European Directive On Data Protection
by Chris Brogan MA
International Commercial Agency Ltd., London
for The Society of Competitive Intelligence Professionals
Munich, 24-26 October 2001
In 1981 the Council of Europe introduced a convention on Data Protection. The objective was to:
(a) Protect an individual's privacy with regard to their personal data;
(b) Permit the free flow of personal data between those states in Europe who had ratified the convention on Data Protection.
By 1990 only a few member states had ratified the convention. The introduction of the single market was imminent, and the European Commission decided that a unified approach to Data Protection was necessary and introduced a draft Data Protection Directive. It was accepted on 25th October 1995 and all member states were given three years to enact it in their own national laws. Most European countries have now completed the enactment.
One of the conditions stipulated by this directive is that personal data shall not be transferred outside the European Economic Area to a country that does not have adequate Data Protection laws. Currently, only Czechoslovakia and Switzerland are deemed to have adequate Data Protection laws. In October last year the U.S.A. signed up to an agreement which is referred to as the 7 Safe Harbor Principles, but this agreement may be rebutted by President George Bush.
Companies are not just about assets, they include people. Any information about people is personal data. If your competitor changes half its board at one fell swoop, then you may want to know why. This would necessitate processing personal data about those individuals and I am suggesting you would have problems in justifying the processing of that personal data. You may want to transfer that personal data from your office here in Munich to your head office in Chicago. This requires certain conditions being fulfilled. Failure to fulfill them could mean that you are breaking the law in Europe and therefore would be in breach of SCIP's ethical code.
It is necessary to have a firm understanding of this law so that you can develop ways to cope with it. Transfer of data from Munich to Chicago could be by way of a contract. If all you are transferring is what is in the public sector, this could also be satisfying one of the conditions. The final objective of this presentation will be to show how this type of data can be collected and transferred outside Europe, thereby complying with European law and SCIP's ethical code.
Conditions for Transfer of Personal Data to Countries Outside the European Economic Area
- The Data Subject has given consent to the transfer
Consent within the Data Protection Directive allows almost everything, but it must be recognized that consent given can also be taken away. There is also an expectation on the Data Subject's part that the personal data will only be used for the purpose consent was given. An organization using it for another purpose would be in breach of the EC Directive. If this is adhered to, then consent allows that subject's personal data to be sent even to the most authoritarian regime in the world, wherever that may be.
- The data transferred forms part of the performance of a contract
It should be recognized that where possible (and it would be difficult to find an argument where it wasn't) the permission of the individual will be sought. Therefore, the contract should include notification to the Data Subject that their personal data would be passed to countries outside the European Economic Area, and the privacy of that data could not necessarily be guaranteed to fall in line with the European Directive. An example here would be where a Data Subject has applied for an insurance policy and those personal details are being passed on to other companies throughout the world as part of the reinsurance process. There is also the issue of someone living in Germany applying for a position in Singapore, which is not deemed as having an adequate Data Protection Act. There would need to be a transfer of personal data in order to complete that employment contract. One note of caution. If the personal data transferred is deemed necessary, then it follows that only the minimum amount of personal data to satisfy the contract should be transferred.
- The transfer is necessary for reasons of substantial public interest
If it is known that a Data Subject has just caught a plane from Heathrow Airport in London and is flying to Dubai and is a carrier of the bubonic plague, then that would clearly be of substantial public interest and no permission or satisfaction of any other conditions would be necessary for the transfer of that personal data.
- The transfer is necessary for the establishment, exercise, or defense of legal claims
In a multi-national environment it would be unreasonable that a Data Subject could hide behind the European data laws to avoid a legal responsibility he may have in Argentina. Therefore, a company based in Argentina would be able to obtain information on a Data Subject in Germany for the purpose of issuing litigation or seeking legal advice.
- The transfer is necessary in order to protect the vital interests of the Data Subject
The vital interests of the Data Subject are normally associated with something life threatening or other extreme critical circumstances. For the recipient of the personal data to use it just to send a selling letter to the Data Subject would not be considered in the vital interests of the Data Subject, no matter what importance the sender may attribute to the product he is trying to sell.
- The transfer has been authorized by or made on terms which are of the kind approved by the Data Protection Commissioner as ensuring adequate safeguards for the rights and freedoms of Data Subjects
This is a very broad condition and has to be used on a case-by-case basis. As one would expect, this has been the subject of immense debate here in Europe between the Data Protection Commissioners at their regular meetings. The European view is that a European citizen's personal data should not lose its protection just because he leaves the European borders.
- The transfer is part of the personal data on a public register
In the United Kingdom there is a list of all the directors of U.K. companies. The list is accessible on the Internet upon payment of a fee. It would be unreasonable to expect the Registrar of Companies in the U.K. to seek the permission of every single director (hundreds of thousands) before allowing their details to be transferred outside the European Economic Area. It is a requirement under the U.K. Companies Act that details of directors be accessible to the public so that they can see who they are doing business with. Also in the U.K. there is an electoral register which appears on several databases accessible by the public. You might like to know that our Commissioner for Data Protection (now known as the Information Commissioner) is developing arguments to have access to these public registries reduced. Her argument is that the personal data is being used for a purpose other than that for which it was originally given, and as such would be in breach of the 2nd Data Protection Principle of the U.K. Data Protection Act. I, as a director of International Commercial Agency Ltd., am required to provide that information to our Registrar of Companies so that people could check on who the directors of International Commercial Agency Ltd. are. That information was not given so that individuals could track me down, obtain details of the other companies of which I am a director, establish my nationality and date of birth. The argument that is being considered is that that is a breach of my privacy.
I think you can see that paragraph 7, "the transfer is part of the personal data on a public register", can deal with much of what is required for the purposes of Competitive Intelligence.
Unfortunately, however, not all the information we need is conveniently contained in a public register. We need to have access to other sources of information, e.g. press databases, commercial databases (Dun & Bradstreet), credit reference agencies, and many other sources that would differ in content and intensity from country to country.
These sources of information have to be thoroughly researched, and the data obtained must be analyzed, the subsequent information being obtained given value, and we end up with intelligence. This intelligence cycle may require an individual to process personal data. The European Directive lays down various conditions for processing personal data, the prime condition being that it must be processed fairly and lawfully.
Let me begin by discussing the lawful aspect of the processing. I think it is quite clear that your agent could not access someone's bank account. However, what may not be so clear is that your agent gathering that personal data is processing personal data, and as such may be required to notify the relevant Information Commissioner in the country of operation that he or she is processing personal data. If they haven't notified and are required to do so, then this is a strict liability offence and as such they are breaking the law. The argument is then developed that they are unlawfully processing personal data on your behalf. In European countries there are different regulations that apply to certain aspects of processing. In the U.K. we have a Consumer Credit Act similar to the Fair Credit Reporting Act in the U.S.A. If your agent is passing a financial opinion on an individual in the U.K. then they would be caught within the 1974 Consumer Credit Act. In order to pass such an opinion they should be registered under that Act. If they are not then they are breaking the law and as such would be breaching the 1st Principle of the European Data Protection Directive.
In Spain all investigators are required to be licensed. If your agent was gathering information in Spain on an individual, it could well be determined that they were acting as a private investigator. If they are not licensed as a private investigator then they would be breaking the law and subsequently be in breach of the European Directive.
Let me now deal with the "fairly" aspect of processing personal data. The Directive lays down conditions for the fair processing of personal data. Each country interprets it in accordance with its own national laws. Taking the U.K. as the example I know best, it is a breach of the 1st Principle of the Data Protection Act (fairly and lawfully processing personal data) to process any personal data without complying with one of the following six conditions (these conditions are précised):
- The Data Subject has given consent to the processing;
- The processing is necessary to fulfill a contract;
- The processing is necessary for compliance with a legal obligation by the Data Controller;
- The processing is necessary to protect the vital interests of the Data Subject;
- The processing is necessary for the administration of justice;
- The processing is necessary for the purposes of legitimate interests pursued by the Data Controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
Remember, only one of these conditions needs to be satisfied. I would suggest that you could easily develop an argument for the justification of this processing with regard to Competitive Intelligence needs basing it on paragraph 6. I don't think it would be difficult to argue that you have a legitimate interest in the activities of your competitor as long as these interests are limited to a Competitive Intelligence situation. I feel you would have difficulty justifying the obtaining of information relating to the Data Subject's family, or his family's business activities. I would therefore suggest a modicum of common sense be applied to the extent of the information that is gathered on the Data Subject.
This legislation is somewhat complex but not insurmountable. It requires a degree of knowledge on the part of your agent here in Europe with this European Directive. It requires a degree of understanding between those of you outside the European Economic Area and your agent here in Europe as to the type of information that you require and are legitimately entitled to. It is up to you also to establish that your agent in Europe has the required licensing in place to comply with this Directive.
Once the above has been established then the final compliance with the Directive could be achieved by way of a contractual agreement. You can find a draft copy of an existing agreement at www.securitvsi.com/contractualagreement.
I hope I have shown you that it is possible to cope with this European Directive. It does pose problems but they are not insuperable. However, I suspect that many of you at this stage will be asking the question: why bother complying if you are outside the European Economic Area? It would be remiss of me not to list some of the consequences of failing to comply. I recognize that some of these consequences would be difficult to apply to an organization on the other side of the world.
Consequences of failing to comply with the Directive
- Fine - in the U.K. a maximum of £5,000;
- A criminal record against the company, its directors and/or its senior management;
- A visit from the relevant European Commissioner's office;
- The cessation of processing until such time as the Directive is complied with;
- Litigation by the Data Subject, and the subsequent legal costs incurred.
All this before we begin to discuss corporate governance issues.
In my presentation I will quote you a few cases of companies that failed to give due respect to this legislation, and tell you what happened to them.
Let me conclude with a warning given to the European Commissioners by a pressure group called Privacy International.
In 1998 Privacy International met at the London School of Economics with government officials from the United States. The meeting was at the behest of the U.S. Government and they met all expenses. They were concerned at the views that had been previously expressed by Privacy International with regard to non-compliance of American companies with the European Directive. Privacy International warned the American Government and the European Commissioners that if they found any breaches of the European Directive taking place, and the European Commissioners did not prosecute, then Privacy International would take out their own private prosecutions. Privacy International is a well-funded, well-supported pressure group, respected throughout the world for its probity. It is not an organization that you would wish to cross.
Prepared by Chris Brogan MA
International Commercial Agency Ltd., London
Tel. 44 20 8347 2111
Fax. 44 20 8347 1852
www.securitvsi.com
for The Society of Competitive Intelligence Professionals
Munich, 24-26 October 2001