Privacy International

Overview

Privacy is a fundamental human right recognized in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional treaties. Privacy underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights issues of the modern age. The publication of this report reflects the growing importance, diversity and complexity of this fundamental right.

This report provides details of the state of privacy in over fifty countries. It outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

Nearly every country in the world recognizes a right of privacy in their constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions such as South Africa's and Hungary's include specific rights to access and control one's personal information. In many of the countries where privacy is not explicitly recognized in the constitution, such as the United States, Ireland and India, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.

In the early 1970s, countries began adopting broad laws intended to protect individual privacy. Throughout the world, there is a general movement towards the adoption of comprehensive privacy laws that set a framework for protection. Most of these laws are based on the models introduced by the Organization for Economic Cooperation and Development and the Council of Europe.

In 1995, conscious both of the shortcomings of law, and the many differences in the level of protection in each of its States, the European Union passed a Europe-wide directive which will provide citizens with a wider range of protections over abuses of their personal information. [1] The directive on the "Protection of Individuals with regard to the processing of personal data and on the free movement of such data" sets a benchmark for national law. Each E.U. State must pass complementary legislation to incorporate this into their domestic laws.

The Directive also imposes an obligation on member States to ensure that the personal information relating to European citizens is covered by law when it is exported to, and processed in, countries outside Europe. This requirement has resulted in growing pressure outside Europe for the adoption of privacy laws. Nearly fifty countries now have comprehensive data protection or information privacy laws or are in the process of adopting them.

Threats to Privacy

The increasing sophistication of information technology with its capacity to collect, analyze and disseminate information on individuals has introduced a sense of urgency to the demand for privacy legislation. Furthermore, new developments in medical research and care, telecommunications, advanced transportation systems and financial transfers have dramatically increased the level of information generated by each individual. Computers linked together by high-speed networks with advanced processing systems can create comprehensive dossiers on any person without the need for a single central computer system. New technologies developed by the defense industry are spreading into law enforcement, civilian agencies, and private companies.

According to opinion polls, concern over privacy violations is now greater than at any time in recent history. [2] Uniformly, populations throughout the world express fears about encroachment on privacy, prompting an unprecedented number of nations to pass laws which specifically protect the privacy of their citizens. Human rights groups are concerned that much of this technology is being exported to developing countries that lack adequate protections. Currently, there are few barriers to the trade in surveillance technologies.

It is now common wisdom that the power, capacity and speed of information technology is accelerating rapidly. The extent of privacy invasion – or certainly the potential to invade privacy – increases correspondingly.

Beyond these obvious aspects of capacity and cost, there are a number of important trends that contribute to privacy invasion:

GLOBALISATION removes geographical limitations to the flow of data. The development of the Internet is perhaps the best known example of a global technology.

CONVERGENCE is leading to the elimination of technological barriers between systems. Modern information systems are increasingly interoperable with other systems, and can mutually exchange and process different forms of data.

MULTI-MEDIA fuses many forms of transmission and expression of data and images so that information gathered in a certain form can be easily translated into other forms.

Technology transfer and policy convergence

The macro-trends outlined above have had particular effect on surveillance in developing nations. In the field of information and communications technology, the speed of policy convergence is compressed. Across the surveillance spectrum – wiretapping, personal ID systems, data mining, censorship or encryption controls – it is the industrialized countries that invariably set a proscriptive pace. [3]

Governments of developing nations rely on First World countries to supply them with technologies of surveillance such as digital wiretapping equipment, deciphering equipment, scanners, bugs, tracking equipment and computer intercept systems. The transfer of surveillance technology from first to third world is now a lucrative sideline for the arms industry. [4]

According to a 1997 report Assessing the Technologies of Political Control, commissioned by the European Parliament's Civil Liberties Committee and undertaken by the European Commission's Science and Technology Options Assessment office (STOA), [5] much of this technology is used to track the activities of dissidents, human rights activists, journalists, student leaders, minorities, trade union leaders, and political opponents. The report concludes that such technologies (which it describes as "new surveillance technology") can exert a powerful "chilling effect" on those who "might wish to take a dissenting view and few will risk exercising their right to democratic protest." Large-scale ID systems are also useful for monitoring larger sectors of the population. In the absence of meaningful legal or constitutional protections, such technology is inimical to democratic reform. It can certainly prove fatal to anyone "of interest" to a regime.

Government and citizen alike may benefit from the plethora of IT schemes being implemented by the private and public sectors. New "smart card" projects in which client information is placed on a chip in a card may streamline complex transactions. The Internet will revolutionize access to basic information on government services. Encryption can provide security and privacy for all parties.

However, these initiatives will require a bold, forward looking legislative framework. Whether governments can deliver this framework will depend on their willingness to listen to the pulse of the emerging global digital economy and to recognize the need for strong protection of privacy.

Defining Privacy

Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define and circumscribe. [6] Privacy has roots deep in history. The Bible has numerous references to privacy. [7] There was also substantive protection of privacy in early Hebrew culture, Classical Greece and ancient China. [8] These protections mostly focused on the right to solitude. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information. Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs. [9] It can be divided into the following facets:

Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information and medical records;

Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as drug testing and cavity searches;

Privacy of communications, which covers the security and privacy of mail, telephones, email and other forms of communication; and

Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space.

The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."[10]

Some viewpoints on privacy:

In the 1890s, future U.S. Supreme Court Justice Louis Brandeis articulated a concept of privacy that urged that it was the individual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms in a democracy, and he was concerned that it should be reflected in the Constitution. [11]

The Preamble to the Australian Privacy Charter provides that, "A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy . . . Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech. . . . Privacy is a basic human right and the reasonable expectation of every person." [12]

Alan Westin, author of the seminal 1967 work "Privacy and Freedom," defined privacy as the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others. [13]

According to Edward Bloustein, privacy is an interest of the human personality. It protects the inviolate personality, the individual's independence, dignity and integrity. [14]

According to Ruth Gavison, there are three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person. [15]

The Calcutt Committee in the UK said that, "nowhere have we found a wholly satisfactory statutory definition of privacy." But the committee was satisfied that it would be possible to define it legally and adopted this definition in its first report on privacy:

The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information. [16]

The Right to Privacy

Privacy can be defined as a fundamental, though not an absolute, human right. The law of privacy can be traced as far back as 1361, when the Justices of the Peace Act in England provided for the arrest of peeping toms and eavesdroppers. [17] In 1765, British Lord Camden, striking down a warrant to enter a house and seize papers wrote, "We can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society, for papers are often the dearest property any man can have." [18] Parliamentarian William Pitt wrote, "The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow though it; the storms may enter; the rain may enter – but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement."

Various countries developed specific protections for privacy in the centuries that followed. In 1776, the Swedish Parliament enacted the Access to Public Records Act which required that all government-held information be used for legitimate purposes. In 1792, the Declaration of the Rights of Man and the Citizen declared that private property is inviolable and sacred. France prohibited the publication of private facts and set stiff fines for violators in 1858. [19] In 1890, American lawyers Samuel Warren and Louis Brandeis wrote a seminal piece on the right to privacy as a tort action describing privacy as "the right to be left alone."[20]

The modern privacy benchmark at an international level can be found in the 1948 Universal Declaration of Human Rights, which specifically protected territorial and communications privacy. Article 12 states:

No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.[21]

Numerous international human rights covenants give specific reference to privacy as a right. The International Covenant on Civil and Political Rights (ICCPR), the UN Convention on Migrant Workers [22] and the UN Convention on Protection of the Child [23] adopt the same language.[24]

On the regional level, various treaties can make these rights legally enforceable. Article 8 of the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms [25] states:

(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health of morals, or for the protection of the rights and freedoms of others.

The Convention created the European Commission of Human Rights and the European Court of Human Rights to oversee enforcement. Both have been particularly active in the enforcement of privacy rights and have consistently viewed Article 8's protections expansively and the restrictions narrowly.[26] The Commission found in its first decision on privacy:

For numerous Anglo-Saxon and French authors, the right to respect "private life" is the right to privacy, the right to live, as far as one wishes, protected from publicity . . . In the opinion of the Commission, however, the right to respect for private life does not end there. It comprises also, to a certain degree, the right to establish and develop relationships with other human beings, especially in the emotional field for the development and fulfillment of one's own personality. [27]

The Court has reviewed member states' laws and imposed sanctions on several countries for failing to regulate wiretapping by governments and private individuals. [28] It has also reviewed cases of individuals' access to their personal information in government files to ensure that adequate procedures exist. [29] It has expanded the protections of Article 8 beyond government actions to those of private persons where it appears that the government should have prohibited those actions. [30] Presumably, under these combined analyses, the court could order the imposition of data protection laws if data was improperly processed to the detriment of the data subject. [31]

Other regional treaties are also beginning to be used to protect privacy. Article 11 of the American Convention on Human Rights sets out the right to privacy in terms similar to the Universal Declaration. [32] In 1965, the Organization for American States proclaimed the American Declaration of the Rights and Duties of Man, which called for the protection of numerous human rights including privacy. [33] The Inter-American Court of Human Rights has begun to address privacy issues in its cases.

The Evolution of Data Protection

Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology (IT). The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. In many countries, new constitutions reflect this right. The genesis of modern legislation in this area can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978). [34]

Two crucial international instruments evolved from these laws. The Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data [35] and the Organization for Economic Cooperation and Development's Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data [36] articulate specific rules covering the handling of electronic data. The rules within these two documents form the core of the Data Protection laws of dozens of countries. These rules describe personal information as data that are afforded protection at every step from collection to storage and dissemination.

The expression of data protection in various declarations and laws varies in degree. All require that personal information must be:

obtained fairly and lawfully;
used only for the original specified purpose;
adequate, relevant and not excessive to purpose;
accurate and up to date;
accessible to the subject;
kept secure; and
destroyed after its purpose is completed.

These two agreements have had a profound effect on the enactment of laws around the world. Over twenty countries have adopted the COE convention and another six have signed it but have not yet adopted it into law. The OECD guidelines have also been widely used in national legislation, even outside the OECD countries.

Reasons for Adopting Comprehensive Laws

There are three major reasons for the movement towards comprehensive privacy and data protection laws. Many countries are adopting these laws for one or more reasons.

To remedy past injustices. Many countries, especially in Central Europe, South America and South Africa, are adopting laws to remedy privacy violations that occurred under previous authoritarian regimes.

To promote electronic commerce. Many countries, especially in Asia, but also Canada, have developed or are currently developing laws in an effort to promote electronic commerce. These countries recognize consumers are uneasy with their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules.

To ensure laws are consistent with Pan-European laws. Most countries in Central and Eastern Europe are adopting new laws based on the Council of Europe Convention and the European Union Data Protection Directive. Many of these countries hope to join the European Union in the near future. Countries in other regions, such as Canada, are adopting new laws to ensure that trade will not be affected by the requirements of the E.U. Directive.

The European Telecommunications Directive and the European Data Protection Directive

In the past three years, the European Union has enacted two directives which will provide citizens with a wider range of protections over abuses of their data. The Directives set a baseline common level of privacy which not only reinforce current data protection law, but extend it to establish a range of new rights. The Data Protection Directive sets a benchmark for national law that will harmonize law throughout the European Union. [37] Each E.U. State was required to enact complementary legislation by October 1998, though it is more likely that not all will have completed the process until the early part of 2000. The Telecommunications Directive [38] establishes specific protections covering telephone, digital television, mobile networks and other telecommunications systems.

Several principles of data protection are strengthened under the Directives, the right to know where the data originated, the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use data in some circumstances. For example, individuals will have the right to opt-out free of charge from being sent direct marketing material. The Data Protection Directive contains strengthened protections over the use of sensitive personal data relating, for example, to health or finances. In the future, the commercial and government use of such information will generally require "explicit and unambiguous" consent of the data subject.

The key concept in the European model is "enforceability." The European Union is concerned that data subjects have rights that are enshrined in explicit rules, and that they can go to a person or an authority that can act on their behalf. Every E.U. country will have a Privacy Commissioner or agency that enforces the rules. It is expected that the countries with which Europe does business will have to have a similar level of oversight.

The Directive imposes an obligation on member States to ensure that the personal information relating to European citizens is covered by law when it is exported to, and processed in, countries outside Europe. [39] This requirement has resulted in growing pressure outside Europe for the passage of privacy laws. Those countries that refuse to adopt meaningful privacy law may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data.

The Telecommunications Directive imposes wide-ranging obligations on carriers and service providers to ensure the privacy of users' communications, including Internet-related activities. The new rules will cover areas that until now have fallen between the cracks of data protection laws. Access to billing data will be severely restricted, as will marketing activity. Caller ID technology must incorporate an option for per-line blocking of number transmission. Information collected in the delivery of a communication must be purged once the call is completed.

Models of Privacy Protection

There are currently several major models for privacy protections. Depending on their application, these models can be complimentary or contradictory. In most countries reviewed in the survey, several models are used simultaneously. In the countries that protect privacy the most, all of the models work together to ensure privacy protection.

Comprehensive laws

In many countries around the world, there is a data protection law that governs the collection, use and dissemination of personal information by both the public and private sectors. This is the preferred model for most countries adopting data protection law. It is also the model favored by Europe to ensure compliance with its new data protection regime. In most of these countries, there is also an official or agency that oversees enforcement of the act. This official, known variously as a Commissioner, Ombudsman or Registrar, monitors compliance with the law and conducts investigations into alleged breaches. In some cases the official can find against an offender. The official is also responsible for public education and international liaison in data protection and data transfer. However, the powers of the commissions vary greatly and many report a serious lack of resources to adequately enforce the laws. A variation of these laws, which is described as a co-regulatory model, is currently being adopted in Canada and Australia. Under this approach, industry develops enforceable standards for the protection of privacy that are enforced by the industry and oversight by a privacy agency.

Sectoral Laws

Some countries such as the United States have avoided general data protection rules in favor of specific sectoral laws governing, for example, video rental records and financial privacy. In such cases, enforcement is achieved through a range of mechanisms. A major drawback with this approach is that it requires that new legislation be introduced with each new technology so protections frequently lag behind. There is also the problem of a lack of an oversight agency. The lack of legal protections for medical and genetic information in the U.S. is a striking example of its limitations. In many countries, sectoral laws are used to complement comprehensive legislation by providing more detailed protections for certain categories of information, such as telecommunications, police files or consumer credit records.

Self Regulation

Data protection can also be achieved - at least in theory - through various forms of self-regulation, in which companies and industry bodies establish codes of practice. However, these efforts have been disappointing, with little evidence that the aims of the codes are regularly fulfilled. Adequacy and enforcement are the major problem with these approaches. Industry codes in many countries have tended to provide only weak protections and lack enforcement. This is currently the policy promoted by the governments of United States, Japan, and Singapore.

Technologies of Privacy

With the recent development of commercially available technology-based systems, privacy protection has also moved into the hands of individual users. Users of the Internet and of some physical applications can employ a range of programs and systems that will ensure varying degrees of privacy and security of communications. These include encryption, anonymous remailers, proxy servers, digital cash and smart cards. Questions remain about security and trustworthiness of these systems. Recently, the European Commission evaluated some of the technologies and stated that the tools would not replace a legal framework but could be used to compliment existing laws. [40]

Continuing Problems

Even with the adoption of legal and other protections, violations of privacy remain a concern. In many countries, laws have not kept up with the technology, leaving significant gaps in protections. In other countries, law enforcement and intelligence agencies have been given significant exemptions. Finally, without adequate oversight and enforcement, the mere presence of a law may not provide adequate protection.

There are widespread violations of laws relating to surveillance of communications, even in the most democratic of countries. The U.S. State Department's annual review of human rights violations finds that over 90 countries illegally monitor the communications of political opponents, human rights workers, journalists and labor organizers. In 1996, a French government commission estimated that there were over 100,000 illegal wiretaps conducted by private parties, many on behalf of government agencies. There were protests in Ireland after it was revealed that the UK was monitoring all UK/Ireland communications from a base in Northern England. In Japan, police were recently fined 2.5 million yen for illegally wiretapping members of the Communist Party. The Echelon system is used by the United States, UK, Australia, Canada and New Zealand to monitor communications worldwide.

Police services, even in countries with strong privacy laws, still maintain extensive files on citizens for political purposes not accused or even suspected of any crime. There are currently investigations in Sweden and Norway, two countries with the longest history of privacy protection for intelligence and police files. In Switzerland, a scandal over secret police spying led to the enactment of their data protection act. In many former Eastern Bloc countries, there are still controversies over the disposition of the files of the secret police.

Companies regularly flaunt the laws, collecting and disseminating personal information. In the United States, even with the long-standing existence of a law on consumer credit information, companies still make extensive use of such information for marketing purposes and banks sell customer information to marketers. In other countries, inadequate security has resulted in the accidental disclosure of thousands of customers' records.

[1. Directive 95/46/EC of the European Parliament and of the Council of on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data.]

2. Simon Davies "Re-engineering the right to privacy: how privacy has been transformed from a right to a commodity", in Agre and Rotenberg (eds.) Technology and Privacy: The New Landscape (MIT Press, Cambridge: 1997). p.143.

3. Simon Davies and Ian Hosein, "Liberty on the Line" in Liberating Cyberspace (Pluto Press, London, 1998)

4. Big Brother Incorporated, Privacy International site: [http://www.privacy.org/pi/reports/].

5. Science and Technology Options Assessment (STOA). Ref : project no. IV/STOA/RSCH/LP/politicon.1

6. James Michael, Privacy and Human Rights (UNESCO 1994) p.1.

7. Richard Hixson, Privacy in a Public Society: Human Rights in Conflict, p. 3 (1987). See Barrington Moore, Privacy: Studies in Social and Cultural History (1984).

8. Ibid. at 5.

9. Simon Davies, Big Brother: Britain's web of surveillance and the new technological order ( Pan, London, 1996) p. 23.

10. Volio, Fernando. "Legal personality, privacy and the family" in Henkin (ed) The International Bill of Rights,(New York: Columbia University Press 1981).

11. Samuel Warren and Louis Brandeis, "The right to privacy", Harvard Law Review 4, 1890 pp 193 - 220.

12. "The Australian Privacy Charter", published by the Australian Privacy Charter Group, Law School, University of New South Wales, Sydney 1994.

13. Alan F Westin, Privacy and Freedom, (New York: Atheneum: 1967) p. 7.

14. “Privacy as an Aspect of Human Dignity”, 39 New York University Law Review, p. 971 (1964)

15. “Privacy and the Limits of Law,” 89 Yale Law Journal 421, at 428 (1980).

16. Report of the Committee on Privacy and Related Matters, Chairman David Calcutt QC,

1990, Cmnd. 1102, London: HMSO, page 7.

[17. James Michael, p. 15.]

18. Entick v. Carrington, 1558-1774 All E.R. Rep. 45.

19. The Rachel affaire. Judgment of June 16, 1858, Trib. pr. inst. de la Seine, 1858 D.P. III 62. See Jeanne M. Hauch, Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris, 68 Tul. L. Rev. 1219 (May 1994).

20. Warren and Brandeis, “The Right to Privacy”, 4 Harvard Law Review 193 (1890).

21. Universal Declaration of Human Rights, http://www.hrweb.org/legal/udhr.html.

[22. A/RES/45/158 25 February 1991, Article 14.]

23. UNGA Doc A/RES/44/25 (12 December 1989) with Annex, Article 16.

24. International Covenant on Civil and Political Rights[http://www.hrweb.org/legal/cpr.html].

[25. Convention for the Protection of Human Rights and Fundamental Freedoms Rome, 4.XI.1950. [http://www.coe.fr/eng/legaltxt/5e.htm].]

26. Nadine Strossen, “Recent U.S. and Intl. Judicial Protection of Indvidual Rights: A comparative Legal Process Analysis and Proposed Synthesis,” 41 Hastings Law Journal 805 (1990).

27. X v. Iceland, 5 Eur. Comm’n H.R. 86.87(1976).

28. European Court of Human Rights, Case of Klass and Others: Judgement of 6 September 1978, Series A No. 28 (1979). Malone v. Commissioner of Police, 2 All E.R. 620 (1979). See Note, “Secret Surveillance and the European Convention on Human Rights,” 33 Stanford Law Review 1113, 1122 (1981).

29. Judgement of 26 March 1987 (Leander Case).

30. Id. at 848, 849.

31. Rolv Ryssdal, Data Protection and the European Convention on Human Rights in Council of Europe Data protection, human rights and democratic values, XIII Conference of the Data Commissioners 2-4 October 1991 41-43 (1992).

32. Signed Nov. 22, 1969, entered into force July 18, 1978, O.A.S. Treaty Series No. 36, at 1, O.A.S. Off. Rec. OEA/Ser. L/V/II.23 dec rev. 2.

33. O.A.S. Res XXX, adopted by the Ninth Conference of American States, 1948 OEA/Ser/. L./V/I.4 Rev (1965).

34. An excellent analysis of these laws is found in David Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press 1989).

35. Convention fn the Protection of Individuals with regard to the Automatic Processing of Personal Data Convention, ETS No. 108, Strasbourg, 1981. [http://www.coe.fr/eng/legaltxt/108e.htm].

36. OECD, “Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data” Paris, 1981.

37. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [http://www.odpr.org/restofit/Legislation/Directive/Directive_Contents.html].

38. Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997), [http://www2.echo.lu/legal/en/dataprot/protection.html].

39. Article 25 of the Directive stipulates that in many circumstances, the level of protection in the receiving country must be "adequate" - an expression which is widely accepted to mean "equivalent". Article 26 lays out certain options for transferring data out of Europe in circumstances where the level of protection is not deemed adequate. These include consent and contracts.

40. Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS), [http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm].