement which you have received - German Railway has been linked to this agreement between Citibank subsidiaries in a specific provision.

So to draw a conclusion with regard to my first question (Does the contractual solution meet the "adequate protection" test in this particular case?) I would give a positive answer.

Not only has the company in the United States accepted the German level of data protection. This goes well beyond all previous unilateral privacy codes and commitments drafted by American companies such as BankAmerica or Microsoft. In one respect Citibank even accepted a standard of protection higher than under the current German legislation. For if German Railway had continued to produce the cards themselves or to have them produced by a German company the customers would only have had a right to object to the use or sale of their data to third parties for any marketing purposes. Under the Interterritorial Agreement this is generally forbidden subject to limited exceptions.

We insisted on the strict purpose limitation that applicants' data would only be used for producing the card since it was a major point in many complaints we received that the data could easily be used for illegitimate purposes once they had been exported. The customer of a monopolist offering a public service (Daseinsvorsorge) cannot be restricted to a mere right to object against the transmission of his data.

Furthermore the Interterritorial Agreement to which the data subject is not a party nevertheless gives him individual rights which he can enforce in the German Courts. Under German law this is a contract which directly benefits a third party.

I am aware of the legal problems which common law jurisdictions have with this concept. They have been described by Prof. Napier in 1990 when discussing trans-border data flows under Convention No. 108 of the Council of Europe. However, the Interterritorial Agreement takes into account Prof. Napier's recommendations by holding the German Citibank subsidiaries and indeed German Railway responsible for any violation of the agreement and of German data protection law that might occur in the production process of RailwayCards in the United States.

Of course any party to the Interterritorial Agreement could denounce it. But this would lead not only to claims for deletion and damages brought by the card customers but also a transfer prohibition notice would very likely be served by the Berlin Data Protection Commissioner on German Railway as a consequence.

One of the most far-reaching, important and novel provisions in the Agreement is the acceptance by the US subsidiary of Citibank that-on-the-spot audits by German authorities will be allowed. In practice the Berlin Commissioner is very likely for obvious budgetary reasons to instruct a consultant's firm in the United States with auditing experience to carry out the audit on site. This is no means less effective than an audit by the Commissioner himself.

Besides, the Berlin Commissioner has already paid an exploratory visit to one of the Citibank data centers in Nevada engaged in the production of RailwayCards. His findings were very encouraging.

Can the contractual solution in this case be regarded as a model for exporting personal data from the EU to third countries ?

Turning now to my second and more general question (Can the contractual solution in this case be regarded as a model for exporting personal data from the EU to third countries?) we must first look at the structure of the provisions in Directive 95/46/EC governing data export to non-EU countries.

Articles 25 and 26 of the Directive read against the background of recitals 56 to 60 clearly state that as a rule the receiving third country has to ensure an adequate level of protection. The adequacy of the level of protection shall be assessed in the light of all the circumstances surrounding a data transfer operation; particular consideration shall be given inter alia to the rules of law, both general and sectoral, in force in the third country in question.

As a derogation from this rule Article 26 provides that Member States shall allow data transfers to third countries without an adequate level of protection on the condition that either the data subject has given his unambiguous consent to the particular transfer (Article 26 para. 1a) or were the controller adduces adequate safeguards with respect to privacy protection; such safeguards may in particular result from appropriate standardized contractual clauses (Article 26 para. 2).

It is quite obvious that the Directive lays down the principle that third countries, i.e. the states should legislate or encourage nationwide rules and security methods to guarantee an adequate level of protection. Contractual solutions involving the data subject or private companies are only acceptable under the data export regime of the Directive in exceptional circumstances. Arguing in favour of standard contractual clauses as a model solution for all trans-border data flows from Europe to third countries would therefore reverse the relation between the principle and the derogation under European law.

The whole mechanism of Articles 30 and 31 of the Directive would be rather meaningless if the problems of adequate protection could all be solved by standard contractual clauses. The question for the Working Party would then be: What is the standard of protection like in multinational corporations such as Citibank, Bertelsmann and Microsoft rather than what is the protection level in specific third countries (cf. Article 30 para. 1b) ?

There are three more reasons to be sceptical towards model contractual clauses as opposed to national legislation:

The contractual solution to the German RailwayCard case was found under exceptional circumstances. The banking supervisory authorities worked as a kind of door-opener for the data protection authorities and public protest by consumers met with a surprisingly open-minded reaction from the Citibank side. Incidentally Citibank turned out during the discussions with us to be much more flexible and privacy-minded than their partners from the state-owned German Railway. It is uncertain whether future proposals to export personal data from the EU to a third country will be made by corporations who in each case attach similar importance to data protection principles as Citibank did here.

Moreover, personal data will not only be exported by large multinational corporations with their well staffed legal departments which can draft sophisticated webs of contractual obligations. Small and medium-size enterprises will also play a role in the global market- place. One of the pilot projects launched by the G7-states in Halifax especially deals with their problems. Small and medium-size enterprises very often don't have the legal knowhow at their disposal to meet the requirements of Articles 26 (2) as interpreted by the Commission and the Member States. Only the national legislature can provide for equal conditions of competition by establishing a legal minimum standard.

Thirdly the creation of a national oversight-mechanism for the private sector is essential in large data-importing third countries such as the United States and Canada. The contractual solution just described cannot provide for such a mechanism. On the contrary it may if adopted as a general rule lead to many different supervisory authorities from foreign countries initiating audits in the third country thereby applying different (and possibly contradicting) instead of uniform standards if - as happened in the BahnCard-case - the respective national law is being extended to the third country by contract.

Conclusion

To conclude I would like to make it quite clear that multinational corporations such as Citibank can and will play an important standard-setting role in the global market-place. It will take considerable time until an adequate level of protection in terms of general and sectoral rules of law has been ensured in all third countries importing personal data from Europe. In this transitional period standard contractual clauses may in exceptional circumstances prove to be useful. In any case they should at least contain the same safeguards as the German RailwayCard Agreement.

However, contractual standard-setting by private corporations can only complement and support but never replace national legislation. Therefore the decision announced by the Canadian Government that privacy legislation (as in Québec) will be extended to the private sector is to be welcomed. Hopefully other non-European countries will follow this example soon.