![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Abstract
Information Communications Technology (ICT) law has developed rapidly during the past 15 years within the European Union (EU). The Directives on Data Protection, Databases, Software and the Internet (to mention but a few) have together formed a corpus representing various layers of legal principles of varying importance. Some of these, like Directive 95/46, essentially are designed to protect fundamental human rights principles such as the right to private life. Recent events such as the negotiations over personal data transfer issues to the United States highlight the importance of such legal instruments and their transnational impact outside the boundaries of the EU. While much attention has been focused on EU 95/46 and transborder data flows to/from North America and G7 countries, little attention has been paid to the impact/compatibility of such laws vis-à-vis North African and Middle Eastern states where Islamic culture or Islamic law underlies much of everyday legal practice. This article attempts to identify the extent to which the principles of European Charter on Human Rights Articles 8 and 10 are to some extent established/respected within North African and Middle Eastern states and consequently the extent to which data protection laws are in (or could conceivably be brought into) place in a way that would ensure de facto compatibility with the requirements of EU 95/46. This issue is becoming of greater importance as more and more EU-based industries move their operations to North African and Islamic law states in order to take advantage of lower labour costs.
Notes
1 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data—Transfers of Personal Data to Third Countries—Applying Articles 25 and 26 of the EU Data Protection Directive, adopted on 24 July 1998. DG XV D/5025/98 WP12.
2 The ‘content’ principles are: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the rights of access, rectification and opposition, restrictions on onward transfers to other third countries, plus other additional principles which may be applied to specific types of processing—for example, sensitive data, direct marketing and automated individual decision.
3 For, e.g., sanctions for non-compliance and independent supervisory authorities.
4 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data—Transfers of Personal Data to Third Countries.
5 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data—Transfers of Personal Data to Third Countries (emphasis added).
6 The eight principle is the principle that ‘personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’.
7 Carey P. (2004) Data Protection – A practical guide to UK and EU law, 2nd edn (Oxford, Oxford University Press) at p. 110.
8 They could be industry-wide or profession-wide with clearly comprehensive coverage or simply voluntary data protection codes developed by small groupings of companies within sectors.
9 Article 29 Data Protection Working Party ‘Working Document: Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries’, 22 April 1998, at p. 4.
10 Kirby M. D. (1991) Legal aspects of transborder data flows, International Computer Law Adviser, 5(4), pp. 5 – 6.
11 Bygrave L. A. (2002) Data Protection Law: Approaching its Rationale, Logic and Limits, Chapter 6, p. 114 (The Hague, Kluwer Law International).
12 Ellger R. (1990) Der Datenschutz in grenzűberschreitende Datenverkehr: eine rechtsvergleichende und collisions – rechtliche Untersuchung (Baden-Baden, Reihe Wirtschaftsrecht der Internationalen Telekommunikation, Bd. 14).
13 See J. Bing (1985) Data protection in practice: International service bureau and transnational data flows. In CompLex 1/85 (Oslo, Universitetsforlaget), referred to in Bygrave, Data Protection Law, at p. 115. However, the rules in Denmark's Private Registers Act on transborder data flows were concerned not solely with protection of individual persons; they were also grounded upon a desire to build up a national computer industry such that public or private enterprise in Denmark could continue to operate independent of events in other countries (see P. Blume (1996) Personregistering (Copehagen, Akademisk forlag) 3rd edn, and references cited therein). Nevertheless, the latter concern apparently did not reflect a desire for economic protectionism as such, but rather a desire to ensure that enterprises in the country could continue functioning in the event of a foreign crisis.
14 Bygrave, Data Protection Law, at p. 115.
15 See COM(90) 314 final, 13 September 1990, 4.
16 COM(90) 314 final, at p. 20 et seq.
17 Singleton S. (2002) Privacy as a Trade Issue: Guidelines for US Trade Negotiators, Economic Freedom Project Report #02 – 02 (Washington, DC, The Heritage Foundation). Available online at: http://www.cei.org/pdf/2901.pdf
18 Swire P. & Litan R. (1998) None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive (Washington, DC, Brookings Institution Press).
19 See, e.g., China, US reach deal on trade issues, China Daily—Agencies Available online at: http://english.people.com.cn/200404/22/eng20040422_141233.shtml
20 Term employed by M. V. Perez Asinari ((2003) The WTO and the Protection of Personal Data: Do EU measures fall within GATS exception? Which Future for Data Protection within the WTO e-Commerce Context? Paper presented at the 18th BILETA Conference on Controlling Information in the Online Environment, London, April), used because of its special nature since it does not declare that the whole American system is ‘adequate’, but just the adhesion by American companies to the Agreement's principles and FAQs (frequently asked questions).
21 Commission Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbor privacy principles and related frequently asked questions issued by the US Department of Commerce, Official Journal L 215/7, 25 August 2000. Available online at: http://www.europa.eu.int/comm/internal_market/en/dataprot/adequacy/dec2000520ec.pdf
22 For detailed information about the self-certification process, see http://www.export.gov/safeharbor/helpful_hints.html
23 Singleton, Privacy as a Trade Issue.
24 For a far more careful study of the Safe Harbor Principles, see Y. Poullet (2000) The ‘Safe Harbor Principles’: An Adequate Protection? Paper presented at the IFCLA International Colloquium, Paris, 15 – 16 June.
25 Airline passenger data transfers from the EU to the United States (Passenger Name Record) frequently asked questions, MEMO/03/53, 12/03/2003.
26 Title 49, United States Code, section 44909(c)(3), 19 November 2001.
27 Article 25 of the EU Data Protection Directive, adopted on 24 July 1998, p. 26.
28 2004/535/EC, OJ L 235, 6 July 2004, p. 11.
29 Recital (8) of the Decision states that: “Community law provides for striking the necessary balances between security concerns and privacy concerns. For example, Article 13 of Directive 95/46/EC provides that Member States may legislate to restrict the scope of certain requirements of that Directive, where it is necessary to do so for reasons of national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.”
30 Opinion 6/2004 on the implementation of the Commission decision of 14-V-2004 on the adequate protection of personal data contained in the Passenger Name Records of air passengers transferred to the United States' Bureau of Customs and Border Protection, and of the Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (11221/04/EN) WP95, adopted on 22 June 2004.
31 Opinion 4/2003 of 13 June 2003, WP78, Opinion 6/2002 of 24 October 2002, WP66.
32 Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC), OJ L 183 of 20 May 2004, p. 83.
33 See Bygrave, Data Protection Law, Chapter 6 (‘Catalysts for Emergence of Data Protection Laws’).
34 Bygrave, Data Protection Law, Chapter 6.
35 Michael J. (1994) Privacy and Human Rights: An International and Comparative Study, with Special Reference to Developments in Information Technology (Dartmouth, Unesco Publishing).
36 Ogaranko T. (1996) Transborder Data Flows, at paragraph 3.1. Available online at http://www.compusmart.ab.ca/ogaranko/tdf/tdftoc.htm
37 Briant M. (1988) Freedom of Data Flows and EEC Law (Amsterdam, Kluwer).
38 Lloyd I. J. (1997) Information Technology Law, 2nd edn (Croydon, Butterworths), at p. 149.
39 Singleton, Privacy as a Trade Issue.
40 Under the global trade regime administered through the WTO, laws that appear to prevent free trade in goods and services are carefully scrutinized.
41 GATT Article XX (d) and GATS Article XIV (c).
42 The commitments and limitations are in every case entered with respect to each of the four modes of supply envisaged in the GATS—i.e., (1) from the territory of one Member into the territory of any other Member (cross-border supply: the possibility for non-resident service suppliers to supply services cross-border into the Member's territory); (2) in the territory of one Member to the service consumer of any other Member (consumption abroad: the freedom for the Member's residents to purchase services in the territory of another Member); (3) by a service supplier of one Member, through commercial presence in the territory of any other Member (commercial presence: the opportunities for foreign service suppliers to establish, operate or expand a commercial presence in the Member's territory, such as a branch, agency or wholly-owned subsidiary); and (4) by a service supplier of one Member, through presence of natural persons of a Member in the territory of any other Member (presence of natural persons: the possibilities offered for the entry and temporary stay in the Member's territory of foreign individuals in order to supply a service). See GATS, Part III, ‘Specific Commitments’.
43 WTO members must give the service suppliers of other members ‘treatment no less favourable than that accorded to like services and suppliers of any other country’.
44 GATS, Article II.2: Before the agreement went into force, Members were permitted to list exemptions. These Article II exemptions are subject to review and not intended to last longer than ten years. It has to be noted that it is not required to specify measures providing for preferential liberalisation of trade in services among members of economic integration processes, provided that the conditions described in Article V of the GATS are met.
45 Perez Asinari, The WTO and the Protection of Personal Data.
46 See, e.g., the national constitutions of Spain, Portugal, Belgium and the Netherlands.
47 This reasoning has been followed in ‘United States—Section 337 of the Tariff Act of 1930’ and ‘Thailand—Restrictions on Importation of and Internal Taxes on Cigarettes’, but not in ‘Korea—Measures Affecting Imports of Fresh, Chilled and Frozen Beef’.
48 Article 29 Data Protection Working Party, Discussion Document: First Orientations on Transfers of Personal Data to Third Countries—Possible Ways Forward in Assessing Adequacy, 26 June 1997, WP 4; Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, 24 July 1998, WP 12.
49 Perez Asinari, The WTO and the Protection of Personal Data.
50 WTO (2001) WTO Ministerial Declaration adopted on 14 November 2001. Available online at: http://www.wto.org/english/thewto_e minist_e/min01_e/mindecl_e.htm.
51 The Doha Declaration has reaffirmed the importance of paying attention to non-classical-trade issues (e.g., the protection of the environment, the promotion of a sustainable development and the safeguarding of core labour standards). At the time when the necessity of a Directive harmonising data protection legislation was first acknowledged in the EU (in the 1970s), the issue had arisen as to how the EU (EEC) could regulate on a fundamental right if it had no competence in this realm. Even if, as time went by, the EU expanded the reference and competence on fundamental rights, Directive 95/46 was passed using as legal basis ex-article 100A (currently Article 95) (which is the one prescribed to regulate internal market issues). The EU internal market implications were solved, harmonising the effective protection given by Member States to personal data in order to permit the free-flow of information.
52 WTO, Third Dedicated Discussion on Electronic Commerce under the Auspices of the General Council on 25 October 2002, Summary by the Secretariat of Issues Raised, WT/GC/W/486, 4 December 2002; Second Dedicated Discussion on Electronic Commerce under the Auspices of the General Council on 6 May 2002, Summary by the Secretariat of Issues Raised, WT/GC/W/475, 20 June 2002; Dedicated Discussion on Electronic Commerce under the Auspices of the General Council on 15 June 2001, Summary by the Secretariat of Issued Raised, WT/GC/W/436, 6 July 2001.
53 Unlike the EU, which is a ‘supranational’ process implying delegation of sovereignty.
54 Swire & Litan, None of Your Business, p. 189.
55 Singleton, Privacy as a Trade Issue.
56 Reidenberg J. (2001) E-commerce and trans-Atlantic privacy, Houston Law Review, 38, p. 717.
57 See, generally, Final Act Embodying the Results of the Uruguay Round of Multilateral Trade Negotiations: Agreement Establishing the World Trade Organisation (1994) (including the TRIPS annex on intellectual property).
58 Reidenberg J. (2000) Resolving conflicting international data privacy rules in cyberspace, Stanford Law Review, 52.
59 Reidenberg, Resolving conflicting international data privacy rules.
60 Swire & Litan, None of Your Business, p. 194.
61 Swire & Litan, None of Your Business, p. 195.
62 Reidenberg, E-commerce and trans-Atlantic privacy, at p. 747.
63 Longworth E. (2001) Transborder data flow: EU Directive and implications for international business, at p. 11. Available online at: http://www.pcpd.org.hk/english/infocentre/files/nz_3.doc
64 Longworth, Transborder data flow, p. 11.
65 The letter included a proviso stating that ‘the European Commission is not a data protection supervisory authority so our knowledge as regards incidents with these countries might not correspond to the reality but if these incidents ever happen, we are not aware of them. A Member State has notified to the Commission the use of standard contractual clauses for the transfer of personal data to Morocco.’
66 Room S. (2004) The European Data Protection Regime: An Excuse to Keep Developing Countries out of the Information Society? Paper presented at the Institute for Development Policy and Management, University of Manchester, 19 April.
67 Room, The European Data Protection Regime.
68 Cannataci J. A. (1986), Privacy and Data Protection Law: International Development and Maltese Perspectives (Oslo, Norwegian University Press AS), at p. 90.
69 Cannataci, Privacy and Data Protection Law, p. 90.
70 Cannataci, Privacy and Data Protection Law, at p. 91.
71 Carey, Data Protection, at p. 106.
72 The nature of the protection of privacy in Islamic society is not dealt with at length in this article since such background material is also outlined in the study by Aslam Ayat in this special issue.
73 Al Ahmad, Akhal (1999) The Virtual Law Firm: Privacy Issue World Wide Activities Middle East—Jordan. Available online at: http://vlf.juridicum.su.se/master99/staff/akhal/privacy.html
74 Bygrave, Data Protection Law.
75 It is worth noting in this context that the European Court of Human Rights has, since 1981, exhibited increasing willingness to read data protection principles into Article 8 of the European Convention on Human Rights.
76 Obeidat M. (2001) Consumer Protection and Electronic Commerce in Jordan: An Exploratory Study. Paper presented at the Public Voice in Emerging Market Economies Conference.
77 Electronic Privacy Information Center (EPIC) and Privacy International, Privacy and Human Rights 2003 – An International Survey of Privacy Law and Developments.
78 The OECD Guidelines carry only the requirement that they be ‘taken into account’ in domestic legislation. Although not dissimilar in their content to Convention 108 and Directive 95/46, they do not provide for procedural mechanisms to ensure the effectiveness of such rules. Chapter 1 of this study has drawn a distinction between the European tendency, reflected in Directive 95/46, for data protection rules to be embodied in a law that includes additional procedural mechanisms (such as the establishment of supervisory authorities), and the absence of such a law in the United States.
79 EPIC et., Privacy and Human Rights 2003.
80 E.g., amendments to the Law of Evidence, providing that electronic documents possess an evidentiary strength equal to that of regular documents, and the Copyright Law, relating to copyright ownership in the software development sector.
81 Electronic Transactions Law 85 of 31 December 2001.
82 Instructions for Regulating the Work of the Internet Centers and Cafés and the Bases for their Licensing for the Year 2001.
83 Amendment to the Telecommunications Law 8 of 17 February 2002.
84 Article 37.
85 Article 38.
86 Instructions for Regulating the Work of the Internet Centers and Cafés, Articles 6 (1) and (2).
87 Article 13.
88 Article 6 (3)
89 Article 11 (2).
90 Gov't nixes new Net café regulations, Jordan Times, 29 January 2001.
91 Thus, one must take into consideration the Court's ability to influence the way in which Government agencies implement the provisions of the data protection act, as well as the range of remedies given to the courts pursuant to the act.
92 See Annex.
93 For several reasons—the most important of which being the monopoly of political life by one party. The second reason is that certain laws concerning fundamental rights and freedoms are very narrow, such as the Press Code (28 April 1975, modified), the Public Assemblies Law (24 January 1969) and a right of association law (7 November 1959, modified 2 April 1992), which is obviously contrary to the Constitution and provoked the resignation of two members of the Constitutional Council in 1992. The third reason concerns abuses by the political regime, which have become increasingly important and been denounced both locally and internationally. See, generally, H. M. Krtizer (ed.) (2002) Legal Systems of the World: A Political, Social and Cultural Encyclopedia (Santa Barbara, ABC-CLIO Ltd.).
94 Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, Adopted by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data on 24 July 1998.
95 Means for ensuring effective application would include sanctions for non-compliance and the establishment of a supervisory authority.
96 Law for the Protection of Personal Data, promulgated on 28 July 2004, following its adoption by the Chamber of Deputies on 20 July 2004.
97 ‘[A] first for Arab and African countries and which has no equal except in some Western countries' (Adoption du projet de loi organique relative à la protection des données personnelles, Tunisia Online (Tunis), 22 July 2004. Available online at: http://www.reveiltunisien.org/breve.php3?id_breve=1313).
98 ‘[I]t reinforces the orientation towards democracy and bolsters the human rights system in Tunisia’ (Adoption du projet, Tunisia Online).
99 ‘[W]orks for the dignity of the human being and the development of his personality’ (Article 5 of the Tunisian Constitution).
100 ‘Tunisian domestic law has attributed a constitutional value to the respect of private life by means of its strong link to the principle of individual freedom, which is a constitutionally guaranteed freedom … personal data is a part of this right with respect of private life which encompasses everything that has to do with personal identity’ E. Mariem (2004) Réforme Constitutionnelle—Tribune—Le projet de référendum et la protection des données personnelles. Available online at: http://www.rcd.tn/infos/Reforme_150.htm
101 E.g., the purpose limitation principle finds expression in Articles 10 and 12; the data quality and proportionality principle finds expression in Article 11; Article 14 of the Tunisian Act defines the exact same categories of sensitive data defined in Directive 95/46.
102 No preparatory work or explanatory memorandum has been traced with regard to the Tunisian Data Protection Act.
103 ‘[O]f reuniting the necessary guarantees so that the handling of personal data occurs whilst still preserving the equilibrium between progress within modern means of communication and respect for private life’ (Mariem, Réforme Constitutionnelle).
104 Sihem Bensedrine is a Tunisian journalist and human rights activist, director of the online weekly Kalime (http://www.kalima.com), general secretary of the Observatory for the Defence of Press, Publishing and Creation Freedom (OLPEC, affiliated with the Reporters Sans Frontieres (RSF) network) and member and ex-spokesperson of the National Committee for Rights in Tunisia (Comité National pour les Libertés en Tunisie (CNLT)).
105 ‘[T]he Tunisian law is effectively a pale copy of the European Directive of 1995 … it borrows its headings but empties it of its protection of the private life of citizens, over which the administration retains absolute right, whilst removing from civil society every right over the public use of its data’ (S. Bensedrine (2004) La loi organique relative à la protection des données personnelles—Criminaliser la transparence et renforcer l'opacité. Available online at: http://kalimatunisie.com/num27/loi%20perso.htm
106 Bensedrine, La loi organique.
107 ‘[E]very person has the right to the protection of personal data relating to his private life, this being one of the fundamental rights guaranteed by the constitution.’
108 Bensedrine, La loi organique.
109 In terms of Article 6, Convention 108 and Article 8, EU 95/46.
110 See Explanatory Memorandum to Recommendation R(87)15.
111 Commission on Human Rights 54th session—Question of the Human Rights of all Persons subjected to any form of Detention of Imprisonment—Written statement submitted by the International Federation of Human Rights Leagues, a non-governmental organization in special consultative status, 20 March 1998.
112 Bensedrine, La loi organique.
113 Article 86 provides for a punishment of 2 – 5 years imprisonment and a fine of 5,000 – 50,000 Dinars.
114 ‘It is forbidden in all cases, to communicate or transfer personal data to a foreign country, if this can lead to an attempt on public security or to interests which are vital to Tunisia.’
115 ‘It is all about a law which protects those who are in power and who can be guilty of corruption or … under the scrutiny of the independent press and the independent ONG’ (Bensedrine, La loi organique).
116 ‘[T]his new law puts the citizen in jeopardy, reinforces lack of transparency and criminalizes transparency’ (Bensedrine, La loi organique).
117 Articles 86 – 103.
118 Articles 75 et seq.
119 Article 85.
120 See the criticisms levelled at the Maltese Act in: University unit critical of information practices White Paper, The Times, 1 July 2000.
121 Malta is now possibly compatible with EU 95/46, but not Convention 108, which requires specific safeguards for use of sensitive data and that Cap.440 Article14 talks about but does not provide.
122 See informal report received from European Commission Media and Data Protection Unit, 10 September 2004.
123 Cannataci, Privacy and Data Protection Law, at p. 91.
124 Lloyd, Information Technology Law, at p. 156.
125 Lloyd, Information Technology Law, p. 156.
126 Caruana M. M. (2004) European ICT Law Fundamentals in Transit. Unpublished Magister Juris dissertation, University of Malta.
127 Room, The European Data Protection Regime.
128 ‘Privacy, like an elephant, is perhaps more readily recognised than described’ (J. B. Young (1978) ‘A look at privacy’, Privacy (Chichester, John Wiley & Sons), p. 2).