
Introduction to overseas transfers of personal data

This guide is based on UK law. 

Please note: This is one of a series of guides about overseas transfers of personal data.

Businesses increasingly operate on an international basis both internally within global group structures and externally with networks of customers and suppliers. This is facilitated by the internet which allows the quick and easy transmission of data across national boundaries and technologies that allow the increasingly complex and cheap collection, storage, use and disclosure of data. The combination of these factors means that personal information about individuals in the UK may often be processed overseas, frequently without the explicit knowledge or consent of those individuals. This raises issues such as the security of such data, who may have access to it and for what purposes and what rights the individual may have to object.

Europe has a long history of data protection and has traditionally been seen as having a higher standard than the rest of the world. European data protection legislation therefore builds in a standard of protection for personal data that is being transferred outside of Europe. In the UK this protection comes from the Data Protection Act 1998 (the 'Act'), primarily the last of eight Principles set by the Act, Principle 8.

However there is an issue as to whether the legislation has been overtaken by commercial and technological advances and whether the overseas transfer requirements in fact place unreasonable and unrealistic demands on organisations that transfer data overseas. But until any changes are made, organisations must fit within the current compliance regime.

The primary legal provision is Principle 8 of the Act which states that,

"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

However, other principles and provisions of the Act are relevant when looking at overseas transfers. For example, Principle 1 requires a data controller to provide information to individuals about the processing of personal data about them. This can include telling people that information about them will go overseas. Principle 7 requires appropriate technical and organisational security measures to be in place to protect data, including ensuring the reliability of staff and having written contracts in place with any data processors (suppliers/providers acting on behalf of a data controller in processing personal information). Compliance with the Act should be considered as a whole.

Conversely, Principle 8 applies only to transfers of personal data to a country or territory outside the European Economic Area ('EEA', meaning the EU member states plus Norway, Iceland and Liechtenstein). Any other use, disclosure or transfer of personal data raises no Principle 8 issue, but the remaining principles still apply to it.

Alongside compliance, organisations should consider commercial and reputational risks. Banks and call centres are regularly being criticised for lack of security in the protection of personal data; employers transferring data to an overseas head office frequently face queries and objections from staff. Properly implementing a compliance process for overseas transfers can involve a business in time and effort and in the management of customer/employee expectations and concerns, but, in view of the damage that can be done from adverse publicity whether external or internal, compliance is well worth the investment.

Is there an international transfer of personal data from the UK?

Before considering the regulatory and compliance issues in relation to international data transfers, the first question is whether a transfer of personal data is taking place at all. If personal data merely transit through another country they may not be considered to be transferred there. Guidance from the Information Commissioner, the data protection regulator, suggests that a transfer involves a transmission from one place or person to another. It recognises that in an electronic transfer the data may not physically move but are copied, yet it is quite clear that a transfer comprises more than simply routing data through a third country on their way from the UK to another European country.

This issue was considered by the European Court of Justice when Mrs Lindqvist, an active member of her local church in Sweden, set up an internet home page as part of a computer course and chose to create a site giving information to church parishioners. The site included names, telephone numbers and references to hobbies and jobs held by Mrs Lindqvist and her fellow parishioners.

Whilst the court held that posting information on a website did constitute the processing of personal data as covered by the data protection legislation, it found that this did not constitute an overseas transfer of such personal data, where the site was hosted by a national ISP. It reasoned that the Directive could not be construed as intending the expression "transfer of data to a third country" to cover the loading of data onto an internet page, even though this resulted in data being made accessible to persons in other countries.

However, the UK Information Commissioner has suggested that the intention of the person uploading the data is an important consideration and that, in practice, as data are often loaded onto the internet with the intention that they will be accessed across the world, there will usually be a transfer and the Lindqvist principle will not apply. In Mrs Lindqvist's case this did not affect her, as she had no intention that the information would be accessed overseas; it was a local initiative. But, though the legal position is unclear, for most global organisations who do intend their websites to be accessed by anyone anywhere in the world, if they post personal data it is more likely that they are intentionally making a transfer overseas and Principle 8 applies.

What about transfers into the UK?

This series of articles addresses transfers of personal data from the UK. But in a global business UK data controllers may also receive personal data from overseas. Some issues to consider in this scenario include:

  • Is the UK entity only acting as a data processor on behalf of the overseas entity? If so, the overseas entity may wish to impose contractual obligations on the UK entity but, if the UK entity has no control over how and why the data are to be processed, it will not become a UK data controller with compliance obligations.
  • If the UK entity does exercise control over the processing of the data, is the overseas entity complying with the laws of its own country? Are there any restrictions on transfer from that country? Whilst this may not directly affect the UK data controller, it is possible that it will not be obtaining the data fairly and lawfully under the Act if it is aware that this is in breach of overseas legislation.
  • Similarly, will the UK data controller be using the data in a way compatible with the purposes for which it was originally collected? Again, it may be considered unfair under the Act to use the data for purposes not expected by the individuals.

A UK data controller should seek advice and carry out due diligence if it is importing data from overseas.

Enforcement

In the UK, the Information Commissioner is responsible for enforcing the Act. Generally, compliance issues come to light when an individual complains to the Information Commissioner. The Information Commissioner will carry out an investigation which may involve contacting the organisation and requiring further information. The Information Commissioner can issue an enforcement notice for non-compliance. Failure to comply with an enforcement notice is a criminal offence which can lead to a fine of up to £5,000 in the magistrates' court; both the organisation itself and its directors or officers can be liable.

An issue recently reported in the media was the case of SWIFT, the Belgium-based bank transfer organisation. Complaints were made that SWIFT broke privacy laws (in this case in Belgium) firstly by storing data about European banking transactions in a data centre in the United States without informing the European data subjects, and secondly by allowing US security agencies access to those transaction details. This has led to a wider compliance issue for UK banks, which may also allow US security agencies access to transaction details for anti-terror investigations. Banks have written to customers to explain that this may happen and have been in discussions with the Information Commissioner; enforcement action in the UK is not currently envisaged, although the situation could change.

It is important for any organisation to keep abreast of compliance issues, guidance from the Information Commissioner and best practice, and to bear in mind that even without formal enforcement action, protecting reputation can be equally important.

© Pinsent Masons 2008

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.