Application of a methodology designed to assess the adequacy of the level of protection of individuals with regard to processing personal data
224 pages
English


Description

Test of the method on several categories of transfer

Subjects

Fundamental rights

Extract

Application of a methodology
designed to assess the adequacy
of the level of protection of individuals
with regard to processing personal data:
Test of the method on several categories of transfer
European Commission
FINAL REPORT
Presented by the University of Edinburgh on behalf of:
Charles D. Raab
Colin J. Bennett
Robert M. Gellman
Nigel Waters
September 1998
Directorate-General XV
Internal Market and Financial Services

Acknowledgements
This publication is of a study carried out for the European Commission by a consortium of data
protection specialists under the supervision of the University of Edinburgh. The four contributors
were Charles D. Raab (University of Edinburgh, Scotland, UK), Colin J. Bennett (University of
Victoria, B.C., Canada), Robert M. Gellman (Privacy and Information Policy Consultant,
Washington, D.C., USA) and Nigel Waters (Consultant in Fair Information Practices, Sydney,
Australia).
The primary objective of the study is to test a methodology which had already been developed
for the evaluation of levels of data protection afforded in non-EU countries. Such evaluations are
a necessary consequence of the provisions on third country transfers included in the EU data
protection Directive 95/46/EC.
The methodology is tested by applying it to a series of test cases of specific data transfers to a
selection of six third countries. On the basis of these cases the study team then draws certain
conclusions about the methodology.
The European Commission would like to thank the authors for their major contribution to this
study, while at the same time underlining that the views expressed are those of the authors only,
and can in no way be attributed to the European Commission or its services.
A great deal of additional information on the European Union is available on the Internet.
It can be accessed through the Europa server (http://europa.eu.int).
Cataloguing data can be found at the end of this publication.
Luxembourg: Office for Official Publications of the European Communities, 1999
ISBN 92-828-5638-0
© European Communities, 1999
Reproduction is authorised provided the source is acknowledged.
Printed in Belgium

EXECUTIVE SUMMARY
1. This Final Report tests a methodology for assessing the adequacy of the level of
protection of individuals with regard to processing personal data. The necessity to assess
adequacy is determined by Article 25 of the European Union Data Protection Directive
95/46/EC.
2. Thirty cases of data-transfer are described. The six countries studied are Australia,
Canada, China (Hong Kong), Japan, New Zealand and the United States of America. The
five categories of transfer reviewed are human resources data, sensitive data in airline
reservations, medical/epidemiological data, data in electronic commerce, and sub-contracted
data processing.
Summary of Category Conclusions
3. Broad conclusions, generalisable beyond the transfers studied, are difficult to draw
in each of the categories. However, on the basis of the cases, we concluded:
4. Human Resources Data: Compliance with fair information practices is generally
good. At least some elements of fair information principles have been incorporated into
practice in all six jurisdictions. In most, many of the necessary elements have been
achieved. In each case, this is largely due to the fact that the organisation receiving the
transferred data in the destination jurisdiction is a subsidiary of a European parent company.
5. Sensitive Data in Airline Reservations: Compliance with fair information practices is
good, as data are collected and used in Europe by European-based airlines under the
jurisdiction of European data protection laws. The complexity of the flow of such data, and
of the uses to which the data may be put elsewhere, make generalisations difficult about
compliance in other jurisdictions, especially where all the fair information principles may
not apply. A single transaction may generate multiple data-transfers to multiple players.
Passengers with complex flight arrangements that also involve 'special' and other services
may find that their data flow through regimes with markedly different levels of privacy
protection.
6. Medical/Epidemiological Data: Health care encompasses many associated activities
that can occur within organisations besides the health-care provider. Adequate protection for
all primary and secondary uses of personal health information is greatly dependent on
whether the jurisdiction has a comprehensive data protection law. The adequacy of
protection for clinical trial records is heavily dependent on the practices of the company
concerned, and particularly on the transfer of personal data in a nearly unidentifiable form.
7. Data in Electronic Commerce: Compliance with fair information practices for the six
electronic commerce transfers studied is almost wholly dependent on whether the
jurisdiction has a comprehensive data protection law. Where no law applies general fair
information practices to electronic commerce activities, electronic commerce is virtually
unregulated for data protection. Voluntary industry codes exist in the jurisdictions without
applicable laws, but the extent to which those codes address all elements of fair information
practices, let alone meet the standards in the EU data protection directive, is highly variable.
8. Sub-Contracted Data Processing: Transfers of personal data between data
controllers and data processors pursuant to sub-contracts are for the most part unregulated.
It is impossible to offer any general conclusions about the extent to which industry practices
meet EU standards, because outside assessors cannot obtain specific information about
contracts. However, a full set of protections for data subjects should be available under the
law of the EU country in which the data originate. It is unlikely that similar protections are
available in third countries, except that security requirements are probably addressed.
Summary of Methodological Conclusions
9. Our experiences in conducting the investigations for this Report are discussed in a
methodological conclusion that considers the applicability of the methodology. We also
comment upon a range of issues that will be important for any future assessments of this
kind, and that should be considered in the implementation of the Directive.
10. Our broadest methodological conclusion is that collecting and analysing information
about specific transfers of personal data is not a simple task. In the future, the process of
assessing adequacy will require further refinement of analytical instruments for application
to a wider array of transfers and circumstances. The institutional machinery for assessing
adequacy and for disseminating results will need careful design.
11. We believe that a more empirical analysis of policies and practices, and not just of
legal norms and rules, serves both to advance the debate and to anticipate the specific
problems that will be encountered in the implementation of the Directive. The assessment of
adequacy will be incomplete to the extent that it cannot assess actual practices and the
realities of compliance.
12. We outline a number of practical difficulties in applying the methodology for
assessing adequacy. These concern the extent and consistency of organisations' co-operation
with investigations, variations in the reliability of information elicited by the
inventory of questions, the variety of areas of business to be found in a single organisation,
legal uncertainties and jurisdictional differences. Assessment problems also arise over
determining the applicability of data protection rules to anonymised data, and over the
inseparability of data derived from the EU and from the third-country held in the same
database.
13. A further complication arises from the lack of clear priority amongst the criteria to be
applied in the assessment of adequacy. This may provide useful flexibility in the decision-making
process, but it also leaves judgements open to argument. Differences in culture and
in institutional functioning may cloud the issue of determining the extent of adequacy.
14. The methodological conclusion considers a number of transitional questions that
may be important in the coming years, and which may affect the assessment of adequacy.
We also enumerate longer-term considerations concerning the effect of risk assessment,
commercial confidentiality and the nature of complaints processes on the way
determinations of adequacy are initiated and carried out. We suggest that the assessment
process itself has a beneficial effect on organisational learning by data controllers and
others, and needs to be regularised. Attention should be given to the institutional
arrangements within and beyond the European Union for the assessment of adequacy and
the establishment of an 'intelligence capability' for this task.
TABLE OF CONTENTS
I. INTRODUCTION page 1
II. THE CASES page 4
