Development of Electronic Data Flows

Development of Electronic Data Flows 1. Introduction The current development on the flow of electronic data, especially those relating to personal data across nations is increasing daily. Most of the flows are related to business activities whereas services are provided to fulfill the needs of people. It also leads to the transformation of commerce, which becomes worldwide and increasingly international. The transfer of huge quantities of data, relating to customers and employees, are required and often occurred among entities that located in different countries. An example would be the system of outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing database of human resources or customers. This can often result in improved efficiencies and levels of services. Further, the advancement of global networks, such as the internet, provides the possibilities to collect, process, and distribute personal data on an unprecedente d scale. However, the trans-border flow of personal data is not only performed by companies or governments but also conducted by individuals in everyday life as well. When the data is used by companies or government, this can represent a high volume of data, such as in the form of the transfer of databases. There will be a quite different volume of data when it is provided by individuals when they disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services. Additionally, there is a strong possibility for individuals, who are engaging in data transfer activities to lack of full awareness concerning what could be done to their personal data. In some instances, they do not realize that they have disclosed their personal data and it is subject to transmission and processing within countries not offering the same level of protection as their own country. For example, a student physically located in the Netherlands may complete an online game registration form, containing several spaces soliciting his/her identities, not knowing that the actual service provider is registered in India. Another example, a social worker residing within the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States. From the short description above, the trans-border flow of personal data exists in everyday life on a daily basis and it becomes a vital need of every stakeholder, whether governments or private sectors, including individuals. Nevertheless, while the flow has led to greater efficiencies and economic benefits, on the other hand this kind of flow has also raised concerns that some information could end up in the hands of people for whom it was not intended. Worse even is the situation when no one has realized the flow has taken place, spawning a great opportunity for infringement upon ones privacy rights. Some rules concerning privacy and data protection have been set up at national, regional, and international levels to guarantee privacy as one of the human rights is not harmed by any activity, including data processing as the final purpose of trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner. In this respect, a legal framework on trans-border flow of personal data has been enacted in Europe by the European Commission (EC) under two directives. The first one is Directive 95/46/EC concerning the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been further equipped by the second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant and therefore, Directive 2002/58/EC will be referred to when necessary. It should be noted that whenever a term the Directive is being used in this thesis, the term shall refer to Directive 95/46/EC. Under the Directive, a main rule concerning the trans-border flow of personal data has been set up. These include the obligation of data controller to use personal data for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and in specific cases to notify the competent independent supervisory body before carrying out all or certain types of data processing operations. On the other hand, there is a series of rights for individuals as data subject, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing. Nevertheless, all of the practice of these rights and obligations present a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (the EU/EEA) Member States to countries outside the EU/EEA, for the reason that the Directive requires an adequate level of protection in the destination countries. The transfer of personal data to a third country is prohibited when the third country does not have an adequate level of protection to ensure that the processing of personal data will not cause any violation to the rights of data subjects. The binding power of the Directive to the EU/EEA Member States requires each of the Member States to embed the provisions in the Directive into their national legal system. Thus, there is a free zone where trans-border flow of personal data can take place freely among the Member States because they provide the adequate level of protection. Any approval, adequate safeguard, or additional requirement is not necessary to any further extent. As far as public international law is concerned, by applying the extra-territoriality principle, the requirement of the adequacy is automatically fulfilled at the official representatives of the EU/EEA Member States in the third country, such as the Embassy or Consulate General because of the extended jurisdiction of the Member States. However, this principle is not extended to private sectors, since subsidiary offices of multinational companies, still have to abide to the national law in the third country although the base of operations of the company is located in the EU/EEA Member States. In this case, the adequate level of protection is still required even though the transfer is conducted internally among the subsidiaries of the company located in third countries. Currently, the EC has conducted some adequacy findings and has compiled a white list of countries providing an adequate level of protection. This approval means the trans-border flow of personal data can take place as in the free zone between the EU/EEA Member States. However, to date, the white list covers a limited list of countries, seven to be exact. This list might not prove too sufficient from the point of view of multinational companies in accommodating their interest, as it does not include many countries of growing commercial interest. From this point of view, there is a need to harmonize various privacy and data protection regulations in many countries through the establishment of an internationally congruent legal framework for privacy and data protection. Unfortunately, it will take some effort and time for the establishment, while a fast solution is needed. By considering the Directive thus far the strictest legal framework compared with other existing legal framework on privacy and data protection, obviously, there is a need for countries outside the EU/EEA Member States to improve their legal framework to become compliance with adequate level of protection requirement under the Directive. Since Indonesia is neither a Member State of the EU/EEA nor included in the white list of adequacy finding, the requirement of adequate level of protection is applied to Indonesia as a third country. The trans-border flow of personal data only can take place after the data controller is certain that the protection level of personal data in Indonesia is adequate under the Directive. Apparently, Indonesia is needed to criticize, whether or not its legal framework providing an adequate level of protection. Moreover, Indonesia as a Member State of the Asia-Pacific Economic Cooperation (APEC) has received a pressure to provide a sufficient level of protection on trans-border flow of personal data, in relation to the existence of the APEC Privacy Framework. This pressure has become heavier because of Indonesia position as the Association of South East Asian Nations/ASEAN Member States. Therefore, the main objective of this thesis is to examinehow Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC. Conducting this examination is important in determining ways Indonesia might be developed into an attractive destination country for international commerce activities. In order to answer the objective of this thesis, three research questions have to be answered: firstly,currently, why Directive 95/46/EC is being acknowledged as the strictest legal instrument concerning privacy and data protection on conducting trans-border flow of personal data compared with other existing legal instruments. Secondly, how the European Commission determines the adequate level of protection in the third country in question under Directive 95/46/EC. Then, thirdly, to what extent legal framework of data protection in Indonesia measures up to the adequate level of protection in Indonesia under Directive 95/46/EC. In line with the effort to answer the first research question, this thesis will try to identify any possibility for improvement towards the current adequacy finding system. Hence, a balance accommodation might be obtained and maintained between the one who requires the adequate level of protection and the one who has to fulfill it. This thesis will be structured as follows. The first chapter is the introduction in which the objective of this thesis is explained. In the second chapter, there will be a brief comparison between the Directive with other legal instruments concerning privacy and data protection. Afterwards, some explanations on the requirement of the adequate level of protection in the light of the Directive will be provided, including the measurement to be used in conducting the adequacy finding and will explore any possible solution if there is no adequate level of protection in the third country in question. Further, this chapter will cover the current problems within the Directive as well as possible suggestions to overcome them. Thus, answering the first and second research question. In the third chapter, relevant issues surrounding Indonesian legal framework will be discussed, including a brief explanation on how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so. The findings in the second and third chapters shall be employed to carry out the examination in the fourth chapter, which objective is to answer the third research question. The chapter serves to analyze the adequate level of protection of Indonesian legal framework by applying the measurements in the light of the Directive. The analysis will include various potential problems faced by Indonesia on its effort to improve protection of personal data along with several suggestions on how to overcome them. At the final stage, there will be a conclusion, to what extent Indonesia can be deemed as providing an adequate level of protection. As a result, a solution on how Indonesia might improve its legal framework under the Directive to both avoid a lack of protection and offer an adequate level of protection will be achieved. 2. The EU Legal Framework regarding trans-border flow of Personal Data The trans-border flow of personal data is stipulated by regulations concerning data protection. Since the early eighties, several regulations, drawn up by different organizations, have been published in this respect. The first initiative was performed by Organization for Economic Co-operation and Development (OECD) by establishing the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent any conflicts between national laws, which can hamper the free flow of personal data between the OECD Member States. This establishment brought an awareness of the importance protection of the trans-border flow of personal data. A similar purpose with the OECD Guidelines has brought the Member States of the Council of Europe (the CoE) to publish a convention on their interest in the following year. They agreed that it is needed to reconcile the fundamental values of the respect for privacy and the free flow of information between them. The agreement is stated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), with purpose to take into account the right of privacy and the increasing flow across frontiers of personal data in regards of automatic processing, as a way to extend the safeguards for everyones rights and fundamental freedoms. In 1990, by considering the UN has more Member States compared with the OECD and the CoE, Guidelines concerning Computerized Personal Data Files (the UN Guidelines) was established as a way to bring the principles on privacy and data protection being implemented wider among countries. The UN General Assembly through Resolution No. A/RES/45/95 on 14 December 1990, requests the Governments of every Member States to take into account this Guidelines in their legislation. Further, the governmental, intergovernmental, and non-governmental organizations are also requested to respect the Guidelines in carrying out the activities within their field of competence. Nonetheless, the OECD Guidelines, the CETS No. 108, and the UN Guidelines still have some weaknesses. There are some principles of data protection, which are required to be embedded in national laws of each of the Member States but there is no means for ensuring their effective application. For examples, there are no supervisory authority provision in the CETS No. 108 and a lack of procedural clauses in the OECD Guidelines. In another case, concerning the binding power of the instrument, the OECD Guidelines is voluntarily binding to its Member States as well as the UN Guidelines, even though the UN Guidelines has the supervision and sanction provisions. Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data has been established by the European Union (the EU) to overcome the limited effect of the two Guidelines and the Convention as mentioned above. Good level of compliance, support and help to individual data subject, and appropriate redress to the injured parties are the means used by the Directive for ensuring the effective application of the content of the rules. Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, the CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles, except for lawfulness, fairness, and non-discrimination principles are from the UN Guidelines; and special categories of data and additional safeguards for the data subject principles are from the ECTS No. 108. While the rest of the adopted principles are collection limitation, data quality, purpose specification, use limitation, security safeguard, openness, individual participation, and accountability. Further, the aims of the Directive can be seen from two perspectives. The first one is the economical perspective, in relation to the establishment and functioning of an internal market, in which to ensure the free movement of goods, persons, services, and capital, including the free movement of personal data. The second is from the fundamental rights perspective, in which to set the rules for high-level data protection to ensure the protection of the fundamental rights of the individuals. The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure there are no barriers for information flows among the APEC Member Economies by promoting a consistent approach to data protection. There are nine principles in the Framework that are built based on the OECD Guidelines. In brief, the adopted principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguard, access and correction, and accountability. However, this Framework has the same weakness as the previous legal instruments on privacy and data protection before the Directive, which is the absent of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum that established based on a voluntary basis, without any constitut ion or legally binding obligations for the Member Economies. Hence, the Framework is not binding to the Member Economies. From the brief analysis above, currently, the Directive posses the highest level of protection compared with other existing legal instruments on privacy and data protection. In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive. Therefore, in the next section, there will be an explanation on the legal bases of trans-border flow of personal data to third countries under the Directive, followed by a rationalization on how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of rules will be elaborated upon a description on a series of possibilities if the third country in question is not deemed to provide an adequate level of protection. Although currently, the Directive provides high-level of protection, some problems and suggestions will be provided, as an effort to address input for improvement. The findings in this chapter will be used to carry out the adequacy finding of Indonesia as a third country (in the fourth chapter) by doing a comparison with the findings on Indonesian legal framework in chapter three. 2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries The trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in accordance with the national data protection law of the EU/EEA Member States. It is applicable to the data controllers established in the EU, both at the time when data is being collected and processed. In general, the law consists of a combination between the obligations of data controllers and the rights of data subject. Before the establishment of the Directive, these rights and obligations were regulated under some national data protection laws with different level of protection. In the light of the functioning of internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in case of trans-border flow of personal data to a third country, are regulated in the Directive. Whereas the Directive is legally binding to the EU/EEA Member States, an adequate level of protection is fulfilled and consequently trans-border flow of personal data is able to take place among them. Further, when the personal data is used for electronic communication purposes, then the rights and obligations as lay down in Directive 2002/58/EC shall take place. There are three possible types of transfer under the Directive. The first and second types are a communication of personal data by a data controller based in the EU/EEA Member States to another data controller or to a processor based in a third country. Another possibility type is a communication of personal data by a data subject based in the EU/EEA Member States to a data controller based in a third country. Nevertheless, it should noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union. The main regulation in the Directive concerning trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. From this provision, it is necessary to explain further on the subject of the transfer of personal data and an adequate level of protection. First, what the Directive means by the transfer of personal data. Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. By seeing from a different perspective, the situation where one conducts a certain activity with the purpose to make data available for others, besides the owner of the data (the data subject), and located in another country, is included as a trans-border flow of personal data. However, by making data accessible for everyone who connects to internet by uploading any personal data on internet web pages, even though that person is located in another country, is not included in the meaning of transfer of personal data to another country. The reason for the previous statement is this kind of activity is properly acknowledged as publishing activity, not transferring activity. This exception is stated clearly by the Court of Justice in the Bodil Lindqvist Case as there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page making those data accessible to anyone who connects to the internet, including people in a third country. Subsequently, since the Directive is binding to 27 EU Member States, including three countries (Norway, Liechtenstein, and Iceland), which are bound by the Directive by virtue of the European Economic Area agreement (EEA), personal data can flow freely among them. In other words, there is a free zone among the EU/EEA member states. Therefore, transfer in the light of the Directive has to be seen as transfer of personal data from EU/EEA member states to other countries outside EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed. There is a so-called white list of countries, which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive. Currently, the list consists of seven countries as follows: Argentina, Canada (limited to private sector data), Switzerland, United States (Safe Harbor and specific type of transfer: Passenger Name Record/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy shall be analyzed more carefully because once a country is listed in the white list, does not automatically mean that personal data can flow to the country freely. One should pay attention whether the affirmation is given for the entire legal framework or only for certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer. Insofar, even though the result of adequacy finding shows that the data protection level in certain countries is not adequate, the EC will not create a black list for that negative finding because of political consequences. Instead of the black list, the EC tends to enter into negotiation with the certain country in order to find a solution. It can be concluded from the foregoing, that the adequacy finding is temporary and subject to be reviewed. Procedure of the Adequacy Finding In acknowledging the adequacy finding, the EC has to follow certain procedure, which has been determined in Article 25 Paragraph (6) of the Directive and is known as comitology. At first, there will be a proposal from the EC, followed by an opinion from Article 29 Working Party and an opinion from Article 31 Management Committee, which needs to be delivered by a qualified majority of member states. Afterwards, the EC submits the proposed finding to the European Parliament (EP), who will examine whether the EC has used its executing powers correctly and comes up with recommendation if necessary. As a final point, the EC then can formally issue the result of the adequacy finding. In the next section, the measurements used by the EC in conducting the finding will be explained in detail. 3. Assessing the Adequate Level of Protection The Article 29 Working Party has given an obvious statement thatany meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application.According to WP 12 of the European Commission (EC), a set of content principles that should be embodied in the existing regulations are the following: Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if it is compatible with the purpose of the transfer. Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date. Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country and other necessary information to ensure fairness. Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing. Rights of access, rectification and opposition: the data subject have the right to obtain a copy of all data relating to him/her that are processed, to rectification of those data that are shown to be inaccurate, and be able to object to the processing of the data. Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer only permitted if the second recipient provides an adequate level of protection. In addition to these content principles, another set of the means for ensuring the effective application of the principles, whether judicial or non-judicial, are required in order to fulfill the following objectives: Good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measurements to examine the compliance level, including direct verification by authorities, auditors, or independent data protection officials. Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. Institutional mechanism is needed to conduct independent investigation of complaints. Appropriate redress to the injured parties: where rules are not complied, redress to the injured party with independent adjudication or arbitration is provided, including compensation and sanction impose. Beyond the content principles, some additional principles are still needed to consider when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved and a right to opt-out when data are processed for direct marketing purposes should be in place. Another principle is the right for the data subject not to be a subject to an automated individual decision that intended to evaluate certain aspects, which can give any legal effects and have a significant effect to the data subject. These content principles, including additional principles, and the means for ensuring their effectiveness should be viewed as a minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases, there will be two possibilities. There is a need to add the list with more requirements or to reduce it. To determine whether some requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject becomes an important factor. The Article 29 Working Party has provided a list of categories of transfer, which poses particular risks to privacy, as mentioned below: Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive Transfers which carry the risk of financial loss (e.g., credit card payments over the internet) Transfers carrying a risk to personal safety Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc) Transfers which carry a risk of serious embarrassment or tarnishing of an individuals reputation Transfers which may result in specific actions which constitute a significant intrusion into an individuals private life (e.g., unsolicited telephone calls) Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.) Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies) To sum up, the circumstances should be taken into account when assessing adequacy in a specific case, being: the nature of the data the purpose and duration of the proposed processing operations the country of origin and the country of final destination the rules of law, both general and sectoral, in force in the country in question the professional rules and the security measures which are complied with in that country. Self -regulation From the circumstances as referred to Article 25 Paragraph 2 of the Directive, it can be seen that the assessments of the adequate level of protection is conducted according to the rules of law as well as the professional rules and the security measures. In other words, it has to be examined from a self-regulation perspective as well. The Article 29 Working Party presents a broad meaning of self-regulation asany set of data protection rules applying to a plurality of the data controllers from the same profession or industry sector, the content of which has been determined primarily by members of the industry or profession concerned.This wide definition offers the possibility to on the one hand a voluntary data protection code developed by a small industry association with only a few members and on the other hand a set of codes of professional ethics with quasi judicial force for a certain profession, such as doctors or bankers. Still, one should bear in mind, to be considered as an appropriate legal instrument to be analyzed, it has to have binding power to its members and has to provide adequate safeguards if the personal data are transferred again to non-member entities. Ob Development of Electronic Data Flows Development of Electronic Data Flows 1. Introduction The current development on the flow of electronic data, especially those relating to personal data across nations is increasing daily. Most of the flows are related to business activities whereas services are provided to fulfill the needs of people. It also leads to the transformation of commerce, which becomes worldwide and increasingly international. The transfer of huge quantities of data, relating to customers and employees, are required and often occurred among entities that located in different countries. An example would be the system of outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing database of human resources or customers. This can often result in improved efficiencies and levels of services. Further, the advancement of global networks, such as the internet, provides the possibilities to collect, process, and distribute personal data on an unprecedente d scale. However, the trans-border flow of personal data is not only performed by companies or governments but also conducted by individuals in everyday life as well. When the data is used by companies or government, this can represent a high volume of data, such as in the form of the transfer of databases. There will be a quite different volume of data when it is provided by individuals when they disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services. Additionally, there is a strong possibility for individuals, who are engaging in data transfer activities to lack of full awareness concerning what could be done to their personal data. In some instances, they do not realize that they have disclosed their personal data and it is subject to transmission and processing within countries not offering the same level of protection as their own country. For example, a student physically located in the Netherlands may complete an online game registration form, containing several spaces soliciting his/her identities, not knowing that the actual service provider is registered in India. Another example, a social worker residing within the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States. From the short description above, the trans-border flow of personal data exists in everyday life on a daily basis and it becomes a vital need of every stakeholder, whether governments or private sectors, including individuals. Nevertheless, while the flow has led to greater efficiencies and economic benefits, on the other hand this kind of flow has also raised concerns that some information could end up in the hands of people for whom it was not intended. Worse even is the situation when no one has realized the flow has taken place, spawning a great opportunity for infringement upon ones privacy rights. Some rules concerning privacy and data protection have been set up at national, regional, and international levels to guarantee privacy as one of the human rights is not harmed by any activity, including data processing as the final purpose of trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner. In this respect, a legal framework on trans-border flow of personal data has been enacted in Europe by the European Commission (EC) under two directives. The first one is Directive 95/46/EC concerning the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been further equipped by the second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant and therefore, Directive 2002/58/EC will be referred to when necessary. It should be noted that whenever a term the Directive is being used in this thesis, the term shall refer to Directive 95/46/EC. Under the Directive, a main rule concerning the trans-border flow of personal data has been set up. These include the obligation of data controller to use personal data for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and in specific cases to notify the competent independent supervisory body before carrying out all or certain types of data processing operations. On the other hand, there is a series of rights for individuals as data subject, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing. Nevertheless, all of the practice of these rights and obligations present a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (the EU/EEA) Member States to countries outside the EU/EEA, for the reason that the Directive requires an adequate level of protection in the destination countries. The transfer of personal data to a third country is prohibited when the third country does not have an adequate level of protection to ensure that the processing of personal data will not cause any violation to the rights of data subjects. The binding power of the Directive to the EU/EEA Member States requires each of the Member States to embed the provisions in the Directive into their national legal system. Thus, there is a free zone where trans-border flow of personal data can take place freely among the Member States because they provide the adequate level of protection. Any approval, adequate safeguard, or additional requirement is not necessary to any further extent. As far as public international law is concerned, by applying the extra-territoriality principle, the requirement of the adequacy is automatically fulfilled at the official representatives of the EU/EEA Member States in the third country, such as the Embassy or Consulate General because of the extended jurisdiction of the Member States. However, this principle is not extended to private sectors, since subsidiary offices of multinational companies, still have to abide to the national law in the third country although the base of operations of the company is located in the EU/EEA Member States. In this case, the adequate level of protection is still required even though the transfer is conducted internally among the subsidiaries of the company located in third countries. Currently, the EC has conducted some adequacy findings and has compiled a white list of countries providing an adequate level of protection. This approval means the trans-border flow of personal data can take place as in the free zone between the EU/EEA Member States. However, to date, the white list covers a limited list of countries, seven to be exact. This list might not prove too sufficient from the point of view of multinational companies in accommodating their interest, as it does not include many countries of growing commercial interest. From this point of view, there is a need to harmonize various privacy and data protection regulations in many countries through the establishment of an internationally congruent legal framework for privacy and data protection. Unfortunately, it will take some effort and time for the establishment, while a fast solution is needed. By considering the Directive thus far the strictest legal framework compared with other existing legal framework on privacy and data protection, obviously, there is a need for countries outside the EU/EEA Member States to improve their legal framework to become compliance with adequate level of protection requirement under the Directive. Since Indonesia is neither a Member State of the EU/EEA nor included in the white list of adequacy finding, the requirement of adequate level of protection is applied to Indonesia as a third country. The trans-border flow of personal data only can take place after the data controller is certain that the protection level of personal data in Indonesia is adequate under the Directive. Apparently, Indonesia is needed to criticize, whether or not its legal framework providing an adequate level of protection. Moreover, Indonesia as a Member State of the Asia-Pacific Economic Cooperation (APEC) has received a pressure to provide a sufficient level of protection on trans-border flow of personal data, in relation to the existence of the APEC Privacy Framework. This pressure has become heavier because of Indonesia position as the Association of South East Asian Nations/ASEAN Member States. Therefore, the main objective of this thesis is to examinehow Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC. Conducting this examination is important in determining ways Indonesia might be developed into an attractive destination country for international commerce activities. In order to answer the objective of this thesis, three research questions have to be answered: firstly,currently, why Directive 95/46/EC is being acknowledged as the strictest legal instrument concerning privacy and data protection on conducting trans-border flow of personal data compared with other existing legal instruments. Secondly, how the European Commission determines the adequate level of protection in the third country in question under Directive 95/46/EC. Then, thirdly, to what extent legal framework of data protection in Indonesia measures up to the adequate level of protection in Indonesia under Directive 95/46/EC. In line with the effort to answer the first research question, this thesis will try to identify any possibility for improvement towards the current adequacy finding system. Hence, a balance accommodation might be obtained and maintained between the one who requires the adequate level of protection and the one who has to fulfill it. This thesis will be structured as follows. The first chapter is the introduction in which the objective of this thesis is explained. In the second chapter, there will be a brief comparison between the Directive with other legal instruments concerning privacy and data protection. Afterwards, some explanations on the requirement of the adequate level of protection in the light of the Directive will be provided, including the measurement to be used in conducting the adequacy finding and will explore any possible solution if there is no adequate level of protection in the third country in question. Further, this chapter will cover the current problems within the Directive as well as possible suggestions to overcome them. Thus, answering the first and second research question. In the third chapter, relevant issues surrounding Indonesian legal framework will be discussed, including a brief explanation on how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so. The findings in the second and third chapters shall be employed to carry out the examination in the fourth chapter, which objective is to answer the third research question. The chapter serves to analyze the adequate level of protection of Indonesian legal framework by applying the measurements in the light of the Directive. The analysis will include various potential problems faced by Indonesia on its effort to improve protection of personal data along with several suggestions on how to overcome them. At the final stage, there will be a conclusion, to what extent Indonesia can be deemed as providing an adequate level of protection. As a result, a solution on how Indonesia might improve its legal framework under the Directive to both avoid a lack of protection and offer an adequate level of protection will be achieved. 2. The EU Legal Framework regarding trans-border flow of Personal Data The trans-border flow of personal data is stipulated by regulations concerning data protection. Since the early eighties, several regulations, drawn up by different organizations, have been published in this respect. The first initiative was performed by Organization for Economic Co-operation and Development (OECD) by establishing the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent any conflicts between national laws, which can hamper the free flow of personal data between the OECD Member States. This establishment brought an awareness of the importance protection of the trans-border flow of personal data. A similar purpose with the OECD Guidelines has brought the Member States of the Council of Europe (the CoE) to publish a convention on their interest in the following year. They agreed that it is needed to reconcile the fundamental values of the respect for privacy and the free flow of information between them. The agreement is stated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), with purpose to take into account the right of privacy and the increasing flow across frontiers of personal data in regards of automatic processing, as a way to extend the safeguards for everyones rights and fundamental freedoms. In 1990, by considering the UN has more Member States compared with the OECD and the CoE, Guidelines concerning Computerized Personal Data Files (the UN Guidelines) was established as a way to bring the principles on privacy and data protection being implemented wider among countries. The UN General Assembly through Resolution No. A/RES/45/95 on 14 December 1990, requests the Governments of every Member States to take into account this Guidelines in their legislation. Further, the governmental, intergovernmental, and non-governmental organizations are also requested to respect the Guidelines in carrying out the activities within their field of competence. Nonetheless, the OECD Guidelines, the CETS No. 108, and the UN Guidelines still have some weaknesses. There are some principles of data protection, which are required to be embedded in national laws of each of the Member States but there is no means for ensuring their effective application. For examples, there are no supervisory authority provision in the CETS No. 108 and a lack of procedural clauses in the OECD Guidelines. In another case, concerning the binding power of the instrument, the OECD Guidelines is voluntarily binding to its Member States as well as the UN Guidelines, even though the UN Guidelines has the supervision and sanction provisions. Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data has been established by the European Union (the EU) to overcome the limited effect of the two Guidelines and the Convention as mentioned above. Good level of compliance, support and help to individual data subject, and appropriate redress to the injured parties are the means used by the Directive for ensuring the effective application of the content of the rules. Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, the CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles, except for lawfulness, fairness, and non-discrimination principles are from the UN Guidelines; and special categories of data and additional safeguards for the data subject principles are from the ECTS No. 108. While the rest of the adopted principles are collection limitation, data quality, purpose specification, use limitation, security safeguard, openness, individual participation, and accountability. Further, the aims of the Directive can be seen from two perspectives. The first one is the economical perspective, in relation to the establishment and functioning of an internal market, in which to ensure the free movement of goods, persons, services, and capital, including the free movement of personal data. The second is from the fundamental rights perspective, in which to set the rules for high-level data protection to ensure the protection of the fundamental rights of the individuals. The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure there are no barriers for information flows among the APEC Member Economies by promoting a consistent approach to data protection. There are nine principles in the Framework that are built based on the OECD Guidelines. In brief, the adopted principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguard, access and correction, and accountability. However, this Framework has the same weakness as the previous legal instruments on privacy and data protection before the Directive, which is the absent of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum that established based on a voluntary basis, without any constitut ion or legally binding obligations for the Member Economies. Hence, the Framework is not binding to the Member Economies. From the brief analysis above, currently, the Directive posses the highest level of protection compared with other existing legal instruments on privacy and data protection. In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive. Therefore, in the next section, there will be an explanation on the legal bases of trans-border flow of personal data to third countries under the Directive, followed by a rationalization on how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of rules will be elaborated upon a description on a series of possibilities if the third country in question is not deemed to provide an adequate level of protection. Although currently, the Directive provides high-level of protection, some problems and suggestions will be provided, as an effort to address input for improvement. The findings in this chapter will be used to carry out the adequacy finding of Indonesia as a third country (in the fourth chapter) by doing a comparison with the findings on Indonesian legal framework in chapter three. 2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries The trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in accordance with the national data protection law of the EU/EEA Member States. It is applicable to the data controllers established in the EU, both at the time when data is being collected and processed. In general, the law consists of a combination between the obligations of data controllers and the rights of data subject. Before the establishment of the Directive, these rights and obligations were regulated under some national data protection laws with different level of protection. In the light of the functioning of internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in case of trans-border flow of personal data to a third country, are regulated in the Directive. Whereas the Directive is legally binding to the EU/EEA Member States, an adequate level of protection is fulfilled and consequently trans-border flow of personal data is able to take place among them. Further, when the personal data is used for electronic communication purposes, then the rights and obligations as lay down in Directive 2002/58/EC shall take place. There are three possible types of transfer under the Directive. The first and second types are a communication of personal data by a data controller based in the EU/EEA Member States to another data controller or to a processor based in a third country. Another possibility type is a communication of personal data by a data subject based in the EU/EEA Member States to a data controller based in a third country. Nevertheless, it should noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union. The main regulation in the Directive concerning trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. From this provision, it is necessary to explain further on the subject of the transfer of personal data and an adequate level of protection. First, what the Directive means by the transfer of personal data. Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. By seeing from a different perspective, the situation where one conducts a certain activity with the purpose to make data available for others, besides the owner of the data (the data subject), and located in another country, is included as a trans-border flow of personal data. However, by making data accessible for everyone who connects to internet by uploading any personal data on internet web pages, even though that person is located in another country, is not included in the meaning of transfer of personal data to another country. The reason for the previous statement is this kind of activity is properly acknowledged as publishing activity, not transferring activity. This exception is stated clearly by the Court of Justice in the Bodil Lindqvist Case as there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page making those data accessible to anyone who connects to the internet, including people in a third country. Subsequently, since the Directive is binding to 27 EU Member States, including three countries (Norway, Liechtenstein, and Iceland), which are bound by the Directive by virtue of the European Economic Area agreement (EEA), personal data can flow freely among them. In other words, there is a free zone among the EU/EEA member states. Therefore, transfer in the light of the Directive has to be seen as transfer of personal data from EU/EEA member states to other countries outside EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed. There is a so-called white list of countries, which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive. Currently, the list consists of seven countries as follows: Argentina, Canada (limited to private sector data), Switzerland, United States (Safe Harbor and specific type of transfer: Passenger Name Record/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy shall be analyzed more carefully because once a country is listed in the white list, does not automatically mean that personal data can flow to the country freely. One should pay attention whether the affirmation is given for the entire legal framework or only for certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer. Insofar, even though the result of adequacy finding shows that the data protection level in certain countries is not adequate, the EC will not create a black list for that negative finding because of political consequences. Instead of the black list, the EC tends to enter into negotiation with the certain country in order to find a solution. It can be concluded from the foregoing, that the adequacy finding is temporary and subject to be reviewed. Procedure of the Adequacy Finding In acknowledging the adequacy finding, the EC has to follow certain procedure, which has been determined in Article 25 Paragraph (6) of the Directive and is known as comitology. At first, there will be a proposal from the EC, followed by an opinion from Article 29 Working Party and an opinion from Article 31 Management Committee, which needs to be delivered by a qualified majority of member states. Afterwards, the EC submits the proposed finding to the European Parliament (EP), who will examine whether the EC has used its executing powers correctly and comes up with recommendation if necessary. As a final point, the EC then can formally issue the result of the adequacy finding. In the next section, the measurements used by the EC in conducting the finding will be explained in detail. 3. Assessing the Adequate Level of Protection The Article 29 Working Party has given an obvious statement thatany meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application.According to WP 12 of the European Commission (EC), a set of content principles that should be embodied in the existing regulations are the following: Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if it is compatible with the purpose of the transfer. Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date. Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country and other necessary information to ensure fairness. Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing. Rights of access, rectification and opposition: the data subject have the right to obtain a copy of all data relating to him/her that are processed, to rectification of those data that are shown to be inaccurate, and be able to object to the processing of the data. Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer only permitted if the second recipient provides an adequate level of protection. In addition to these content principles, another set of the means for ensuring the effective application of the principles, whether judicial or non-judicial, are required in order to fulfill the following objectives: Good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measurements to examine the compliance level, including direct verification by authorities, auditors, or independent data protection officials. Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. Institutional mechanism is needed to conduct independent investigation of complaints. Appropriate redress to the injured parties: where rules are not complied, redress to the injured party with independent adjudication or arbitration is provided, including compensation and sanction impose. Beyond the content principles, some additional principles are still needed to consider when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved and a right to opt-out when data are processed for direct marketing purposes should be in place. Another principle is the right for the data subject not to be a subject to an automated individual decision that intended to evaluate certain aspects, which can give any legal effects and have a significant effect to the data subject. These content principles, including additional principles, and the means for ensuring their effectiveness should be viewed as a minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases, there will be two possibilities. There is a need to add the list with more requirements or to reduce it. To determine whether some requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject becomes an important factor. The Article 29 Working Party has provided a list of categories of transfer, which poses particular risks to privacy, as mentioned below: Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive Transfers which carry the risk of financial loss (e.g., credit card payments over the internet) Transfers carrying a risk to personal safety Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc) Transfers which carry a risk of serious embarrassment or tarnishing of an individuals reputation Transfers which may result in specific actions which constitute a significant intrusion into an individuals private life (e.g., unsolicited telephone calls) Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.) Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies) To sum up, the circumstances should be taken into account when assessing adequacy in a specific case, being: the nature of the data the purpose and duration of the proposed processing operations the country of origin and the country of final destination the rules of law, both general and sectoral, in force in the country in question the professional rules and the security measures which are complied with in that country. Self -regulation From the circumstances as referred to Article 25 Paragraph 2 of the Directive, it can be seen that the assessments of the adequate level of protection is conducted according to the rules of law as well as the professional rules and the security measures. In other words, it has to be examined from a self-regulation perspective as well. The Article 29 Working Party presents a broad meaning of self-regulation asany set of data protection rules applying to a plurality of the data controllers from the same profession or industry sector, the content of which has been determined primarily by members of the industry or profession concerned.This wide definition offers the possibility to on the one hand a voluntary data protection code developed by a small industry association with only a few members and on the other hand a set of codes of professional ethics with quasi judicial force for a certain profession, such as doctors or bankers. Still, one should bear in mind, to be considered as an appropriate legal instrument to be analyzed, it has to have binding power to its members and has to provide adequate safeguards if the personal data are transferred again to non-member entities. Ob