![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Notes
1. and References The author, an official of the European Commission and a lawyer, has in the past held responsibilities in the data protection field. He is currently attached to the copyright unit of the Internal Market and Services Directorate General of the European Commission. All opinions expressed in this article are strictly personal and do not represent the views of the European Commission on this matter.
2. The complete official title of the Unfair Commercial Practices Directive continues as follows ‘and amending Council Directive 84/450/EC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006&2004 of the European Parliament and of the Council’. This directive has been published in the EU Official Journal on 11 June 2005, L 149, pp 22–39.
3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJEU, 23 November 1995, L281/31.
4. All references to the EU in the current document should be understood as comprising the EU and the EEA (European Economic Area). The Data Protection Directive was incorporated to the EEA Agreement by Joint Decision 83/99, which means, in practice, that EEA States have also implemented the provisions of the Data Protection Directive in their national legislation. EEA countries are regularly informed of the agendas of the Article 31 Committee and any comitology decisions taken by the Commission. They also send representatives to the meetings of the Article 29 Working Party where they enjoy full membership status without the right to vote.
5. This also includes nationals of third countries resident in EU soil who benefit from the same rights provided by the Data Protection Directive and the national laws implementing it.
6. The Treaty establishing the European Community created (as from 1992) an internal market characterized by the abolition between Member States of obstacles to the free movement of goods, persons, services and capitals (see Articles 2 and 3.c of the Treaty)—numbers in accordance with the consolidated version.
7. See list of exceptions in the first paragraph of Article 26.
8. See the reference to standard contractual clauses in Article 26.4 and Commission decisions 2001/49/EC and 2002/16/EC adopted further to this provision.
9. The list of ‘adequate countries’ is available on the data protection website of the European Commission. Countries found adequate by the Commission to be providing adequate protection are so far: Argentina, Canada (for general purposes and for the purpose of the transfer of PNR data), Switzerland, the United States of America (for the purposes of the Safe Harbor agreement and the transfer of PNR data), Guernsey and the Isle of Man—UK territories with the consideration of third countries from the perspective of the application of Community Law.
10. The Data Protection Directive in its Article 2, paragraph (a), defines personal data as any information relating to an identified or identifiable natural person (data subject). E-mail addresses are therefore personal data within the meaning of the directive.
11. For some EU countries, these trivial processing operations involving transfers to third countries might not be that problematic. The second paragraph of Article 25 says that the adequacy of the destination is to be found in the light of all the circumstances surrounding the transfer. A flexible interpretation of this provision would allow some data protection authorities to conclude that, in view of the circumstances surrounded the sending of these e-mails, the nature of the data, duration, purposes, etc., the data controller could normally assume that the recipients of these e-mails provide ‘adequate protection’.
12. SEC 2004 (1323) of 20 October 2004.
13. It is of considerable political significance that the former US Vice-President Al Gore addressed the data protection authorities participating at the International Data Protection Conference in Venice in writing in September 2000.
14. See above note 8.
15. The adoption of this third model took place as an amendment to decision 2001/497/EC. This amending decision has number 2004/915/EC and was published in the OJEU on 29 December 2004.
16. The wording of Article 26.2 of the directive makes it very clear that contractual means are only one of the possible means to adduce adequate safeguards.
17. Working Document: ‘Transfers of personal data to third countries: applying Articles 25 and 26 of the EU Data Protection Directive’. All Article 29 Working Party documents can be consulted at the Article 29 Working Party website: http://europa.eu.int/comm/justice_home/fsj/privacy/workinggroup/index_en.htm
18. Although most of the orientations contained in this document are also relevant for the issue of binding corporate rules, the original idea reflected in WP 12 was a set of data protection rules applying to a plurality of data controllers from the same profession or industry sector.
19. The first of these documents, WP 74, was adopted in 2003 and it has been later completed with two operational documents, WP 107 and WP 108.
20. There is already some doctrine on the issue of binding corporate rules that can be consulted for further reference. An interesting example is the Special Report on International Data Transfers published by BNA International recently.
21. The company must undertake to apply these standards of protection at least to those personal data that once (before their transfer to a third country) were subject to the data protection legislation of any of the EU Member States.
22. For some multinational companies, the right approach might be to take privacy as another layer of internal quality which should be regularly audited; for others, the right approach is perhaps a code of good practice to be implemented by a team of data protection officers.
23. As far as standard contractual clauses are concerned, the traditional privity of contract is overcome by means of the allocation of third party beneficiary rights to data subjects. See for example, recital 16 of Commission Decision 2001/497/EC or clause number 3: ‘Third party beneficiary clause’.
24. See notes 17 and 19 above.
25. The high degree of flexibility shown by the Article 29 Working Party in document WP 74 is sometimes remarkable. The heavy criticism expressed by some business circles against the work of this group is unfounded, at least, as far as this document is concerned. See, for example, the way in which the group dealt with the difficult issue of mandatory requirements of national legislation in open contradiction with binding corporate rules (p 14):
-
‘Mandatory requirements of national legislation applicable to the members of the corporate group which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13 (1) of Directive 95/46/EC, are in principle not in contradiction with the binding corporate rules. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax reporting requirements or anti money-laundering reporting requirements’.
26. This seems to be clearly the situation, inter alia, in Germany or Austria
27. This seems to be the situation in countries such as, inter alia, Italy, Spain or the UK.
28. This is acknowledged by the Article 29 Working Party itself. See for example p 12 of WP 74: ‘Where in some cases the legal enforceability of such unilateral declarations do not raise any doubts, in other Member States the situation is not that clear and unilateral declarations might not be sufficient as such’.
29. The official summary of the hearing, drafted by the Dutch Data Protection Authority, one of the most active authorities in this field, is available on the website of the Article 29 Working Party:
-
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/binding-rules/hearing_bcr_en.pdf
-
See in particular the reservations expressed by business circles on this particular issue:
-
‘(…) businesses noted that the specific legal systems in the various EU countries made it difficult to give Binding Corporate Rules a legally binding status’.
30. Three proposals for binding corporate rules were discussed at the public hearing on binding corporate rules of the Article 29 Working Party in the Hague: the proposals from Daimler Chrysler, Philips and General Electric. Other companies and business associations such as Hewlett Packard, the International Chamber of Commerce, the European Privacy Officers Forum or the Japanese Business Council in Europe, present at the hearing, also expressed a great deal of interest in these new developments.
31. See recital 6 of the Unfair Commercial Practices Directive.
32. See recital 8 of the Unfair Commercial Practices Directive.
33. See recital 13 of the Unfair Commercial Practices Directive.
34. See recitals 21 and 22 of the Unfair Commercial Practices Directive.
35. See Article 3, paragraph 1.
36. See definition in Article 2 (c).
37. See for example, ‘without prejudice’ to rules on health and safety aspects of products, rules on jurisdiction of courts, rules on regulated professions or some financial services.
38. Article 13 (3) on unsolicited communications read as follows:
-
‘Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2 (consent and the existence of a previous relationship), are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation’.
39. See Article 5, paragraph 1.
40. See Article 5, paragraph 2.
41. See Article 2, paragraph (e).
42. See Article 2, paragraph (h).
43. See Article 5, paragraph 4.
44. Important elements are: the existence or nature of the product, Article 6.1.a; the main characteristics of the product (inter alia, risks, after-sale customer assistance and complaint handling), Article 6.1.b; the extent of the trader's commitments, Article 6.1.c; the price, Article 6.1.d; the need for a service, part, replacement or repair, Article 6.1.e; the nature, attributes and rights of the trader or his agent, Article 6.1.f.
45. See definition of misleading actions in the first paragraph of Article 6.
46. See definition of misleading omissions in the first paragraph of Article 7.
47. See Articles 6 (b) and (g) at this regard.
48. It is worth nothing that a misleading practice can happen by declaring something that does not correspond to the reality (for example, by stating that given standards of protection are in place when they are not) or by not declaring something which would make the consumer take a transaction decision that he would not have taken otherwise (for example, by not stating that certain risks exist or that the data are being exchanged for purposes unknown to the data subjects).
49. See first paragraph of Article 11.
50. See for example the Misleading and Deceptive Conduct and the Trade Practices Act.
51. See for example the Federal Competition Act or Provincial Legislation on Unfair Business Practices.
52. See for example the Fair Trading Act and the Commerce Act.
53. See for example the Consumer Protection Fundamental Law and other Acts related to Competition Law and the protection of Consumers' interests.
54. See first line after the heading ‘FTC Authority and Privacy’, Safe Harbor Enforcement Overview, Annex 3 of Commission Decision 2000/520/EC.
55. Declaration adopted at the 27th International Conference of Data Protection and Privacy Commissioners (14–16 September 2005): ‘The protection of personal data and privacy in a globalised world: a universal right respecting diversities’.
56. See p 2 of the Montreux Declaration.
57. Idem.