That is the conclusion of a "Staff Working Document", published by the European Commission on 20th January, which questions whether Member States are monitoring international data transfers sufficiently. Countries such as France, Italy, Ireland, Greece, Sweden or Luxembourg are gently chastised for not making any return to the Commission on the subject.
In fact, the UK's first reported use of so-called binding corporate rules took place in the same month as the Staff Working Document report was published: the country's Information Commissioner authorised General Electric to pass employee information to parts of the group situated overseas. That information possibly came too late for the Commission's report.
The EU’s Data Protection Directive creates several safeguards that must be met before personal data can be transferred to countries outside the EU.
One safeguard permits the Commission to issue a formal determination that the particular country to which the personal data is to be transferred has an adequate level of data protection – a so-called ‘adequacy finding’.
The Commission has so far recognised only Switzerland, Canada, Argentina, Guernsey and the Isle of Man as providing adequate protection. Limited transfers to the US are also possible under the US Department of Commerce's Safe Harbor Privacy Principles, as is, controversially, the transfer of Air Passenger Name Records to the US Bureau of Customs and Border Protection, the latter being motivated by political rather than privacy grounds.
Alternatively, the transfer may still take place if one of several exceptions applies (for example, where the person to whom the data relates has consented to the transfer), or if the contract between the EU-based firm and the non-EU based company incorporates standard contractual clauses that have been approved by the Commission.
These clauses are designed to ensure that sufficient protection will be given to the personal data transferred outside the EU (or, to be exact, the 25 EU Member States plus Norway, Liechtenstein and Iceland). The Commission therefore prefers that companies use these clauses rather than the exceptions, which, while they permit the data transfer, do not necessarily give protection to that data once it has been exported.
The Commission adopted Decisions approving two basic sets of standard contractual clauses – one relating to transfers of personal data to third country data controllers, and the other to transfers to third country data processors – in 2001. These were then complemented by another set of provisions – relating to business clauses – that was approved in 2004.
One requirement of these Decisions is that the Commission staff must evaluate how the clauses are operating. To this end, the Commission has now published a working document, setting out its findings.
It seems that the Commission's staff have found it hard to obtain sufficient evidence to properly evaluate the use that is being made of the clauses.
While Member States are obliged to monitor the transfer of personal data to non-EU countries, the methods by which they do this vary, and the information available is sketchy.
According to the Working Document: "Member States have very little information on the use of standard contractual clauses to transfer personal data out of the EU as well as poor information on international data transfers in general, which seem to result from insufficient controls being put in place."
It recommends that Member States and national data protection authorities improve their monitoring of international data transfers. But it acknowledges that there have been no major problems or incidents reported following use of the standard clauses.
What evidence there is shows that the clauses are not being used as frequently as the Commission would like, and the report suggests that Member States and regulators make more effort to promote the clauses.
It also suggests that the three sets of clauses could be amalgamated into a single set of contractual terms, with one set of rules for using those terms.
Finally, the report considers recommendations made by the International Chamber of Commerce (ICC) for improvements to the standard clauses. These mostly relate to the logistics of using the clauses.
Most controversial of these is the ICC request that the rules relating to onward transfers of personal data from a data controller outside the EU to a data processor be clarified. According to the report, this issue should be passed on to the EU Data Protection Working Party for further consideration.