The European Union's Data Protection Directive protects the
personal data of EU citizens from abuse and misuse. Organisations
have a duty to protect it, and that means ensuring that it is not
sent to countries with poor data protection.
The Directive says that data can be sent to another country
"only if … the third country in question ensures an adequate level
of protection".
Only a handful of countries have been deemed acceptable
destinations for data by the European Commission. Those are
Switzerland, Canada, Argentina, the Bailiwick of Guernsey, the Isle
of Man, the Bailiwick of Jersey and the US, when the data's
treatment is in accordance with the Safe Harbor Privacy Principles of the US
Department of Commerce.
The advice has been prepared by the Data Protection Unit of the
Directorate-General for Justice, Freedom and Security at the
European Commission. It is designed particularly to help small and
medium-sized companies to understand the law when it comes to
transferring personal data outside of the European Economic Area
(EEA).
The guidance points out that in order for a transfer to be
legal, data has to be properly handled in the first place according
to the data protection laws of the country where the processing
organisation is established.
If the transfer is to a country not listed as having adequate
data protection in place, a transfer can still take place, the
guidance says, quoting the Directive, but only if "the data controller offers
'adequate safeguards with respect to the protection of the privacy
and fundamental rights and freedoms of individuals and as regards
the exercise of the corresponding rights'."
"These safeguards may result from appropriate contractual
clauses, and more particularly from standard contractual clauses
issued by the Commission," it said. "In the case of multinationals,
the adoption of binding corporate rules could be an appropriate
solution."
Binding corporate rules can be put in place by corporations
which want to operate in a number of countries. They submit their
data protection processes for analysis by a data protection
authority, such as the UK's Information Commissioner's Office
(ICO). That office then gains the approval for the processes from
the data protection authority in every EU country in which the
organisation wants to operate.
Once that approval has been won, the organisation is free to move
data from these countries to any country in the world, as long as
the data stays within the corporate structure of that organisation.
Very few companies follow this approach. The ICO lists only two:
Philips and General Electric.
For international transfers outside of an organisation,
companies will have to use contractual safeguards for the data,
unless they have the consent of all data subjects to the transfer.
"The Commission has the power to decide that certain standard
contractual clauses offer sufficient safeguards as required by
Article [the Directive], that is, they provide adequate safeguards
with respect to the protection of the privacy and fundamental
rights and freedoms of individuals and as regards the exercise of
the corresponding rights," says the guidance.
"The effect of such a decision is that by incorporating the
standard contractual clauses into a contract, personal data can
flow from a data controller established in any of the [EEA
countries] to a data controller established in a country not
ensuring an adequate level of data protection. Except in very
specific circumstances, national data protection authorities cannot
block such transfer."