La gestion des DRM en perspective

§2- contracts of transborder flows

These problems, in particular, were evoked in a working paper of the Group of Article 29^148(*) in June 2003. Indeed, the provisions of articles 25^149(*) and 26^150(*) of Directive 95/46 on the personal data protection impose, in particular, these measures to the framework of transfers of these data in countries non-member of the European Union.

Moreover, following the first report/ratio at the Commission on the application of Directive 95/46 in May 2003^151(*), the Director of the Domestic market DG questioned himself and indicates in a note that « certain indicators obviously give to think that many transfers not - authorized and possibly illegal take place towards destinations or recipients not guaranteeing an adequate protection. One of these indicators [being] the very limited number of received notifications of the Member States pursuant to article 26, paragraph 3 of the directive: «although there are other possible means of legal transfers that article 26, paragraph 2, the number of received notifications is ridiculous compared to what one could reasonably expect ».^152(*)

Also, of measurements likely to facilitate the diffusion of information will be taken : for example, if « directive 95/46/EC does not make obligation at the Commission to inform the Member States of the notifications received under the terms of article 26, paragraph 3. The Member States are urged to inform the European Commission and the other Member States of any granted authorization. Nevertheless, the Commission departments will alert the Member States and the authorities in charge of the data protection of these notifications so that the interested parties can contact the authority of qualified notification and obtain all information necessary directly of this one ».^153(*)

The recourse to the contractual clauses is also a possibility. For the United States, these contractual clauses are not, generally, necessary in the case of a transfer of data to American companies adhering to the principles of the «sphere of safety» (safe harbor) published by the ministry for the trade of the United States.

However, have regard with the importance and the sensitivity of information, this principle is checked by the national authorities such as the CNIL and the Group of article 29 also emits within the framework of the mission which to him was entrusted opinions. In this respect, one will follow with interest the evolution of the discussions which take place on the problems of the personal data contained in the files of passengers (PNR). Indeed, since March 5, 2003, the European airline companies transmit these data to the American authorities. However to follow the successive opinions of the group of article 29^154(*) these transfers are not satisfactory ; the position of the CNIL being it similar insofar as it considers that « the transmission of the data contained in the PNR with the American authorities constitutes a diversion of finality of the data-processing treatment insofar as they were collected at commercial purposes and not for reasons of safety ».^155(*) It also specifies the fact that « certain information appearing in the file of reservation of a passenger is likely to reveal with a third of the data likely to attack the private life of the people concerned. The route of displacements of a person, the name of her travelling companions, his telephone number can concern its private life. It is even more the case of the data which can reveal the racial origins or the political opinions, philosophical, religious or manners ».^156(*) It finishes by referring to article 26 of directive 95/46 and by indicating that the United States does not offer an adequate protection of this information. ^157(*)

Also, in the light of these difficulties of processing personal data in an identified context, one can wonder what it will be on the level of the management of the DRM. Indeed, the services suggested to the users will have to be in conformity with the whole of the legislations in place and in particular the European legislation and to give a report on contract of transborder flows of data respecting these intentions imperatively so that the sedentary and commercial mistakes allowing the crossing of the files, the resale of those can be authorized only within the limits of legality.

Companies will have, in any event, if an adequate protection is not established to draw up contractual clauses which can, through the application of an exception of article 26, to substitute and offer sufficient guarantees to carry out the known as transfers to third countries. The Commission thus proposed certain models of contractual clauses^158(*) being obligatory allowing the companies on the matter to respect their obligations. ^159(*)

* ¹⁴⁸ Article 29 Groups data protection, Working paper on the Transfers of personal data towards third countries: Application of article 26 (2) of the directive of the EU relating to the data protection to the constraining rules the company applicable to the international transfers of data, June 3, 2003, 22p. www.europa.eu.int/comm/privacy

* ¹⁴⁹Article 25- Principles 1. «  The Member States provide that the transfer to a third country of data in personal matter being the object a treatment, or intended to be the subject of a treatment after their transfer, can take place only if, subject to the respect of the national provisions taken pursuant to the other provisions of this directive, third country in question ensures an adequate level of protection  ». Directive 95/46/EC of the European Parliament and the Council of October 24, 1995, directive on the protection of the physical people with regard to the processing the data in personal matter and to freedom of movement of these data, Texte published in the Official Journal of the European Communities n° L 281 of the 23/11/1995 p. 0031- 0050.

* ¹⁵⁰ In particular the following provisions interest us  : Article 26- Exemptions 1. «  Notwithstanding article 25 and subject to contrary provisions of their national law governing of the particular cases, the Member States provide that a transfer of data in personal matter towards a third country not ensuring an adequate level of protection within the meaning of article 25 paragraph 2 can be carried out, provided that: ) the person concerned has undoubtedly gave her assent to the transfer considered or

b) the transfer is necessary to the fulfilment of a contract between the person concerned and the person in charge for the treatment or for the execution of précontractuelles measurements taken at the request of the person concerned or

c) the transfer is necessary to the concluding or the fulfilment of a concluded contract or to conclude, in the interest of the person concerned, between the person in charge for the treatment and a third or

d) the transfer necessary or is made juridically obligatory for the safeguard of an important public interest, or for the observation, the exercise or the defense of a right in justice or

e) the transfer is necessary to the safeguard of the vital interest of the person concerned or

f) the transfer intervenes at the beginning of a public register which, under the terms of legislative or lawful provisions, is intended for the information of the public and is opened with the consultation of the public or any person justifying of a legitimate interest, insofar as the legal conditions for the consultation are met in the particular case  . 2. Without damage of paragraph 1, a Member State can authorize a transfer, or a whole of transfers, data in personal matter towards a third country not ensuring an adequate level of protection within the meaning of article 25 paragraph 2, when the person in charge for the treatment offers sufficient guarantees in comparison with the protection of the private life and freedoms and basic rights of the people, like with regard to the exercise of the corresponding rights; these guarantees can in particular result from suitable contractual clauses  ». Directive 95/46/EC of the European Parliament and the Council of October 24, 1995, directive on the protection of the physical people with regard to the processing the data in personal matter and to freedom of movement of these data, Texte published in the Official Journal of the European Communities n° L 281 of the 23/11/1995 p. 0031- 0050.

* ¹⁵¹ First Commission Report on the implementation of the Directive on the data protection, «  Analysis and impact study one the implementation off Directive EC. 95/46 in Member States  », May 16, 2003, 68p.

http://europa.eu.int/comm/internal_market/privacy/lawreport/data-directive_fr.htm

* ¹⁵² European Commission, Interior DG Marche, Services, Intellectual and Industrial Propriété, Medias and Protection of Give, the Director  - National Notifications under the terms of article 26, paragraph 3 of the directive and exchange of better practices, August 21, 2003, p. 1.

http://europa.eu.int/comm/internal_market/privacy/docs/lawreport/notification-art-26_fr.pdf

* ¹⁵³ Ibid, p. 4.

* ¹⁵⁴ In particular the opinion of January 29, 2004, Article 29 Groups data protection, opinion 2/2004 on the adequate level of protection of the data in personal matter contained in the files of the air passengers (PNR) transferred to the Office from the customs and protection from the borders from the United States (US CBP), Adopté on January 29, 2004, 14p.

http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp87_fr.pdf

* ¹⁵⁵ www.cnil.fr/index.php?id=1017 at February 24, 2004.

* ¹⁵⁶ Ibid

* ¹⁵⁷ «  (...) In parallel, the Council examined a project of negociating brief between the European Union and the United States intended to create the obligation for the airline companies to transfer the data passengers to the American authorities and to authorize these last to be reached directly the systems of reservation. It is in this context that the European Parliament, seized of this draft agreement, decided on April 21 2004 to seize the Court of Justice so that it comes to a conclusion about its compatibility with the European legislation  ». PNR: last evolutions, 3/05/2004, www.cnli.fr

* ¹⁵⁸ Decision of the Commission relating to the standard contractual clauses for the transfer of data in personal matter towards third countries, June 15, 2001, 14p.

http://europa.eu.int/comm/internal_market/privacy/modelcontracts_fr.htm

* ¹⁵⁹ Guillaume Desgens-Pasanau, transborder Data flows: legal and average risks of protection, April 16, 2002, www.journaldunet.com/juridique/juridique020416.shtml