Development of Electronic Data Flows
The flow of electronic data, especially personal data, across national borders is increasing daily. Most of these flows relate to business activities in which services are provided to fulfill the needs of people. They have also transformed commerce, which has become worldwide and increasingly international. The transfer of huge quantities of data relating to customers and employees is required, and often occurs, among entities located in different countries. An example is outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing a database of human resources or customers. This can often result in improved efficiencies and levels of service. Further, the advancement of global networks, such as the internet, makes it possible to collect, process, and distribute personal data on an unprecedented scale.
However, the trans-border flow of personal data is not only performed by companies or governments but is also conducted by individuals in everyday life. When the data is used by companies or governments, this can represent a high volume of data, for instance in the form of the transfer of databases. The volume is quite different when the data is provided by individuals who disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services.
Additionally, there is a strong possibility that individuals engaging in data transfer activities lack full awareness of what could be done with their personal data. In some instances, they do not realize that they have disclosed their personal data and that it is subject to transmission and processing in countries not offering the same level of protection as their own. For example, a student physically located in the Netherlands may complete an online game registration form containing several fields soliciting his/her identity details, not knowing that the actual service provider is registered in India. As another example, a social worker residing in the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States.
From the short description above, the trans-border flow of personal data exists in everyday life and has become a vital need of every stakeholder, whether governments or the private sector, including individuals. Nevertheless, while the flow has led to greater efficiencies and economic benefits, it has also raised concerns that some information could end up in the hands of people for whom it was not intended. Even worse is the situation in which no one has realized that the flow has taken place, which creates a great opportunity for infringement of one's privacy rights.
Rules concerning privacy and data protection have been set up at national, regional, and international levels to guarantee that privacy, as one of the human rights, is not harmed by any activity, including data processing as the final purpose of a trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner.
In this respect, a legal framework on the trans-border flow of personal data has been enacted in Europe by the European Commission (EC) under two directives. The first is Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been supplemented by a second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant; Directive 2002/58/EC will be referred to only when necessary. It should be noted that whenever the term "the Directive" is used in this thesis, it refers to Directive 95/46/EC.
Under the Directive, the main rules concerning the trans-border flow of personal data have been set up. These include the obligations of the data controller to use personal data for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and in specific cases to notify the competent independent supervisory body before carrying out all or certain types of data processing operations. On the other hand, there is a series of rights for individuals as data subjects, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing.
Nevertheless, the exercise of these rights and obligations presents a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (the EU/EEA) Member States to countries outside the EU/EEA, because the Directive requires an adequate level of protection in the destination countries. The transfer of personal data to a third country is prohibited when the third country does not have an adequate level of protection to ensure that the processing of personal data will not violate the rights of data subjects.
The binding power of the Directive on the EU/EEA Member States requires each Member State to embed the provisions of the Directive in its national legal system. Thus, there is a "free zone" in which the trans-border flow of personal data can take place freely among the Member States, because they all provide an adequate level of protection. No further approval, adequate safeguard, or additional requirement is necessary.
As far as public international law is concerned, by applying the extra-territoriality principle, the adequacy requirement is automatically fulfilled at the official representations of the EU/EEA Member States in the third country, such as an Embassy or Consulate General, because of the extended jurisdiction of the Member States. However, this principle does not extend to the private sector: subsidiary offices of multinational companies still have to abide by the national law of the third country, even though the company's base of operations is located in an EU/EEA Member State. In this case, the adequate level of protection is still required even when the transfer is conducted internally among the subsidiaries of the company located in third countries.
Currently, the EC has conducted some adequacy findings and has compiled a "white list" of countries providing an adequate level of protection. This approval means the trans-border flow of personal data can take place as in the "free zone" between the EU/EEA Member States. However, to date, the "white list" covers a limited number of countries, seven to be exact. This list may not be sufficient from the point of view of multinational companies in accommodating their interests, as it does not include many countries of growing commercial interest.
From this point of view, there is a need to harmonize the various privacy and data protection regulations of many countries through the establishment of an internationally congruent legal framework for privacy and data protection. Unfortunately, such an establishment will take effort and time, while a fast solution is needed. Considering that the Directive is thus far the strictest legal framework compared with other existing legal frameworks on privacy and data protection, there is obviously a need for countries outside the EU/EEA Member States to improve their legal frameworks in order to comply with the adequate level of protection requirement under the Directive.
Since Indonesia is neither a Member State of the EU/EEA nor included in the "white list" of adequacy findings, the requirement of an adequate level of protection applies to Indonesia as a third country. The trans-border flow of personal data can only take place after the data controller is certain that the level of protection of personal data in Indonesia is adequate under the Directive. It is therefore necessary to examine critically whether or not Indonesia's legal framework provides an adequate level of protection.
Moreover, Indonesia, as a Member State of the Asia-Pacific Economic Cooperation (APEC), has come under "pressure" to provide a sufficient level of protection for the trans-border flow of personal data, in relation to the existence of the APEC Privacy Framework. This "pressure" has become heavier because of Indonesia's position as a Member State of the Association of South East Asian Nations (ASEAN). Therefore, the main objective of this thesis is to examine how Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC.
Conducting this examination is important in determining ways in which Indonesia might be developed into an attractive destination country for international commerce. In order to meet the objective of this thesis, three research questions have to be answered: firstly, why Directive 95/46/EC is currently acknowledged as the strictest legal instrument concerning privacy and data protection in the trans-border flow of personal data compared with other existing legal instruments; secondly, how the European Commission determines the adequate level of protection in the third country in question under Directive 95/46/EC; and thirdly, to what extent the legal framework of data protection in Indonesia measures up to the adequate level of protection under Directive 95/46/EC.
In the course of answering the first research question, this thesis will also try to identify possibilities for improving the current adequacy finding system. Hence, a balanced accommodation might be obtained and maintained between the party that requires the adequate level of protection and the party that has to fulfill it.
This thesis is structured as follows. The first chapter is the introduction, in which the objective of this thesis is explained. The second chapter gives a brief comparison between the Directive and other legal instruments concerning privacy and data protection. Afterwards, the requirement of the adequate level of protection in the light of the Directive is explained, including the measurements used in conducting the adequacy finding and the possible solutions if there is no adequate level of protection in the third country in question. Further, this chapter covers the current problems within the Directive as well as possible suggestions to overcome them, thus answering the first and second research questions.
In the third chapter, relevant issues surrounding the Indonesian legal framework are discussed, including a brief explanation of how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so.
The findings of the second and third chapters are employed to carry out the examination in the fourth chapter, whose objective is to answer the third research question. That chapter analyzes the adequate level of protection of the Indonesian legal framework by applying the measurements in the light of the Directive. The analysis includes the various potential problems faced by Indonesia in its effort to improve the protection of personal data, along with several suggestions on how to overcome them. At the final stage, a conclusion is drawn as to what extent Indonesia can be deemed to provide an adequate level of protection. As a result, a solution as to how Indonesia might improve its legal framework under the Directive, both to avoid a lack of protection and to offer an adequate level of protection, is reached.
2. The EU Legal Framework regarding trans-border flow of Personal Data
The trans-border flow of personal data is governed by regulations concerning data protection. Since the early eighties, several such regulations, drawn up by different organizations, have been published.
The first initiative was taken by the Organisation for Economic Co-operation and Development (OECD), which established the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent conflicts between national laws which could hamper the free flow of personal data between the OECD Member States. Their establishment brought awareness of the importance of protecting the trans-border flow of personal data.
A purpose similar to that of the OECD Guidelines led the Member States of the Council of Europe (the CoE) to publish a convention in the following year. They agreed that it was necessary to reconcile the fundamental values of respect for privacy and the free flow of information between them. The agreement is set out in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), whose purpose is to take into account the right to privacy and the increasing flow across frontiers of personal data undergoing automatic processing, as a way to extend the safeguards for everyone's rights and fundamental freedoms.
In 1990, considering that the UN has more Member States than the OECD and the CoE, the Guidelines concerning Computerized Personal Data Files (the UN Guidelines) were established so that the principles of privacy and data protection would be implemented more widely among countries. The UN General Assembly, through Resolution No. A/RES/45/95 of 14 December 1990, requested the Governments of all Member States to take these Guidelines into account in their legislation. Further, governmental, intergovernmental, and non-governmental organizations were also requested to respect the Guidelines in carrying out the activities within their field of competence.
Nonetheless, the OECD Guidelines, CETS No. 108, and the UN Guidelines still have some weaknesses. They contain principles of data protection which are required to be embedded in the national laws of each Member State, but they provide no means of ensuring their effective application. For example, there is no supervisory authority provision in CETS No. 108, and the OECD Guidelines lack procedural clauses. As regards the binding power of the instruments, the OECD Guidelines, like the UN Guidelines, are only voluntarily binding on their Member States, even though the UN Guidelines contain supervision and sanction provisions.
Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data was established by the European Union (the EU) to overcome the limited effect of the two sets of Guidelines and the Convention mentioned above. A good level of compliance, support and help to individual data subjects, and appropriate redress to injured parties are the means used by the Directive to ensure the effective application of the content of its rules.
Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles: the lawfulness, fairness, and non-discrimination principles come from the UN Guidelines, while the special categories of data and additional safeguards for the data subject principles come from CETS No. 108. The remaining adopted principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
Further, the aims of the Directive can be seen from two perspectives. The first is the economic perspective, relating to the establishment and functioning of an internal market, in which the free movement of goods, persons, services, and capital, including the free movement of personal data, is to be ensured. The second is the fundamental rights perspective, in which rules for a high level of data protection are set to ensure the protection of the fundamental rights of individuals.
The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by the Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure that there are no barriers to information flows among the APEC Member Economies by promoting a consistent approach to data protection. The Framework contains nine principles built on the OECD Guidelines. In brief, the adopted principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. However, this Framework has the same weakness as the legal instruments on privacy and data protection that preceded the Directive, namely the absence of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum established on a voluntary basis, without any constitution or legally binding obligations for the Member Economies. Hence, the Framework is not binding on the Member Economies.
From the brief analysis above, the Directive currently possesses the highest level of protection compared with other existing legal instruments on privacy and data protection. In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive.
Therefore, the next section explains the legal bases of the trans-border flow of personal data to third countries under the Directive, followed by an account of how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of the rules are elaborated upon, together with a description of the possibilities available if the third country in question is not deemed to provide an adequate level of protection. Although the Directive currently provides a high level of protection, some problems and suggestions are set out as input for improvement. The findings of this chapter are used to carry out the adequacy finding of Indonesia as a third country (in the fourth chapter) by comparing them with the findings on the Indonesian legal framework in chapter three.
2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries
For the trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in accordance with the national data protection law of the EU/EEA Member States. This law applies to data controllers established in the EU, both when data is collected and when it is processed. In general, the law consists of a combination of the obligations of data controllers and the rights of data subjects.
Before the establishment of the Directive, these rights and obligations were regulated under various national data protection laws with different levels of protection. In the light of the functioning of the internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in the case of a trans-border flow of personal data to a third country, are now regulated in the Directive. Since the Directive is legally binding on the EU/EEA Member States, an adequate level of protection is fulfilled among them and consequently the trans-border flow of personal data can take place between them. Further, when personal data is used for electronic communication purposes, the rights and obligations laid down in Directive 2002/58/EC shall apply.
There are three possible types of transfer under the Directive. The first and second types are the communication of personal data by a data controller based in an EU/EEA Member State to another data controller, or to a processor, based in a third country. The third type is the communication of personal data by a data subject based in an EU/EEA Member State to a data controller based in a third country. Nevertheless, it should be noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union.
The main provision in the Directive concerning the trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. Two elements of this provision need further explanation: the transfer of personal data and an adequate level of protection.
First, what does the Directive mean by the transfer of personal data? Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. Seen from a different perspective, the situation in which one carries out an activity with the purpose of making data available to others (besides the owner of the data, the data subject) who are located in another country is also a trans-border flow of personal data.
However, making data accessible to everyone who connects to the internet by uploading personal data onto web pages, even when those who access it are located in another country, is not included in the meaning of a transfer of personal data to another country. The reason is that this kind of activity is properly acknowledged as publishing, not transferring. This exception is stated clearly by the Court of Justice in the Bodil Lindqvist Case: "there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page ... making those data accessible to anyone who connects to the internet, including people in a third country".
Subsequently, since the Directive is binding on the 27 EU Member States and on three further countries (Norway, Liechtenstein, and Iceland), which are bound by the Directive by virtue of the European Economic Area (EEA) agreement, personal data can flow freely among them. In other words, there is a "free zone" among the EU/EEA Member States. Therefore, transfer in the light of the Directive has to be understood as the transfer of personal data from the EU/EEA Member States to countries outside the EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed.
There is a so-called "white list" of countries which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive. Currently, the list consists of seven countries: Argentina, Canada (limited to private sector data), Switzerland, the United States (Safe Harbor and a specific type of transfer: Passenger Name Record/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy must be analyzed carefully, because a country being listed in the "white list" does not automatically mean that personal data can flow to that country freely. One should pay attention to whether the affirmation is given for the entire legal framework or only for a certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer.
So far, even when the result of an adequacy finding shows that the data protection level in a certain country is not adequate, the EC has not created a "black list" for that negative finding, because of the political consequences. Instead of a "black list", the EC tends to enter into negotiation with the country concerned in order to find a solution. It can be concluded from the foregoing that an adequacy finding is temporary and subject to review.
Procedure of the Adequacy Finding
In acknowledging an adequacy finding, the EC has to follow a certain procedure, which is determined in Article 25 Paragraph (6) of the Directive and is known as comitology. First, there is a proposal from the EC, followed by an opinion from the Article 29 Working Party and an opinion from the Article 31 Management Committee, which needs to be delivered by a qualified majority of Member States. Afterwards, the EC submits the proposed finding to the European Parliament (EP), which examines whether the EC has used its executing powers correctly and issues recommendations if necessary. As a final step, the EC can then formally issue the result of the adequacy finding. In the next section, the measurements used by the EC in conducting the finding are explained in detail.
3. Assessing the Adequate Level of Protection
The Article 29 Working Party has clearly stated that "any meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application". According to WP 12 of the European Commission (EC), the set of content principles that should be embodied in the existing regulations is the following:
- Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if this is compatible with the purpose of the transfer.
- Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date.
- Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country, and any other information necessary to ensure fairness.
- Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing.
- Rights of access, rectification and opposition: the data subject has the right to obtain a copy of all data relating to him/her that are processed, to obtain rectification of those data that are shown to be inaccurate, and to object to the processing of the data.
- Restrictions on onward transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer should only be permitted if the second recipient provides an adequate level of protection.
In addition to these content principles, a set of means for ensuring the effective application of the principles, whether judicial or non-judicial, is required in order to fulfill the following objectives:
- Good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measures by which the compliance level is examined, including direct verification by authorities, auditors, or independent data protection officials.
- Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. An institutional mechanism is needed to conduct independent investigation of complaints.
- Appropriate redress to the injured parties: where the rules are not complied with, redress to the injured party through independent adjudication or arbitration is provided, including compensation and the imposition of sanctions.
Beyond the content principles, some additional principles still need to be considered when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved, and a right to opt out when data are processed for direct marketing purposes, should be in place. Another principle is the right of the data subject not to be subject to an automated individual decision intended to evaluate certain personal aspects, where that decision produces legal effects or significantly affects the data subject.
These content principles, including the additional principles, and the means for ensuring their effectiveness should be viewed as the minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases there are two possibilities: the list may need to be extended with further requirements, or reduced.
To determine whether requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject is an important factor. The Article 29 Working Party has provided a list of categories of transfer which pose particular risks to privacy, as set out below:
- Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive
- Transfers which carry the risk of financial loss (e.g., credit card payments over the internet)
- Transfers carrying a risk to personal safety
- Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc.)
- Transfers which carry a risk of serious embarrassment or tarnishing of an individual's reputation
- Transfers which may result in specific actions which constitute a significant intrusion into an individual's private life (e.g., unsolicited telephone calls)
- Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.)
- Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies)
To sum up, the circumstances to be taken into account when assessing adequacy in a specific case are:
- the nature of the data
- the purpose and duration of the proposed processing operations
- the country of origin and the country of final destination
- the rules of law, both general and sectoral, in force in the country in question
- the professional rules and the security measures which are complied with in that country.
From the circumstances referred to in Article 25 Paragraph 2 of the Directive, it can be seen that the assessment of the adequate level of protection is conducted according to the rules of law as well as the professional rules and the security measures. In other words, it has to be examined from a self-regulation perspective as well.
The Article 29 Working Party gives a broad meaning to self-regulation as "any set of data protection rules applying to a plurality of the data controllers from the same profession or industry sector, the content of which has been determined primarily by members of the industry or profession concerned". This wide definition covers, on the one hand, a voluntary data protection code developed by a small industry association with only a few members and, on the other hand, a set of codes of professional ethics with quasi-judicial force for a certain profession, such as doctors or bankers.
Still, one should bear in mind that, to be considered an appropriate legal instrument for analysis, a self-regulatory instrument has to be binding on its members and has to provide adequate safeguards if the personal data are transferred onward to non-member entities. Obviously, in assessing self-regulation the main decisive factor is not the content principles but the existence of means for ensuring the effectiveness of those principles.
4. Data Transfer to Third Countries without Adequate Protection
It is possible that the outcome of the adequacy assessment is that the third country in question is not deemed to provide an adequate level of protection. If this is the case, the trans-border flow of personal data cannot, in principle, take place. To provide a legal basis for transfers in this situation, the Directive nevertheless offers two possibilities: the transfer is allowed if adequate safeguards are adduced, or if one of the six derogations under Article 26 Paragraph 1 applies. Each of these exceptions is explained in the following sections.
1. Adequate Safeguard
Under Article 26 Paragraph 2 of the Directive, adequate safeguards may in particular result from appropriate contractual clauses. This does not exclude other forms of adequate safeguards, such as intra-corporate data protection rules (also known as Binding Corporate Rules/BCR) and sectoral codes of conduct.
To overcome the lack of proper contractual clauses, the EC has, on the basis of Article 26 Paragraph 4 and under the procedure laid down in Article 31 Paragraph 2 of the Directive, approved three sets of standard contractual clauses that are considered to ensure an adequate level of protection. Data controllers can rely on these clauses as a legal basis for trans-border flows of personal data to third countries, because transfers made under them may not be suspended or blocked by the national authorities of the EU/EEA Member States, save in the exceptional circumstances set out in the EC decisions approving the clauses.
The standard contractual clauses make it possible to set up a minimum standard of protection. Further, where standard contractual clauses exist, the adequacy finding becomes less time-consuming and costly, and more effective, than the negotiation of an international agreement.
In fact, both the Council of Europe (CoE) and the International Chamber of Commerce (ICC) have drafted standard contractual clauses concerning the trans-border flow of personal data, but these instruments do not accommodate all of the content rules applicable under Directive 95/46/EC and are relatively weak on the means for ensuring their effective application. These instruments do not address....
Besides the standard contractual clauses, data controllers may set up ad hoc contracts, but such contracts still need the approval of the Data Protection Authority (DPA) of each EU/EEA Member State from which the data will be exported. In other words, a permit is needed before the contract can be used and the trans-border flow of personal data can take place. Data controllers do not have to submit an application for each individual transfer, because a permit for a category of transfers can be obtained as long as the same circumstances apply. Such a permit can, however, only be given for specific and well-defined circumstances, with safeguards foreseen to address the specific risks at stake, and where the scope of the permit can be determined at all times.
Nevertheless, contractual clauses have weaknesses as a solution for ensuring an adequate level of protection. The first weakness is that the possibility of obtaining a permit, whether for each transfer or for a category of transfers, is not a workable solution for multinational companies: given their organizational structure, it remains burdensome and costly in practice. The second weakness is that the requirement of specific and well-defined circumstances is not easy to satisfy when the political conditions in the third country in question are taken into account. Each of these weaknesses is explained in the following section.
The Problems related to Contractual Solutions
As mentioned above, even though contractual solutions can ensure an adequate level of protection, in some situations they cannot be applied in practice.
For multinational companies, the standard contractual clauses become impractical. A multinational company has a sophisticated organizational structure to ensure that its operations perform well in different countries. The company no longer consists of one office; it has subsidiary offices located in different countries. This means that when a contract is drafted, it has to cover both the internal entities of the company and external entities. Consequently, every contract has to involve all the parties concerned.
Multinational companies therefore face thousands of contracts and agreements for every set of transfers between the various parties in different countries. This burden becomes heavier whenever a contract is modified, whether by update or addition, because the modification has to be re-authorized by the relevant DPA, which takes at least one to two months. To solve this problem, companies prefer to adopt Binding Corporate Rules/BCR.
Another situation in which the standard contractual clauses become impractical concerns less democratic third countries. When such a country is the destination of a trans-border flow of personal data, the existing legal requirements, including the clauses limiting what controllers or processors in the third country may do, have no practical legal effect there. The powers of state authorities in such countries to access information go beyond any international human rights protection. The political conditions can therefore diminish the possibility of obtaining a permit.
While there is an exception under Article 13 Paragraph 1 of the Directive, in particular for public order matters, when the acts of a State go beyond any international standards and agreements, the third country in question simply does not provide an adequate level of protection. Such third countries are therefore acknowledged as unsafe destinations for trans-border flows of personal data.
2. Derogations under Article 26 Paragraph 1 of Directive 95/46/EC
Under Article 26 Paragraph 1 of the Directive, six derogations are provided as exceptions for cases in which the adequate level of protection is not fulfilled. It is commonly assumed that these exceptions apply only where the third country in question does not ensure an adequate level of protection; a fortiori, however, they can also serve as a legal basis for transfers to a country that does ensure an adequate level of protection but whose adequacy has not yet been assessed.
At first glance, this provision seems inconsistent with the requirement of Article 25 Paragraph 1 of the Directive. The Article 29 Working Party has therefore recommended that the derogations should preferably be applied only to cases in which it would be genuinely inappropriate, or even impossible, to base the trans-border flow of personal data on adequate safeguards. Following this recommendation, the derogations may even be relied upon for repeated, mass, or structural transfers, but only if the risks to the data subject are small and certain rules are properly applied, namely the data quality principles, the criteria for legitimate data processing, and the rules on special categories of processing.
The derogations are, in brief, as follows:
- The first derogation is the unambiguous consent of the data subject, which requires a freely given, specific, and informed indication of the data subject's wishes, whatever the circumstances.
- The second and third derogations relate to transfers necessary in a contractual context.
- The fourth derogation applies when the transfer is necessary or legally required on important public interest grounds or for legal claims.
- The fifth derogation covers transfers necessary to protect the vital interests of the data subject.
- Finally, the sixth derogation concerns transfers from public registers intended to provide information to the public and open for consultation.
5. The Current Problems in EU Directive 95/46/EC
The requirements, procedures, and current practices for ensuring an adequate level of protection when conducting trans-border flows of personal data to third countries under the Directive, including the two exception schemes, have been explained above. Together, these schemes give the Directive a high level of protection for privacy and data protection.
Nevertheless, the Directive has some weaknesses in relation to the assessment of an adequate level of protection for trans-border flows of personal data into third countries. The first problem is the unclear status of third countries and the second is the possibility of circumventing restrictions through "free zones".
The unclear status of third countries is a problem because it makes it difficult for data controllers to conduct a lawful data transfer to third countries. Because each EU/EEA Member State interprets the Directive differently, several different positions concerning third countries can be distinguished:
- six Member States do not regard non-EU/EEA States as third countries and assume they provide an adequate level of protection, while others do regard them as third countries, so that an adequacy finding has to be made before the data are transferred
- one Member State expressly allows transfers to the States party to CETS No. 108 without any additional requirement under the provisions of Directive 95/46/EC, while other Member States impose additional requirements
- only four Member States clearly state that, in the absence of an EC adequacy finding, only the national authorities can determine whether a third country in question fulfils the adequacy requirement
The effect of this situation is that data controllers may have to conduct the adequacy assessment themselves, because neither the EC nor a DPA of an EU/EEA Member State has made a prior adequacy finding for the third country the data controller needs. This is not easy for the controller, which may lack the qualification and capacity to do so. Moreover, it is difficult for the controller to stay objective in the assessment, because of the conflict of interest that arises once it realizes that a negative result would harm its own interests. There is also no guarantee that an assessment conducted by a data controller is carried out correctly. The data controller is then at a disadvantage if the DPA later decides that the trans-border flow of personal data has been conducted unlawfully.
The existence of a "white list" is not fully useful to data controllers in assessing whether an adequate level of protection exists either. The list is insufficient to accommodate the interests of multinational companies, because the countries listed may not be the ones of interest to them, while the countries that are really of interest to the companies, such as China, Brazil, India, and Singapore, currently lack adequacy status.
The possibility of circumventing restrictions through a "free zone" is also an issue. Its cause is the inconsistent obligation on the EU/EEA Member States to notify whether or not a third country in question provides an adequate level of protection. This inconsistency can be seen by comparing Article 25 Paragraph 3 and Article 26 Paragraph 3 of the Directive. Under the first provision, a Member State must inform the EC and the other Member States when it considers that a third country does not ensure an adequate level of protection. Under the second provision, a Member State must inform the EC and the other Member States of any authorization it grants for a data transfer as an exception to the adequacy requirement. Consequently, when data controllers find that one Member State has restricted a transfer, they can simply conduct it from another Member State that acknowledges or authorizes the trans-border flow of personal data.
6. Suggestions to Overcome the Problems
Given the weaknesses mentioned above, the improvements needed in the Directive are clear. First, to overcome the unclear status of third countries, the Article 29 Working Party could issue a recommendation stating clearly that non-EU/EEA States that are not on the "white list" of adequacy findings are to be considered third countries, so that their level of protection has to be reviewed. If such States were not considered third countries, their level of protection would logically be deemed adequate, which opens the possibility of violations of the data subject's right to privacy as a fundamental human right. It is therefore better to minimize this possibility by treating non-EU/EEA States as third countries.
For the second issue, Paragraph 3 of Article 25 and Paragraph 3 of Article 26 should be amended and synchronized. The obligation to inform the EC and the other Member States would no longer create a possibility of "free zone" circumvention if a Member State had to inform the EC in both situations, that is, whether or not it acknowledges or authorizes the transfer.
This chapter has introduced the measures of an adequate level of protection under the Directive, specifically in Articles 25 and 26, as the vital basis for the analysis in this thesis.
These consist of a set of content rules, followed by a set of procedures for ensuring the effectiveness of those principles, complemented by additional principles relating to certain conditions of transfer. The degree of risk posed by certain kinds of transfers has to be considered as well, as do the special circumstances of specific cases. This set of adequacy measures is also applicable in assessing self-regulation in the third country in question, with the emphasis on the means for ensuring the effectiveness of the principles as the decisive factor. Where the requirement of an adequate level of protection is not fulfilled, adequate safeguards can be put in place, consisting of standard and ad hoc contractual clauses, intra-corporate data protection rules (Binding Corporate Rules/BCR), and sectoral codes of conduct, with the six derogations as the last option for conducting a trans-border flow of personal data.
Some current problems related to Articles 25 and 26 of the Directive, together with suggestions to solve them, have also been addressed in this chapter. In the next chapter, the Indonesian legal framework on privacy and data protection will be introduced, to provide insight into how Indonesia, as a third country, administers the protection of personal data.
The Indonesian Legal Framework on Privacy and Data Protection
As of today, Indonesia still does not have any comprehensive or specific legislation concerning privacy and data protection. Consequently, there are no clear regulations on the trans-border flow of personal data, although a Personal Data Protection Law was drafted in 2006 by the State Minister for Administrative Reform. At the time of writing, the draft has been sitting at the executive level for almost three years. It still needs to be proposed to, examined by, and promulgated by the House of Representatives before it can take effect.
Considering the time it has taken at the executive level, the Indonesian Government (the Government) apparently does not regard the draft as a high-priority law and therefore does not find it necessary to speed up the process. It is also possible that the Government relies on Law No. 11/2008 concerning Electronic Information and Transactions (the EIT Law) and Law No. 14/2008 concerning Transparency of Public Information (the Public Information Law), which contain provisions on privacy and data protection at a general level. Unfortunately, neither regulates the trans-border flow of personal data.
There are also some laws that provide general provisions on privacy and data protection, namely Law No. 7/1971 concerning General Principles of Archives (the Archive Law), Law No. 8/1981 concerning Criminal Procedure (the Criminal Procedural Law), Law No. 8/1997 concerning Corporate Documents (the Corporate Document Law), and Law No. 39/1999 concerning Human Rights (the Human Rights Law). These laws do not stipulate anything on the trans-border flow of personal data either.
Some sectoral laws also have a certain degree of provision on privacy and data protection, such as Law No. 23/1992 concerning Health Care (the Health Care Law), Law No. 29/2004 concerning Medical Practice (the Medical Practice Law), Law No. 10/1998 concerning Banking (the Banking Law), and Law No. 36/1999 concerning Telecommunications (the Telecommunication Law).
In assessing whether or not Indonesia has an adequate level of protection, these general and sectoral regulations shall be analyzed. The next sections give a brief explanation of each of the laws mentioned above, focusing on their protection of personal data.
2. The Hierarchy of Laws and Regulations in Indonesia
The Indonesian hierarchy of laws and regulations is stipulated in Law No. 10/2004 concerning the Formulation of Laws and Regulations. The hierarchy is as follows: the Grundnorm is the 1945 Constitution (UUD 1945/the Constitution), followed by Laws (Undang-Undang) and Government Regulations in lieu of Law (Perpu), followed by implementing regulations such as Government Regulations (Peraturan Pemerintah), Presidential Regulations (Perpres) and Regional Regulations (Perda, at provincial/municipal level). Additionally, there are ministerial decrees and the decrees of heads of non-departmental agencies. These are binding as administrative decisions in their respective sectors but do not have as much binding power as laws.
The 1945 Constitution (the Constitution) is the highest legal authority in Indonesia, to which the legislative, executive, and judicial branches of government must all refer. Hence, every law has to be drafted with the Constitution as its basis.
Under the Constitution, laws can only be enacted after the approval of the People's Representative Council (the Legislative). A bill can be proposed by the President (the Executive) to obtain that approval. While the bill is being turned into a law, the Legislative forms a working group to discuss and synchronize the draft with the corresponding ministries. This lengthy and costly process is completed when an agreement has been reached between the Legislative and the Executive, after which the draft is endorsed into law by the Executive. If the Executive for any reason does not endorse a draft that has been agreed, it is automatically promulgated into law within thirty days. If no agreement can be reached, the draft cannot be proposed again during the current term of the Legislative's members.
3. General Regulations
It has been explained that all Indonesian general and sectoral regulations are based upon the Constitution. Human rights are guaranteed in the Constitution under Chapter XA, which consists of several provisions, as follows.
Article 28G Paragraph 1 of the Constitution states that "every person shall have the right to protection of his/herself, family, honor, dignity, and property, and shall have the right to feel secure against and receive protection from the threat of fear to do or not do something that is a human right". However, this right is not without limitation: according to Article 28J of the Constitution, every person shall have the duty to respect the human rights of others. The relevance of the Constitution to privacy and data protection can be seen in Article 28F, which states that "every person shall have the right to possess, store, process, and convey information by employing all available types of channels". However, there is no further explanation of what the Article means by types of channels.
Human Rights Law
The only article in the Human Rights Law that gives effect to Articles 28F, 28G, and 28J of the Constitution is Article 21, which states that "every person shall have the right to personal integrity, both physical and spiritual, and therefore may not be the object of research without consent". The relevance of Article 21 to data protection lies in its elucidation, which defines the object of research: being an object of research means that the data subject is requested to provide comments, opinions, or information concerning his/her private life, and that the person's image and voice are recorded during the process. Further, under Article 32 of the Law, the independence and secrecy of correspondence, including communication through electronic means, may not be disturbed, except by order of a judge or other authority in accordance with the provisions of the law.
Criminal Procedural Law
Personal data protection is regulated in the Criminal Procedural Law under Articles 43, 47, 48 and 49. Under these articles, legal officers have to obtain the consent of the data subject or special permission from the judge of the district court, unless statutory regulations stipulate otherwise, before seizing any letters or documents. Moreover, they are obliged to keep the information confidential where the letters or documents are irrelevant to a case. All of these steps have to be recorded in the official report.
Archive and Corporate Document Laws
Concerning archiving, Indonesia has two legal instruments regulating archives in the public and private sectors. Law No. 7/1971 concerning General Principles of Archives applies to both the public and the private sector, while Law No. 8/1997 concerning Corporate Documents applies to the private sector only.
Article 1(a) of the Archive Law requires archived documents to be protected from any party without a right of access, and Article 11 provides a criminal sanction for those who fail to do so. The Corporate Document Law, for its part, obliges a company to record all information and activities in order to provide legal certainty and serve stakeholders' interests (as stated in point e of its preamble). The Law also lays down procedures the company must follow to create, store, and destroy documents. It is common business practice for a company to keep a list of its employees, including their personal data, as part of the company's documents; the company therefore has to follow the Law for its list of employees as well.
Public Information Law
The protection of personal data in relation to public information is provided under Article 17 of the Public Information Law, which exempts from access as public information any information revealing personal authentic deeds or wills, and personal confidential information (concerning family, medical, financial, and educational matters). However, access to such personal data is possible with the consent of the data subject, or where the data subject is a public officer. Violations of Article 17 can lead to imprisonment for up to two years and a fine of up to IDR 10 million (approximately EUR 700).
The exceptions to access to personal data under the Public Information Law have to be examined thoroughly by the Information and Documentation Officer within each government agency before any access to personal data is authorized. The exception is not permanent, however: access is excluded for a certain period in order to protect the privacy of the data subject. That period is to be regulated in the implementing regulations of the Law, which unfortunately have not been drafted yet.
Further, the exception from access also covers the personal data of an informant, informer, witness, or victim who knows that a crime has occurred, where this is in the interest of criminal court proceedings. Access to this information is granted following authorization by the competent legal officer and after obtaining the permission of the President. Chapter VIII of the Law provides the procedures for objection and dispute settlement where an application for access to public information is refused by the government agency and the applicant contests the decision.
Electronic Information and Transaction Law
A more explicit provision on the protection of personal data is found in Article 26 of the Electronic Information and Transactions (EIT) Law. The Law is umbrella legislation covering e-government, e-contracts, privacy, cybercrime, digital copyright, and other cyber law issues.
Under Article 26 Paragraph 1 of the EIT Law, any use of personal data provided through electronic media may only take place with the approval of the data subject, unless statutory regulations stipulate otherwise. The second paragraph of the Article gives every person whose rights have been infringed the opportunity to file a lawsuit for compensation. The elucidation of the Law describes the Article as conferring on data subjects a very broad privacy right, comprising the right to enjoy one's personal life and to be free from all kinds of disturbance, the right to communicate with other persons without being monitored, and the right to control access to personal data about oneself. Although this is the only clear provision on the protection of personal data, it is still too general and requires implementing regulations to be effective.
More focused provisions on the protection of personal data in Indonesia can be found in the sectoral regulations, namely the laws on the health care, telecommunication, and banking sectors. These sectors are governed not only by statutes but also by codes of conduct, such as ethical codes. In the light of the Directive, the personal data processed in these sectors, health data in particular, is regarded as sensitive data. For that reason, a brief explanation of these three sectors is given in this section.
Health Care Sector
The protection of patients' data in Indonesia is stated clearly in Law No. 23/1992 concerning Health Care and Law No. 29/2004 concerning Medical Practice. The relevant implementing regulations are Government Regulation No. 32/1996 concerning Health Workers and Minister of Health Regulation No. 269/Menkes/Per/III/2008 concerning Medical Records.
Every health worker is obliged to comply with professional standards and to respect patients' rights. Failure to do so results in disciplinary punishment by the Majelis Kehormatan Etik Kedokteran/MKEK. Moreover, health workers may not share their patients' medical records without the patient's approval, except in the case of a criminal investigation under the authorization of the head of the district court. Failure to comply with this requirement can lead to imprisonment for up to one year or a fine of up to IDR 50 million.
Further, doctors are obliged to keep a medical record for each patient, and these records must be treated as confidential. The confidentiality of the records may, however, be lifted in the interest of the patient's health, by court order for legal proceedings, with the patient's consent, under a statutory obligation, or for medical research, education and audit purposes, as long as the identity of the patient is not disclosed.
In addition to these regulations, doctors have an obligation to comply with their own professional ethical codes, and keeping patients' data confidential is part of these codes. A disciplinary board for medical ethics, the Majelis Kehormatan Etik Kedokteran/MKEK, has been formed as part of the Indonesian Medical Association (Ikatan Dokter Indonesia/IDI). Currently, the health sector (through IDI) is the only sector in Indonesia that has the means for ensuring the effectiveness of its ethical codes.
Telecommunication Sector
Law No. 36/1999 concerning Telecommunications stipulates that telecommunication service providers are required to maintain the confidentiality of all information transmitted to, or received by, their subscribers; failure to do so can lead to imprisonment for up to two years and/or a fine of up to IDR 200 million. Nevertheless, when required, telecommunication service providers have to provide access to legal officers for law enforcement purposes (investigation or court proceedings).
This regulation provides appropriate redress to injured parties who find that their rights have not been protected by the service provider, unless the provider can prove otherwise. The obligation also applies during the registration process for pre-paid mobile phone cards.
Unlike the health care sector, the telecommunication sector has no ethical code. However, the sector has a supervisory body called the Indonesian Telecommunication Regulatory Body (Badan Regulasi Telekomunikasi Indonesia - BRTI). This body is an independent regulatory body (IRB) whose aims are to protect the public interest (telecommunication users) and to support and protect competition in the telecommunication business so that it remains healthy, efficient, and attractive to investors. In performing its functions, BRTI coordinates with the Directorate General of Post and Telecommunications (Dirjen Postel) and reports to the Minister of Communication and Information Technology (Depkominfo).
Banking Sector
Bankers are obliged to secure the confidentiality of their customers' data, known as bank secrecy. Exceptions are made for taxation purposes, settlement of bank receivables, criminal proceedings in court, and with the customer's consent. This requirement is regulated in Law No. 10/1998 concerning the Amendment of Law No. 7/1992 on Banking.
For each exception, written authorization from the Governor of the Central Bank of Indonesia has to be obtained. The authorization is granted on the basis of requests from the relevant government officers, such as the Minister of Finance and other legal officers. Customer data means any information relating to the customer and his/her deposits.
Bankers who breach this obligation may be sanctioned by imprisonment of two to four years and a fine of between IDR 4 billion and IDR 8 billion. The obligation binds not only bankers but also anyone who seeks to obtain customers' data: those who insist on obtaining the data without authorization from the Governor of the Central Bank of Indonesia face imprisonment for up to four years and a fine of up to IDR 200 billion.
Moreover, the Central Bank of Indonesia through its regulation No. 7/6/PBI/2005 concerning Transparency of Bank Product Information and the Use of Customer Personal Data requires a bank to provide a transparent policy and procedure for the use of customer personal data. The Bank's Board of Directors with the approval of the Commissioners of the Bank sha