Transferring Personal Data Overseas
Many people are concerned that the Eighth Principle of the Data Protection Act 1998 is a barrier to their business. That principle is:
"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
(The EEA consists of the member states of the European Union, plus Norway, Iceland and Liechtenstein.)
What is a transfer?
The Data Protection Act doesn't define the expression "transfer". The Information Commissioner has said that it means: "to convey from one place, person, ownership, object, group etc, to another". This interpretation is wide enough to cover a UK organisation sending personal data to another member of its group of companies in the USA, or releasing personal data about its customers and contacts to a prospective purchaser of the business who is based outside the EEA; someone in a UK office forwarding an email to a colleague in the States; or details of the customers of a UK company being processed in a customer relationship management centre in India.
It may not be obvious that a transfer is taking place; the US office may access a UK database without anyone in the UK actively sending any data to the US; or the personal data may be transferred in the course of a telephone conversation between people in the UK and US offices; or an employee of the UK organisation may remotely access the UK database from his laptop whilst he is abroad on business. Publishing personal data on a website that may be accessed from anywhere outside the EEA is also a transfer of those data.
Major trading partners such as the USA, China and India do not ensure an adequate level of protection. So what do you do if you do want or need to transfer personal data outside the EEA?
1. Do you come within one of the Exemptions?
The Eighth Data Protection Principle does not apply if:
i) The data subject has given his consent to the transfer.
Consent must be freely given, informed, specific and active; it may not be implied from silence, but it may be inferred from action. For instance, a visitor to a website may be clearly informed, before he gives any information about himself, that his data may be transferred to a company outside the EEA and how the data will then be used. If the data subject still provides you with his personal details, you may infer that he is consenting to their transfer and use in the way you have informed him.
ii) The transfer is necessary for the performance of a contract between the data subject and the transferring controller, for example a travel agent making a hotel booking.
iii) The transfer is necessary for taking steps at the data subject's request with a view to entering into a contract with the data controller, for instance where a credit card company provides authorisation to an overseas web-merchant.
iv) The transfer is necessary for the conclusion of a contract between the controller and someone other than the data subject and that contract:
· is entered into at the request of the data subject; or
· is in the data subject's interests.
v) The transfer is necessary for the performance of such a contract.
vi) The transfer is necessary in connection with legal proceedings, obtaining legal advice, or exercising or defending legal rights.
vii) The transfer is necessary to protect the data subject's vital interests. Here the word "vital" is used literally - it must be a matter of life or death.
viii) The transfer is necessary for reasons of substantial public interest. This is likely to be in connection with the prevention and detection of crime.
ix) The transfer is an extract from a public register, provided the transferee complies with any restrictions on the use of that register.
x) The transfer has been authorised by the Commissioner. (This exemption is not intended to be widely used and the Information Commissioner will consider applications for authorisation only in limited circumstances.)
xi) The transfer is made on terms of a kind approved by the Commissioner.
2. Are you transferring the data to a country approved by the European Commission?
The European Commission has a "white list" of countries, i.e. countries that the Commission regards as having adequate protection and to which you may transfer personal data. There aren't many countries on the list; only Argentina, Canada, Guernsey, the Isle of Man and Switzerland.
3. If the recipient of the data is in the USA, is it in the Safe Harbor?
The white list does NOT include the USA, but the European Commission and the US Government negotiated the terms of a "Safe Harbor" under which US organizations self-certify that they will comply with certain standards in relation to the protection of personal data. You may transfer personal data to any organization that is in the Safe Harbor and you will find details at: www.export.gov/safeharbor/.
4. Do you have a contract with the recipient that ensures adequate protection for the personal data?
The Commission has approved three sets of model clauses for use when personal data is transferred outside the EEA. They envisage that the data are transferred either to another data controller or to a data processor.
In practice it is difficult to persuade recipients overseas to accept these clauses and therefore some data controllers put other contractual terms in place. That should be done only if the data controller has assessed the risks and concluded that, in the circumstances, the contract does provide adequate protection. (See 5 below.)
An alternative to the use of contractual provisions that may be useful to international groups of companies is to have binding corporate rules that have been approved by the Information Commissioner. This is a relatively recent development and there are only one or two instances in Europe of rules being approved.
5. Do you think that the data are adequately protected in some other way?
Ultimately it is the duty of the data controller (the individual or company that decides the purpose for which any data are to be processed and how they are to be processed) to decide whether or not any country to which the data are to be transferred affords an adequate level of protection for the rights and freedoms of data subjects. The onus is on the data controller to carry out a risk assessment each time personal data are transferred outside the EEA. Factors to take into account include:
- The nature of the personal data. (Are the data sensitive, at one end of the spectrum, or, at the other end, already widely known?)
- The country of origin of the data. (If the original country had poor data protection laws is there any reason why the data subject should be placed in a better position than if the data had never come into the EEA?)
- The country of final destination of the data. (If the data controller is making an initial transfer to a country that is on the white list (see above) but is aware that the data will be transferred to a country with poor data protection laws this should be taken into account.)
- The purposes for which, and the period for which, the data are intended to be processed. (The longer the period of processing, the greater the risk to the data subject's rights is likely to be.)
- Whether the data protection laws in the country of destination are adequate.
- The international obligations of that country.
- Any relevant codes of conduct or other rules in that country.
- The security measures taken in that country - for instance is there compliance with BS7799 and will the data be encrypted?
It may not be easy to judge the adequacy of the data protection laws of another country. The Information Commissioner suggests that controllers look at: whether the laws of that country limit the purposes for which personal data may be processed; whether there is a rule that personal data be accurate and kept up to date; whether there are rules about informing the data subject as to who is processing his data and the purpose of that processing; whether the law insists that technical and organisational measures are to be taken to protect the security of the data; whether data subjects have rights of access to their data, the right to rectify incorrect data, and the right to object to the data being processed; whether further transfers are restricted in a way similar to that under the Eighth Data Protection Principle; whether there are safeguards in relation to the processing of sensitive personal data; whether the data subject can prevent his data being used for direct marketing; and whether the data subject has the right to know the logic behind any automated decision making that affects him. In short, the data controller is to take a view on whether or not the country to which the data are to be transferred protects the rights of data subjects in the same way as they are protected within Europe.
If you would like further advice about any of the issues considered above please contact Christine Reid on 01865 864195 or email her at firstname.lastname@example.org
This article is not intended to be, and should not be taken as being, legal advice. The law often changes and it varies from jurisdiction to jurisdiction; the information in this article is generic in nature and specific legal advice should be taken before acting on any of it.