New Data Protection Study Examines the EU Adequacy Issue
The adequacy question relates to compliance with the standards in the European Union Data Protection Directive. Exports of personal data from Europe can only be made to countries or companies that ensure an adequate level of protection. A major uncertainty is the meaning of adequacy. If a company or industry wants to meet the EU standards for data protection, what does it have to do?
That is a surprisingly difficult question to answer simply or clearly. The directive says adequacy is to be assessed in light of all the circumstances surrounding a data transfer. So how to proceed?
The EU is aware of the difficulty here, and it recently released a study that addresses adequacy assessments. The study was prepared under contract with the EU by four privacy researchers, Charles Raab from Scotland, Colin Bennett from Canada, Nigel Waters from Australia and me. The main purpose was to test the applicability of the criteria and methodology for adequacy assessment outlined earlier by one of the working groups established by the directive.
The title of the report is a mouthful: Application of a Methodology Designed to Assess the Adequacy of the Level of Protection of Individuals with Regard to Processing Personal Data: Test of the Method on Several Categories of Transfer. The report is just more than 200 pages, and it is available on the Internet at http://europa.eu.int/comm/dg15/en/media/dataprot/studies/adequat.htm.
For the most part, the report's assessments took place in the real world. The researchers attempted to examine how actual companies transferring real data measured up against the standards in the directive. The ultimate goal was not to determine if the companies were adequate, but to see how the methodology worked.
The study included an examination of five different categories of transfers from Europe to six countries. The countries were Australia, Canada, Hong Kong, Japan, New Zealand, and the United States. The transfers involved subcontracted data processing, human resources data, medical/epidemiological data, electronic commerce data, and airline reservations.
Readers of DM News will be most interested in the electronic commerce transfers. All involved Internet-based businesses that deal directly with consumers. The Hong Kong case examined a securities dealer, but the other electronic commerce transfer cases looked at mail order companies doing business with Europeans.
For the electronic commerce transfers, the report concluded that compliance with fair information practices is almost wholly dependent on whether the jurisdiction has a comprehensive data protection law. Only Hong Kong and New Zealand have laws covering the private sector.
This leaves only voluntary industry codes as a source of general data protection standards. However, the report found that the extent to which the codes address all the elements of fair information practices is highly variable. Whether companies actually comply with these codes is another major uncertainty. Another is whether enough companies in an industry have subscribed to the codes to make the code relevant.
The study was not designed to determine if U.S. marketers are adequate. That is just as well, because existing American marketing privacy standards fall short of international standards.
A major methodological conclusion was that it's hard to make adequacy assessments. Collecting information about specific transfers of personal data is a challenge, and analyzing the data against a hazy set of standards is complex. The researchers also found it difficult to locate cooperating organizations (who were promised anonymity). Senior corporate officials sometimes found it difficult to provide authoritative information on data processing practices, and practices sometimes varied within a company.
Nevertheless, I walked away from the study with a somewhat more positive personal assessment of the underlying issue. For a company that wants to avoid data protection problems with the EU, it is not necessarily that difficult to meet the adequacy standard. Granted, the standard is unclear, and the process remains undefined, but perfection is not required. Most companies will not have to spend large sums of money, restructure their operations, or refuse business in order to be found adequate. Much can be accomplished quickly, easily and inexpensively. A good faith effort and some not-too-difficult changes may convince the EU that a company is adequate. The directive also allows some companies to avoid adequacy altogether if they organize transactions properly.
One place to start is by assigning responsibilities to a privacy officer. The next step may be to look at the report's appendix, which contains an inventory of questions as a general guide for anyone who wants to undertake an adequacy assessment. While there are many questions, not all are applicable to every transfer. Be sure as well to look at Article 26 of the directive because it contains the principal exceptions.
Solving the problems raised by the EU directive at a national or industry level will be difficult. That may not be your job. If a company can meet the adequacy test, its international business can continue to grow while its competitors are stuck. Trying to be adequate is worth a try. It may not be as difficult as you think.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation, justice, transportation and agriculture. His e-mail address is firstname.lastname@example.org.