Industry fears rise over ‘voluntary’ data privacy code

Series Details Vol.7, No.29, 19.7.01, p17
Publication Date 19/07/2001


By Renée Cordes

IMAGINE a large US-based multinational corporation in the midst of downsizing asks the managers of its European subsidiaries for a list of employees and their telephone numbers.

If the managers want to comply with existing EU and domestic privacy law, would they: (a) send the information by fax or electronic mail immediately; (b) turn down the request point blank and risk getting in trouble with management; or (c) ask their lawyers for advice?

As the laws governing data transfer become more complex, the answer is increasingly 'c'.

A number of EU countries have yet to implement the Union's data privacy directive, which came into effect in 1998. And as the European Commission's infringement cases remain pending, firms are putting vast resources into making sure they comply with the perplexing myriad of rules around the world.

Many larger companies, such as Electronic Data Systems, which has not signed the "safe harbour" agreement (see report below), are hiring data privacy officers to oversee these efforts. They are also racking up huge legal bills. "We are dealing with a completely grey area," said a London-based attorney who is handling data privacy cases for numerous multinationals. For example, he said, it is often unclear what firms must do to secure consent from an individual for data transfers. In some countries consent is automatically assumed if someone does not return a card mailed to him or her, while others require a definitive yes. "There are lots of weird and wonderful interpretations" of data protection laws, the lawyer said, adding that while the concept is admirable the rules more often than not defy common sense.

Under UK law, employers are required to get employees' consent for processing their sick-day records. Ironically, this kind of information is generally essential for payroll purposes. "This sort of stuff is getting silly," said the lawyer, who is nevertheless enjoying more business.

Excluding companies which have signed up to the safe harbour regime, data transfers outside the EU - except to Hungary and Switzerland - are regulated by contract. Last month, the Commission approved provisions which can be used to ensure protection for personal data. In the example, the 'data exporter' and 'data importer' agree to process the information in line with basic protection rules and concur that individuals may enforce their rights under the agreement. "This new practical measure will make it easier for companies and organisations to comply with their obligations to ensure adequate protection for personal data transferred from the community [Union] to the rest of the world while safeguarding individuals' right to privacy," Internal Market Commissioner Frits Bolkestein said when announcing the rules.

The EU executive noted that the standard contractual clauses are neither compulsory for businesses nor the only way to lawfully transfer data outside the Union. In some cases, this is possible if the individual has given his or her unambiguous consent and where the transfer is necessary for meeting a contractual obligation. Member states' data-protection authorities can also approve transfers on a case-by-case basis.

A Commission official insists that use of the model is purely voluntary and does not preclude alternatives. However, there is growing unease in the EU business community that the contract will become the standard and as a result will impose tougher conditions on firms than those under Union law. "Our fear is that it will serve as the benchmark," said David Coleman of EU employers' lobby UNICE.

UNICE is particularly opposed to language in the model contract on joint and several liability, which would entitle individuals to compensation if they have suffered damage as a result of illegal data transfer. Both the data exporter and the data importer could be held liable. UNICE also fears that the contract goes beyond the 'adequate protection' standard contained in the EU directive.

Meanwhile, several organisations are striving to come up with more acceptable contract language. Commission officials also have promised to come up with other models, for example to govern the processing of data.

Article forms part of a survey on e-commerce.
