ICC contract rules
could help resolve data protection conflict
Paris, 30
July 1999 - The International
Chamber of Commerce is redoubling its efforts to bring about a breakthrough
in the long-standing transatlantic dispute over protection of personal data.
The dispute could seriously hamper the growth of electronic commerce if no solution
is found.
ICC, on behalf of world
business is urging the European Union to rule that a set of ICC model contract
clauses offers satisfactory protection for personal data originating in the
EU and transmitted to countries whose data protection regime is considered to
be inadequate.
As electronic commerce spreads,
one of the greatest challenges for business is to protect customer and personnel
data from uses that infringe the individual's right to privacy. ICC instruments
enabling business to do so predate most data protection laws. Protection of
personal data has been a serious concern to ICC's global membership since the1970s.
One of ICC's greatest achievements
in this field was the 1993 publication together with the OECD, the European
Commission and the Council of Europe of a model contract for the protection
of personal data . This contract has been the basis for countless business transactions,
permitting business to be continue as usual while
guaranteeing a level of privacy
protection in line with the standard set by the 1980 OECD privacy guidelines.
In September 1998, the ICC
World Council approved a revision of the 1993 model contract. The revision took
place in light of changes in business practice and new legal requirements in
some jurisdictions - most notably the European Union's data protection directive
of 1995.
These 1998 Model
Clauses for use in contracts involving transborder data flows were written
to assist parties wishing to transfer personal data from a country that regulates
export of personal data to one whose protection of personal data is deemed unacceptable
by the source country. For instance, the legal regime in Europe created by the
Directive specifically requires the country of import to provide "adequate"
protection - much to the dismay of business and countries (such as the US) whose
approach to the protection of personal data differs substantially from the EU's.
Contrary to popular belief,
this problem is not a matter to be resolved only between the EU and the US.
Other countries are affected - but they don't always realize it. Relatively
few countries have a comprehensive data protection regime, although the European
Commission may well make this a condition for being considered adequate.
With the growth of e-commerce,
these countries will be increasingly hindered in their expansion of cross-border
trade in services with the EU (and other countries following the EU approach)
due to data protection problems. Countries with tough data protection laws may
well go so far as to advise their citizens not to engage in Internet transactions
with companies based in "inadequate" countries. Conclusion: this problem affects
all business.
The EU Directive - no doubt
drawn up with the 1993 tripartite model contract in mind - says that business
can overcome the very significant barrier thrown up by the adequacy requirement
if it uses model contracts approved by the European Commission.
ICC therefore submitted
its revised model contract clauses to the European Commission in September 1998
with a strong request that they be approved as soon as possible. Since then,
ICC has been in informal discussions with a group representing of data protection
authorities from EU member states. Under the Directive, this group can advise
EU member states whether model clauses submitted to it are considered appropriate.
ICC is convinced that the
clauses provide adequate protection of personal information, and hopes that
EU governments will recognize this as soon as possible. ICC has recently formally
requested that EU member state officials empowered to approve clauses under
the Directive should consider the ICC model contract clauses as soon as possible.
Without quick approval,
and in the absence of other solutions (such as an agreed set of "safe harbour"
principles, currently being negotiated between the EU and the US), business
will encounter tremendous problems at the ultimate expense of consumers in the
EU and around the world.