This week in our series of “back to privacy basics”, we look at the issue of international transfers of personal data.
Given the harmonised approach to data protection laws across Europe, transfers to the Member States of the European Union (plus Norway, Liechtenstein and Iceland, which make up the rest of the European Economic Area) are not generally restricted. However, organisations are prevented from transferring personal data outside the EEA unless an adequate level of protection is assured for the personal data, or one of a number of derogations from the rule applies.
Adequacy and Derogations
There are a number of grounds on which organisations can demonstrate that adequate protection is provided:
Commission Decision: Where the European Commission has assessed that the laws of a country provide adequate levels of protection, personal data may be transferred to that country without further approvals. Currently, the list is Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. So this is of limited practical benefit to many organisations.
Standard Contractual Clauses: Transfers are also permitted where the data exporter and the recipient have entered into one of the versions of the Commission-approved ‘standard contractual clauses’. Changes are not permitted to the terms of these agreements (although the relevant details regarding the data transfers will need to be included) and in many European jurisdictions they must be approved or registered with the local data protection authority.
Binding Corporate Rules (BCRs): International transfers within a group of companies are permitted where a data protection authority has approved a set of internal principles and procedures for that group demonstrating that an adequate level of protection is given to personal data processed within it. These represent the current ‘gold standard’, or best practice, in data protection compliance.
Safe Harbor: Certain organisations in the US have the ability to self-certify against a series of ‘safe harbor privacy principles’, such that they will be deemed to provide adequate protection to permit international transfers. While the enforcement of this scheme has been much criticised (and officially rebuked by the European Parliament) it remains a valid legal basis for international transfers. The US has been asked by the EU to improve the regime.
Certain limited derogations also apply: for example where the relevant individual has given his / her consent to the international transfer, or where the transfer is necessary in connection with a contract involving the individual. Other derogations from the general rule apply where transfer is necessary for the individual’s vital interests or necessary in connection with legal proceedings.
Impact of Data Protection Regulation
Under the Data Protection Regulation as currently proposed, the landscape for international transfers would remain largely consistent.
The Regulation will, for the first time, give an explicit legal basis for adequacy on the grounds of BCRs. This would help future BCR applicants, as a number of European jurisdictions currently face issues in giving legal effect to BCRs.
The BCR approach may be supplemented by the concept of a ‘European Data Protection Seal’. The European Parliament proposes that this be awarded to organisations (controllers or processors) that demonstrate compliance with the Regulation to a data protection authority. The Parliament’s draft of the Regulation proposes that this seal would demonstrate adequacy in much the same way as BCRs.
The Commission’s draft of the Regulation had also included a derogation for transfers based on ‘legitimate interests’ in certain circumstances. This may be a practical solution for international transfers of low-sensitivity data on an ad-hoc basis. But, to our frustration, this has been removed from the most recent draft of the Regulation as approved by the European Parliament.
Finally, the Edward Snowden / NSA affair pervades even the issue of international transfers. The Regulation will require any organisation receiving a request for disclosure of personal data from a foreign court or regulator to make its data protection authority aware of the request and seek approval for such disclosure. Whether this makes the final cut will be more a question of politics than data privacy law.
Next up in our series is the topic of data accuracy and proportionality.