Mr Chairman,
Honourable Members,
Thank you for inviting me to
testify today at this important hearing. My name is Stefano Rodotà, and I am
the Chairman of the Data Protection Working Party that was established by the EU
Directive on the protection of physical persons with regard to the processing of
personal data. This Directive was passed by the European Parliament and the
Council in 1995, that is after 5 years of fierce discussions on the proposal
presented by the European Commission in 1990: passing legislation on such a
complex issue is not easy - neither in the EU nor in the US, you will say…
Since the creation of a Data
Protection Commission in Italy (1997) I also wear the hat of Privacy
Commissioner, and in this capacity I would like to share with you a couple of
ideas on the concrete implementation of the Directive in my country. Before
doing that, may I say something about the European approach to privacy and data
protection, that may explain some of the difficulties that we have experienced
in bridging the gap with the approach of the US Government.
When compared to other pieces of
European legislation, the Directive presents a prominent feature: it aims at
protecting "fundamental rights and freedoms", although this objective
is twinned with the free movement of information and services. This approach has
been recently stressed by a major development: in the Charter of Fundamental
Rights of the European Union, that was signed in December 2000 by the European
Parliament, the Council and the Commission, two specific provisions are devoted
to privacy and data protection. Let me quote them.
Article 7,
Respect for private and family life.
Everyone has the right to respect
for his or her private and family life, home and communications.
Article 8, Protection of Personal
Data.
Everyone has the right to the protection of
personal data concerning him or her.
Such data must be processed fairly for specified
purposes and on the basis of the consent of the person concerned or some other
legitimate basis laid down by law. Everyone has the right of access to data
which has been collected concerning him or her, and the right to have it
rectified.
Compliance with these rules shall be subject
to control by an independent authority.
These independent authorities, as
you know, meet together in the Data Protection Working Party, which is also
called the "Article 29" Group, although its powers are to be found in
Article 30 of the Directive. The Working Party, that I’m honoured to chair
since last year, has an advisory status and acts independently. Since its
creation, it has adopted a number of Recommendations and Opinions, some of which
were devoted to the different versions which led to the final shape of the
"Safe Harbor". All these documents are available to the public at the
following web page:
http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/
The Italian experience.
In Italy, the Directive was
implemented by the Data Protection Act (1996). This Act is being complemented by
secondary legislation and – may I stress this aspect – by a number of Codes
of conduct, which represent an important factor of flexibility. All the relevant
documents are available at:
http://www.garanteprivacy.it
Judging from my personal
experience on the ground, I can testify that the provisions by which the
Directive was implemented in Italy are being invoked on such a wide range of
issues that were probably hard to imagine when the law was passed - there are
over 2,000 claims pending before the Garante, covering almost all business areas
and administration branches – but no company has gone out of business – nor
has it suffered the dramatic consequences that were anticipated by some
interested circles. On Capitol Hill, you are in a good position to know that
lobbying groups sometimes tend to exaggerate the cost of new legislation. In
earlier times, the same happened during the Parliamentary discussions on child
labour legislation, but nobody today would argue that such legislation was not
appropriate.
When the Directive was passed
(1995) in Italy there was no legislation in this area, and the issue was
virtually confined to the academic and literary circles. In less than 4 years,
the word "Privacy" has entered into the daily vocabulary of the
average Italian (without any Italian translation: the media and the man in the
street just say "Privacy", and they seem to know what they mean).
Sometimes I’m myself puzzled about that.
The widespread use of the word
"Privacy", in Italy and in other non-English speaking countries,
indicates an amazing paradox. Privacy was "invented" in the US, and
has long been considered to be typical of American society. Still, Europe is
nowadays the region of the world where personal data is most protected – so
much so that the Charter of Fundamental Rights of the European Union has
recently included data protection among fundamental human rights (see Article 8,
quoted above).
This does not mean, however, that
the European and the US systems are mutually opposed or absolutely
irreconcilable. For instance, it is an instance of misrepresentation to simplify
the picture by making Europe the domain of law and the US the domain of
self-regulation. Indeed, it is exactly the legislative framework provided by EU
directives and national laws which is making it possible to develop
self-regulatory codes and contractual models on a large scale. At the same time,
many highly sensitive issues and topics are being dealt with in the USA by means
of legislative tools, as shown by the many laws passed in the US at the State
level and by the Executive Order issued by Clinton on 8 February 2000 to
prohibit the use of genetic data for federal employees.
The implementation of the Directive in other EU countries
The Directive has been
implemented in 11 out of the 15 EU Member States. The deadline for
implementation was October 1998 and of course, as in many other policy areas,
the European Commission has started an infringement procedure against the four
Member States that have not yet notified the implementing measures (France,
Germany, Ireland and Luxembourg). It is the Commission’s duty, and I strongly
hope that this will help in completing the implementing process. However, if we
consider both the "core principles" of data protection and the
creation of Supervisory Authorities, I would say that almost all Member States
are now in line with the "fundamentals" of the Directive (please, don’t
ask me to name the one or two countries that may still make an exception).
Germany and France are, for
different reasons, in a similar paradox: they are late in passing the
implementing measures; however, their data protection legislation is sound and
belongs among the best established in Europe (the two were the main source of
inspiration for the European Directive). According to some observers,
this paradox shows that "adapting" old laws may prove harder than
passing a brand new law, but the case of Germany is certainly made more complex
by the Federal structure of the State, that implies several levels of
discussion.
The Netherlands seem to have
experienced one of the most interesting parliamentary debates. As far as I
understand, this was prompted by a major amendment initiative aimed at
excluding the private sector from the "jurisdiction" of the Data
Protection Authority: roughly speaking, the business community argued that they
would feel more comfortable with the powers of self-disciplinary bodies, and
they found sympathetic ears in the Dutch Parliament; an amendment to this
purpose was tabled, but the Dutch Government found that it may have been
incompatible with the Directive, and the idea was finally rejected.
The provisions of the Directive with regard to transborder data flows
A prominent feature of the EU
approach, if compared to the US privacy debate, is that the Directive provides
a single framework which applies irrespective of the business sector
concerned, and regardless of the nature of the data controller (public or
private body), although some broad exceptions are allowed.
In the recent past, some
observers have argued that, since the Directive had been drafted at the time of
mainframe computers, its provisions would be outdated in the Internet era. The
experience gained in the meantime points to the opposite conclusion: all the
core principles established by the directive, such as the right of access,
rectification, deletion and the right to damages are drafted in a way that copes
with technology developments, and they work properly irrespective of the
technology used to process personal data.
Incidentally, a similar debate
took place with regard to the OECD Privacy Guidelines, that are based on the
same core principles. In the end, as you know, the applicability of the OECD
Guidelines to electronic commerce was reaffirmed by the Ministerial
Conference held in Ottawa in 1998, although the Guidelines are much
"older" than the Directive (OECD Guidelines: 1980, EU Directive:
1995!).
Of course, the Internet
revolution carries its lot of new challenges, but these normally concern the
issues of applicable law and jurisdiction, rather than the content of the
substantive rules, and these are the same kinds of problems that arise in many
other areas of law.
To be concrete, may I give you
one example: which law applies to the online collection of personal data from
individuals of country "A" by a company established in country
"B" using a server located in country "C"?
When the countries concerned are
within the European Union, the answer is simple: the law of Member State
"B", that is the country in which the company is established. In my
opinion, this solution is well balanced:
on the one hand, it allows data
controllers to comply with one single set of rules (instead of 15 or more), and
this is very business-friendly;
on the other hand, it protects
citizens from the possible circumvention of their rights: using a server located
in a third country would be an easy route to circumvention, but what matters for
the Directive is the country in which the economic activity of the controller is
located.
This approach makes sense, as all
Member States share the same values and are legally bound by the same
"core" principles, enshrined in the Directive. Of course, the above
applies only insofar as the data controller is established in an EU Member State:
where this is not the case, the issue is far more complex. If the data
controller is established in a country with "no rules" on data
protection, the same approach would result in the absolute lack of guarantees
for the data subject, whose personal data could be processed without any
restriction.
In my opinion, there is therefore
a case for an International instrument on data protection, as recently stressed
in the "Venice declaration" by all the colleagues convened at the 22nd
International Conference on Privacy and Data Protection.
However, in the absence of an
international instrument, the Directive has established two very important
safeguards:
By requiring that Member States
apply the Directive where the data controller is established in a third country
but processes personal data by using equipment that is located in the EU
territory (Article 4c);
By the well known "Article
25", that prompted a number of alarming articles in the US press, warning
against what was called "the Great Wall of Europe": according to this
provision, personal data can be transferred from the EU to third countries only
if the receiving country ensures an "adequate" level of data
protection. Until now, only Canada, Switzerland and Hungary have met the
"adequacy test" in the judgement of the Article 29 Working Party.
I agree that Article 25 sounds
like a bold provision. However, to be understood, this general rule must be read
together with the many exceptions established by Article 26, which allow a
significant degree of flexibility (examples: the data transfer is allowed if the
individual has given his unambiguous consent, or where necessary for the
performance of a contract with the data subject, or to protect his vital
interests, and so on). In addition, data transfers can also take place where the
controller adduces appropriate safeguards, that can be offered by way of
contractual provisions.
As you probably know, standard
contractual clauses have been drafted by the Commission Services and have
received the positive Opinion of the Data Protection ("Article 29")
Working Party. In my opinion, such clauses are crucial in ensuring transborder
data flows, because many companies make business on a global scale and because
data flows from the EU are not limited to the US. These clauses, when adopted,
will not be mandatory but if companies choose to use them, they will be able to
cut out most of the administrative loops which the contractual route otherwise
requires.
The Safe Harbor
The Safe Harbor is living
proof that the Directive allows significant flexibility. In finding that the SH
offers adequate protection, the European Commission may have gone beyond the
letter of Article 25, which refers to "domestic law" or international
commitments, and has accepted a set of rules that are proposed to US companies
on a voluntary basis, but I will not re-open that debate: all that I want to
stress, is that on the European side there has been a lot of good will.
I understand that, until now,
only twenty-five US organisations have adhered to the Safe Harbor, and it is to
be hoped that their number will increase, after all the commendable efforts that
were deployed on both sides to secure the deal.
Mr Chairman, Honourable Members,
thank you for giving me the
opportunity to testify. May I conclude with my very best wishes for your future
discussions, which are crucial for the democratic values that we share.
Prof. Stefano Rodotà
Garante per la protezione dei dati
personali
Piazza Monte Citorio 121
I, 00186 Roma
e-mail: Rodota@garanteprivacy.it