Transborder Data Flows and Extraterritoriality: The European Position

• Author: Yves POULLET
• Position: Prof. at the Faculties of Law of Namur and Liège Director of the CRID Yves.poullet@fundp.ac.be
• Pages: 141-153

Transborder Data Flows and Extraterritoriality: The European Position¹

Page 141

Introduction

The questions I have to deal with might be summarized as follows. Does the EU Privacy regulatory framework in respect of the first pillar ² have an impact beyond the EU frontiers? If so, what are the fundamental principles regarding extraterritoriality of EU laws?

In order to answer these questions, I will start with a brief reminder of the historical background of the present EU Privacy regulation on transborder data flows (TBDF): From article 8 of the European Convention (ECHR) to the TBDF issues. Thereafter, we will analyse more deeply the extraterritorial impacts of the two main EU Directives: the first one, dated from 1995³ , and called the General Directive and the second one, dated from 2002⁴, which is a more specific directive on "Electronic Communications and Privacy".

Page 142

I From European Convention on Human Rights (ECHR) to the TBDF issues

It is helpful to begin with a few considerations about the Council of Europe and the EU approaches to privacy protections.⁵

Council of Europe Approach

For the Council of Europe, article 8 ECHR⁶ explicitly enumerates privacy as a fundamental human right. This right was conceived in 1950 mainly as the protection of intimacy, in other words, a "right to opacity"⁷ intended to ensure the protection of sensitive data. Progressively, the right to privacy has become the right to self- determination. It means the possibility for everyone to determine for him/herself the way to find his or her way in the society. This extension has been made possible because the Convention is deemed a "living instrument", which ought to be interpreted only in an extensive way (see on these points, notably Tyrer⁸ and Selmouni⁹cases).

Further progressive development here leads one to consider that the protection of all data, what might be viewed as "the informational image of the individuals", has to be ensured, and not only the sensitive data. On that point, the Rotaru Case ¹⁰decided on May 4, 2000 by the European Court of Human Rights might be referred. According this decision, article 8 ECHR might cover all personal data including those of public nature when these data are processed systematically and automatically.

Having defined very broadly the scope of the "privacy" right, the Court adds that its protection must be "practical and effective" and must not be kept as "theoretical and illusory" (Airey, 1979) .¹¹ As discussed in the following sections, this assertion is very important in the context of the TBDF regulation.

Finally, the Council of Europe does consider that the State is the first guarantor of its citizens' data protection. The State is the ultimate guarantor of human rights and freedoms: « the State has a positive obligation to ensure that everyone within its jurisdiction enjoys in full, and without being able to waive them, the rights and freedom guaranteed by the Convention. » (Refah, 2003 ) ¹²

This role envisioned for the State means that the States do not only have a negative obligation not to interfere with Privacy (except definitively in the strict conditions of article 8.2.), but also have an an overall positive obligation to ensure that their citizens' privacy will be protected vis-à-vis third parties - this protection is thus available against private bodies (companies or associations) or persons located in third countries insofar our Privacy might be put at risk by the processing operated by these data controllers¹³. This is the main reason why

Page 143

Convention n° 108 and all European Legislation have been adopted creating a public regulatory framework enforceable not only in the public sector, but also in the private sector, including regulating explicitly the TBDF¹⁴.

European Union Approach

As regards the EU approach, it is important to note that the European Union has only been declared competent as regards human rights protection and regulation since the Treaty of Amsterdam in 1997. This Treaty refers extensively to the European Convention of Human Rights by asserting ¹⁵ that the EU has to guarantee the respect of the human rights enumerated by the ECHR.

The European Court of Justice in the Loizidou case¹⁶ has explicitly recognized the European Convention as a "constitutional instrument of the EU public order", having the priority on all other international (e.g. the WTO Agreements) and national legislation of European or other foreign countries according to ECJ decision in the Matthews case¹⁷

To take fully in consideration the extension of the scope of Article 8 ECHR with regards to privacy, the EU Charter on Human Rights adopted in 2000 by the Treaty of Nice¹⁸ has distinguished the Data Protection from the Privacy Right in order to consecrate the right of each EU citizen to have all his or her personal data protected: firstly, by limiting the processing of these data only to legitimate purpose, including their consent; secondly, by granting to the data subject a right to access; and thirdly, by recognizing to the Data Protection Authorities a prominent role for ensuring the respect of the different data protection (DP) principles¹⁹.

Having recalled the development of privacy and data protection rights, we might now envisage the specific attitude of our EU authorities vis-à-vis the TBDF. However, before further analysis on that topic, it is important to identify and distinguish two situations where European personal data are at risk due to the TBDF, which are discussed in the next section.

Page 144

II A fundamental distinction between two kinds of TBDF: Is the Directive 95/46 regime insufficient?

The first TBDF situation is traditional and obvious. A person, company, or administration located in Europe is exporting data for various reasons, e.g. to perform a contract on behalf of his/her customer, to ensure in a third country the processing of certain technical applications (back up or storage of data), or to build up a common data base concerning employees located in different countries.

The second situation is less obvious: due to the global nature of the modern networks and the absence of infrastructure frontiers, the processing operated by persons located outside of the EU might directly affect our privacy by sending spyware, transmitting data to third parties through invisible hyperlinks or addressing unsolicited mails through the web.

These last examples are quite different from the first ones, as the privacy risks are caused by parties located in third countries without the data necessarily having been transferred consciously by data controller located within Europe.

The distinction between the two TBDF hypotheses will lead to different provisions. The first situation is regulated by the General Directive and its two main principles asserted by the Recital, n° 56 and 57: " Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations; Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited. " »

In other words, the Directive recognizes the importance of positive TBDF input in the development of the commerce. At the same time, it underlines the EU commitment to ensure the protection of the Privacy considered as a Human Right and thus justifies the legitimate restrictions and conditions embodied in Articles 25 and 26, as quoted above.

A related question has recently been raised before the European Court of Justice, the famous Linqvist case ²⁰, in the context of a web site created by a European citizen and revealing and containing data about third parties. Insofar as the web site might be consulted from terminals located outside of Europe, can we consider that the EU Data Directive provision on TBDF are applicable? The European judges answer by the negative, but this negative answer is founded on weak arguments. Even if the website is not as such exporting data by his/her conscious operation and although he/she has deliberately created the risk of exportations by placing personal data on his/her website. articles 25 and 26 are arguably applicable.

Alternatively, certain other situations might not very easily fall under the application of the articles 25 and 26 of the so-called General Directive insofar they are not the consequences of a directly or indirectly voluntary data transmission by a person located in Europe. In this respect, I just will quote the "Echelon case" ²¹, insofar it is a question of the third pillar. In this case, due to the characteristics of the communications by satellite, both the US and the UK governments have developed a system of electronic surveillance which are able to read satellite communications including those sent by a person located within Europe to another European citizen. It was thus possible for the UK and US Intelligence Services to spy on European citizens, companies or administrations, whose communications were...