EU Challenge for ACTA: Transferring Personal Data to Unsafe Countries

Submitted by alberto.cerda on 29. June 2011

* EU Commission
* Privacy

The European Union has a long tradition of protecting personal
information. Since the 70’s, some European countries have adopted
domestic law that regulates the processing of personal data. Starting
in the 90’s, the European Union has approved several directives that
provide a communitarian legal framework for processing personal data.
Simultaneously, several countries in Europe have modified their
constitutions in order to include provisions that guarantee the right
to privacy and the right to protection of personal data. In addition,
through the Charter of Human Rights, the European Union has raised the
commitment with the protection of the right to control information
about oneself to a human rights level. In sum, the European Union has
built a whole legal regime that provides a comprehensive protection
for the right to protection of personal information.

Adequate and effective protection for personal data requires adopting
restrictions of international transferences. In fact, the European
Union realized early on that protecting personal data within the Union
was not enough, and that the very purpose of adopting regulation may
be undermined if personal data is transferred overseas to countries
that provide lower or no protection. It is to address this concern
that the Directive on Data Protection forbid international
transferences of personal data to third countries that do not provide
an adequate level of protection for that data.

In addition to a comprehensive legal framework, European Union
authorities have shown a strong commitment to protecting privacy. Only
after long negotiations, some transfers of data were allowed to the
United States, under the so-called Safe Harbor Agreement. The European
Parliament initially rejected another agreement that would allow
international transferences of personal data of flight passengers for
purposes of fighting terrorism. This commitment of European Union
authorities, particularly the EU Parliament, raises questions about
how it will handle ACTA, since the agreement requires international
transferences of personal data for purpose of intellectual property
enforcement. It should be said that, currently, none of the countries
involved in ACTA negotiations provides an adequate level of protection
according to the high standards of the European Union.

Several provisions of ACTA endanger the right to protection of
personal data. In fact, during the negotiation of the agreement, the
European Union authorities on data protection, both the European
Supervisor and the Working Group, raised their concern on the
compliance of ACTA provisions with the communitarian law. Presumably
because of that concern, negotiators introduced privacy considerations
later in the text, by eliminating some controversial provisions (e.g.
the one requiring the implementation of the “three strikes” policy,
that is, the disconnection of users supposedly infringing on
intellectual property), by improving commitments through the adoption
of an optional rather than a compulsory language (“may” wording
replaced “shall” wording), and by including some limited safeguards.
The latter is the case of the provisions on international
transferences of personal data among ACTA-members.

ACTA requires not only domestic processing of personal data but also
international transference of that data for purpose of enforcing
intellectual property. For example, article 34 sets forth obligations
on sharing information, according to which, parties shall endeavor to
exchange with other parties, without restrictions based on privacy
considerations. Similarly, article 29 encourages sharing information
between competent authorities in order to enhance the effectiveness of
border enforcement of intellectual property. Because of that
international transference of personal data, ACTA negotiators have
been forced to adopt some safeguards, which are, unfortunately,

During the last rounds of negotiations, ACTA included some provisions
dealing with the disclosure of information from one party to another.
According to article 9, nothing in ACTA “shall require any Party to
disclose: (a) information the disclosure of which would be contrary to
its law or its international agreements, including laws protecting
right of privacy, [or] (b) confidential information, the disclosure of
which would impede law enforcement or otherwise be contrary to the
public interest.” In other words, ACTA allows parties to preserve
limitations on the disclosure of information to other countries that
are already available in their domestic laws or international
agreements. Additionally, article 4.2 of ACTA sets forth a limitation
of the use of transferred data by a receiving party, which “shall . .
. refrain from disclosing or using the information for a purpose other
than that for which the information was provided, except with the
prior consent of the Party providing the information.” This provision
intends to neutralize any risk of misuse of personal data by any

However, ACTA safeguards on privacy are insufficient to guarantee an
adequate level of protection for personal data. First, they only refer
to disclosing information (i.e., making information known), but do not
apply to transfers and, more broadly, to any other processing of
personal data. Thus, for example, personal data provided for
intellectual property enforcement among authorities of ACTA countries
can be transfered to facilities in third countries, as long as it is
not disclosed, even if those third countries do not provide any
protection. Data may not be disclosed, but may be “processed” and this
presents a clear risk to people’s right to privacy. Second, the
safeguard on refraining from using data for other purposes has
additional limitations: it applies only when a party has provided
“written” information that the receiving party shall refrain from
disclosing or using the data, and it is “subject to its domestic law
and practice.” Then, for example, if the domestic law of the country
that receives personal data allows it, the purpose may be changed;
let’s say using the data obtained for intellectual property
enforcement for political or religious persecution. As a result, these
limited safeguards become useless or, at the very least, insufficient.
Moreover ACTA requires enforcement measures beyond those available in
EU law in force, which increases the possibility of diminishing the
right to protection of personal data.

In spite of the alerts raised by EU authorities, ACTA runs short in
guaranteeing an adequate protection for personal information. As a
result, the EU Parliament will face the dilemma of choosing between
protecting the right to protection of personal data or enforcing
intellectual property. If privacy considerations prevail, the EU
Parliament will reject ACTA; if intellectual property enforcement
prevails, the European Union will have damaged the level of protection
of its citizens. Before making that decision, the EU Parliament should
consult the EU data protection authorities about the consistency, or
lack thereof, of ACTA provisions with the EU data privacy law.

1 comment for “EU Challenge for ACTA: Transferring Personal Data to Unsafe Countries

Comments are closed.