Article 25 deals with the movement of data, by whatever means, from E.U. Member States to other countries.
¶ 1. The Member States shall provide that the transfer to a [non E.U.] country of personal data which are undergoing processing or are intended for processing after transfer may take place only if ... the [recipient] country in question ensures an adequate level of protection.
How, in practice, will "adequate level of protection" be determined? What criteria will be applied? Article 25 continues:
¶ 2. The adequacy of the level of protection afforded by a [non E.U.] country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the [non E.U.] country in question and the professional rules and security measures which are complied with in that country.
By whom and by what process will the determination be made? Article 29 establishes an independent Working Party on the Protection of Individuals with regard to the Processing of Personal Data, comprising representatives from all of the Member States (usually, in practice, their privacy commissioners) and representatives from the Commission structure itself. The Working Party has elected as its first chair Peter J. Hustinx, the President of the Registratiekamer of The Netherlands. The "adequacy" question is among the first topics the Working Party is addressing (83, 84).
Will the transferability determination be made institution-by-institution (medical clinic, pharmaceutical company, university, contract research firm, government agency)? More likely, E.U. officials suggest, the determination will be made on a country-by-country basis, probably sector-by-sector.
Such assessments surely will be more straightforward for non-E.U. recipient countries having strong national or provincial data-protection laws and authority to enforce them. For this reason, E.U. officials strongly encourage the U.S. to pass such a law. Although no overall data-protection law is under contemplation in the U.S., no doubt a sound Federal medical-records confidentiality law would go a long way toward meeting the E.U.'s concerns and keeping health-research data flowing.
The Directive leaves doors open for Member States to allow data-transfers to recipients in countries not certified as having adequate protection. Article 26(1)(d) mentions "important public interest grounds," for example, and Article 26(2) holds that a Member State may authorize data transfers "where the controller adduces adequate safeguards" in the recipient country, suggesting that "such safeguards may in particular result from appropriate contractual clauses." This seems to encourage parties wishing to transfer data to establish contractual undertakings regarding data protections.
(83) A background review of U.S. law was prepared for the E.U. Commission: Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection (Michie Law Publishers, Charlottesville, Virginia, 1996).
(84) The Commission has requested a study of the "adequacy" issues from Prof. Yves Poullet of the University of Namur; his report is expected to be delivered soon.