EXPORTING DATA FROM THE EEA
Peter James, Commercial and Technology Partner at UK TAGLaw member, Clarkslegal LLP, sets out the ground rules for international data transfers.
With the increasing trend of globalisation and internet usage, it is difficult for businesses to control the transfer of personal data for which they are responsible. However, it remains the responsibility of the business (as data controller) to ensure that the requirements of the Data Protection Act 1998 are met.
Due to European harmonisation, data transfers within the EEA (that is the EU Member States plus Iceland, Norway and Liechtenstein) can be made on the same basis as UK data transfers.
The Eighth Data Protection Principle
The restriction regarding the transfer of data outside the EEA stems from the eighth data protection principle under the Data Protection Act 1998. This provides that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. It is the responsibility of the business or body transferring the data to make sure that these requirements are met.
Good Practice
The Information Commissioner has issued a four step procedure of good practice in order to establish whether or not a cross-border data transfer complies with the 1998 Act:-
(i) the data controller should consider whether (or the extent to which) the third country in question is the subject of a community finding of adequacy;
(ii) the data controller should consider the type of transfer involved and whether this enables any presumption of adequacy (for example, in the case of data controller to processor transfers);
(iii) the data controller should apply the adequacy test, including consideration of the application and use of contracts and/or codes of conduct to create adequacy;
(iv) the data controller should look at the exemptions from the eighth principle in schedule 4 of the 1998 Act, since the transfer can proceed if one of these exemptions applies.
Community Findings of Adequacy
The European Commission has produced a list of countries which it regards as having an adequate level of protection for personal data. Countries included in that list are Switzerland, Hungary, Canada (subject to certain conditions), Argentina, Guernsey and the Isle of Man.
Safe Harbour Agreements
Although there has been no general finding of adequacy in relation to the USA, personal data can be transferred to companies in the USA who have signed up to the safe harbour principles agreed between the European Commission and the US Government.
(Certain sectors are excluded, including financial services, transport and telecoms.)
Where a US business signs up to and complies with a safe harbour agreement, it is automatically authorised to accept data transfers from the EU without any additional need for separate approval. If the US business fails to comply with the requirements of the safe harbour agreement, enforcement proceedings can be taken by the US Federal Trade Commission and those directly affected can take action in the US Courts.
Relatively few companies have signed up to safe harbour agreements. A list of those who have is retained on the US Department of Commerce website.
Model Clauses
Another way of ensuring adequate protection is to adopt standard clauses devised by the Information Commissioner regarding data transfers. Any such transfer will then be deemed to be made in a manner which ensures adequate safeguards for the rights and freedoms of data subjects. (See www.informationcommissioner.gov.uk for more information.)
Exemptions
There are some important exceptions to the eighth data protection principle including:-
(i) The individual has consented to the transfer. In order to obtain informed consent, the data controller must give reasons for the transfer, so far as possible the countries involved and should bring any risks to the data subject’s attention. You need to bear in mind that we are concerned here with personal data, so a company cannot consent on behalf of its individual employees or employees of its customers.
(ii) The transfer is necessary to perform a contract with the individual concerned. Bear in mind that it has to be necessary, not simply more convenient to transfer the data.
(iii) The transfer is necessary for reasons of substantial public interest, such as detecting crime.
(iv) The transfer is necessary for the purpose of or in connection with legal proceedings.
(v) The transfer is necessary to protect the vital interests of the individual.
(vi) The transfer is made on terms which are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
Binding Corporate Rules
In a group situation, where a transfer is carried out by a UK established company to other members of its group in different jurisdictions, the transfer will comply with the eighth data protection principle if it is controlled by a set of legally enforceable corporate rules, approved by the Information Commissioner. There is a useful checklist which sets out questions which need to be dealt with if an application is to be approved, including:-
(i) How have the rules been made legally binding on the applicant company, other companies in its group, employees and sub-contractors?
(ii) How do the individuals enforce the rules against companies in the group?
(iii) What are the applicant company’s data protection audit procedures?
(iv) What types of data are covered by the rules, for what purposes are the data being processed and to what extent are they being transferred between jurisdictions?
(v) What internal data protection safeguards are in place and how are these reflected in the rules?
(vi) What procedures are in place for keeping the data protection authorities and other members of the group of companies informed about changes in these rules?
(The International Chamber of Commerce has issued detailed guidance on the drafting and implementation of such binding corporate rules).
What happens if you get it wrong?
A breach of the eighth data protection principle is not a criminal offence in itself. However, the Information Commissioner could issue an enforcement notice, requiring the data controller to comply with the principle within a specified period or not to make the offending transfer. If a business does not comply with an enforcement notice, then a criminal offence is committed. If convicted, the fine could be up to £5,000 in the Magistrates' Court or an unlimited fine if convicted in the Crown Court. Directors and other officers of companies which have committed offences may also be liable to prosecution. This is subject to the usual “consent or connivance” test, as well as whether there has been any neglect on the part of the officer concerned.
In addition, a data subject could bring civil proceedings against a data controller if they have suffered damage and distress relating to the non-compliance.
Peter James, Clarkslegal LLP
Tel 00 44 1189 585 321
e-mail: pjames@clarkslegal.com
www.clarkslegal.com