EU Challenge for ACTA: Transferring Personal Data to Unsafe Countries

The European Union has a long tradition of protecting personal information. Since the 70’s, some European countries have adopted domestic law that regulates the processing of personal data. Starting in the 90’s, the European Union has approved several directives that provide a communitarian legal framework for processing personal data. Simultaneously, several countries in Europe have modified their constitutions in order to include provisions that guarantee the right to privacy and the right to protection of personal data. In addition, through the Charter of Human Rights, the European Union has raised the commitment with the protection of the right to control information about oneself to a human rights level. In sum, the European Union has built a whole legal regime that provides a comprehensive protection for the right to protection of personal information.

Adequate and effective protection for personal data requires adopting restrictions of international transferences. In fact, the European Union realized early on that protecting personal data within the Union was not enough, and that the very purpose of adopting regulation may be undermined if personal data is transferred overseas to countries that provide lower or no protection. It is to address this concern that the Directive on Data Protection forbid international transferences of personal data to third countries that do not provide an adequate level of protection for that data.

In addition to a comprehensive legal framework, European Union authorities have shown a strong commitment to protecting privacy. Only after long negotiations, some transfers of data were allowed to the United States, under the so-called Safe Harbor Agreement. The European Parliament initially rejected another agreement that would allow international transferences of personal data of flight passengers for purposes of fighting terrorism. This commitment of European Union authorities, particularly the EU Parliament, raises questions about how it will handle ACTA, since the agreement requires international transferences of personal data for purpose of intellectual property enforcement. It should be said that, currently, none of the countries involved in ACTA negotiations provides an adequate level of protection according to the high standards of the European Union.

Several provisions of ACTA endanger the right to protection of personal data. In fact, during the negotiation of the agreement, the European Union authorities on data protection, both the European Supervisor and the Working Group, raised their concern on the compliance of ACTA provisions with the communitarian law. Presumably because of that concern, negotiators introduced privacy considerations later in the text, by eliminating some controversial provisions (e.g. the one requiring the implementation of the “three strikes” policy, that is, the disconnection of users supposedly infringing on intellectual property), by improving commitments through the adoption of an optional rather than a compulsory language (“may” wording replaced “shall” wording), and by including some limited safeguards. The latter is the case of the provisions on international transferences of personal data among ACTA-members.

ACTA requires not only domestic processing of personal data but also international transference of that data for purpose of enforcing intellectual property. For example, article 34 sets forth obligations on sharing information, according to which, parties shall endeavor to exchange with other parties, without restrictions based on privacy considerations. Similarly, article 29 encourages sharing information between competent authorities in order to enhance the effectiveness of border enforcement of intellectual property. Because of that international transference of personal data, ACTA negotiators have been forced to adopt some safeguards, which are, unfortunately, insufficient.

During the last rounds of negotiations, ACTA included some provisions dealing with the disclosure of information from one party to another. According to article 9, nothing in ACTA “shall require any Party to disclose: (a) information the disclosure of which would be contrary to its law or its international agreements, including laws protecting right of privacy, [or] (b) confidential information, the disclosure of which would impede law enforcement or otherwise be contrary to the public interest.” In other words, ACTA allows parties to preserve limitations on the disclosure of information to other countries that are already available in their domestic laws or international agreements. Additionally, article 4.2 of ACTA sets forth a limitation of the use of transferred data by a receiving party, which “shall . . . refrain from disclosing or using the information for a purpose other than that for which the information was provided, except with the prior consent of the Party providing the information.” This provision intends to neutralize any risk of misuse of personal data by any party.

However, ACTA safeguards on privacy are insufficient to guarantee an adequate level of protection for personal data. First, they only refer to disclosing information (i.e., making information known), but do not apply to transfers and, more broadly, to any other processing of personal data. Thus, for example, personal data provided for intellectual property enforcement among authorities of ACTA countries can be transfered to facilities in third countries, as long as it is not disclosed, even if those third countries do not provide any protection. Data may not be disclosed, but may be “processed” and this presents a clear risk to people’s right to privacy. Second, the safeguard on refraining from using data for other purposes has additional limitations: it applies only when a party has provided “written” information that the receiving party shall refrain from disclosing or using the data, and it is “subject to its domestic law and practice.” Then, for example, if the domestic law of the country that receives personal data allows it, the purpose may be changed; let’s say using the data obtained for intellectual property enforcement for political or religious persecution. As a result, these limited safeguards become useless or, at the very least, insufficient. Moreover ACTA requires enforcement measures beyond those available in EU law in force, which increases the possibility of diminishing the right to protection of personal data.

In spite of the alerts raised by EU authorities, ACTA runs short in guaranteeing an adequate protection for personal information. As a result, the EU Parliament will face the dilemma of choosing between protecting the right to protection of personal data or enforcing intellectual property. If privacy considerations prevail, the EU Parliament will reject ACTA; if intellectual property enforcement prevails, the European Union will have damaged the level of protection of its citizens. Before making that decision, the EU Parliament should consult the EU data protection authorities about the consistency, or lack thereof, of ACTA provisions with the EU data privacy law.

Uncategorized